Trust center

Privacy as architecture, not as a feature

Everything your DPO needs to evaluate AudioMap, in one place. No NDA required, no sales call. If the documentation isn't here, ask — we'll write it.

Data residency: 🇪🇺 EU
Primary infra: Hetzner DE
LLM provider: Vertex EU
Embeddings: bge-m3 on-prem
Founded: 2024
Incorporation: 🇪🇸 España

Compliance status

Live

GDPR / RGPD

Full GDPR compliance with documented legal bases, consent audit log, DPO contact and DSR endpoints.

Privacy policy
Live

Spanish DPA April 2026 guidance

Compliance with the 4 requirements of AEPD's April 2026 guidance on AI voice transcription: session-specific consent, multi-speaker right of access, vendor due diligence, transcription as processing.

AEPD compliance page
Live

EU data residency

All data (audio, transcripts, embeddings, AI Notes, deliverables) stays in the European Union. Primary infrastructure on Hetzner DE; cloud sub-processors limited to EU regions.

Data residency page
Live

Public sub-processor list

Full list of every entity that may process customer data, with location, purpose and DPA link. Updated when sub-processors change.

Subprocessors
Live

Public DPIA

Data Protection Impact Assessment published openly. No need to negotiate access — your DPO can paste it directly into your internal documentation.

DPIA
Live

Public TIA (Transfer Impact Assessment)

Transfer Impact Assessment for non-EU sub-processors (only Stripe for payments, with strict scope). Verifiable by your legal team.

TIA
Live

Third-party deletion endpoint

Public endpoint where someone who appears in a recording — without being an AudioMap user — can request deletion of their voice and transcribed segments. AEPD April 2026 requirement most competitors do not implement.

Request deletion
Live

Immutable consent audit log

Each consent acceptance is registered with timestamp, IP, user agent and content version. Survives 6 years after account closure. Defensible in audit.

Live

Encryption at rest (AES-256) + in transit (TLS 1.2+)

All persistent data encrypted at rest. All network traffic encrypted in transit. Postgres + R2 + filesystem.

In progress

Formal DPA template (legally reviewed)

Standard DPA template covering Spain + EU jurisdictions, reviewed by external counsel. In the meantime, available on request.

Planned

SOC 2 Type II

SOC 2 Type II audit on the roadmap for 2027. Not blocking for European customers — AEPD-grade compliance is the applicable standard.

Planned

HIPAA

HIPAA certification on the roadmap for US healthcare expansion (2027+). For Spanish/EU healthcare professionals, GDPR art. 9 + AEPD April 2026 is what applies.

Planned

ENS (Esquema Nacional de Seguridad)

Spanish public sector security framework certification; evaluating for public sector clients.

Security practices

Penetration testing: Annual external audit (in progress)
Vulnerability disclosure: Public program at /security
2FA: Available for all users
Production access: Restricted to 2 engineers, audit-logged
Backup retention: 7 days rolling, encrypted at rest
Incident response: On-call coverage, 4h initial response SLA
Data breach notification: 72h to AEPD + affected users (GDPR art. 33)

Transparency commitments

🚫

No training on your data

Your transcripts, audio and AI Notes are never used to train models — ours or third parties'.

📤

Export everything, any time

One-click export to JSON, TXT, SRT, Markdown. No lock-in.

🔔

Sub-processor changes notified 30 days ahead

If we add or replace a sub-processor, paid customers receive 30 days' notice and can opt out by canceling without penalty.

🔍

Source-available audit invitation

For enterprise customers, we provide read access to the relevant parts of our codebase under NDA. Verify what we claim.

Have a question your DPO is asking?

Write to [email protected] — we respond within 48h.
