Information Security

FAQs

Detailed description of processes, controls, and safeguards

What protocols, mechanisms, and controls does eAlicia employ to ensure that the transfer of recordings is carried out securely, efficiently, and in accordance with data protection requirements?

The platform receives and transmits recordings via SFTP and secure APIs, ensuring end-to-end encrypted transfer. In addition, all communications use TLS 1.3/SSL, ensuring confidentiality and integrity when sending audio or other files. The procedures used are SFTP and APIs encrypted under HTTPS/TLS 1.3.

Does the organisation have a role-based access control system that restricts access to sensitive information during data transfer processes in a granular and verifiable manner?

The platform implements role-based access control (RBAC) under the principle of least privilege, applicable to all processes, including data transfer. Furthermore, any access requires robust authentication, and connections are protected by MFA and secure credentials. This ensures that only authorised users can access sensitive information during transmission.

What protective measures and defence mechanisms have been implemented to prevent the interception of information or the execution of man-in-the-middle (MITM) attacks during the data transfer process?

The platform protects all transmissions using TLS 1.3/SSL and mutual certificate validation, preventing interception or tampering in transit. In addition, transfers via SFTP and encrypted HTTPS APIs ensure integrity and authenticity. The architecture incorporates firewalls, IDS/IPS, and network segmentation, mitigating MITM attacks and unauthorised access.

Are the architecture and processes defined for information transfer designed to handle high volumes of files without compromising established security levels?

Yes, transfer procedures are designed to handle large volumes of files without compromising security. eAlicia’s architecture uses asynchronous transfers encrypted by SFTP and APIs, designed to process large volumes of audio, text, and images without affecting security. The entire transfer is protected by TLS 1.3/SSL, along with network segmentation and perimeter controls. In addition, the acquisition and processing mechanisms are modularised and orchestrated, allowing high loads to be handled without compromising data protection.

Established procedures for patch management, anti-malware solutions, use of encryption for data in transit, and backups

What methodology or formal process does the organisation use to coordinate, apply and verify the installation of patches and updates on servers and other operating and application systems?

Patch management procedures are applied that prioritise security patches on systems that process Confidential Information (ICF) or Personal Data (DTPS), maintaining records of all audit, monitoring and security activities for 120 days and allowing for verification of the correct application of updates. These processes are integrated into a secure environment with strict access controls, ensuring that patches are installed in a controlled manner.

What is the defined frequency for applying patches, and what verification mechanisms does the organisation use to confirm that each update has been correctly and effectively installed on the target systems?

Patches are prioritised when they are security-related, and in other cases, every three months. Audit, monitoring, and security records are kept for 120 days, allowing verification that patches were applied correctly.

Does the organisation have a testing environment or pre-validation mechanisms in place to evaluate the behaviour of patches before they are deployed in production systems?

The platform maintains separate development, testing and production environments, which means that changes and updates — including patches — are first validated in non-production environments. In addition, the CI/CD model requires unit, functional and integration testing and security reviews prior to any production deployment. Therefore, controls in place to ensure that patches are tested and validated in advance.

Which antivirus and antimalware protection platforms, engines, or suites are deployed on the various systems to ensure threat detection, mitigation, and response?

TrendMicro.

What management and updating mechanisms does the organisation use to ensure that signature databases and malware definitions are kept permanently up to date on all protected systems?

The application itself automatically updates virus signatures on a scheduled basis, with centralised management.

Are security scans performed on a scheduled basis or continuously across the entire set of systems in order to proactively detect threats or anomalous activity?

The platform is continuously monitored 24/7 by the SOC and systems such as IDS/IPS, PRTG and centralised logs, which involves ongoing security and infrastructure analysis. In addition, internal audits, pentesting and periodic risk assessments are carried out to detect vulnerabilities. Although no particular frequency is specified for each system, the security policy confirms continuous and recurring controls across the entire infrastructure.

What cryptographic standards or algorithms are used to guarantee the confidentiality of data stored on servers and ensure that they meet the security requirements established by the organisation?

Backup media are encrypted, and data in transit uses TLS 1.3 with 2048-bit RSA key exchange. In addition, credentials are encrypted using AES-256. Data is stored encrypted at rest.

What cryptographic mechanisms or encryption standards are specifically applied to backups to ensure that the information stored in them remains protected against unauthorised access or integrity compromises?

All backups are encrypted. TLS 1.3 + RSA-2048 is used for data in transit and AES-256 for credentials. Therefore, backups are encrypted.

What procedures, tools, and controls does the organisation apply to manage the lifecycle of cryptographic keys and ensure their protection against unauthorised access or misuse?

Credentials are encrypted using AES-256.

What is the defined frequency for rotating cryptographic keys, and what control mechanisms are applied to ensure that this process does not affect the integrity, availability, or accessibility of data already stored or encrypted with previous keys?

Every three months.

Which profiles or roles are authorised to access cryptographic keys, and what control mechanisms—such as segregation of duties, access logs, or least privilege policies—are applied to restrict and monitor such access?

Access to encryption keys is restricted exclusively to authorised IT personnel, following strict security controls. Only these profiles can manage them, applying RBAC, the principle of least privilege and segregation of duties, ensuring that no other user or area has access to these keys. In addition, all actions related to their use or administration are recorded and audited to ensure traceability and control.

Are encryption mechanisms used to protect information during transmission, both in communication flows between servers and in data sending or retrieval operations associated with backups?

All data in transit is encrypted using TLS 1.3 with 2048-bit RSA, including internal transfers between servers and flows to/from backup systems. In addition, communications between zones in the architecture use SSL certificates and mutual validation, ensuring integrity and confidentiality. Therefore, mandatory encryption does exist for all data in transit, including backup-related data.

Do the encryption methods implemented comply with applicable technical standards and regulatory requirements—such as AES in its approved variants, FIPS 140-2 validations, or data protection obligations derived from the GDPR—and is there formal evidence to prove it?

TLS 1.3 with RSA-2048 and AES-256 encryption is used for credentials, in line with industry standards and frameworks such as GDPR, ISO 27001, ENS, SOC 2, and NIST SP 800-53. The encryption complies with the aforementioned security and data protection frameworks and regulations (GDPR, LOPDGDD, AI Act, etc.).

What protocols has the organisation defined to manage the loss, exposure or compromise of a cryptographic key, including the processes for revocation, replacement, notification and mitigation of the impact on the affected systems and data?

In the event of loss or compromise of an encryption key, an internal incident response procedure is implemented, managed by the IT team. This process includes immediate revocation of the affected key, its secure rotation/regeneration, and verification that there is no impact on data integrity or availability. All actions are logged and audited, ensuring traceability and compliance with security policies.

Independent databases with logical separation to isolate environments and ensure greater security in development and operation processes.

Is it necessary to have a more comprehensive description of the mechanisms that ensure segregation between environments — including logical controls, access restrictions, data isolation, and additional protection measures that effectively guarantee such separation?

Each customer’s data is stored in separate databases, and there are separate development, pre-production, and production environments, with their corresponding control mechanisms: firewall policies, schema separation, specific VLANs, and RBAC controls per instance.

What access control systems, authorisation policies and validation mechanisms are in place to ensure that only duly authorised personnel can interact with each environment or with the various databases that operate independently?

Access is protected by role-based access control (RBAC), applying the principle of least privilege to limit which users can enter each environment or database. In addition, robust authentication is required, including strong passwords and locking after failed attempts. All accesses are logged and audited, restricted only to roles defined for each system or resource.

Are there oversight mechanisms and audit systems in place that can continuously record, correlate, and review access, modifications, and activities carried out within the various segregated environments?

Yes. We have sub-version and system logs.
The servers maintain audit, monitoring, and security logs for 120 days, including accesses, insertions, and data modifications. In addition, the platform has continuous monitoring (SOC/NOC 24/7) and centralised logs to detect unauthorised changes or accesses. All logs are restricted by roles and are part of the internal audit and compliance processes.

What security controls, data protection mechanisms, and safeguards does the organisation apply within each segregated environment to ensure the confidentiality, integrity, and proper management of the sensitive information stored there?

Each separate environment protects sensitive data through encryption at rest and in transit (TLS 1.3, RSA-2048), along with role-based access control (RBAC) that strictly restricts who can view or modify information. In addition, all actions are recorded in auditable logs, and personal data is treated with anonymisation/pseudonymisation before any processing.

What incident management procedures does the organisation have in place to detect, contain, analyse and resolve security breaches that may occur within each segregated environment, including response, escalation and operational restoration protocols?

The platform has an internal SOC that monitors 24/7, generating automatic alerts for any anomaly or incident in any separate environment. In addition, there are documented incident management and response procedures, aligned with ISO 22301 and ISO 27001, which include analysis, containment, and customer communication. All events are recorded in auditable logs, allowing for complete investigation and traceability.

Critical aspects for the protection of AI-based systems. Additional information on security controls and practices.

What techniques, algorithms, and processes does the artificial intelligence system apply to anonymise or pseudonymise identifiable data, ensuring that personal information cannot be re-associated with the individuals to whom it belongs?

Anonymisation is carried out using automatic processes that detect patterns and entities that identify personal data and replace them with irreversible identifiers. This substitution is adapted to each case, upon request, according to the information to be protected (e.g. account numbers, ID numbers, numerical codes, proper names, dates or sensitive references such as medical information). When requested by the customer, this data may also be pseudonymised before processing.

How effective is the artificial intelligence system in identifying sensitive information and subsequently applying anonymisation or pseudonymisation techniques, and how is this performance measured or validated?

Through substitution processes, the rate is 100%.

What security controls, defence mechanisms and hardening measures have been put in place to prevent unauthorised access to the artificial intelligence model and to protect it from attempts at manipulation, parameter alteration or malicious interference in its operation?

AI models are isolated on the private network, with no connection to external services, and protected by network segmentation, firewalls, WAF, and IDS/IPS. Access is controlled through RBAC, MFA, and least privilege policies, with full traceability of all actions. All communications are encrypted with TLS 1.3/SSL, and changes go through secure CI/CD with validation and vulnerability scanning. In addition, a 24/7 SOC monitors any intrusion or tampering attempts. Only authorised IT department personnel have access to servers with AI models.

What protection mechanisms, cryptographic controls, and assurance measures are applied to ensure that artificial intelligence models maintain their integrity and confidentiality both during the training phases and in their subsequent deployment in operational environments?

Integrity and confidentiality are ensured through isolated environments, segmentation between training/validation/production, TLS 1.3/SSL encryption, and RBAC+MFA access control. Deployments go through secure CI/CD with auditing and vulnerability scanning, and a 24/7 SOC monitors for any anomalies or tampering attempts.

Are security assessments carried out periodically on artificial intelligence models—including robustness testing, vulnerability detection, and bias analysis—in order to identify potential risks that could compromise the exposure of sensitive data?

Yes, at least monthly. eAlicia performs periodic risk assessments, ethical audits, and bias reviews on all AI models, including generative, analytical, and transcription models. These analyses seek to detect vulnerabilities, deviations, discriminatory biases, or anomalous behaviour. In addition, monthly calibrations and validations with human supervision are applied to ensure security and fairness. All of this is part of a formal programme of continuous monitoring and compliance with the AI Act and GDPR, preventing accidental exposure of sensitive data.

What verification mechanisms, validation tests and quality controls are applied to confirm that the anonymisation and/or pseudonymisation processes are operating correctly before the system processes real information, thus ensuring the effectiveness of the techniques and the absence of re-identification risks?

Unit tests are performed to validate the anonymisation of the requested data.

What oversight, validation, and cleansing mechanisms does the organisation apply to ensure that, once training is complete, no sensitive data or traces remain in the model that could lead to unintentional leaks or residual storage of identifiable information?

At the customer’s request (not necessary in all cases), anonymisation is performed prior to sending data to AI models, replacing all personal data with irreversible identifiers. In addition, ethical audits, periodic bias reviews and human supervision are applied, ensuring that no sensitive data remains embedded or residual in the models.

Are differential privacy techniques or other advanced privacy preservation approaches used to minimise the possibility that the trained model could reveal sensitive information or allow re-identification of the data used during its training?

There is no need to apply differential privacy because models are not trained with customer data. Queries to the models (LLMs) are used solely to analyse the context received at that moment, without any retention or learning about that information. Furthermore, the data can be anonymised beforehand, and the analysis focuses exclusively on the behaviour of the agents, the conversations and the quality of the interactions, avoiding any risk of exposure.

What compliance processes, technical verifications, and regulatory controls does the organisation apply to ensure that artificial intelligence models operate in accordance with the privacy and data protection obligations required by regulatory frameworks such as the GDPR, LGPD, or other applicable regulations?

Compliance is guaranteed by a fully isolated architecture, where all data is processed exclusively within our private network and never sent to external services. Queries to the models are made solely from eAlicia’s internal processes, with no possibility of external access, ensuring absolute control over the flow of information. Furthermore, when requested by the client, data can be anonymised or pseudonymised before processing, reinforcing privacy protection and compliance with regulations such as GDPR and LGPD.

In relation to the process that converts the transcript into information that can be visualised on the dashboard, what artificial intelligence solution or analytical engine is used to process, interpret and structure the data generated?

Open source and proprietary models working locally.
Our AI is based on auditable open-source models (Whisper, Llama, Mistral) and proprietary models trained internally, all running exclusively on our servers within the data centre. The underlying technology uses frameworks such as PyTorch, TensorFlow and HuggingFace, installed locally and without connection to external services. We do not use third-party APIs or public clouds, so no data is sent outside our infrastructure. All processing is carried out in private, isolated environments under our complete control. This guarantees total confidentiality and data sovereignty.

What contractual mechanisms, technical controls, and operational restrictions ensure that the use of the tool is limited exclusively to the Client's project and that the processed information cannot be reused, integrated, or transferred to other developments, models, or initiatives of the organisation?

The tool is closed by design, because all AI models run solely on our private, isolated infrastructure with no connection to external services. Each client’s data is processed in logically separate instances, with independent databases that prevent any mixing between projects. There is no continuous training or cross-learning: the models do not reuse information or incorporate customer data into their internal operations. All access is regulated by RBAC, auditing and authorisation circuits, ensuring that only authorised personnel can interact with the environments. In addition, contractual commitments reinforce that customer information is used exclusively for their own service and is never shared or applied outside their perimeter.

What defence mechanisms, hardening techniques, and security strategies are applied to protect artificial intelligence models against targeted attacks—including attempts to extract sensitive information, reverse engineer, or manipulate their internal parameters—and ensure their resilience against advanced threats?

The platform protects models through total isolation on the private network, without exposure to external services, along with strict segmentation between training, validation and production. It also uses firewalls, WAF, IDS/IPS, TLS 1.3 encryption, RBAC, MFA and 24/7 SOC monitoring, preventing unauthorised access or extraction attempts. Finally, ethical audits, periodic bias reviews, and complete traceability of the model lifecycle ensure that sensitive information cannot be inferred or extracted.

Formal guidelines governing the secure storage and disposal of sensitive information in a controlled manner and in accordance with regulatory requirements.

Is it essential to have a comprehensive description of the retention policies applied, both to the data derived from the recordings and to the recordings themselves that are shared, in order to ensure their preservation, processing and disposal in accordance with established legal and operational requirements?

Yes. A distinction is made between original recordings and processed data, each with different retention policies (e.g., audio recordings for a maximum of three months and data only for auditing purposes). Therefore, it is necessary to have a detailed understanding of both policies to ensure secure deletion and regulatory compliance. Data is securely deleted at the end of the contract or when requested by the customer, ensuring compliance with GDPR and LGPD.

What retention period has been defined for the data—expressed in days or months—and under what specific conditions could this retention period be extended based on legal, operational, or compliance requirements?

Audio recordings are kept for a maximum of 3 months and may only be kept longer if the client expressly requests it. Processed data (transcripts, analyses, etc.) are only kept for as long as necessary for the purpose of the audit. Any extension of this period requires the client’s explicit request and authorisation.

Call transcription: To perform transcription, are calls recorded? What technology, engine, or transcription system is used to process and convert audio to text?

Yes, calls are recorded.
The platform uses AI transcription models installed and run locally, within the private environment and without sending information to external services.
The models used are open-source Whisper-type models, as well as variants and specific models developed internally, all run exclusively on eAlicia’s private infrastructure. These models process the audio within the data centre, without connection to third parties and under total control of the data flow.

What secure deletion techniques are applied—such as certified logical erasure, multiple overwriting, cryptographic destruction, or other equivalent procedures—to ensure that the information is irreversibly deleted and cannot be recovered by subsequent technical means?

The platform ensures secure disposal through verifiable destruction of data once its purpose has been fulfilled, including certified reports when requested by the customer. In addition, backups are immutable, encrypted and subject to limited retention, ensuring that no residual data remains after its life cycle. The process is carried out within private and controlled environments in accordance with GDPR, LOPDGDD and ISO 27001.

Do disposal policies and procedures also cover the purging of information stored in backup systems, ensuring that deleted data does not remain in backups or can be restored at a later date?

Backups are only kept for the defined period (90 days) and are then deleted in accordance with internal continuity and security policies. The copies are immutable, encrypted and periodically verified, ensuring that no information remains beyond the authorised cycle. Therefore, yes: the deletion process includes the removal of data from backups once their retention period has expired. Data is securely deleted at the end of the contract or when requested by the customer, ensuring compliance with GDPR and LGPD.

QUERIES RELATED TO INFRASTRUCTURE AND TECHNOLOGICAL ARCHITECTURE

What set of security architectures, operational controls, and physical and logical protection mechanisms are implemented in the Data Processing Centre (DPC) to ensure a robust, isolated, and resilient environment against internal and external threats?

The servers are housed in a data centre, which only the CTO and selected technicians can access, using an access card and physical key.
The data centre maintains a secure environment through advanced certifications and standards (ISO 27001, ENS high, GDPR, ISO 22301, ISO 27017), as well as reinforced physical infrastructure, biometric access control, CCTV and 24/7 surveillance. It also uses fire detection, electronic doors, biometric scanners and burglar alarms, ensuring perimeter protection. All access is documented and controlled, ensuring traceability and continuous compliance.

In which geographical locations or storage regions are the backups hosted, and what criteria were used to define this territorial distribution?

Backups are stored on the data centre’s own NAS, and a second copy is also made at an alternative geographical location. In terms of critical infrastructure, the platform maintains replicated backups between the VODAFONE and COLT data centres, located in Barcelona and Madrid, ensuring resilience and continuity.

What type of support technology is used for backup storage: tape-based systems, disk storage platforms, array infrastructures, or other equivalent media?

We do not use tapes. Backups are stored on the data centre’s own NAS, which means storage based on disks/storage arrays, not tapes. In addition, there is a second copy in an alternative geographical location, also managed on similar storage infrastructure.

More information

Download PDF for further information on Safety.