Frequently Asked Questions & Key Terms

To help you quickly find answers to common questions about data protection, processing practices, and terminology used in connection with SallyAI, we’ve compiled this FAQ section.

Here you’ll also find explanations of key legal and technical terms that appear in our agreements and documentation — always clearly worded and easy to understand.

If your question isn’t listed here, feel free to contact our data protection team at:
📧 privacy@sally.io

🔒 General Data Protection

Sally AI operates under a GDPR-compliant Data Processing Agreement (DPA) with all customers and subprocessors.
The General Data Protection Regulation (GDPR) is the EU’s data privacy law, regulating how personal data must be collected, processed, and protected.

Compliance measures include:

Formal DPAs with customers and all subprocessors
Comprehensive technical and organizational measures (TOMs) – see Appendix 1 of the DPA
A documented Data Protection Impact Assessment (DPIA, Art. 35 GDPR)
Regular internal audits and security reviews
Transparent communication to users on what data is processed and for what purposes
Processing of personal data exclusively within the EU data boundary

2. What types of personal data does Sally AI process?

Depending on usage, the following categories of personal data may be processed:

Audio and video data from online meetings
Transcriptions of spoken content
Metadata such as participant list, time, duration, meeting ID
Names and contact details of participants (if provided)

Sally AI acts as a data processor (GDPR Art. 4(8)), processing personal data on behalf of the customer.
The customer is the data controller (GDPR Art. 4(7)), defining the purposes and means of the processing.

4. How long does Sally AI retain data? Is there a data deletion policy?

During the contract term: Data is stored according to agreed usage terms and retention periods
After contract termination: Personal data is deleted within 30 days, unless legal retention obligations apply
Deletion is carried out according to the DPA and confirmed in writing

5. What technical and organizational measures (TOMs) does Sally AI use to protect customer data?

Examples (see full list in Appendix 1 of the DPA):

AES-256 encryption at rest and TLS/SSL encryption in transit
Role-based access control and multi-factor authentication
Logging of all access and changes
Separation of development and production systems
Regular backups and disaster recovery testing

🌍 Data Locations & Transfers

6. Where is customer data stored when using Sally AI?

All data is stored in data centers located within the European Union (primarily Microsoft Azure and Hetzner).

7. Is it possible to store all data exclusively within the European Union (EU)?

Yes. For all EU customers, all data traffic remains entirely within the EU data boundary.

8. Does Sally AI transfer data to third countries (e.g., the United States)?

No, personal data is not processed outside of the European Union.

9. What safeguards does Sally AI use for international data transfers?

Not applicable, as no personal data is transferred outside the EU.

10. Can customers choose where their data is stored (e.g., Germany, Ireland)?

The default storage is within the EU. Specific EU locations (e.g., Germany, Ireland) can be selected based on hosting options.

🏠 On-Premise & Self-Hosting

11. Does Sally AI offer an on-premise or self-hosted deployment option?

Currently, no on-premise or self-hosting option is offered automatically. If you are interested in having a on-premise or self-hosted instance please make an appointment with us thorugh our sally.io Website.

12. What are the requirements for running Sally AI in a local environment?

Not applicable, as no local installation is available.

13. Are there any data protection differences between the cloud and on-premise versions?

Not applicable, as only a cloud-based version is available.

👥 User Rights & Assistance

14. How does Sally AI support data subject requests (e.g., access, deletion)?

Sally AI supports the data controller (customer) in fulfilling data subject rights under GDPR Articles 12–23, including:

Access requests
Rectification
Erasure (“right to be forgotten”)
Data portability
Objection to processing

15. How can I inform my end users about the use of Sally AI?

By providing a clear privacy notice that explains the purpose, scope, legal basis, and recipients of the data processing.
Sally AI can provide template wording to customers.

16. Does Sally AI offer features for data anonymization or pseudonymization?

Yes. Sally AI supports pseudonymization of sensitive data.
Full anonymization can be performed upon customer request.

📄 Contracts & Subprocessors

Yes. A GDPR-compliant DPA (equivalent to an EU “AVV”) is signed with all customers.

18. Which subprocessors does Sally AI use?

The list of subprocessors is included in Appendix 3 of the DPA (e.g., Microsoft Azure, Hetzner, AWS, DeepL, Stripe).

19. Can I request a copy of the DPA or a list of subprocessors?

Yes. These can be provided upon request.

20. Does Sally AI perform regular security reviews or audits?

Yes. Technical and organizational measures are reviewed and documented at least quarterly.

⚠️ Security Incidents

21. How will I be notified in the event of a data breach?

In the event of a personal data breach, Sally AI will notify the customer without undue delay, including details of the nature, scope, affected data, and measures taken.

22. What are the notification timelines in case of a security incident?

Notification will occur within 72 hours of becoming aware of the breach, if notification is legally required (GDPR Art. 33).

23. Who is the main contact for data protection at Sally AI?

Data Protection Officers:
Names: Fabian Kissel & Norton Engele
Email: privacy@sally.io

Data Processing Agreement (DPA)
Technical and Organizational Measures (TOMs)
List of subprocessors
Data Protection Impact Assessment (DPIA)
AI Act compliance statement

🔒 General Data Protection​

1. How does Sally AI ensure compliance with the GDPR (EU data protection law)?​

2. What types of personal data does Sally AI process?​

3. Is Sally AI a data controller or a data processor under the GDPR?​

4. How long does Sally AI retain data? Is there a data deletion policy?​

5. What technical and organizational measures (TOMs) does Sally AI use to protect customer data?​

🌍 Data Locations & Transfers​

6. Where is customer data stored when using Sally AI?​

7. Is it possible to store all data exclusively within the European Union (EU)?​

8. Does Sally AI transfer data to third countries (e.g., the United States)?​

9. What safeguards does Sally AI use for international data transfers?​

10. Can customers choose where their data is stored (e.g., Germany, Ireland)?​

🏠 On-Premise & Self-Hosting​

11. Does Sally AI offer an on-premise or self-hosted deployment option?​

12. What are the requirements for running Sally AI in a local environment?​

13. Are there any data protection differences between the cloud and on-premise versions?​

👥 User Rights & Assistance​

14. How does Sally AI support data subject requests (e.g., access, deletion)?​

15. How can I inform my end users about the use of Sally AI?​

16. Does Sally AI offer features for data anonymization or pseudonymization?​

📄 Contracts & Subprocessors​

17. Is there a GDPR-compliant Data Processing Agreement (DPA) available?​

18. Which subprocessors does Sally AI use?​

19. Can I request a copy of the DPA or a list of subprocessors?​

20. Does Sally AI perform regular security reviews or audits?​

⚠️ Security Incidents​

21. How will I be notified in the event of a data breach?​

22. What are the notification timelines in case of a security incident?​

23. Who is the main contact for data protection at Sally AI?​

24. What privacy-related documentation is available?​