CallOnAlarm: Regulatory Compliance Commitment
Version 1.0, February 2026
1. Introduction
CallOnAlarm is an alert notification platform that enables its clients to receive automated phone calls when an event is detected. These events may originate from physical devices (sensors, connected equipment, security control panels) or be triggered via our API by third-party applications.
Our service involves the processing of personal data (phone numbers, names of emergency contacts) and the transmission of automated phone calls. These activities are subject to strict regulations that we are committed to complying with scrupulously.
This document details the measures we have implemented to ensure our service's compliance with applicable regulations regarding the protection of personal data and electronic communications.
Note regarding North America: As of the publication date of this document, CallOnAlarm is available only in Europe. The sections relating to the United States and Canada (TCPA, CCPA, PIPEDA, CASL, etc.) describe the measures we will implement upon launching the service in these regions. We have chosen to anticipate these regulatory requirements to ensure full compliance from the first day of availability in these markets.
2. Our Commitment
CallOnAlarm is committed to:
Respecting the privacy of all individuals whose data is processed by our platform
Obtaining and documenting consent from each person before any phone call
Protecting personal data through appropriate technical and organizational measures
Ensuring transparency about our data processing practices
Facilitating the exercise of rights by data subjects
Cooperating with competent supervisory authorities
Maintaining a relationship of trust with our technology partners
3. Compliance in Europe
3.1 General Data Protection Regulation (GDPR)
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) constitutes the main legal framework applicable to our activity within the European Union.
3.1.1 Legal Basis for Processing
In accordance with Article 6 of the GDPR, any processing of personal data must rely on a legal basis. CallOnAlarm bases its processing on:
a) Explicit Consent (Article 6.1.a)
For emergency contacts designated by our clients, we obtain explicit, freely given, specific, informed, and unambiguous consent through our phone verification system.
b) Performance of a Contract (Article 6.1.b)
For our direct clients, processing is necessary for the performance of the service contract they have subscribed to.
c) Legitimate Interest (Article 6.1.f)
In certain limited cases (system security, fraud prevention), we may rely on our legitimate interest, after conducting and documenting a legitimate interests assessment (the balancing test against the rights and freedoms of the data subjects).
3.1.2 Fundamental Principles Observed
Lawfulness, fairness, transparency (Art. 5.1.a): consent verified by call, clear privacy policy
Purpose limitation (Art. 5.1.b): data used solely for alert notifications
Data minimization (Art. 5.1.c): only strictly necessary data is collected
Accuracy (Art. 5.1.d): phone numbers verified before use
Storage limitation (Art. 5.1.e): defined and applied retention policy
Integrity and confidentiality (Art. 5.1.f): encryption, access controls, security audits
Accountability (Art. 5.2): complete documentation, records of processing
3.1.3 Data Subject Rights
We guarantee the effective exercise of rights provided for in Articles 15 to 22 of the GDPR:
Right of access (Art. 15)
Right to rectification (Art. 16)
Right to erasure (Art. 17)
Right to restriction of processing (Art. 18)
Right to data portability (Art. 20)
Right to object (Art. 21)
Details of these rights and how to exercise them are presented in Section 8.
3.1.4 International Transfers
In accordance with Chapter V of the GDPR, any transfer of data to a third country is subject to appropriate safeguards:
Our main servers are hosted within the European Union (Hetzner, Germany)
Transfers to the United States (Twilio) are governed by the EU-US Data Privacy Framework and the European Commission's Standard Contractual Clauses
No transfer is made to countries without an adequate level of protection without appropriate safeguards
3.2 ePrivacy Directive
Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (ePrivacy Directive) specifically governs electronic communications.
3.2.1 Unsolicited Communications (Article 13)
Article 13 of the ePrivacy Directive states that automated calling and communication systems for direct marketing require prior consent.
Our Compliance:
CallOnAlarm does not engage in any commercial solicitation. Our automated calls are exclusively intended to verify consent (single validation call) and notify security alerts to contacts who have previously consented.
These purposes are based on explicit prior consent and legitimate security interests and do not constitute commercial solicitation.
3.3 National Regulations
3.3.1 France
Data Protection Act (Law No. 78-17 of 6 January 1978, as amended)
CNIL is the competent supervisory authority. We comply with CNIL recommendations regarding data retention periods, methods for obtaining consent, and information provided to data subjects.
Postal and Electronic Communications Code
Article L. 34-5 governs direct marketing by automatic calling machines. Our security notification calls do not fall into this category as they pursue no commercial purpose.
3.3.2 Germany
Federal Data Protection Act (BDSG)
The BDSG supplements the GDPR. We comply with BDSG requirements, particularly regarding appointment of a Data Protection Officer and enhanced documentation obligations.
Act Against Unfair Competition (UWG)
Section 7 prohibits harassment through electronic communications. Our security calls, based on explicit consent and limited to emergency situations, comply with this framework.
3.3.3 Other Member States
We adapt our practices to the regulatory specificities of each Member State where we operate, consulting the recommendations of local supervisory authorities (AEPD in Spain, Garante in Italy, etc.). For the United Kingdom, which is no longer an EU Member State and applies the UK GDPR, the competent authority is the ICO.
4. Compliance in North America
4.1 United States: TCPA
The Telephone Consumer Protection Act (TCPA) of 1991 (47 U.S.C. § 227) is the main U.S. federal regulation governing automated telephone calls.
4.1.1 TCPA Requirements
The TCPA prohibits, with certain exceptions, calls made using an "automatic telephone dialing system" (ATDS) or a prerecorded voice, without the prior express consent of the recipient.
4.1.2 Our TCPA Compliance
a) Prior Express Written Consent
For any call to a U.S. number, we will require documented written or electronic consent, clear disclosure that automated calls will be made, and the ability to revoke consent at any time.
b) Do Not Call Registry
We will comply with the National Do Not Call Registry and maintain an internal exclusion list.
c) Caller Identification
All our calls will display a valid callback number identifying CallOnAlarm.
d) Calling Hours
Consent verification calls will be made only between 8:00 AM and 9:00 PM local time of the recipient. Security alerts may occur at any time depending on the emergency.
4.1.3 Emergency Purposes Exception
The TCPA provides an exception for "emergency purposes." Our security alert notification calls may fall under this exception when they concern an imminent threat to the safety of persons or property. Nevertheless, we maintain our prior consent requirement to ensure the best legal protection.
4.2 United States: State Regulations
4.2.1 California Consumer Privacy Act (CCPA)
CCPA grants California residents rights such as the right to know, delete, opt-out of sale, and non-discrimination.
Our commitment: CallOnAlarm does not sell personal data and guarantees the exercise of CCPA rights.
4.2.2 Other States
We monitor regulatory developments in states with data protection laws (VCDPA, CPA, CTDPA, UCPA).
4.3 Canada: PIPEDA and CASL
4.3.1 PIPEDA
PIPEDA principles we follow:
Accountability: designation of a compliance officer
Identifying Purposes: clearly defined purposes
Consent: informed consent obtained
Limiting Collection: collection limited to what is necessary
Limiting Use, Disclosure, and Retention: use consistent with stated purposes
Accuracy: data kept up to date
Safeguards: appropriate data protection
Openness: publicly accessible policies
Individual Access: right of access guaranteed
Challenging Compliance: complaint mechanism in place
4.3.2 CASL
CASL governs commercial electronic messages. Although our communications are not commercial, we apply CASL's express consent principles by analogy.
4.3.3 National Do Not Call List (DNCL)
We will comply with the CRTC's DNCL for calls to Canada.
5. Consent Verification System
5.1 Fundamental Principle
CallOnAlarm has developed a consent verification system via phone call that ensures each emergency contact has expressly agreed to receive calls from our platform.
This system meets a dual requirement:
Legal: documenting explicit, freely given, specific, and informed consent
Ethical: ensuring no one receives unwanted calls
5.2 How the System Works
Prior information
Before adding an emergency contact, our client (the connection holder orchestrating the calls) must:
Personally inform the contact that they wish to designate them as an emergency contact
Explain the nature of the service: automated calls in case of security alert
Confirm this information by checking a box attesting that they have informed the contact
This preliminary step ensures that the contact is forewarned and is not surprised by the verification call.
Verification call
An automated phone call is made to the contact with the following example message (English):
"Hello, you are receiving this call from the Call On Alarm platform. [Client name] wishes to add you as an emergency contact to receive notifications in case of an alert on their system.
If you agree to receive these calls, press 1.
If you decline, press 9."
5.3 Right to Withdraw Consent
In accordance with Article 7.3 of the GDPR, we guarantee the right to withdraw consent in several ways:
a) During an Alert Call
During each alert call, the contact can press key 9 to unsubscribe immediately. A message confirms that their request has been recorded and no further calls will be made to them.
b) Through Our Client
The contact can ask the client (connection holder) to remove them from the emergency contact list.
c) Direct Contact
The contact can contact us directly at [email protected] to request their removal.
5.4 Protection Against Abuse
Blacklist Mechanism
If the same phone number refuses verification (key 9) on two different connections, that number is automatically added to a blacklist that applies across all of that client's connections. This prevents harassment and repeated non-consensual additions.
Attempt Limitation
A minimum delay of one hour is imposed between two verification attempts for the same contact.
Each attempt consumes credits, discouraging abuse.
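One way to encode the rules of Sections 5.2 to 5.4 as a single consent ledger, shown here as an added illustrative example and not CallOnAlarm's own code. The class and method names, the in-memory store and the sample phone numbers are assumptions made for the example; every call it processes leaves a record with the fields listed in Section 6.2.3 (unique identifier, timestamp, called number, result, DTMF action).

```python
# Added illustrative example for this page; not CallOnAlarm's own code.
# The class and field names, the in-memory store and the sample numbers are
# assumptions made for the example. The rules it enforces come from the text:
#   - verification call answered with DTMF 1 = consent, 9 = refusal (5.2)
#   - DTMF 9 during an alert call = immediate withdrawal, no further calls (5.3)
#   - refusal on two different connections of one client = client-wide blacklist (5.4)
#   - at most one verification attempt per contact per hour (5.4)
#   - every call logged with id, timestamp, number, result and DTMF (6.2.3)
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import uuid

MIN_RETRY_INTERVAL = timedelta(hours=1)
REFUSALS_BEFORE_BLACKLIST = 2


@dataclass(frozen=True)
class CallRecord:
    call_id: str
    timestamp: datetime
    number: str
    kind: str          # "verification" or "alert"
    result: str        # consented / refused / no_answer / delivered / opted_out
    dtmf: str | None


@dataclass
class ConsentLedger:
    log: list[CallRecord] = field(default_factory=list)
    consents: set[tuple[str, str, str]] = field(default_factory=set)        # (client, connection, number)
    refusals: dict[tuple[str, str], set[str]] = field(default_factory=dict)  # (client, number) -> connections
    blacklist: set[tuple[str, str]] = field(default_factory=set)            # (client, number)
    opt_outs: set[str] = field(default_factory=set)                         # number, across all clients
    last_attempt: dict[str, datetime] = field(default_factory=dict)         # number -> last verification call

    def _record(self, number: str, kind: str, result: str, dtmf: str | None, now: datetime) -> CallRecord:
        rec = CallRecord(str(uuid.uuid4()), now, number, kind, result, dtmf)
        self.log.append(rec)
        return rec

    def may_verify(self, client: str, number: str, now: datetime) -> tuple[bool, str]:
        """Gate to run before placing a verification call."""
        if number in self.opt_outs:
            return False, "opted_out"
        if (client, number) in self.blacklist:
            return False, "blacklisted"
        last = self.last_attempt.get(number)
        if last is not None and now - last < MIN_RETRY_INTERVAL:
            return False, "retry_too_soon"
        return True, "ok"

    def verification_result(self, client: str, connection: str, number: str,
                            dtmf: str | None, now: datetime) -> CallRecord:
        """Apply the outcome of a verification call (dtmf is None when nobody answered)."""
        allowed, reason = self.may_verify(client, number, now)
        if not allowed:
            raise PermissionError(reason)
        self.last_attempt[number] = now
        if dtmf == "1":
            self.consents.add((client, connection, number))
            return self._record(number, "verification", "consented", dtmf, now)
        if dtmf == "9":
            conns = self.refusals.setdefault((client, number), set())
            conns.add(connection)
            if len(conns) >= REFUSALS_BEFORE_BLACKLIST:
                self.blacklist.add((client, number))
            return self._record(number, "verification", "refused", dtmf, now)
        return self._record(number, "verification", "no_answer", dtmf, now)

    def can_alert(self, client: str, connection: str, number: str) -> bool:
        """Alert calls go only to contacts holding a live consent on that connection."""
        return (number not in self.opt_outs
                and (client, number) not in self.blacklist
                and (client, connection, number) in self.consents)

    def alert_result(self, client: str, connection: str, number: str,
                     dtmf: str | None, now: datetime) -> CallRecord:
        """Apply the outcome of an alert call; key 9 withdraws consent immediately."""
        if not self.can_alert(client, connection, number):
            raise PermissionError("no_consent")
        if dtmf == "9":
            # Withdrawal is global: drop every consent held for this number.
            self.opt_outs.add(number)
            self.consents = {c for c in self.consents if c[2] != number}
            return self._record(number, "alert", "opted_out", dtmf, now)
        return self._record(number, "alert", "delivered", dtmf, now)
```

The ledger is deliberately conservative where the text leaves room: the one-hour throttle is keyed on the number alone rather than on the (connection, number) pair, the blacklist is scoped to the client that triggered it, and a key-9 withdrawal during an alert removes every consent held for that number across all clients, which is what "no further calls will be made to them" requires.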
6. Technical and Organizational Measures
6.1 Data Security
In accordance with Article 32 of the GDPR, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
6.1.1 Encryption
Data in transit: TLS 1.3 for all HTTP communications
Passwords: bcrypt hashing with a unique salt per password
Authentication tokens: signed JWTs with key rotation
Connection security keys: randomly generated, non-reversible
6.1.2 Access Control
Strong authentication for all administrative access
Principle of least privilege applied
Logging of all access to personal data
Periodic review of access rights
6.1.3 Infrastructure
Hosting within the European Union (Hetzner, Germany)
High availability architecture with redundancy
Encrypted daily backups
Documented and tested disaster recovery plan
6.1.4 Monitoring and Detection
24/7 infrastructure monitoring
Intrusion detection and automated alerts
Security log analysis
Annual penetration tests
6.2 Fraud Protection
6.2.1 Phone Number Validation
Format verification (European numbers only for now)
Detection of premium-rate numbers (prohibited)
Validation through actual call
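The first two checks above (E.164 format, European numbers only, premium-rate numbers rejected) as one validation routine, added here as an illustrative example and not CallOnAlarm's implementation. The country-code set and the premium-rate prefix table are short constructed samples covering a handful of countries; national numbering plans change, so a production system should take them from a maintained numbering-plan library. The third check, validation through an actual call, is the verification call of Section 5 and is not repeated here.

```python
# Added illustrative example for this page; not CallOnAlarm's own code.
# EUROPEAN_COUNTRY_CODES and PREMIUM_RATE_PREFIXES are short constructed
# samples (assumption): a real deployment keeps them in a maintained
# numbering-plan library, since national plans change.
from __future__ import annotations
import re

EUROPEAN_COUNTRY_CODES = {
    "31", "32", "33", "34", "39", "41", "43", "44", "45", "46", "48", "49",
    "351", "352", "353", "358",
}

# National prefixes (dialled after the country code, trunk '0' removed) that
# carry premium-rate charges; illustrative subset only.
PREMIUM_RATE_PREFIXES = {
    "33": ("89",),                 # FR 089x
    "49": ("900",),                # DE 0900
    "44": ("9",),                  # UK 09
    "39": ("899",),                # IT 899
    "34": ("803", "806", "807"),   # ES 80x
}

# E.164: '+', a non-zero first digit, at most 15 digits in total
E164 = re.compile(r"^\+[1-9]\d{1,14}$")


def normalize(raw: str) -> str:
    """Canonical E.164 form: drop '(0)' trunk hints and separators, map a 00 prefix to '+'."""
    number = re.sub(r"\(0\)", "", raw)
    number = re.sub(r"[\s().-]", "", number)
    if number.startswith("00"):
        number = "+" + number[2:]
    return number


def split_country_code(number: str) -> tuple[str | None, str]:
    """Longest-prefix match of a known country code (1 to 3 digits) after '+'."""
    body = number[1:]
    for length in (3, 2, 1):
        if body[:length] in EUROPEAN_COUNTRY_CODES:
            return body[:length], body[length:]
    return None, body


def validate_number(raw: str) -> tuple[bool, str]:
    """Return (True, e164_number) when the number may be called, else (False, reason)."""
    number = normalize(raw)
    if not E164.match(number):
        return False, "not_e164"
    cc, national = split_country_code(number)
    if cc is None:
        return False, "not_european"
    if any(national.startswith(p) for p in PREMIUM_RATE_PREFIXES.get(cc, ())):
        return False, "premium_rate"
    return True, number
```

Normalizing before matching matters for the premium-rate check: a number written as "+33 (0)8 99 ..." must lose the "(0)" first, otherwise the national part starts with "0" and the prefix comparison silently misses it.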
6.2.2 Rate Limiting
Maximum number of calls per connection per day
Detection of abnormal behavior
Automatic suspension in case of detected abuse
6.2.3 Traceability
Each call is logged with:
Unique identifier
Precise timestamp
Called number
Call result
Actions performed (DTMF)
These logs are retained in accordance with our legal obligations and allow us to respond to any audit or verification request.
6.3 Privacy by Design
In accordance with Article 25 of the GDPR, we integrate data protection from the design stage of our systems:
Minimization: only strictly necessary data is collected
Pseudonymization: use of internal identifiers rather than directly identifying data
Privacy-protective defaults: the most protective options are enabled by default
Data separation: isolation of data between clients
7. Partnership with Twilio
7.1 Our Technology Partner
CallOnAlarm uses the services of Twilio Inc. for making phone calls. Twilio is a global leader in cloud communications, recognized for its reliability and regulatory compliance.
7.2 Twilio's Acceptable Use Policy
Twilio maintains a strict Acceptable Use Policy (AUP) that we fully comply with. This policy prohibits:
Unsolicited calls (voice spam)
Telephone harassment
Caller ID spoofing
Calls to numbers that have requested not to be contacted
Any illegal use of the services
7.3 Our Commitments to Twilio
Documented Consent
We never make an alert call via Twilio without having explicit and documented consent from the recipient.
The only call made without prior consent from the recipient is the single verification call, whose purpose is to obtain that consent. That call is initiated only after our client has attested to having personally informed the contact and will not result in further calls if the contact refuses or does not respond.
Honoring Opt-Out Requests
When a recipient requests not to be contacted (key 9 or direct request), we immediately cease all calls to that number, record the request, and prevent any future contact attempts.
Caller Identification
All our calls display a valid and identifiable phone number, allowing the recipient to identify the origin of the call, contact us back, or file a complaint.
Content Quality
The content of voice messages is the responsibility of our clients when they customize messages. Clients must ensure content is clear, not misleading, lawful, and respectful. We reserve the right to suspend accounts using messages that violate our acceptable use policy.
Controlled Call Volume
Verification calls: maximum 1 per contact per hour
Alert calls: only in case of actual security event
No calls for commercial or promotional purposes
7.4 Twilio Compliance: Trust Hub
CallOnAlarm participates in Twilio's Trust Hub: identity verification, declared use case (security alert notifications with consent), and registered numbers in accordance with requirements.
7.5 A2P 10DLC (United States)
For SMS to the United States, we will comply with the A2P 10DLC program, which applies to application-to-person messaging rather than to voice calls: brand registration with The Campaign Registry, campaign declaration, and compliance with carrier throughput rules.
7.6 Commitment to Transparency
In case of any request from Twilio regarding our practices, we commit to responding promptly, providing requested documentation, cooperating with investigations, and taking corrective measures as necessary.
8. Data Subject Rights
8.1 Right of Access
Any person whose data we process may request confirmation that data concerning them is being processed, access to that data, and information about purposes, categories of data, recipients, and retention period.
Response time: 30 days maximum
8.2 Right to Rectification
Any person may request correction of inaccurate or incomplete data concerning them.
Response time: 30 days maximum
8.3 Right to Erasure
Any person may request erasure of their data in cases provided by Article 17 of the GDPR, including withdrawal of consent, data no longer necessary, or objection to processing.
Exceptions: Certain data may be retained to comply with legal obligations or for the establishment, exercise, or defense of legal claims.
8.4 Right to Restriction
Any person may request restriction of processing in cases provided by Article 18 of the GDPR.
8.5 Right to Data Portability
Any person may request to receive their data in a structured, commonly used, and machine-readable format.
8.6 Right to Object
Any person may object to the processing of their data. For emergency contacts, this right is exercised by pressing key 9 during a call or by contacting us directly.
8.7 Exercising Your Rights
To exercise these rights, contact us:
Email: [email protected]
We may request additional information to verify the identity of the requester.
9. Data Retention
9.1 Retention Periods
Client account data: duration of the relationship plus 5 years (accounting and tax obligations)
Active emergency contacts: duration of the relationship (necessary for service performance)
Deleted/unsubscribed contacts: 3 years after deletion (proof of consent or withdrawal)
Call logs: 5 years (legal obligations, proof of consent)
Technical logs: 1 year (security and debugging)
Consent records: 5 years after the end of the relationship (legal proof)
9.2 Data Deletion
Upon expiration of retention periods, data is securely deleted or irreversibly anonymized for statistical purposes.
10. Audit and Transparency
10.1 Records of Processing Activities
In accordance with Article 30 of the GDPR, we maintain records of processing activities documenting processing purposes, categories of data subjects and data, data recipients, transfers to third countries, retention periods, and security measures.
10.2 Data Protection Impact Assessment (DPIA)
For processing likely to result in high risk, we conduct a DPIA in accordance with Article 35 of the GDPR.
10.3 Breach Notification
In case of a personal data breach, we:
Document the breach in our internal register
Notify the supervisory authority within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to data subjects
Inform affected data subjects if the risk is high
Take necessary corrective measures
10.4 Compliance Audits
We regularly conduct internal GDPR compliance audits, security tests (pentests), and access rights reviews.
11. Contact and Complaints
11.1 Data Protection Contact
For any questions regarding the protection of your data or to exercise your rights:
Email: [email protected]
11.2 Complaints
If you believe that the processing of your data constitutes a violation of applicable regulations, you may:
Contact us at [email protected] to resolve the matter amicably
Lodge a complaint with the competent supervisory authority:
France: CNIL (www.cnil.fr)
Germany: BfDI or the relevant Land authority
United Kingdom: ICO (ico.org.uk)
Other countries: local supervisory authority
11.3 Updates to This Policy
This compliance policy may be updated to reflect regulatory changes or changes in our practices. The date of last update is indicated at the top of the document.
Substantial changes are communicated to our clients by email.
Appendix: Reference Texts
Europe
Regulation (EU) 2016/679 (GDPR)
Directive 2002/58/EC (ePrivacy)
Law No. 78-17 of 6 January 1978, as amended (France)
Federal Data Protection Act (BDSG) (Germany)
United States
Telephone Consumer Protection Act (47 U.S.C. § 227)
Telemarketing Sales Rule (16 CFR Part 310)
California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 to 1798.199)
Canada
Personal Information Protection and Electronic Documents Act (PIPEDA)
Canada's Anti-Spam Legislation (CASL)
Document issued on February 7, 2026
Last updated: February 7, 2026
CallOnAlarm. All rights reserved.