Sales Lab · Trust center
Data Processing Agreement.
This is the public summary of how Sales Lab processes customer personal data. The full signed DPA is available on request from legal@saleslab.cloud and is incorporated by reference into the MSA.
What we process
Sales Lab acts as a Processor on behalf of the customer (the Controller). We process the following categories of personal data, only to provide the Service:
- Account data
- Full name, work email, role, hashed auth token
- Contract
- Conversation data
- Transcripts + audio of training calls
- Contract
- Scorecard data
- Categorical scores, headlines, quoted lines
- Contract
- Operational metadata
- Request logs, user agent, IP, timestamps (90-day retention)
- Legitimate interest (security, debugging)
What we do NOT process: payment card data (Stripe handles it; Sales Lab is out of PCI scope), biometric voiceprints (voice audio is processed for transcript + scoring only; no voiceprint stored), or Special Category Data under GDPR Art. 9 unless explicitly contracted in writing.
Sub-processors
Sales Lab uses the following sub-processors. We notify customer admins at least 30 days before adding a new one. If an objection cannot be accommodated within 60 days, the customer may terminate without penalty.
The current sub-processor list — each party with its purpose, region, and transfer mechanism — is provided to customers on request and under the signed DPA. Email legal@saleslab.cloud.
International transfers
For data originating in the EU/UK, the parties agree to the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) — Module Two (Controller-to-Processor). For data originating in the UK, the ICO’s International Data Transfer Addendum applies on top of Module Two.
Security measures
- TLS 1.3 in transit; AES-256 at rest.
- Company-level permission checks on customer data.
- Emergency production access is time-bound, MFA-required, and visible in an audit log the customer admin can review.
- MFA can be required by an admin.
- First external penetration test scheduled for Q3 2026, annually thereafter; bug bounty at saleslab.cloud/security.
- SOC 2 Type 1 audit in progress (Q3 2026 target); Type 2 follows.
Data subject rights
We assist customer admins in responding to data-subject requests (access, correction, deletion, restriction, portability, objection) at no charge. Initiate via privacy@saleslab.cloud.
Breach notification
Sales Lab notifies the customer admin without undue delay, and in any event within 72 hoursof becoming aware of a personal-data breach affecting that customer’s data. Notification includes the nature of the breach, categories and approximate count of records affected, likely consequences, and measures taken.
Termination & deletion
On termination, customer data is retrievable for 30 days via tenant export (/admin/data) or the public API. Sales Lab deletes customer data within 90 days of termination, including derived state in sub-processors, except where law requires retention. Written certification of deletion is available on request.
Last updated 2026-05-23. The full signed DPA template is at docs/legal/DPA-template.md in our repository; request a redlined version from legal@saleslab.cloud.