GDPR Art. 35
Data Protection Impact Assessment
Executive summary of the AudioMap DPIA. The full signed version is shared with B2B customers under signed DPA and NDA, and with the AEPD upon request.
Version 0.1 — internal draft. Pending review by external certified DPO and specialised data-protection counsel before final publication. This page shows only the executive summary. The signed 1.0 version will be published after full legal review.
What is a DPIA and why does AudioMap have one?
GDPR Art. 35 requires a Data Protection Impact Assessment when the processing is high-risk. The AEPD guidance of 20 April 2026 makes explicit that automated AI voice transcription is high-risk when any of the following apply:
- Large-scale processing
- Sensitive data (biometric, health, professional secrecy)
- Automated decisions (AI summaries and analysis)
- Systematic processing
AudioMap meets the criteria. Hence we maintain an active DPIA reviewed annually.
Processing scope
- Data processed: audio uploaded by the user, text transcription, AI analysis, basic user identifiers, optional opt-in voice biometric attributes.
- Purpose: provide the user with augmented memory over their own recorded conversations.
- Legal basis: contract (Art. 6.1.b) + per-note specific consent (Art. 6.1.a). For biometrics, opt-in Art. 9 GDPR consent.
- Location: 100% European Economic Area, except payments (Stripe US) and observability (Sentry US, data in EU region). Detail in the TIA.
- Retention: configurable. Default 30 days after account closure for all data.
Main identified risks and mitigations
| ID | Riesgo | Severidad | Mitigación |
|---|---|---|---|
| R1 | Subprocessor breach data leakage | Medium-High | Certified subprocessors, at-rest encryption, local Whisper fallback |
| R2 | Internal unauthorised access (permission bug) | Medium | Keycloak auth, SQL by-userId authorisation, audit log, periodic reviews |
| R6 | DSAR ignored beyond 30 days | Medium | Append-only table + 25/30d cron + admin dashboard |
| R7 | Subprocessor trains AI model with content | Low-Medium | Explicit contractual clauses, local Whisper removes dependency |
| R9 | Host records without third-party consent | Medium | RecordingLegalityModal + host-as-controller DPA + public deletion endpoint |
| R10 | Prompt injection in transcription extracts data from other notes | Low-Medium | Per-note sandboxing, LLM output treated as data, periodic prompt review |
Conclusion
After evaluating the identified risks and the technical and organisational measures applied, the processing is viable and proportionate. Residual risks are low in terms of probability and impact on data subjects' rights and freedoms.
No prior consultation to the AEPD (Art. 36 GDPR) is required because no mitigation leaves a "high" risk unaddressed.
Next scheduled review: 12 May 2027, or earlier if there is substantial change (new subprocessor, jurisdiction change, new AEPD guidance).
Access to the full document
B2B customers with a signed DPA can request the full signed version of this DPIA. Write to [email protected].
Related documents: TIA (Transfer Impact Assessment), AEPD compliance, Subprocessors, Data residency.