
Privacy FAQ

Answers to the most common questions about GDPR compliance, AI training, storage location, sub-processors, data subject rights and security. If your question isn't answered here, just get in touch.

GDPR & Compliance

Is DeepScript GDPR-compliant?
Yes. DeepScript has been built to be GDPR-compliant from day one: processing in Germany, no third-country transfer of content data, a DPA under Art. 28 available, documented technical and organisational measures under Art. 32, a transparent sub-processor list and full support for all data subject rights.
Is DeepScript a controller or a processor?
Both – depending on which data is meant. For content data (audio, transcripts) we are a processor under Art. 28 GDPR and act exclusively on our customer's instructions. For processing our customers' own account and billing data, we are the controller.
Is customer data used for AI training?
No. Never. Neither for training our own models nor for training third-party models. This assurance is contractually binding and technically safeguarded through clearly separated inference pipelines – training processes have no read access to production customer data.
Is there a data processing agreement (DPA)?
Yes. You can request the DPA directly online on the Trust Center page. Within a few minutes you receive a pre-filled PDF contract, signed by us, via email. The PDF includes all four annexes (TOMs, record of processing activities, sub-processors, AI compliance).
Do you have ISO 27001?
Yes. DeepScript is certified to ISO/IEC 27001, ISO 9001 and ISO 14001. Our infrastructure partner Hetzner is also ISO/IEC 27001 certified.

Hosting & Storage Location

Where is my data stored?
Exclusively in Germany – in the Hetzner data centres in Nuremberg and Falkenstein. Both locations are ISO/IEC 27001 certified. The application, database, transcription engine, object storage and backups all remain within these locations.
Does DeepScript transfer data outside the EU?
No content data. The only third-country transfer happens for payment processing via Stripe (EU → USA), safeguarded by EU Standard Contractual Clauses (SCCs) and Stripe's DPF certification. No audio or transcripts are transferred, only billing metadata (name, address, token, amount).
Do you use AWS, Azure or Google Cloud?
No. We do not use any US hyperscaler for processing or storing customer data. The entire infrastructure runs on Hetzner in Germany.
Which external AI services do you use?
None. Our Whisper-compatible speech-to-text engine runs entirely on our own infrastructure. We do not send any audio or transcripts to OpenAI, Anthropic, Google or similar providers. AI-assisted summaries happen exclusively client-side via the Model Context Protocol – the AI client chosen by the customer (e.g. Claude Desktop) brings its own model connection.

Security

How is my data encrypted?
In transit: TLS 1.3 (TLS 1.2 at minimum) between all components, HSTS on all public endpoints. At rest: AES-256 for backups; fully encrypted database volumes. Passwords are stored with bcrypt; API keys are stored exclusively as hashes.
Who on your team has access to my data?
In normal operation, no one. Administrative access to production systems requires two-factor auth and is fully audited. Read access to content data only happens when it is strictly necessary for error analysis and explicitly requested by the customer.
How quickly are we informed of a data breach?
Within 24 hours of becoming aware. The notification contains the nature of the breach, affected categories, measures taken and a point of contact. The obligation to notify supervisory authorities (Art. 33 GDPR, 72-hour deadline) remains with the controller; we provide all necessary information.
Does DeepScript conduct penetration tests?
Yes. Every year we commission an independent external security provider to run a penetration test against the web application and the public REST API. We make an executive summary available to business customers on request under NDA.

Retention Periods & Deletion

How long is my data stored?
Audio: deleted immediately after transcription. Transcripts: automatic deletion after 30 days by default, configurable between 7 and 365 days – or kept permanently with the Pro plan. Billing data: 10 years (statutory retention obligation under § 147 AO / § 257 HGB). Audit logs: 12 months after account deletion.
Can I request deletion of my data?
Yes. Under Settings → Data & Privacy you'll find buttons for a complete data export and account deletion. The deletion takes effect immediately. In backups the data disappears within 14 days with the backup rotation.
What happens after the contract ends?
All customer data is deleted within 30 days. If the contract ends with an active Pro plan, auto-deletion is reset to 30 days. You can request a written confirmation of deletion.

Data Subjects

How does DeepScript support data subject requests?
Self-service via the settings (export, deletion) – effective immediately. We answer email requests to datenschutz@deepscript.com within 5 business days. If the controller is a business customer, we coordinate requests through their data protection officer.
How do I inform conversation partners about the recording?
That is the controller's responsibility (i.e. you or your employer). Notification obligations arise from Art. 13/14 GDPR as well as from Art. 50 EU AI Act for AI-assisted processing. On request we provide template texts for privacy notices.
What about recordings that mention people who were not asked?
The controller must have a lawful basis (consent, legitimate interest, etc.) for the processing – including for third parties who are merely mentioned. DeepScript does not review this in terms of content; we process exclusively on instruction. When in doubt: anonymise or redact data before uploading.

Sub-Processors & Documents

Which sub-processors does DeepScript use?
You'll find the current list at /datenschutz/subprozessoren. Currently: Hetzner (hosting, Germany) and Stripe (payment, EU + USA with SCCs).
Will I be informed before a change to the sub-processor list?
Yes. Business customers with an active DPA are informed by email at least 30 days before a new sub-processor with access to personal data is added, and can object within 14 days for good cause.
Which privacy documents are available?
DPA (with 4 annexes) on online request. TOMs as part of the DPA (Annex 1). Sub-processor list on this website. Privacy policy at /datenschutzerklaerung. Penetration test summary on request under NDA.
Who is the contact for data protection?
Aliru GmbH, Julius-Hatry-Straße 1, 68163 Mannheim. Email: datenschutz@deepscript.com. Managing Director: Julian Kissel.

Questions?

Send us an email at datenschutz@deepscript.com – we reply within one business day.