1) Scope and purposes
Telecajas uses artificial intelligence (AI) to support customer service, document and data analysis, assisted writing, and process automation. For these purposes, strictly necessary personal data may be processed (for example, names, orders, addresses, and billing information ) in accordance with the principles of the General Data Protection Regulation (GDPR) .
2) Roles in the treatment
-
Telecajas acts as the Data Controller .
-
AI providers act as Processors , under a Data Processing Addendum (DPA) that incorporates instructions, confidentiality, technical and organizational measures, assistance in exercising rights, and data deletion/return (Art. 28 GDPR).
3) Technical and organizational safeguards
Telecajas applies "privacy by design and by default" and requires its suppliers to provide, at a minimum, the following guarantees:
-
No default training of business content: our prompts and results are not used to train models unless there is express and documented activation/consent.
-
Encryption in transit using TLS (Transport Layer Security) and encryption at rest using AES-256 (Advanced Encryption Standard, 256 bits) or equivalent.
-
Access controls with MFA (Multi-Factor Authentication) and SSO (Single Sign-On) ; SAML (Security Assertion Markup Language) and/or OIDC (OpenID Connect) support; role and permission management and audit logs .
-
24/7 monitoring and incident response , security testing (including red-teaming , controlled offensive testing), and a defense-in-depth approach.
-
Minimum retention and secure deletion ; when the service allows it, no content retention .
-
Data residency/location (e.g., in the EU ) where feasible, and international transfers with Standard Contractual Clauses (SCCs) and supplementary measures.
-
Data Protection Impact Assessments – DPIA when the use of AI may pose a high risk to rights and freedoms.
4) Required standards and certifications
We prioritize providers with international accreditations such as ISO/IEC 27001 (ISMS), ISO/IEC 27017 (cloud controls), ISO/IEC 27018 (PII in public cloud) and ISO/IEC 27701 (privacy management); SOC 2 Type 2 audits (operational controls evaluated over time, security control, availability, data confidentiality) and CSA STAR registry (Cloud Security Alliance – Security, Trust, Assurance and Risk) ; as well as alignment with GDPR and equivalent frameworks (e.g., CCPA in the US). For new AI tools, we demand substantially equivalent levels.
5) Integrations and connectors
Integrations with corporate repositories (e.g., Google Drive , SharePoint , GitHub , Notion ) are enabled and limited by the IT team , applying the principle of least privilege and segregation of permissions . All connections are subject to access controls and traceability.
6) Legal bases and minimization
We process personal data based on contract execution and/or legitimate interest (Art. 6.1.b/f GDPR), applying minimization , pseudonymization and masking where appropriate. We conduct DPIAs in AI uses that require it and document mitigation measures (including human review).
7) Rights of individuals
Telecajas guarantees the exercise of access, rectification, erasure, objection, restriction and portability . We collaborate with the Data Processors to respond on time and with traceability.
8) Preservation and Deletion
Data processed by AI tools is retained only for the time strictly necessary , depending on the purpose and legal/contractual obligations. We implement secure deletion and non-retention configurations when available.
9) Incident management and transparency
We have procedures in place for detection, response, and notification . In the event of a breach with risk, Telecajas will notify the AEPD (Spanish Agency for Data Protection) and those concerned in accordance with the GDPR. We maintain human review in decisions with significant effects, controls against misuse, and validation of generative results.
10) Updates to the appendix
This appendix will be reviewed and updated when we incorporate new AI tools or when the guarantees offered by the providers materially change, maintaining the same security, privacy, and compliance threshold described.
