GDPR & Natalia Analytics on-premise
In strict disconnected mode, Natalia is neither controller nor processor under the GDPR. No DPA to sign, no downstream sub-processor chain to audit.
1. Legal qualification: Natalia as software publisher
Natalia SAS distributes a virtual appliance (VM image) that the customer deploys on its own infrastructure. The customer alone determines the purposes and means of the processing operations carried out by the appliance on its CDR (Call Detail Records). Natalia has no access to the data, no remote control of the appliance, and no telemetry on customer phone numbers, call content or any other personal data.
This qualification rests on three converging foundations:
- GDPR Recital 26: a publisher of standard software cannot be qualified as a processor when it has no access to the data processed by its software.
- EDPB / CEPD 07/2020 §28-29: the European Data Protection Board explicitly excludes the publisher-processor qualification when the supplier provides only the tool and never sees the data. The strict disconnected mode meets this test by design.
- GDPR art.28: the article applies only when there is an actual processing operation carried out "on behalf of" a controller. In strict disconnected mode, Natalia carries out no operation on the customer's data, on its own behalf or on anyone else's.
2. Strict disconnected mode — data flows
In strict disconnected mode, the appliance has no outbound internet connection except the licence verification channel. The following table lists every data category and shows that none of the customer's personal data leaves the customer's infrastructure.
| Data category | Source | Outbound flow | Leaves customer infra? |
|---|---|---|---|
| CDR (phone numbers, dates, durations) | PBX OXE / OXO | — | ✓ No |
| Aggregated KPIs | On-prem appliance | — | ✓ No |
| User accounts (RBAC) | Customer admin | — | ✓ No |
| Audit log | On-prem appliance | — | ✓ No |
| MCP queries (DSI LLM) | Customer-side LLM | Customer LAN only | ✓ No |
| Licence verification | Customer organisation ID + signed token | Natalia (EU) | ⚠ Org ID only, no personal data |
The licence verification channel carries only the customer's organisation identifier (a UUID), a signed token, and an anonymous heartbeat. It is detailed in section 4 below.
3. Connected mode — art.28 processing
In connected mode (opt-in, contractually scoped), the customer authorises Natalia to perform additional processing operations on aggregated CDR data, including LLM-assisted analysis. Natalia then qualifies as a processor under art.28 GDPR, and a full DPA is signed.
Processor — Natalia SAS
- Role: art.28 processor
- Processed data: aggregated CDR uploaded by the customer for analysis
- Hosting: EU only (Belgium)
- DPA: Connected mode DPA
Sub-processor — Gemini (Google Ireland)
- Role: LLM analysis sub-processor
- Region: eu-west (Belgium / Netherlands)
- Retention: no training on customer data, 0-day retention
- Contract: Google Cloud DPA + EU SCC
4. Licence channel & telemetry
The licence verification channel is the only outbound flow active in strict disconnected mode. It carries the customer organisation identifier (a UUID assigned to a legal entity, not to a natural person) and an anti-fraud heartbeat. The data it processes is qualified as follows:
- customer_org_id (UUID) — identifier of a legal entity. Not personal data in the strict sense (GDPR art.4-1).
- Source IP (logs side) — qualified as personal data by the CJEU in Breyer C-582/14 because of the possibility of re-identification via the ISP. Legal basis: legitimate interest under art.6-1-f GDPR (anti-fraud + service integrity).
- Anonymous heartbeat — counter of errors over 24h, appliance version, hardware fingerprint hash. No phone number, no call content, no user identifier.
Source IP retention
- 0–30 days: full IP kept (incident investigation window)
- 30 days+: IP anonymised (last octet zeroed for IPv4, /64 truncation for IPv6)
- 13 months: log entry deleted entirely
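The retention schedule above, applied to licence-channel log entries, as an added example that is not Natalia's code. The entry fields (`ts`, `org_id`, `source_ip`), the function names, the treatment of day 30 itself as still inside the full-IP window, and the handling of IPv4-mapped IPv6 addresses as IPv4 are assumptions made for illustration.

```python
import calendar
import ipaddress
from datetime import datetime, timedelta, timezone

FULL_IP_WINDOW = timedelta(days=30)   # full IP kept (incident investigation window)
DELETE_AFTER_MONTHS = 13              # log entry deleted entirely

def add_months(ts, months):
    """Calendar-month addition; clamps the day (31 Jan + 13 months = 28 Feb)."""
    idx = ts.month - 1 + months
    year, month = ts.year + idx // 12, idx % 12 + 1
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)

def anonymise_ip(raw):
    """Zero the last octet of an IPv4 address, truncate IPv6 to its /64."""
    ip = ipaddress.ip_address(raw)
    # Assumption: a dual-stack listener may log IPv4 clients as ::ffff:a.b.c.d.
    # Treat those as IPv4, otherwise /64 truncation would reduce them to "::".
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    prefix = 24 if ip.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)

def apply_retention(entries, now):
    """Return the entries that survive, with IPs anonymised where due."""
    kept = []
    for entry in entries:
        if now >= add_months(entry["ts"], DELETE_AFTER_MONTHS):
            continue                                # 13 months reached: drop entry
        if now - entry["ts"] > FULL_IP_WINDOW:      # assumption: day 30 is still "full"
            entry = {**entry, "source_ip": anonymise_ip(entry["source_ip"])}
        kept.append(entry)
    return kept

# Constructed sample log (documentation address ranges, made-up org UUID).
ORG = "00000000-0000-4000-8000-000000000001"
NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)
def _e(y, m, d, ip):
    return {"ts": datetime(y, m, d, tzinfo=timezone.utc), "org_id": ORG, "source_ip": ip}
SAMPLE = [
    _e(2025, 2, 20, "198.51.100.23"),             # 9 days old
    _e(2025, 1, 10, "192.0.2.77"),                # 50 days old
    _e(2025, 1, 10, "2001:db8:abcd:12:1:2:3:4"),  # 50 days old, IPv6
    _e(2025, 1, 10, "::ffff:192.0.2.77"),         # 50 days old, IPv4-mapped
    _e(2024, 1, 31, "203.0.113.9"),               # 13 months reached on 2025-02-28
]

if __name__ == "__main__":
    for row in apply_retention(SAMPLE, NOW):
        print(row["ts"].date(), row["source_ip"])
```

Anonymisation is idempotent, so the job can be re-run over already-truncated entries without further loss.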
Customer rights
- Right of access to the licence channel log entries identifying its organisation: request to [email protected]
- Right to object: switch off the heartbeat in connected mode (the licence channel itself is contractually necessary and cannot be disabled).
5. Legal mentions (art.13 & 14 GDPR)
Publisher
- Natalia SAS
- Simplified joint-stock company
- 3 rue Jean Jaurès, 85000 La Roche-sur-Yon, France
- SIREN: 990 566 499
- SIRET (headquarters): 990 566 499 00010
- VAT: FR40990566499
DPO & legal contact
- DPO: [email protected]
- Legal: [email protected]
- Supervisory authority: CNIL — cnil.fr
- Publication director: François-Guillaume Ribreau, CEO Natalia SAS
Information collected under art.13 & 14 GDPR: the data the customer organisation transmits to the licence channel is processed for licence verification and anti-fraud purposes, on the basis of legitimate interest (art.6-1-f). Retention: 13 months maximum, IP anonymisation after 30 days. Rights of access, rectification, erasure, limitation and objection may be exercised with the DPO above.
6. IT lawyer FAQ
The questions below are the seven we receive most often during DPO onboarding of mid-market companies and hospitals.
1. Do we need to add Natalia to our processor register?
Strict disconnected mode: no. Natalia is a software publisher under Recital 26 and EDPB 07/2020 §28-29 — same logic as for your text editor or your database engine. Support 72h mode: yes, but as a punctual processor scoped to the support intervention only. Connected mode: yes, as a full art.28 processor.
2. What sub-processors should we audit?
Strict disconnected and support 72h modes: none. There is no sub-processor chain because Natalia does not process your data. Connected mode: Gemini (Google Ireland Ltd, eu-west region) for LLM-assisted analysis, with EU SCC and a contractual 0-day retention on customer prompts.
3. The licence channel sends an IP address — is that not a transfer of personal data?
The IP is qualified as personal data by CJEU Breyer C-582/14. We rely on legitimate interest (art.6-1-f) for anti-fraud purposes, anonymise the IP after 30 days, and delete the log entry after 13 months. The processing is documented in our art.30 record and the legitimate interest balancing test (LIA) is available on request.
4. Do we need a DPIA?
CNIL guidelines consider that the systematic processing of CDR for more than ~5000 phone lines may meet the systematic monitoring of work criterion. Below this threshold, a documented art.6-1-f balancing test is usually enough. Above, a DPIA is recommended — we provide a pre-filled template.
5. AI Act — does Natalia Analytics fall under high-risk?
No. The strict disconnected mode is out of scope because Natalia does not supply an AI system. The connected mode falls under the limited-risk regime (art.50 transparency obligations) for analytical Q&A. Only an explicit use case of automated HR decisions (scoring employees) would trigger the high-risk regime — and this is explicitly excluded from our product scope.
6. Can our CISO audit the source code of the appliance?
Yes, on demand under a confidentiality agreement. The appliance ships with cryptographically signed binaries (Cosign-verified) and the build manifest is reproducible. A targeted penetration test by an independent firm (Synacktiv-style) is available for an additional fee.
7. What happens to CDR if we terminate the contract?
They remain in your appliance, on your hypervisor, until you decide to delete them. There is no remote data destruction by Natalia — we have no access. See the reversibility page.