GDPR and Meeting Tools: Where Is Your Data Stored?
Most meeting recording tools process your audio in the US. Here is what that means for GDPR compliance and what alternatives exist.
You press record at the start of a meeting. A colleague shares a client's phone number. Someone mentions an employee's health situation. A participant discusses a pending contract with identifiable details. Within minutes, your meeting recording contains personal data — names, opinions, potentially sensitive information — all captured in an audio file.
Now, where does that file go?
For most meeting recording tools, the answer is: to a server in the United States. Your European meeting, with European participants discussing European business matters, is processed on American servers under American jurisdiction. Under GDPR, this is not a minor technical detail. It is a compliance question that many organizations are ignoring.
The Data Flow Problem
How Most Meeting Tools Work
When you use a meeting recording tool — whether it is Otter.ai, Fireflies, Fathom, or a similar service — the typical data flow looks like this:
- Audio is captured during the meeting
- The recording is uploaded to the tool's servers for processing
- The audio is transcribed (often by a third-party AI model)
- The transcript and recording are stored on the tool's infrastructure
- The data may be retained indefinitely, depending on the tool's policies
- The data may be used to train or improve the tool's AI models
Each of these steps involves a data processing operation. Under GDPR, each operation requires a lawful basis, and transfers outside the EU/EEA require additional safeguards.
Where the Major Tools Store Data
Let us be specific about where popular meeting tools process and store data.
Otter.ai — US-based. Data processed and stored in the United States. Their privacy policy states data may be shared with third-party service providers.
Fireflies.ai — US-based. Data processed and stored on US servers. Offers SOC 2 compliance, but this is not the same as GDPR compliance.
Fathom — US-based. Records Zoom meetings with data processed in the US.
Microsoft Teams Transcription — Processed through Microsoft's cloud infrastructure, which can include EU data centers for EU tenants, but the configuration and data residency guarantees vary.
Google Meet Transcription — Processed through Google's infrastructure. Google offers data region selection for some Workspace plans, but the default may route data through US servers.
Proudfrog — All data processed and stored in Sweden. Audio never leaves the EU. No data is used for model training.
This is not to suggest that US-based companies are careless with data. Many have strong security practices. The issue is jurisdictional: US law (including FISA Section 702 and Executive Order 12333) allows US intelligence agencies to access data stored by US companies, and this access is not subject to the same protections that GDPR requires.
What GDPR Actually Requires
Lawful Basis for Processing
Recording a meeting and transcribing it involves processing personal data. Under GDPR Article 6, you need a lawful basis. The most common bases for meeting recording are:
- Legitimate interest (Article 6(1)(f)): You have a legitimate business interest in keeping a record of meetings, balanced against participants' rights
- Consent (Article 6(1)(a)): Participants explicitly consent to being recorded
Legitimate interest is generally the stronger basis for business meetings, as consent can be withdrawn at any time and may not be freely given in an employer-employee context.
Data Transfer Restrictions
GDPR Chapter V restricts transfers of personal data outside the EU/EEA. Since the Schrems II ruling in 2020, the EU-US data transfer landscape has been uncertain. The EU-US Data Privacy Framework, adopted in 2023, provides a mechanism for transfers to certified US companies, but:
- Not all companies are certified
- The framework's long-term stability is uncertain (it could face legal challenges similar to Safe Harbor and Privacy Shield)
- Individual data protection authorities have varying interpretations of adequacy
For organizations that want to avoid these complexities entirely, the simplest approach is to use tools that process data within the EU.
Data Minimization
GDPR requires that you process only the data you need and keep it only as long as necessary. Some meeting tools retain recordings and transcripts indefinitely by default. Check whether your tool allows you to set retention periods and whether data is actually deleted when you request it.
Right to Erasure
Meeting participants have the right to request deletion of their personal data. If a participant asks you to delete their contributions from your meeting records, you need to be able to comply. This is more complex than deleting a document — it may require editing transcripts and deleting portions of audio recordings.
The Practical Implications
For Small Companies
If you are a small Nordic company using Otter.ai or Fireflies for convenience, you are likely transferring personal data to the US without adequate safeguards. In practice, enforcement has been limited for small companies, but the risk is real — and growing. Data protection authorities in the Nordic countries have become increasingly active.
The Swedish Authority for Privacy Protection (IMY) has issued significant fines for unauthorized data transfers. The Norwegian Data Protection Authority (Datatilsynet) and the Danish Data Protection Agency (Datatilsynet) have similarly tightened enforcement.
For Regulated Industries
If you work in healthcare, finance, legal services, or the public sector, the stakes are higher. Meeting recordings in these sectors routinely contain sensitive personal data — patient information, financial details, privileged communications. Using a US-based meeting tool for these recordings is a significant compliance risk that auditors and regulators will eventually notice.
For Organizations With International Clients
If you discuss European clients' data in meetings, transferring those recordings to US servers may violate your obligations to those clients. Many B2B contracts include data processing agreements that restrict sub-processing and cross-border transfers. Your meeting recording tool is a sub-processor, and its data handling affects your compliance posture.
What to Do About It
Step 1: Audit Your Current Tools
Start by understanding where your meeting data currently goes. For each tool you use, check:
- Where is data processed? (Not where the company is headquartered — where the servers are.)
- Where is data stored?
- Is data used for model training?
- What is the retention policy?
- Can you actually delete data when requested?
Step 2: Evaluate EU-Based Alternatives
If your current tools process data outside the EU, look for alternatives that keep data within the EU. The key questions:
- Is data processed and stored in the EU? (Specifically which country?)
- Is the processing company subject to EU jurisdiction?
- Does the tool offer data deletion capabilities?
- Is data used for model training? (If yes, you need a separate legal basis for this.)
Proudfrog processes and stores all data in Sweden. The infrastructure is EU-based, the company is Nordic, and the data handling is designed for GDPR compliance from the ground up — not bolted on as a feature.
Step 3: Implement Recording Policies
Regardless of which tool you use, your organization should have a clear policy on meeting recording:
- When is recording appropriate?
- How are participants informed?
- What is the lawful basis?
- What is the retention period?
- How are deletion requests handled?
Step 4: Inform Participants
Transparency is both a GDPR requirement and good practice. Participants should know:
- That the meeting is being recorded
- What tool is being used
- Where the data will be stored
- How long it will be retained
- How they can request access or deletion
This does not need to be a formal speech. A simple "I'm recording this meeting for transcription — the recording stays in the EU and you can ask me to delete it" is sufficient for most contexts.
The Data Sovereignty Question
Beyond GDPR compliance, there is a broader question about data sovereignty. Your meeting recordings contain your organization's knowledge — strategies, decisions, plans, opinions, relationships. This is valuable intellectual property.
When you store this data with a US-based cloud service, you are trusting that:
- The service will not be compelled to share your data with a foreign government
- The service will not use your data to train models that benefit your competitors
- The service will continue to exist and provide access to your data
- The service's terms will not change in ways that disadvantage you
These are not paranoid concerns. They are reasonable risk assessments that any organization should make about where it stores sensitive information.
Proudfrog's Approach
We built Proudfrog in the Nordics, for Nordic users, and we made data residency a fundamental design decision rather than an optional configuration.
- All data in Sweden. Audio files, transcripts, knowledge base — everything is stored and processed in Sweden.
- No US data transfers. Your meeting data does not touch US servers.
- No model training. We do not use your audio or transcripts to train AI models.
- Full deletion. When you delete your data, it is deleted. Not archived, not retained "for service improvement," not kept in a backup that persists indefinitely.
- Pay-per-use. €0.36 per hour of audio, no subscription. You are a customer, not a product.
Read our privacy policy for the complete details.
Moving Forward
GDPR compliance for meeting tools is not optional, and it is not going away. The enforcement trend in the Nordic countries is toward stricter interpretation and larger fines. The time to evaluate your meeting data handling is now, not after you receive a complaint or an audit finding.
The good news: EU-based alternatives exist, and they work well. You do not need to sacrifice functionality for compliance. You need to make a deliberate choice about where your meeting knowledge lives.
Download Proudfrog for iOS or learn about the macOS app. Your first recording is the first step toward GDPR-compliant meeting knowledge.
Frequently Asked Questions
Does GDPR apply to internal meetings, or only meetings with external participants?
GDPR applies to any processing of personal data, including internal meetings. If your meeting recording captures names, opinions, personal circumstances, or any information that identifies or could identify a person, it is personal data under GDPR. Internal meetings with employees are no exception — in fact, the employer-employee relationship raises additional considerations under Article 88.
Is consent always required to record a meeting under GDPR?
No. Consent is one lawful basis, but it is not always the most appropriate one, especially in employment contexts where consent may not be freely given. Legitimate interest (Article 6(1)(f)) is often more suitable for business meeting recordings, provided you conduct a balancing test and document your reasoning. However, informing participants is always required under GDPR's transparency principles.
What happens if a meeting participant requests that their data be deleted?
You need to comply, unless an exception applies (such as a legal obligation to retain the data). In practice, this means you need a tool that supports granular deletion — not just deleting the entire recording, but potentially editing out a specific person's contributions. Proudfrog supports data deletion, and you should check that any tool you use provides this capability.
Are meeting recordings considered "special category data" under GDPR?
Not by default, but they can be. If a meeting discussion reveals health information, political opinions, trade union membership, ethnic origin, or other categories listed in Article 9, then the recording contains special category data with stricter processing requirements. For organizations in healthcare, HR, or other sensitive areas, this is a realistic scenario that requires attention.
Can I use a US-based meeting tool if I get participants' consent?
Consent to recording is separate from consent to international data transfer. Even with recording consent, you need a valid transfer mechanism for sending personal data to the US. The EU-US Data Privacy Framework covers certified companies, but relying on consent for data transfers is problematic under GDPR because consent must be freely given, specific, and withdrawable — conditions that are hard to meet for an ongoing service relationship.
How does Proudfrog handle data from meetings with participants in multiple countries?
Proudfrog stores all data in Sweden regardless of where participants are located. This simplifies compliance because Sweden is within the EU/EEA, so data protection is governed by GDPR throughout. For meetings involving participants outside the EU, the usual GDPR rules about informing data subjects and maintaining records of processing activities apply, but there is no cross-border transfer to manage on Proudfrog's side.