SmartAlex Data Protection Impact Assessment (DPIA)
1. Overview and purpose of this assessment
This Data Protection Impact Assessment (the "DPIA") is prepared by THERCSGROUP PTE. LTD., a private company limited by shares incorporated in the Republic of Singapore (UEN 202543608D), with its registered office at 160 Robinson Road, #14-04 Singapore Business Federation Center, Singapore 068914, trading as SmartAlex ("SmartAlex", "we", "us" or "our"). SmartAlex operates a multi-tenant business-to-business platform on which business customers ("Customers") configure AI voice agents that place and receive real telephone calls, run outbound calling and messaging campaigns, manage contact records, and view analytics. The platform records and transcribes calls and processes the resulting audio and transcripts with speech and language AI.
This DPIA assesses the risks to the rights and freedoms of natural persons arising from that processing and the measures taken to address them. It is an accountability artefact under Article 35 of the UK and EU General Data Protection Regulation (the "GDPR") and supports our parallel obligations under the Singapore Personal Data Protection Act 2012 (the "PDPA") and the South African Protection of Personal Information Act 2013 ("POPIA"). It is a living document: it is maintained alongside, and should be read with, our Privacy Policy, our Data Processing Addendum, our Subprocessor List, and our Telephony and Call Recording Notice.
1.1 Why a DPIA is carried out
The processing assessed here exhibits several of the features that, under Article 35(3) of the GDPR and the guidance of the European Data Protection Board, make a DPIA appropriate or mandatory:
- the systematic recording, transcription, and large-scale processing of voice communications, which are inherently rich in Personal Data;
- the use of innovative technology, namely AI voice agents and automated speech and language models;
- the possibility that special-category data and data that may constitute biometric data are processed; and
- the matching, combining, and analytical use of contact data and call content to qualify leads and generate analytics.
SmartAlex therefore prepares this DPIA as a matter of accountability whether or not any single threshold is met for a given Customer deployment, and makes it available so that Customers can rely on it in their own DPIAs.
1.2 Scope
This DPIA covers the processing of Personal Data through the core Services: account provisioning, telephony connectivity, live AI voice agent calls, call recording, transcription, transcript and contact analysis, campaign execution, and platform analytics. It does not separately assess optional integrations that a Customer may choose to enable (for example a connected store, a meeting-notetaker, web-enrichment, or messaging integrations); where a Customer enables such an integration, the additional subprocessor and data flow are disclosed in the Subprocessor List and should be assessed by the Customer for its own use case.
2. Definitions
In this DPIA, capitalised terms have the meanings given below, and otherwise have the meanings given in the GDPR:
- Customer Data means data the Customer or its End Users provide or that is generated through the Customer's use of the Services, including call audio, transcripts, contact records, and message content.
- Controller and Processor have the meanings given in Article 4 of the GDPR.
- End User means an individual whom the Customer contacts or interacts with through the Services, such as the recipient of a call.
- Personal Data means information relating to an identified or identifiable natural person.
- Special-category data means the categories of Personal Data listed in Article 9(1) of the GDPR, and the equivalent "special personal information" under section 26 of POPIA.
- Services or Platform means the SmartAlex platform, websites, applications, and APIs.
- Subprocessor means a third party engaged by SmartAlex to process Personal Data in connection with the Services.
- Supervisory Authority means a public authority responsible for monitoring the application of data-protection law, including the Singapore PDPC, the South Africa Information Regulator, and the competent authority of an individual in the European Union, the United Kingdom, or Switzerland.
3. Roles, jurisdiction, and governing law
3.1 Controller and processor roles
SmartAlex holds two distinct roles, and this DPIA covers both:
- For the Personal Data of a Customer's End Users captured during call handling (call audio, transcripts, contact records, and message content), SmartAlex acts as a Processor on the documented instructions of the Customer, who is the Controller of that data.
- For account, billing, security, and product-analytics data, and for any data a Customer opts in to use for AI training, SmartAlex (THERCSGROUP PTE. LTD.) acts as an independent Controller.
Where this DPIA fixes a lawful basis, designs a consent flow, or accepts residual risk, it does so only in respect of the processing for which SmartAlex is the Controller. For processing in which SmartAlex is a Processor, the Customer remains the Controller and is responsible for the lawfulness of the processing, for establishing any condition required to process special-category data, and for giving End Users the notices the law requires. The allocation of responsibilities between SmartAlex and the Customer is set out in full in our Data Processing Addendum.
3.2 Jurisdiction and governing law
SmartAlex is established in the Republic of Singapore, and the law of Singapore is the governing law of the Services. Personal Data is processed and stored with our cloud infrastructure providers in the region identified in our Subprocessor List, and further regions are available on request to Customers with data-residency requirements. The transfer analysis in the section "Data flows, storage locations, and international transfers" below proceeds from this position. Because the Services are offered to Customers in Singapore, the European Economic Area, the United Kingdom, the United States, and South Africa, the processing falls within several regimes at once, and this DPIA is drafted to satisfy the most demanding of them.
3.3 Consultation and advice
The advice of the SmartAlex Privacy Contact, who performs our data-protection function, was sought in the preparation of this DPIA and is reflected throughout. Input was also drawn from our engineering, security, and customer-facing teams, who own the relevant systems and Customer relationships. We have not, at the date of this DPIA, identified a residual high risk that would require prior consultation with a Supervisory Authority under Article 36 of the GDPR. Where a future change in the processing would create such a risk that we cannot mitigate, we will consult the competent Supervisory Authority before that processing begins.
4. Description of the processing activities
4.1 Nature of the processing
The processing includes the capture, transmission, storage, and AI-based analysis of voice, text, and metadata, for purposes such as call handling, lead qualification, customer engagement, and analytics. A typical call flow is as follows: a call is connected through our telephony provider; live audio is carried by our real-time voice infrastructure provider to an AI voice agent; the agent's responses are synthesised by a text-to-speech provider; the audio is transcribed by a speech-to-text provider; and the resulting transcript and any extracted fields are stored in the Customer's tenant and may be summarised or analysed by a language-model provider. Each of these providers is engaged under written terms and is listed, with its region and transfer safeguard, in our Subprocessor List.
4.2 Categories of personal data and sources
The categories of Personal Data processed, and their sources, are set out below.
| Category | Examples | Source | Role |
|---|---|---|---|
| Account and user data | Name, work email, role, login credentials, authentication tokens | Customer's platform users | SmartAlex as Controller |
| Contact records | End User name, phone number, email, notes, campaign membership | Customer upload or integration | SmartAlex as Processor |
| Call audio | Recorded voice of the End User and of the AI agent | Generated during a live call | SmartAlex as Processor |
| Transcripts and extracted fields | Text of the call, qualification answers, sentiment and summary | Derived from call audio | SmartAlex as Processor |
| Call metadata | Phone numbers, call direction, duration, timestamps, outcome, signalling | Generated by the telephony layer | SmartAlex as Processor |
| Configuration and knowledge-base content | Agent prompts, scripts, uploaded documents | Customer configuration | SmartAlex as Processor |
| Billing data | Billing contact, payment-method metadata, transaction history | Customer and payment processor | SmartAlex as Controller |
| Technical and security data | IP address, device and browser identifiers, audit logs | Generated by use of the Services | SmartAlex as Controller |
Free-form call audio and transcripts may, without solicitation, contain special-category data within the meaning of Article 9 of the GDPR and section 26 of POPIA. Voice may also constitute biometric data where it is used for the purpose of uniquely identifying an individual. These possibilities are assessed in the risk register below.
4.3 Data subjects
The data subjects are the End Users contacted by or interacting with Customers through the Services, and the Customer's own employees or representatives who use the Platform. End Users are the more vulnerable population because they do not have a direct relationship with SmartAlex and may not expect their call to be handled by an AI agent or recorded; the controls in this DPIA give particular weight to their interests.
4.4 Purposes of the processing
The purposes are to deliver AI-enabled voice communication, automate call handling, record and transcribe calls, run campaigns, generate analytics, secure the Platform, bill for the Services, and improve their efficiency and quality for Customers.
4.5 Processing operations
The operations include collection, recording, transcription, storage, retrieval, transmission, AI interpretation and summarisation, anonymisation or de-identification, disclosure to Subprocessors, and deletion.
4.6 Purposes and lawful bases (controller processing)
For the processing in which SmartAlex is the Controller, each purpose is mapped to a lawful basis under Article 6 of the GDPR. The controlling statement of lawful bases and of data-subject rights is the SmartAlex Privacy Policy; this DPIA does not vary it.
| Purpose | Lawful basis |
|---|---|
| Providing and administering the Services to the Customer | Performance of a contract (Article 6(1)(b)) |
| Securing the Platform, preventing fraud and abuse, and product analytics | Legitimate interests (Article 6(1)(f)) |
| Keeping tax, accounting, and statutory records | Legal obligation (Article 6(1)(c)) |
| Marketing communications to business contacts | Consent or soft opt-in (Article 6(1)(a)); never bundled into account creation |
| Using opted-in data to train or tune AI models | Consent (Article 6(1)(a)) |
Where SmartAlex is a Processor, the lawful basis for the underlying processing is determined by the Customer as Controller. Where special-category data is processed, the relevant Article 9(2) condition (typically explicit consent) is the Customer's responsibility to establish.
4.7 Retention
Retention is set per category so that data is kept no longer than is necessary for the purpose for which it was collected.
| Category | Retention |
|---|---|
| Live call recordings and transcripts | Retained for the active life of the Customer account and tenant-configurable by the Customer; where a Customer sets no shorter period, our platform default applies |
| Contact records and configuration | Retained while the Customer keeps them in its tenant; deleted on Customer instruction or on account closure |
| Call metadata and analytics | Retained for the active life of the account; aggregated or de-identified analytics may be kept longer |
| Post-termination deletion of Customer Data | Deleted within ninety (90) days of account termination |
| Backups and archived logs | Retained for up to one hundred and eighty (180) days, then purged on a rolling cycle |
| Account and billing data | Retained for the life of the account and thereafter only as long as required to meet legal, tax, and accounting obligations |
| Security and audit logs | Retained for the period needed for security and accountability, then deleted or anonymised |
5. Necessity and proportionality
This section addresses the assessment required by Article 35(7)(b) of the GDPR: whether the processing is necessary and proportionate to its purposes.
5.1 Necessity
Call audio is necessary to operate an AI voice agent: the agent must receive the caller's speech in order to respond, and a recording supports quality assurance, dispute resolution, and the Customer's own compliance record. Transcripts are necessary to make calls searchable, to drive qualification and analytics, and to reduce the need to replay raw audio. Contact records and call metadata are necessary to route calls, run campaigns, and report outcomes to the Customer. Account, billing, security, and analytics data are necessary to provide, secure, and bill for the Services.
5.2 Proportionality and data minimisation
We considered less intrusive alternatives and built controls so that the processing is proportionate to its purpose:
- Call recording is configurable by the Customer, who can disable it where a metadata-only or transcript-only record is sufficient for the use case.
- Retention is configurable and time-bounded (see "Retention" above), so audio and transcripts are not held indefinitely.
- Only data necessary to the purpose is captured; we do not enrich recordings with additional profiling beyond what the Customer configures.
- Access is restricted on a least-privilege basis, multi-tenant isolation keeps each Customer's data segregated, and transcripts can be subject to redaction of obvious identifiers.
- We do not use call content to train shared models, and our AI Subprocessors are engaged on terms that prohibit using our data to train their models.
On this basis we assess that the processing is proportionate to the stated purposes and that no less intrusive means would achieve them with equivalent effectiveness.
6. Data flows, storage locations, and international transfers
6.1 Storage locations
Personal Data is processed and stored with our cloud infrastructure providers in the region identified in our Subprocessor List. Some of our Subprocessors operate from the United States and other regions for hosting, telephony routing, and speech and language AI. Customers with data-residency requirements may request available regional options.
6.2 Transfer mechanisms
Where Personal Data is transferred out of the country of origin to a region without an equivalent adequacy finding, we rely on the following safeguards, supplemented by encryption in transit and at rest and by access controls:
- For data originating from the European Economic Area, United Kingdom, or Switzerland: the EU Standard Contractual Clauses (Module Two, controller to processor, and Module Three for onward transfers), the UK International Data Transfer Addendum, and the Swiss addendum.
- For data originating from Singapore: the PDPA Transfer Limitation Obligation, met through comparable contractual protection.
- For data originating from South Africa: the safeguards in section 72 of POPIA.
A copy of the relevant safeguards is available on request from privacy@getsmartalex.com. The contractual chain that underpins these transfers, and the current list of Subprocessors and their regions, are set out in our Data Processing Addendum and Subprocessor List.
6.3 Supplementary measures
In addition to the transfer mechanisms above, we apply supplementary technical and organisational measures to protect data that crosses regions: encryption of data in transit and at rest, strict access controls and authentication, logging of access to Personal Data, and contractual commitments from Subprocessors to notify us of any binding government request for access and to challenge requests that are unlawful or overbroad. We keep these measures under review in light of guidance from Supervisory Authorities.
7. Risk assessment
The risks below are rated by likelihood and by impact on the rights and freedoms of data subjects, with the mitigations applied. Likelihood and impact are each rated low, medium, or high.
7.1 Unauthorised access
The risk is a breach of call or account data by unauthorised persons. Likelihood: low. Impact: high. Mitigations: encryption in transit and at rest, multi-factor authentication, access logging, multi-tenant isolation, and a least-privilege access model.
7.2 Data leakage through subprocessors
The risk is exposure of data through a third-party hosting, telephony, or AI Subprocessor. Likelihood: medium. Impact: high. Mitigations: written data-processing terms incorporating Standard Contractual Clauses with all Subprocessors, due-diligence review before engagement, ongoing monitoring, and a commitment from AI Subprocessors not to use our data to train their models.
7.3 Over-retention of data
The risk is keeping Personal Data longer than necessary. Likelihood: low. Impact: medium. Mitigations: configurable and time-bounded retention, automated post-termination deletion within 90 days, a 180-day backup purge cycle, and de-identification routines.
7.4 Cross-border transfer risk
The risk is transfer to a jurisdiction without equivalent protection or subject to disproportionate government access. Likelihood: medium. Impact: high. Mitigations: the transfer safeguards and supplementary measures described in "Data flows, storage locations, and international transfers" above, regional storage options, encryption, and restricted access.
7.5 Inadvertent special-category data in recordings
The risk is that End Users volunteer health, financial, religious, political, or other special-category data within free-form audio or transcripts, where there may be no Article 9 condition for that category. Likelihood: medium. Impact: high. Mitigations: SmartAlex processes such data only on the Customer's documented instructions; transcripts can be subject to redaction of obvious identifiers; access is restricted on a least-privilege basis; and Customer guidance discourages soliciting sensitive data and recommends agent scripts that do not invite it. The Customer, as Controller, is responsible for establishing an Article 9(2) condition (typically explicit consent) and for giving End Users the required notices.
7.6 Biometric data and re-identification from voice
The risk is that recorded voice is treated as biometric data, or that a voiceprint could be derived and used to re-identify an individual across calls. Likelihood: low. Impact: high. Mitigations: SmartAlex does not create or use voiceprints to uniquely identify individuals, and the Services are not configured for voice-based biometric identification; recordings are stored as audio for quality, dispute, and compliance purposes only; access is restricted and logged; and the prohibition on biometric identification is reflected in our internal controls. Where a Customer wished to use voice for identification, that would be a distinct processing activity requiring the Customer to establish an Article 9 condition and its own assessment, and it is outside the scope of the standard Services.
7.7 Inaccurate transcription or AI output
The risk is that automated transcription or summarisation produces an inaccurate record that is then relied on, to the detriment of an End User. Likelihood: medium. Impact: medium. Mitigations: the original audio is retained alongside the transcript so the source can be checked; transcripts and AI summaries are presented as machine-generated and not as a verbatim legal record; Customers can correct records in their tenant; and data-subject rights to rectification are supported as described below.
7.8 AI model bias and automated decision-making
The risk is bias in AI outputs, or the perception that the AI makes decisions about individuals without human involvement. Likelihood: low. Impact: medium. SmartAlex does not make solely automated decisions that produce legal or similarly significant effects on End Users within the meaning of Article 22 of the GDPR. AI is used for call handling, routing, transcription, qualification, and analytics under the Customer's control, and the Customer is responsible for any decision it takes on the basis of those outputs, with a human able to review, override, or escalate. Mitigations: limiting any AI training to opt-in data, de-identification, human oversight in the Customer's workflow, and periodic review of model behaviour.
7.9 Undisclosed AI interaction
The risk is that an End User does not realise they are speaking with an AI agent. Likelihood: medium. Impact: medium. Mitigations: an AI-disclosure prompt is configured to play at the start of the call so the End User is told, clearly and unconditionally, that they are interacting with an AI system, in line with Article 50 of the EU AI Act and applicable US state bot-disclosure laws. The Customer must enable and permit this disclosure and must not disable or qualify it. This obligation is reinforced in our Acceptable Use Policy and our AI Usage Policy.
7.10 End-user consent and transparency
The risk is inadequate disclosure to End Users about the recording and processing of their call. Likelihood: low. Impact: medium. Mitigations: standard consent and recording notices, Customer guidance templates, and clear configuration controls. The Customer, as Controller, is responsible for obtaining all legally required call and recording consents, including two-party or all-party recording consent where the relevant jurisdiction requires it. These responsibilities are detailed in our Telephony and Call Recording Notice.
7.11 Unlawful or unsolicited telephony
The risk is that the Services are used for calls that breach telephony and marketing law, exposing End Users to unwanted contact. Likelihood: medium. Impact: medium. Mitigations: the Customer is contractually responsible for obtaining all legally required call consents (including prior express written consent for AI or prerecorded marketing calls under applicable rules), for honouring Do Not Call registries and internal opt-outs, and for not using misleading caller identification. The Services are not a substitute for, and cannot reliably reach, emergency services such as 911 or 112, and Customers are told not to rely on them for emergency contact.
7.12 Loss of availability or integrity
The risk is loss, corruption, or unavailability of Personal Data. Likelihood: low. Impact: medium. Mitigations: managed, redundant infrastructure provided by our cloud infrastructure providers, regular backups, monitoring and alerting, and a documented recovery process.
8. Technical and organisational measures
The following measures, which form part of the safeguards relied on above, are maintained on a continuing basis.
8.1 Access control
Role-based permissions and multi-factor authentication on a least-privilege basis, with multi-tenant isolation so that one Customer cannot access another Customer's data.
8.2 Encryption
AES-256 encryption at rest and TLS 1.2 or higher in transit.
8.3 Data minimisation and segregation
Only data necessary to the purpose is processed and retained, and Customer Data is logically segregated by tenant.
8.4 Logging and monitoring
Infrastructure-level intrusion detection provided by our cloud infrastructure providers, supplemented by audit logging of access to Personal Data and alerting on anomalous events.
8.5 Vendor management
Security and compliance review for all Subprocessors, governed by written data-processing terms that bind each Subprocessor to maintain security measures at least equivalent to those described in this DPIA, to process Personal Data only on SmartAlex's documented instructions, and to support audits.
8.6 Incident response
A documented incident-response plan with breach notification on the timetable set out in "Data breach and incident management" below.
8.7 Resilience and backup
Regular backups, redundancy at the infrastructure level, and a tested process for restoring data and Services after an incident.
8.8 Security testing
Internal security testing on a regular cadence, supplemented by external assessments as our security programme matures. SmartAlex is working towards SOC 2 readiness and does not currently hold its own SOC 2 or ISO 27001 attestation; our infrastructure Subprocessors maintain SOC 2 or ISO 27001 attestations.
8.9 Employee training and confidentiality
Mandatory privacy and data-security training, and confidentiality obligations binding all personnel with access to Personal Data.
9. Data subject rights and redress
9.1 Exercising rights
Requests for access, correction, deletion, restriction, objection, and portability may be made to privacy@getsmartalex.com. Where SmartAlex receives a request relating to data it processes on a Customer's behalf, it refers the request to the Customer as Controller and assists the Customer in responding. The controlling statement of data-subject rights and the procedure for making a request are set out in the SmartAlex Privacy Policy and our Data Subject Access Request Procedure.
9.2 Verification and timing
We verify identity before fulfilling a request and respond within 30 days, or sooner where the law requires, extending only where the law permits for complex requests and telling the requester why.
9.3 Complaints to a supervisory authority
A data subject's statutory right to complain to a Supervisory Authority and to a judicial remedy is not affected by any commercial dispute-resolution clause and cannot be routed into arbitration. Data subjects may complain to:
- their local Supervisory Authority in the European Union, United Kingdom, or Switzerland;
- the Singapore Personal Data Protection Commission (PDPC); or
- the South Africa Information Regulator, at complaints.ir@inforegulator.org.za (JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001, South Africa).
9.4 Commercial disputes
Commercial disputes between SmartAlex and a Customer are handled under the dispute-resolution provisions of the SmartAlex Terms of Service, which provide for SIAC arbitration seated in Singapore. That route applies to the contracting parties only and never to a data subject's statutory privacy rights.
10. Subprocessors
10.1 Categories engaged
SmartAlex engages Subprocessors across the following categories: cloud hosting and storage (primary infrastructure), telephony connectivity, real-time voice infrastructure, speech and language AI (transcription, synthesis, and language-model inference), email delivery, fraud and abuse prevention, and payment processing through our payment processor, Stripe.
10.2 Subprocessor obligations
Each Subprocessor is bound by written terms to:
- maintain security measures at least equivalent to those described in this DPIA;
- process Personal Data only on SmartAlex's documented instructions;
- support audits and provide the assurances we reasonably request; and
- where the Subprocessor is located outside the country of origin of the data, enter into the transfer safeguards described above.
10.3 Disclosure of identities and changes
The current named list of Subprocessors, with their purposes, regions, and transfer safeguards, is published in our Subprocessor List and governed by our Data Processing Addendum. Customers may subscribe to be notified in advance of any addition or replacement of a Subprocessor and may object to a change as set out in the Data Processing Addendum.
11. Data breach and incident management
11.1 Detection and containment
We maintain an incident-response plan and a documented runbook that prioritise containment on detection, supported by the logging and monitoring described above.
11.2 Notification
On becoming aware of a personal-data breach, we act without undue delay and notify as follows:
- where SmartAlex is a Processor, we notify the affected Customer (the Controller) without undue delay so that it can meet its own notification duties;
- where SmartAlex is a Controller, we notify the competent Supervisory Authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (GDPR Article 33), and we notify the Singapore PDPC as required under the PDPA data-breach regime; and
- where a breach is likely to result in a high risk to data subjects, we notify affected data subjects without undue delay (GDPR Article 34).
11.3 Records and remediation
We keep an internal record of all personal-data breaches, including the facts, effects, and remedial action taken, regardless of whether notification was required. We provide a root-cause analysis and remediation report after an incident and cooperate with the competent authorities as the law requires.
12. Residual risk evaluation
After implementing the measures in this DPIA, SmartAlex assesses the residual risk to Personal Data, for the processing in which it is the Controller, as low. The processing is not likely to result in a high risk to individuals' rights and freedoms that the measures described do not address, and no prior consultation with a Supervisory Authority under Article 36 of the GDPR is required at the date of this DPIA. The highest-rated residual risks, namely inadvertent special-category data in recordings, subprocessor exposure, and cross-border transfer, are reduced to an acceptable level by the combination of configurable recording and retention, redaction, least-privilege access, contractual safeguards, encryption, and Customer responsibility for consents and notices. For processing in which SmartAlex is a Processor, the Customer as Controller remains responsible for its own risk assessment and acceptance.
13. Approval and review
The advice of the SmartAlex Privacy Contact was sought and is reflected in this assessment. This DPIA will be reviewed annually, and sooner following any material change in processing activities, technology, or infrastructure, or following any significant incident. The next scheduled review is before 31 May 2027.
Approved by: SmartAlex Privacy Contact, THERCSGROUP PTE. LTD.
160 Robinson Road, #14-04 Singapore Business Federation Center, Singapore 068914
Privacy Contact: privacy@getsmartalex.com
This Data Protection Impact Assessment is version 1.1 and is effective from 1 June 2026.