Data processing is purpose-bound to call execution and customer workflows.
Data categories
- Operational call metadata: call identifiers, status transitions, timestamps, routing metadata.
- Conversation artifacts: recordings (where enabled), transcript objects, extracted structured outcomes.
- Integration payloads: webhook payloads, CRM action inputs/outputs, runtime context variables.
- Administrative metadata: configuration events, API key metadata, audit-oriented request traces.
Data lifecycle stages
- Ingestion: request payloads and runtime context enter controlled API/runtime flows.
- Processing: agent runtime executes scripts, knowledge retrieval, and configured actions.
- Delivery: outcomes are exposed via API resources and webhook notifications.
- Retention or deletion: artifacts are retained per policy and can be exported/deleted through supported flows.
Customer governance checklist
- Define retention policy for recordings and transcripts.
- Validate who can access call artifacts and exports.
- Approve CRM fields that receive extracted data.
- Review cross-region transfer requirements for regulated workloads.
- Confirm deletion workflows (for example GDPR erasure operations).
Subprocessor and transfer review
Callaro integrations may involve telephony, storage, and customer-selected downstream systems. During enterprise review, document:
- subprocessors involved in your deployment
- data categories shared with each processor
- transfer regions and safeguards
- customer-managed integrations receiving webhook/API exports
Artifact and evidence requests
Use security/support channels to request review artifacts such as:
- data flow diagrams
- retention policy references
- access-control overview documents
Always use masked or synthetic data in sandbox and test systems. Never promote test payloads containing real customer PII into non-production workflows.
What to do next
