Security & Compliance

GDPR — EU & UK Data Protection

The General Data Protection Regulation (GDPR) applies to any organization that processes personal data of EU or UK residents, regardless of where the organization is based. This page explains how Converse supports your GDPR obligations.

Roles under GDPR

Understanding who is responsible for what:

Your organization — Data Controller

You determine the purpose and means of processing personal data. You are responsible for obtaining consent, responding to data subject requests, and maintaining records of processing activities. You instruct Converse on how to process data on your behalf.

Converse — Data Processor

Converse processes personal data only on your documented instructions. We implement appropriate technical and organizational measures to protect the data. We do not use your customers' data for any purpose other than providing the platform to you.

Data Processing Agreement (DPA)

GDPR requires a written contract between controllers and processors. Contact us to execute a Data Processing Agreement (DPA). Do not process EU/UK personal data without an executed DPA in place.

Personal data processed by Converse

When you use Converse to contact EU/UK residents, the following personal data may be processed:

GDPR principles and how we support them

Lawful basis & consent

Converse provides a Consent Tracking feature (enable in Settings → Security). When active:

Your organization must ensure the lawful basis for processing (consent, contract, legitimate interest) is documented and appropriate for each use case.

Data minimization

Storage limitation & retention

Configure data retention policies to automatically delete personal data after the required retention period:

Right of access & portability

When a data subject requests access to their data:

Right to erasure ("right to be forgotten")

To delete all data for a specific individual:

Data breach notification

GDPR requires notification to your supervisory authority within 72 hours of becoming aware of a breach that affects EU personal data. Our obligations:

Data transfers outside the EU

If Converse processes EU personal data on infrastructure located outside the EU/EEA, appropriate transfer mechanisms must be in place. Contact us to understand our current data center locations and available transfer mechanisms (Standard Contractual Clauses, adequacy decisions, etc.).

Recommended GDPR configuration

Execute DPA with Converse before processing EU/UK personal data

Enable Consent Tracking in Settings → Security for calls that involve recording

Enable PHI Protection to redact identifiers from stored transcripts

Enable Tamper-evident Audit Log

Set transcript and recording retention periods to match your retention policy

Document the lawful basis for each type of call (support, campaigns, etc.)

Ensure outbound campaign contacts have provided consent for automated calling

Create a data subject request procedure using the History and Campaign APIs

Configure campaign opt-out handling — contacts who say "do not call" are auto-marked