GDPR splits responsibility for personal data between two roles. The data controller decides the purposes and means of processing, what data to collect, why, and what to do with it. The data processor acts under the controller's instructions, doing the actual work without independent purpose.
In a CX-AI deployment, the customer (the clinic, the shop, the home-services company) is almost always the controller. They decide what to ask callers, what to record, what to retain. The vendor is the processor, executing those decisions on the controller's behalf. The distinction is the basis for the Data Processing Agreement (DPA), which is mandatory under GDPR.
The line gets blurry when the vendor uses customer data for its own purposes, training shared models, building benchmarks, improving the product. Doing this without explicit controller consent makes the vendor a joint controller, which is a meaningfully different legal posture. A serious vendor stays cleanly on the processor side, or upgrades the contract structure to reflect joint-controller reality.
Vorel operates as a data processor under a standard DPA. Customer audio and transcripts are not used to train shared models without per-tenant opt-in; the opt-in is rare and contractually scoped.

