The General Data Protection Regulation (GDPR) applies to any organization that processes personal data of individuals in the European Economic Area, regardless of where the organization is based. As an AI infrastructure company that processes enterprise customer data including voice recordings, conversation transcripts, and PII retrieved through MCP server tool calls, Point11 implements comprehensive GDPR controls across the platform.
Legal Basis for Processing
GDPR Article 6 requires a valid legal basis for every processing activity. Point11 relies on the following bases depending on the processing context:
Contractual Necessity (Article 6(1)(b))
The primary legal basis for processing data through Point11's AI agents and MCP servers is contractual necessity. When an enterprise deploys Point11 to power its customer-facing AI agents, the processing of end-user data is necessary to fulfill the service contract. This covers voice agent conversations, chat interactions, and data retrieved through MCP tool calls during those interactions.
Legitimate Interest (Article 6(1)(f))
Point11 relies on legitimate interest for platform security monitoring, fraud detection, and service improvement. A Legitimate Interest Assessment (LIA) is documented for each processing activity under this basis, balancing Point11's interest against the data subject's rights. Processing for security and fraud prevention is recognized as a legitimate interest under GDPR Recital 47.
Consent (Article 6(1)(a))
Where consent is the appropriate basis, such as for optional analytics, voice recording for quality assurance, or marketing communications, Point11 implements GDPR-compliant consent mechanisms. Consent is freely given, specific, informed, and unambiguous. It is collected through clear affirmative action, not pre-ticked boxes or inactivity. Withdrawal of consent is as easy as giving it.
Data Subject Rights
GDPR grants individuals specific rights over their personal data (Articles 15-22). Point11 provides the technical infrastructure for enterprises to fulfill these rights:
Right of Access (Article 15)
Data subjects can request a copy of all personal data Point11 processes about them. The platform provides a self-service data export tool that generates a machine-readable JSON package containing conversation transcripts, voice interaction metadata, and any PII stored in the system. Exports are delivered within 30 days.
Right to Erasure (Article 17)
Data subjects can request deletion of their personal data. Point11's deletion workflow removes data from primary databases, backup systems, vector stores, and conversation logs. Deletion propagates to all sub-processors including cloud storage, voice providers, and LLM providers within 30 days. A deletion confirmation is provided in writing.
Right to Data Portability (Article 20)
Data subjects can request their data in a structured, commonly used, machine-readable format. Point11 exports data in JSON format with a documented schema, enabling transfer to alternative service providers.
Right to Restriction (Article 18) and Right to Object (Article 21)
Data subjects can restrict or object to specific processing activities. Point11's platform supports granular processing flags that allow enterprises to pause specific processing operations for individual data subjects without affecting the broader service.
Data Protection Impact Assessments for AI
GDPR Article 35 requires a Data Protection Impact Assessment (DPIA) when processing is likely to result in a high risk to the rights and freedoms of individuals. AI-powered processing, including automated decision-making, profiling, and large-scale processing of voice data, typically triggers the DPIA requirement.
Point11 conducts and maintains DPIAs for the following processing activities:
- AI voice agents: Processing of voice recordings, real-time transcription, and voice biometric data. Voice data is classified as high-sensitivity and subject to additional safeguards.
- AI chat agents: Processing of conversation content that may contain PII, health information, financial data, or other sensitive categories depending on the enterprise's use case.
- MCP server data retrieval: Automated retrieval of enterprise data that may include customer records, transaction histories, and account information.
Each DPIA follows the methodology defined in Article 35(7): a systematic description of the processing, an assessment of necessity and proportionality, an assessment of risks to data subjects, and the measures to address those risks. DPIAs are reviewed annually or when the processing changes materially.
The EU AI Act, which entered into force in August 2024, introduces additional requirements for AI systems classified as high-risk. Point11 monitors the EU AI Act's implementing regulations and aligns its DPIA methodology with both GDPR Article 35 and the EU AI Act's conformity assessment requirements. ISO/IEC 42001, the international standard for AI management systems, provides the framework for this alignment.
Consent Management
Point11 provides a consent management layer that enterprises can configure for their specific regulatory requirements:
- Granular consent collection: Consent is collected per processing purpose (e.g., voice recording, analytics, personalization) with clear descriptions of each purpose.
- Consent records: Every consent event (grant, withdrawal, modification) is timestamped and stored in an immutable audit log.
- Preference center: End users can review and modify their consent preferences at any time through a self-service interface provided by the enterprise.
- CCPA support: The consent management system also supports California Consumer Privacy Act requirements, including the "Do Not Sell or Share My Personal Information" mechanism.
Data Residency
Point11 supports data residency requirements across three regions:
- United States: Primary infrastructure on AWS us-east-1 and us-west-2, with Google Cloud us-central1 as an alternative.
- European Union: Dedicated EU infrastructure on AWS eu-west-1 (Ireland) and eu-central-1 (Frankfurt). Data processed in the EU region never leaves the EEA boundary.
- India: Infrastructure on AWS ap-south-1 (Mumbai) for enterprises subject to India's Digital Personal Data Protection Act (DPDPA) 2023, which requires certain categories of personal data to be stored within India.
Enterprise customers select their data residency region during onboarding. The selection determines where all data is stored, processed, and backed up. Cross-region data transfers are prohibited unless explicitly configured by the controller with appropriate safeguards in place.
Sources
- GDPR Full Text: https://gdpr-info.eu/
- GDPR Article 6 (Lawfulness of Processing): https://gdpr-info.eu/art-6-gdpr/
- GDPR Article 35 (Data Protection Impact Assessment): https://gdpr-info.eu/art-35-gdpr/
- EU AI Act: https://artificialintelligenceact.eu/
- ISO/IEC 42001 AI Management System: https://www.iso.org/standard/81230.html
- NIST AI Risk Management Framework (AI 100-1): https://airc.nist.gov/AI_RMF_Interoperability/Framework
- India Digital Personal Data Protection Act 2023: https://www.meity.gov.in/data-protection-framework