Sales Stage AI

Security

Last updated: May 2026

Note on bilingual format

This page is provided in both English and German. In the event of inconsistencies between both versions, the German version shall prevail to the extent required by applicable law.

1. Our Approach to Security

Sales Stage AI is committed to protecting the data of customers and candidates through appropriate technical and organisational security measures. Security and data protection considerations are integrated into the design and operation of our platform from the ground up.

This page is intended for business owners, hiring managers, HR professionals, and those responsible for IT or legal compliance who are evaluating this platform. For legal data protection obligations and candidate rights, please refer to our Privacy Policy. For contractual data processing terms, please refer to our Data Processing Agreement, available on request.

2. Data Storage and Location

All customer and candidate data — including transcripts, AI-generated analyses, performance metrics and candidate profiles — is stored in database infrastructure operated exclusively in Germany (Frankfurt am Main, EU). Voice recordings are stored in cloud storage infrastructure, also operated in Germany (Frankfurt am Main, EU).

We do not store personal candidate data outside the European Union. Where certain processing operations involve service providers based outside the EU — in particular AI-assisted transcription and analysis — these transfers take place exclusively under Standard Contractual Clauses (SCCs) approved by the European Commission, and data is not permanently retained outside the EU by those providers.

3. Encryption

All data transmitted between users and the platform is encrypted in transit using TLS (Transport Layer Security). All data stored on our infrastructure is encrypted at rest, using AES-256 encryption. This applies to voice recordings, transcripts, analysis results and all candidate and customer account data.

Payment data is handled exclusively by our payment processor, which operates to PCI-DSS (Payment Card Industry Data Security Standard) certification. Sales Stage AI does not store, process, or have access to complete card or account data at any point.

4. Access Controls

Access to customer data within the platform is governed by role-based access control. Each organisation's data is logically isolated from all other customers through our multi-tenancy architecture — no customer can access another customer's data under any circumstances.

Internal access to production systems and customer data is restricted to personnel for whom access is strictly necessary. We apply the principle of least privilege throughout our infrastructure. Administrative access requires authentication and is logged.

5. Candidate Data Protection

We treat candidate data with particular care, given its sensitive nature in the context of hiring processes.

  • Simulation links are valid for 14 days from the time of creation, after which they expire automatically and can no longer be used to access the simulation.
  • All candidate data — including voice recordings, transcripts, and AI-generated analyses — is automatically and irreversibly deleted 90 days after the simulation is completed. Deletion can be requested at any time before this deadline, by the client or the candidate.
  • Upon account deletion, all associated candidate data and account information is permanently deleted within 30 days.
  • Certain encrypted backup copies may temporarily persist for a short additional period for technical and disaster recovery purposes, before being automatically purged.
  • No candidate data is retained beyond these periods unless a statutory obligation requires otherwise — such as billing records, which are retained for 10 years under German tax law.

6. No Use as Training Data

Candidate data — including voice recordings, transcripts and AI-generated analyses — is never used to train, fine-tune, or improve AI models, neither by Sales Stage AI nor by any of our sub-processors.

We have actively disabled training data usage with all AI service providers we engage, and this prohibition is a binding component of our Data Processing Agreements with those providers. This applies without exception — neither automatically nor on an optional basis.

7. AI System Limitations and Human Oversight

Sales Stage AI is designed as a decision-support platform and not as an autonomous hiring system.

The platform:

  • does not make automated hiring or rejection decisions
  • does not autonomously accept, reject, rank or recommend any candidate
  • does not perform emotion recognition
  • does not perform lie detection
  • does not conduct psychological or personality profiling
  • does not create biometric profiles
  • requires meaningful human review of all AI-generated results before any hiring decision is made

Customers remain solely responsible for all hiring and employment-related decisions.

8. Third-Party Providers

We engage a limited number of carefully selected sub-processors, who process data strictly on our behalf and under our documented instructions. Data Processing Agreements pursuant to Art. 28 GDPR are in place with all sub-processors.

Sub-processors fall into the following categories:

  • Database infrastructure (EU-based)
  • Cloud storage (EU-based)
  • AI speech processing and analysis services
  • AI voice synthesis
  • Web hosting and content delivery
  • Payment processing (US-based, PCI-DSS certified)

A complete list of sub-processors, including provider names and further processing details, is available to our customers upon request, within the framework of a Data Processing Agreement.

9. Monitoring and Incident Response

We maintain documented incident response procedures covering detection, containment, investigation and recovery. In the event of a personal data breach, we are committed to notifying the competent supervisory authorities within 72 hours of becoming aware of the incident, in accordance with Art. 33 GDPR. Affected individuals are notified without undue delay where there is a likely high risk to their rights and freedoms, pursuant to Art. 34 GDPR.

10. GDPR and EU AI Act Compliance

Sales Stage AI is incorporated and operates under German law and is fully subject to the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

Under the EU AI Act (Regulation (EU) 2024/1689), this platform may fall within the scope of AI systems used in employment and personnel management (Annex III, No. 4). We take this classification very seriously. All AI-generated evaluations are intended exclusively as decision-support tools — the platform makes no automated hiring or rejection decisions and a qualified human reviewer must evaluate all results before any hiring decision is made.

A Data Processing Agreement (DPA) pursuant to Art. 28 GDPR is available to all customers. Enterprise customers may additionally request detailed security documentation and completed security questionnaires under a Non-Disclosure Agreement.

11. Responsible Security Disclosure

If you believe you have identified a technical or legal issue affecting Sales Stage AI, please contact us directly. We will review all reports promptly and get back to you within two business days.

12. Contact

For any security-related questions, vulnerability disclosures or to request further security documentation:

Email: [security@domain.com]

For full details on data processing, legal bases, and candidate rights, please refer to our Privacy Policy. For our contractual terms, please refer to our Terms of Service.