GDPR-compliant meeting summarization for EU teams
What GDPR actually requires from a meeting summarization tool, where the popular options fall short, and what compliant by default looks like.
The procurement review goes like this. Engineering wants to ship a meeting note-taker to the team. Legal looks at the data-flow diagram, sees "audio uploaded to US-based data center", and the conversation is over before it started. Not because the tool is bad. Because the data path is not GDPR-shaped.
If your team is in the EU, this happens roughly every quarter. The market leader in meeting AI ships from US data centers by default; EU residency is an enterprise upsell, or in some cases not available at all. For organizations that take GDPR seriously, that is friction.
A meeting summarization tool is GDPR-compliant by default when audio and summaries stay in EU infrastructure, retention is short and explicit, and user data is never used to train the underlying models. Anything less is a procurement debate waiting to happen.
What GDPR actually requires
Three articles do most of the work for an audio-AI workflow.
- Article 5(1)(b), purpose limitation. The audio is collected to produce a summary. That is the purpose. Using it to train a model is a different purpose, and that requires a fresh legal basis. Most US-based meeting AIs reserve the right to use your data for "service improvement", the polite term for training.
- Article 5(1)(c), data minimization. Keep what you need, for as long as you need it. A summary takes minutes to produce; keeping the source audio for thirty days, ninety days, or "indefinitely while encrypted" is data hoarding, not minimization.
- Article 5(1)(f) + Articles 44–50, security and international transfers. EU data sent to US infrastructure travels under the EU-US Data Privacy Framework. That framework has been struck down twice and is under legal challenge again. Vendors who keep EU customers' data in EU infrastructure spare you the framework dependency entirely.
GDPR does not forbid US-based AI vendors. It does require you to document, justify, and accept the risk every time you process personal data outside the EU. For most teams, the easier path is a vendor that does not create the risk in the first place.
Where the popular tools fall short
| Tool | Default storage | EU residency option | Trains on user data | Default retention |
|---|---|---|---|---|
| Otter.ai | US | Enterprise tier | Aggregated / anonymized data used | Indefinite, until user deletes |
| Fireflies.ai | US | Enterprise "Private Storage", storage only, processing remains US | Zero Data Retention claim, US processing | Until user deletes |
| Read.ai | US | Limited | No training by default | Until user deletes |
| Sembly AI | US + EU options | Paid plan | EU-US DPF | Plan-dependent |
| EnClair | EU | Default for everyone | Never | 24 hours, audio and summaries |
Sources: each vendor's published security and data-handling pages. The fact patterns above are what the procurement reviewer will assemble; it is better to read them now than to read them in a contract.
What "compliant by default" looks like
"By default" is the operative word. A vendor with an EU storage option on the enterprise tier is not the same as a vendor that stores in the EU for everyone. The difference matters when the engineering team running a thirty-person trial is one tier below the storage option.
Three checks the procurement team will run:
- Where does the audio go between upload and summary? If the answer is "EU infrastructure throughout", the conversation is short. If the answer involves a US-region inference call, the conversation moves to legal.
- What is the retention policy by default? Anything over 24 to 72 hours for source media is hard to defend under data minimization. "Encrypted at rest forever" is encrypted hoarding.
- Is user data used for training, evaluation, or model improvement? The right answer is "no, never". The acceptable answer is "yes, with explicit per-tenant opt-out". Anything else is a slow procurement.
A two-minute checklist before you sign
Before any meeting AI lands in your stack, the answers to these questions should be in your DPA (the Data Processing Agreement, the contract that spells out how the vendor handles your data), not in marketing copy.
- Where is audio stored, and where is it processed? (separate questions, see Fireflies)
- What is the source-media retention period in hours?
- Is the summary retained, and for how long?
- Is user data used to train any model, on any schedule, in any aggregation?
- Are sub-processors (the third-party companies the vendor relies on to deliver the service, such as cloud hosting or transcription engines) EU-based or DPF-bound, and how is that list maintained?
- Is there a per-tenant audit log of access to source media?
If the vendor cannot answer in writing within a week, the answer is no.
A note on retention
EnClair stores audio and summaries for 24 hours, then deletes both. We do not train models on user inputs or outputs. Hosting is in Europe. The full retention and privacy posture is documented on the security page, and the GDPR section of the FAQ covers the buyer-side questions that come up most often.
What to take from this
The GDPR answer is not "is the vendor compliant", it is "is the vendor compliant by default, for everyone, with a retention period a regulator would not blink at, without using your data to train". When the answer to all three is yes, the tool ships. When any of them is no, you negotiate or you switch. A meeting AI built for EU teams shortens that conversation to one Friday afternoon.