CYBORA
Document type: GDPR Article 30 Record
Last updated: 2026-01-30
Entity: CYBORA
1. Data Controller / Processor Identification
Company name: CYBORA
Address: Akademijos g. 4, 4th floor, North Wing, Vilnius, Lithuania, LT-08412
Phone: +370 640 12261
Email: support@cybora.tech
Role under GDPR:
☑ Data Processor
☑ Data Controller (for own operational activities)
Data Protection Officer (DPO):
📧 dpo@cybora.tech
2. Overview of Processing Activities
This Records of Processing Activities (“RoPA”) documents personal data processing activities carried out by CYBORA in accordance with Article 30 of the GDPR.
The RoPA covers processing performed as a data processor on behalf of clients and processing performed as a data controller for CYBORA’s own business operations.
Processing activities are aligned with CYBORA’s Terms & Conditions, Privacy Policy, and Data Processing Agreement (DPA).
The RoPA is maintained as a living document and updated as processing activities change.
3. Processing Activities – Data Processor Role
3.1 Call Center and Contact Center Services
- Purpose of processing:
Provision of inbound and outbound call center services, customer support, sales communications, and service quality management. - Categories of data subjects:
End customers, business contacts, call participants, representatives of client organizations. - Categories of personal data:
Identification data, contact data, call metadata, call recordings, communication content. - Legal basis:
Processing on documented instructions of the Controller (GDPR Art. 28). - Recipients:
Authorized CYBORA staff, approved sub-processors, client organizations. - International transfers:
EU, UK, United States, safeguarded by SCCs, UK IDTA, or adequacy frameworks. - Retention period:
As defined by client instructions or contractual agreements.
3.2 AI-Assisted Call Handling and Analytics
- Purpose of processing:
AI-supported call routing, voice bot interactions, speech-to-text processing, quality analytics. - Categories of data subjects:
Call participants and end users. - Categories of personal data:
Voice data, call transcripts, interaction metadata, technical usage data. - Legal basis:
Processing on behalf of the Controller; transparency obligations fulfilled. - AI Act risk classification:
Limited-risk AI systems. - Retention period:
Limited to operational necessity and client-defined requirements.
4. Processing Activities – Data Controller Role
4.1 Client and Business Contact Management
- Purpose of processing:
Contract management, client communication, sales inquiries, account administration. - Categories of data subjects:
Clients, prospects, business partners. - Categories of personal data:
Business contact details, communication records. - Legal basis:
Performance of a contract, legitimate interests. - Recipients:
Internal staff, authorized service providers. - Retention period:
Duration of the contractual relationship and statutory retention requirements.
4.2 Compliance, Security, and Governance
- Purpose of processing:
Compliance with legal obligations, security monitoring, incident management, audit readiness. - Categories of data subjects:
Employees, contractors, clients (where applicable). - Categories of personal data:
Identification data, access logs, audit records. - Legal basis:
Legal obligation, legitimate interests. - Retention period:
As required by applicable laws and internal policies.
5. Categories of Recipients
Personal data may be disclosed to the following categories of recipients:
- CYBORA group companies,
- approved sub-processors and technology providers,
- clients acting as data controllers,
- public authorities where legally required.
All recipients are subject to confidentiality and data protection obligations.
6. International Data Transfers
CYBORA may transfer personal data to countries outside the EU or UK, including the United States.
Transfers are conducted using approved safeguards such as Standard Contractual Clauses (SCCs) or UK IDTA.
Where applicable, adequacy decisions or recognized frameworks are applied.
Transfer mechanisms are documented and reviewed periodically.
7. Technical and Organizational Security Measures
CYBORA implements appropriate technical and organizational measures, including:
- role-based access control,
- encryption of data in transit and at rest where applicable,
- monitoring and logging,
- incident response and breach notification procedures.
Security measures are proportionate to the risks associated with the processing activities.
8. Data Retention and Deletion
Personal data is retained only for as long as necessary to achieve the stated processing purposes.
Retention periods are defined by contractual obligations, legal requirements, or internal policies.
Secure deletion or anonymization is performed when data is no longer required.
Retention schedules are reviewed regularly.
9. Review and Updates
This RoPA is reviewed at least annually and upon significant changes to processing activities.
Updates are approved through CYBORA’s internal governance process.
Historical versions may be retained for audit purposes.
The RoPA supports accountability and regulatory compliance.
10. Contact Information
For questions regarding this RoPA or personal data processing:
