AEPD compliance

Last updated: 11 May 2026

On 20 April 2026, the Spanish Data Protection Agency (AEPD) published specific guidance on GDPR compliance for automated AI transcription tools. This page maps the four guidance requirements one-to-one to AudioMap's actual implementation.

Why this guidance matters

The AEPD has clarified four key points that affect any business or professional using AI transcription tools to record conversations with third parties (clients, patients, advisors, employees):

  1. Session-specific consent. A generic notice when joining the service does not constitute valid consent.
  2. Right of access in multi-speaker recordings. You cannot deny access to a subject on the grounds of protecting third-party data in the same audio.
  3. Mandatory vendor due diligence. The data controller must document the actual jurisdiction of processing.
  4. Transcription ≠ technical feature. It is personal data processing with ongoing governance.

AudioMap is built to meet these four requirements by design, not by configuration.

Compliance point by point

Requirement 1 — Session-specific consent

AEPD
The AEPD requires consent to be requested specifically for each recording session. A generic service-join notice is not valid.
  • Per-note consent, not global. Each uploaded or recorded note requires explicit acceptance of the relevant consent types before processing.
  • Append-only audit log in PostgreSQL: every acceptance is recorded with IP, User-Agent, legal text version and timestamp, and rows are never updated or deleted. The current legal text version is 2.0.
  • Consent types tracked separately (Art. 7 consent; Art. 9 explicit consent for the biometric special category): audio_storage, processing, marketing, third_party_sharing, biometric_data, recording_party_acknowledgement.
  • Biometric consent is opt-in and defaults to false. If it has not been granted, the worker skips speaker attribute inference even when the transcription provider is configured to extract such attributes.
  • Legality acknowledgment modal in live recording flows: before recording starts, the user confirms that the other participants have consented to being recorded.
  • Revocation tracked: when a user revokes consent, a new row with revokedAt set is inserted; the original acceptance row is never modified, so the full timeline is preserved for legal audit.
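The append-only consent ledger described above, as an added example written for this page and not AudioMap's own code. An in-memory sqlite3 database stands in for PostgreSQL; the table and column names, the trigger that turns "append-only" into a database guarantee, and the note, user, IP and timestamp values in the demo are all constructed assumptions. What it shows: acceptance and revocation are both INSERTs, the latest row for a (note, consent type) pair decides the current state, the same table answers "was consent in force on date X" for an audit, and a worker gate refuses biometric inference without a biometric_data row in force.

```python
"""Append-only consent ledger: acceptances and revocations are both INSERTs.

Added example, not AudioMap's code. sqlite3 (in-memory) stands in for
PostgreSQL; table/column names and the trigger guard are assumptions.
"""
import sqlite3
from typing import Optional

# Consent types as listed on the page; version of the legal text in force.
CONSENT_TYPES = frozenset({
    "audio_storage", "processing", "marketing", "third_party_sharing",
    "biometric_data", "recording_party_acknowledgement",
})
LEGAL_TEXT_VERSION = "2.0"

SCHEMA = """
CREATE TABLE consent_events (
    id                 INTEGER PRIMARY KEY,  -- insertion order = event order
    note_id            TEXT NOT NULL,
    user_id            TEXT NOT NULL,
    consent_type       TEXT NOT NULL,
    legal_text_version TEXT NOT NULL,
    ip                 TEXT NOT NULL,
    user_agent         TEXT NOT NULL,
    accepted_at        TEXT NOT NULL,        -- ISO-8601 UTC
    revoked_at         TEXT                  -- NULL on acceptance rows
);
-- Hypothetical guard: make "append-only" a database guarantee, not a convention.
CREATE TRIGGER consent_no_update BEFORE UPDATE ON consent_events
    BEGIN SELECT RAISE(ABORT, 'consent_events is append-only'); END;
CREATE TRIGGER consent_no_delete BEFORE DELETE ON consent_events
    BEGIN SELECT RAISE(ABORT, 'consent_events is append-only'); END;
"""
INSERT = ("INSERT INTO consent_events (note_id, user_id, consent_type, "
          "legal_text_version, ip, user_agent, accepted_at, revoked_at) "
          "VALUES (?, ?, ?, ?, ?, ?, ?, ?)")


def open_ledger() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record_acceptance(conn, note_id, user_id, consent_type, ip, user_agent, accepted_at) -> int:
    """One row per (note, consent type) acceptance, stamped with the legal text version."""
    if consent_type not in CONSENT_TYPES:
        raise ValueError(f"unknown consent type: {consent_type}")
    cur = conn.execute(INSERT, (note_id, user_id, consent_type, LEGAL_TEXT_VERSION,
                                ip, user_agent, accepted_at, None))
    return cur.lastrowid


def revoke(conn, note_id, consent_type, ip, user_agent, revoked_at) -> int:
    """Revocation is a new row with revoked_at set; the acceptance row stays untouched."""
    row = conn.execute(
        "SELECT user_id, legal_text_version, accepted_at, revoked_at FROM consent_events "
        "WHERE note_id = ? AND consent_type = ? ORDER BY id DESC LIMIT 1",
        (note_id, consent_type)).fetchone()
    if row is None or row[3] is not None:
        raise LookupError(f"no active {consent_type} consent on note {note_id}")
    user_id, version, accepted_at, _ = row
    cur = conn.execute(INSERT, (note_id, user_id, consent_type, version,
                                ip, user_agent, accepted_at, revoked_at))
    return cur.lastrowid


def is_granted(conn, note_id, consent_type, at: Optional[str] = None) -> bool:
    """Current state (or state as of ISO timestamp `at`) = the latest event for the pair."""
    row = conn.execute(
        "SELECT revoked_at FROM consent_events WHERE note_id = ? AND consent_type = ? "
        "AND COALESCE(revoked_at, accepted_at) <= COALESCE(?, '9999-12-31T23:59:59Z') "
        "ORDER BY id DESC LIMIT 1",
        (note_id, consent_type, at)).fetchone()
    return row is not None and row[0] is None


def missing_consents(conn, note_id, required) -> list:
    """Pre-processing check: which required consent types are not currently granted."""
    return [t for t in required if not is_granted(conn, note_id, t)]


def should_infer_speaker_attributes(conn, note_id, provider_extracts: bool) -> bool:
    """Worker gate from the page: provider configured AND biometric consent on record."""
    return provider_extracts and is_granted(conn, note_id, "biometric_data")


def demo() -> dict:
    """Constructed scenario: three acceptances, one revocation, one tamper attempt."""
    conn = open_ledger()
    note, user, ip, ua = "note-42", "user-7", "203.0.113.5", "Mozilla/5.0 (constructed)"
    for t in ("audio_storage", "processing", "biometric_data"):
        record_acceptance(conn, note, user, t, ip, ua, "2026-05-01T09:00:00Z")
    before = should_infer_speaker_attributes(conn, note, provider_extracts=True)
    revoke(conn, note, "biometric_data", ip, ua, "2026-05-03T15:30:00Z")
    try:  # a direct DELETE/UPDATE must fail rather than silently rewrite history
        conn.execute("DELETE FROM consent_events WHERE id = 1")
        tamper_blocked = False
    except sqlite3.DatabaseError:
        tamper_blocked = True
    live_flow = ["audio_storage", "processing", "recording_party_acknowledgement"]
    return {
        "biometric_before_revoke": before,
        "biometric_after_revoke": should_infer_speaker_attributes(conn, note, True),
        "biometric_on_2026_05_02": is_granted(conn, note, "biometric_data",
                                              at="2026-05-02T00:00:00Z"),
        "missing_for_live_flow": missing_consents(conn, note, live_flow),
        "rows": conn.execute("SELECT COUNT(*) FROM consent_events").fetchone()[0],
        "tamper_blocked": tamper_blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The point-in-time query is what makes the log useful to a DPO: because a revocation never overwrites the acceptance, `is_granted(..., at=...)` can answer whether a given processing run happened while consent was in force, and the trigger makes sure nobody with application credentials can tidy the history afterwards.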

Requirement 2 — Right of access in multi-speaker recordings

AEPD
The AEPD requires any subject to be able to exercise their right of access, even if the recording contains other speakers. Third-party protection cannot be used as an excuse to deny access.
  • Full user access to their notes, transcriptions, metadata, and diarization through the dashboard.
  • Public deletion request endpoint for non-user third parties (under construction, May 2026 deadline): a recorded participant without an account will be able to request deletion directly without going through the host.
  • Individual biometric deletion already operational: DELETE /me/biometric-data purges all biometric fingerprints for the user.
  • Portable export (GDPR Art. 20) on Q3 2026 roadmap: ZIP with all notes + transcriptions + metadata in JSON format.
  • Diarization with identified speakers: allows the transcript to be segregated by speaker when a Data Subject Access Request (DSAR) is received.

Requirement 3 — Vendor due diligence

AEPD
The AEPD requires the data controller to document due diligence in vendor selection: where data is actually processed, what subprocessors are used, what additional processing is performed.

Our entire processing chain is in EU territory under our direct control or that of EU subprocessors:

  • Storage: Cloudflare R2 with the EU jurisdiction explicitly selected (not the default global placement).
  • Database and workers: dedicated Hetzner server in Germany (Falkenstein).
  • Primary transcription: AssemblyAI via European endpoint (api.eu.assemblyai.com).
  • Fallback transcription: local Whisper (faster-whisper large-v3-turbo) running on our Hetzner DE server. If AssemblyAI does not respond, no byte leaves Germany.
  • Language models: Google Vertex AI in europe-west1 (Belgium).
  • Monitoring: Sentry in EU region.

We publish the full subprocessor list and our data sovereignty policy. For B2B customers with signed DPAs we can jointly audit the network traces of a specific job.

Requirement 4 — Transcription as personal data processing

AEPD
The AEPD clarifies that transcription is not a low-risk technical utility: it is personal data processing requiring ongoing governance, clear transparency, and proactive safeguards (DPIA, records of processing activities, explicit retention policy).
  • Documented legal basis: contract with the user (GDPR Art. 6.1.b) + explicit per-note consent (Art. 7) + legitimate interest where applicable. For biometric data, specific Art. 9 consent.
  • We do not train models with your content. We contractually prohibit our vendors from doing so.
  • Encryption: TLS in-transit, at-rest encryption on R2 and Hetzner volumes.
  • Retention: 30 days after account closure for all data. Operational logs are purged per documented policy.
  • Public DPIA (under construction for Q3 2026): data protection impact assessment for high-risk processing (biometric, multi-speaker).
  • Security breach notification workflow (GDPR Art. 33 — 72 hours): documented internally, public policy coming soon.
  • Subprocessors with prior change notification: we notify B2B customers with signed DPAs at least 30 days before adding or changing a subprocessor.

How competitors compare

As of 11 May 2026, none of the main meeting bots and transcription tools process in EU jurisdiction with the complete architecture:

  • Fireflies — processes in the US, 2 active Illinois BIPA biometric lawsuits.
  • Otter — processes in the US (AWS), 4 active California federal wiretapping lawsuits.
  • Fathom — processes in the US.
  • Read.ai — processes in the US, includes emotional analytics (additional GDPR Art. 22 automated decision risk).
  • tl;dv — has a DE option but default processing is US.
  • Granola — local capture but US cloud processing.
  • Plaud / Limitless — hardware with US cloud processing.

All of them can sign DPAs and all of them are certified under the EU-US Data Privacy Framework. That is not enough to meet the AEPD due diligence requirement when what is being recorded are client conversations in EU jurisdiction under professional secrecy or involving special categories of data.

Sources and references

Contact

If you are a data controller (GDPR Art. 4.7) and need additional documentation, DPA, TIA, or joint audit, write to [email protected]. We respond within 72 hours.
