Compliance
GDPR compliance at every layer
TorqueShift processes sensitive customer conversations on behalf of EU enterprises. Data residency, right-to-erasure, privacy by design, and our Data Processing Agreement are standard — available to all customers.
How TorqueShift meets GDPR requirements
Art. 5 — Principles
Lawfulness, fairness, and transparency
Every data processing activity is documented in our records of processing activities (ROPA). We process personal data only on a valid legal basis and communicate our practices clearly to data subjects.
Art. 13–14 — Information
Transparent privacy notices
Our Privacy Policy and in-product notices describe what data we collect, why, how long we keep it, and your rights. Call recording and IBC disclosure notices are presented to callers at the start of each session.
Art. 17 — Erasure
Right-to-erasure workflows
Enterprise customers can submit erasure requests through the admin panel. TorqueShift anonymises or deletes the relevant personal data across all datastores within 30 days and provides a completion certificate.
Art. 20 — Portability
Data export in structured format
Customer data is exportable in JSON and CSV format from the admin panel at any time. On subscription termination, a full data export is provided for 30 days before secure deletion.
Art. 25 — Privacy by design
Privacy built into the architecture
PII masking, field-level encryption, and minimum-necessary access controls are default behaviours, not configuration options. Privacy impact assessments are conducted for new features that process personal data.
Art. 28 — Processors
Data Processing Agreement
A comprehensive DPA is available for all enterprise customers, covering the scope of processing, security measures, sub-processor list, and data subject rights procedures. Request via privacy@torqueshift.ai.
Art. 32 — Security
Technical and organisational measures
AES-256-GCM encryption at rest, TLS 1.3 in transit, role-based access control, immutable audit logs, annual penetration testing, and SOC 2 Type II certification. Full details on our Security page.
Art. 44–49 — Transfers
Data residency and transfer safeguards
EU tenant data is pinned to EU infrastructure on first interaction. Cross-border transfers are covered by Standard Contractual Clauses (SCCs). Sub-processors are listed in the DPA and reviewed annually.
Need a Data Processing Agreement?
Our DPA covers processing scope, security measures, sub-processor list, and data subject rights procedures. Contact us to receive a signed copy.
Request DPA