Sales Lab · Trust center
Data Processing Agreement.
This is the public summary of how Sales Lab processes customer personal data. The full signed DPA is available on request from legal@saleslab.cloud and is incorporated by reference into the MSA.
What we process
Sales Lab acts as a Processor on behalf of the customer (the Controller). We process the following categories of personal data, only to provide the Service:
| Category | Data | Legal basis |
|---|---|---|
| Account data | Full name, work email, role, hashed auth token | Contract |
| Conversation data | Transcripts + audio of training calls | Contract |
| Scorecard data | Categorical scores, headlines, quoted lines | Contract |
| Operational metadata | Request logs, user agent, IP, timestamps (90-day retention) | Legitimate interest (security, debugging) |
What we do NOT process: payment card data (Stripe handles it; Sales Lab is out of PCI scope), biometric voiceprints (voice audio is processed for transcript + scoring only; no voiceprint stored), or Special Category Data under GDPR Art. 9 unless explicitly contracted in writing.
Sub-processors
Sales Lab uses the following sub-processors. We notify customer admins at least 30 days before adding a new one. If an objection cannot be accommodated within 60 days, the customer may terminate without penalty.
| Sub-processor | Purpose | Region | Transfer |
|---|---|---|---|
| Supabase | Database, auth, storage | US East 1 | SCCs |
| ElevenLabs | Voice synthesis + WebRTC | US East | SCCs + zero-retention |
| Anthropic | LLM scoring | US | SCCs + zero-retention |
| Resend | Transactional email | US | SCCs |
| Upstash | Rate-limit storage | US (multi-region) | SCCs |
| Stripe | Billing | US | SCCs |
| Vercel | Hosting + CDN | US (primary), global edge | SCCs |
| Sentry | Error monitoring | US | SCCs |
| PostHog | Product analytics (post-auth only) | US | SCCs |
International transfers
For data originating in the EU/UK, the parties agree to the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) — Module Two (Controller-to-Processor). For data originating in the UK, the ICO’s International Data Transfer Addendum applies on top of Module Two.
Security measures
- TLS 1.3 in transit; AES-256 at rest.
- Row-level security bound to tenant ID on every tenant-scoped table.
- Break-glass production access — time-bound, MFA-required, logged in a tamper-evident audit log the customer admin can review.
- Per-rep TOTP MFA, optionally enforced by admin.
- Annual external penetration tests; bug bounty at saleslab.cloud/security.
- SOC 2 Type 1 audit in progress (Q3 2026 target); Type 2 follows.
Data subject rights
We assist customer admins in responding to data-subject requests (access, correction, deletion, restriction, portability, objection) at no charge. Initiate via privacy@saleslab.cloud.
Breach notification
Sales Lab notifies the customer admin without undue delay, and in any event within 72 hours of becoming aware of a personal-data breach affecting that customer’s data. Notification includes the nature of the breach, categories and approximate count of records affected, likely consequences, and measures taken.
Termination & deletion
On termination, customer data is retrievable for 30 days via tenant export (/admin/data) or the public API. Sales Lab deletes customer data within 90 days of termination, including derived state in sub-processors, except where law requires retention. Written certification of deletion is available on request.
Last updated 2026-05-23. The full signed DPA template is at docs/legal/DPA-template.md in our repository; request a redlined version from legal@saleslab.cloud.