Supernormal's pivot and the problem it carries
In 2026, Supernormal stopped selling itself as an "AI meeting notetaker" and repositioned as "AI agent for agencies — turn meetings into completed client work in a flash". The product now generates slides, documents, follow-up emails and calendar invites from your meeting context. Their site claims 700,000+ organizations use it, with BBDO, Pinterest and Snap logos visible on the homepage.
It's an interesting product pivot. But there's a question their site never answers, one a Data Protection Officer should ask before clicking "Get started":
Where, physically, does your audio, transcript and generated deliverable live?
The short answer is on their own /security page: "Supernormal uses Amazon Web Services for secure and available hosting for our software environments". No region is mentioned. No "EU residency" claim. No "Frankfurt" or "Dublin" or any other European place name. Supernormal Technologies, Inc. is a Delaware corporation. The reasonable default assumption is us-east-1 or us-west-2, the most heavily used AWS regions, both in the US.
If you move personal data of European clients to infrastructure run by a provider subject to the US CLOUD Act, you have a GDPR problem to document. And since 20 April 2026, the Spanish DPA has formally tightened how that problem is evaluated.
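Before you ask a vendor where it hosts, you can check one signal yourself: resolve the hostname your audio is uploaded to and look the address up in AWS's published ip-ranges.json, which tags every prefix with a region. The script below is an added example, not code from this page, from Supernormal or from AudioMap. The prefixes it embeds are constructed sample data in documentation address ranges (198.51.100.0/24, 203.0.113.0/24, 192.0.2.0/24, 2001:db8::/32), so it runs offline; to test a real endpoint, replace `SAMPLE_IP_RANGES` with the contents of https://ip-ranges.amazonaws.com/ip-ranges.json and feed it the output of `resolve_host`.

```python
"""Map an IP address to an AWS region using the layout of AWS's published
ip-ranges.json. Added example; the prefixes below are CONSTRUCTED sample
data, not real AWS allocations."""
import ipaddress
import json
import socket

# Constructed sample in the exact shape of the real file: "prefixes" carry
# IPv4 in "ip_prefix", "ipv6_prefixes" carry IPv6 in "ipv6_prefix", and
# CloudFront edges are tagged region "GLOBAL".
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "203.0.113.0/24", "region": "eu-central-1", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "eu-west-1", "service": "AMAZON"},
    ],
})


def load_ranges(raw):
    """Parse ip-ranges.json into (network, region, service) tuples, both families."""
    doc = json.loads(raw)
    nets = []
    for p in doc.get("prefixes", []):
        nets.append((ipaddress.ip_network(p["ip_prefix"]), p["region"], p["service"]))
    for p in doc.get("ipv6_prefixes", []):
        nets.append((ipaddress.ip_network(p["ipv6_prefix"]), p["region"], p["service"]))
    return nets


def classify_ip(ip, nets):
    """Return every prefix hit for one address. A real lookup usually hits
    several overlapping entries (AMAZON plus a specific service)."""
    addr = ipaddress.ip_address(ip)
    hits = [(n, r, s) for n, r, s in nets if addr in n]
    regions = {r for _, r, _ in hits}
    services = {s for _, _, s in hits}
    return {
        "aws": bool(hits),
        "regions": regions,
        "services": services,
        # A CloudFront / GLOBAL hit means you reached an edge, which says
        # nothing about where the origin or the stored data lives.
        "cdn_edge": "CLOUDFRONT" in services or "GLOBAL" in regions,
    }


def summarize(ip, nets):
    """One-line verdict suitable for pasting into a vendor due-diligence note."""
    c = classify_ip(ip, nets)
    if not c["aws"]:
        return "not in AWS published ranges"
    if c["cdn_edge"]:
        return "AWS CloudFront edge; origin region unknown from IP alone"
    return "AWS region(s): " + ", ".join(sorted(c["regions"]))


def resolve_host(hostname):
    """All A/AAAA records for a hostname. Needs network access; the sample
    run below uses literal addresses instead."""
    infos = socket.getaddrinfo(hostname, None)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    nets = load_ranges(SAMPLE_IP_RANGES)
    for ip in ["198.51.100.7", "203.0.113.9", "192.0.2.1", "2001:db8:1::5", "10.0.0.1"]:
        print(ip, "->", summarize(ip, nets))
```

Treat the result as a signal for your written question, not as proof of residency: the region you get is where the endpoint terminates, the S3 bucket or database behind it can sit in another region, and a vendor fronted by a non-AWS reverse proxy (Cloudflare, for instance) will not appear in these ranges at all.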
What the Spanish DPA April 2026 guidance says
On [20 April 2026](https://www.insideprivacy.com/artificial-intelligence/spains-supervisory-authority-issues-new-guidance-on-ai-based-voice-transcription/), the Spanish Data Protection Agency (AEPD) published specific guidance on GDPR compliance for AI-based voice transcription tools. Four key requirements:
- Session-specific consent. A generic notice when joining the service does not constitute valid consent. Each recording requires verifiable explicit acceptance.
- Right of access applies in multi-speaker scenarios. Access cannot be denied to a subject by arguing protection of third-party data appearing in the same recording.
- Mandatory vendor due diligence. The data controller (that is you, the company or professional doing the recording) must document that the transcription provider gives clear information about any additional processing and about where the data physically resides.
- Transcription ≠ a technical feature. It is personal data processing with ongoing governance, not a low-risk technical utility.
The third point is what hits Supernormal head-on. Their /security page talks about "AWS data centers" in the abstract, "encryption at rest with AES-256", "TLS 1.2+" and "GDPR compliance reviews". It does not state a physical region. That means your internal documentation as data controller is incomplete, and the risk of an AEPD sanction sits in your lap.
Schrems II is still in force
The Schrems II judgment (CJEU, 16 July 2020) invalidated the EU-US Privacy Shield. The Data Privacy Framework of July 2023 reopened a channel under conditions, but the AEPD itself has warned repeatedly that the European controller is not released from its due diligence by the mere fact that the provider invokes the DPF.
In practice this means: when an American sub-processor can access your European personal data, and AWS can be compelled by US authorities to disclose it under the CLOUD Act or FISA 702, you must have:
- Transfer Impact Assessment (TIA).
- Standard Contractual Clauses (SCCs).
- Supplementary measures (European-controlled encryption keys, pseudonymization, etc.).
Supernormal does not publish a TIA, a DPIA, or a detailed sub-processor list. If a client asks for these documents, it will be your legal team's job to extract them in DPA negotiations. Meanwhile, your decision to process client audio with Supernormal is, in effect, a decision made without a documented TIA. In an audit, that's not good.
Is Supernormal "GDPR compliant"?
Their /security says "Supernormal continues to provide a GDPR compliant experience" and shows the GDPR badge. Fine.
But "GDPR compliant" on a US vendor's page means "our contracts and processes are designed to meet GDPR obligations". It does not mean "your data is beyond the reach of the CLOUD Act". The first is defensible by Supernormal; the second is not, as long as they run on AWS in the US.
For a Spanish or European regulated professional (tax, legal, healthcare, financial, education, public sector) the difference between "GDPR compliant" (a provider claim) and "data physically outside non-EU jurisdiction" (a verifiable guarantee) is the difference between a happy DPO and a worried DPO. The AEPD has learned to tell the two apart.
Why doesn't Supernormal show AWS region?
There are three plausible explanations:
- They don't have an EU region deployed. Their product runs by default in us-east-1 or us-west-2 and migrating takes months of work.
- They have multi-region but EU assignment is not default. Only activated in Enterprise plans with negotiated SLA, without public transparency.
- Deliberate decision not to commit publicly. Any public commitment to "EU residency" is reviewable and creates expectations they may breach.
Any of the three is problematic for a European DPO in 2026. Option 1 means the AEPD's vendor due diligence cannot be completed. Option 2 forces you into an enterprise contract at significant cost, and the commitment still isn't public. Option 3 keeps the commitment out of the contract, where lawyers can't latch onto it.
The European alternative: why AudioMap is different
AudioMap was built with the opposite decision from the first commit. Every piece of the stack has documented European jurisdiction:
- Database: PostgreSQL on a dedicated Hetzner DE server (Falkenstein, Germany).
- Cloud transcription: AssemblyAI EU endpoint (Dublin, Ireland) — explicitly regional, not global.
- On-premise transcription: Whisper local on the same Hetzner DE as fallback (`large-v3-turbo` model, no external calls).
- LLM: Vertex AI europe-west1 region (Belgium) with Gemini.
- Audio storage: Cloudflare R2 bucket configured in EU jurisdiction.
- Embeddings: bge-m3 run on own infrastructure (not OpenAI USA).
- Monitoring: self-hosted Sentry at Codelabs Studio (Hetzner DE).
All of that is published at `/legal/subprocessors`, `/legal/data-residency`, `/legal/dpia`, `/legal/tia` and `/legal/aepd-compliance`. It's not marketing. They're live pages with named sub-processors and specific jurisdictions. Your DPO can paste them straight into your internal DPIA.
What this means in practice
If you're a European agency, a tax advisor, a law firm, a clinic or any professional with regulated clients, the choice between Supernormal and AudioMap is not a feature choice. Features are comparable — and the deliverable-generation layer (emails, docs, slides from notes) is arriving in AudioMap as our S1 release.
The choice is: where do you want your client's data to live when the AEPD examiner asks for documentation?
If your answer is "in Europe, with verifiable jurisdiction and documented due diligence", AudioMap is the only answer on the market in 2026. If your answer is "wherever, as long as the UI is pretty", Supernormal is one click away.
But the AEPD has shown in 2024-2025 that it prefers controllers with the first answer. And since April 2026, the guidance is formally published for you to cite in your own documentation.
Next steps
If you made it this far and you work with European client data, I recommend:
- Ask Supernormal in writing for their sub-processor list and AWS region. If the answer takes more than 5 days or is ambiguous, you already have a signal.
- Document in your record of processing activities what tool you use, where the data resides, what TIA you have. If it's blank for your transcription, you have a gap.
- Compare against verifiable European alternatives ([/vs/supernormal](/en/vs/supernormal) has the feature-by-feature table).
- Read the full Spanish DPA April 2026 guidance. It's 30 pages. It saves you 30 years of fines.
And if after all this you still decide to stay with Supernormal, at least you'll have the documentation your DPO needs on audit day. That is more than most controllers have when they decided without reading their provider's /security page.