GDPR-Compliant Meeting Transcription: Zoom and Teams Without US Cloud
Schrems II killed the easy path. Here's how to transcribe Zoom and Microsoft Teams meetings under GDPR — without sending data to Otter, Fireflies or any US-based AI assistant.
Every company in the EU runs meetings on Zoom or Microsoft Teams. Every company also wants searchable transcripts of those meetings — for project handoff, for sales coaching, for accessibility, for sheer institutional memory.
The default solution the market offers is Otter, Fireflies, Read.ai, or one of a dozen similar AI meeting assistants that join your calls, transcribe in real time, and summarize. They work well. They are also, almost without exception, US-based companies running on US cloud infrastructure — which makes them a GDPR liability for European customers, especially after Schrems II.
This article explains why the "AI notetaker" pattern is harder to make compliant than it looks, and how to get the same end result (good meeting transcripts) without sending your conversations across the Atlantic.
Why this matters more in 2026 than it did in 2022
Three things have changed since the early days of AI meeting assistants:
- Schrems II is now four years old. The 2020 ruling of the Court of Justice of the EU (CJEU, German: EuGH) in case C-311/18 invalidated the EU-US Privacy Shield, and the successor framework (EU-US Data Privacy Framework, 2023) is widely expected to face the same fate. EU data protection authorities have been increasingly active in enforcement.
- AI training has become a documented risk. Several meeting-assistant providers were caught using customer audio for model improvement. Even providers who say "we don't train on your data" often allow such use under broad terms-of-service language, with opt-outs buried deep in admin panels.
- Bot policies are stricter. Both Zoom and Microsoft have introduced controls over which third-party bots can join meetings, partly in response to compliance pressure from large enterprise customers.
The result: a setup that worked fine in 2022 — "we use Otter, our IT signed off years ago" — is now a recurring item in GDPR audits.
What the law actually says
Audio is personal data — usually special-category data
Under GDPR Article 4(1), any information relating to an identified or identifiable natural person is personal data. A voice recording almost always meets this definition: voices are biometric, and even without voice biometrics, the content of meetings identifies the speakers by name, role, or context.
Article 9 raises the stakes further. Any meeting that contains discussion of health, ethnic origin, religious belief, political opinion, trade union membership, sexual orientation, or biometric data falls under Article 9 — special categories that require explicit consent or another specific legal basis. Health-tech standups, HR meetings, and union negotiations all qualify routinely.
Article 44 — international transfers
Sending recorded meetings to a US transcription provider is an international transfer of personal data. After Schrems II, such transfers require:
- Standard Contractual Clauses (SCCs), and
- Supplementary measures that compensate for the gap between EU and US protection levels.
For audio data, the supplementary measures bar is high. The European Data Protection Board's recommendations (06/2020) explicitly note that strong encryption with EU-held keys is one of the few measures that can sufficiently mitigate the risk — but most US transcription providers cannot offer that because they need the audio in cleartext to transcribe it.
Article 28 — processor obligations
Even when the transfer mechanism is in place, the processor (the transcription provider) must sign a Data Processing Agreement covering subject matter, duration, nature, purpose, types of data, categories of data subjects, and the controller's obligations. Many US notetaker providers offer a DPA only as a contractual add-on for enterprise plans. Their self-serve plans typically do not.
The CLOUD Act problem
The US CLOUD Act allows US authorities to compel US-headquartered companies to hand over data, regardless of where that data is physically stored. This means a meeting transcript stored on AWS servers in Frankfurt by a US company is still legally accessible to US law enforcement — without an EU court order, without notice to the data subject.
For meetings that include trade secrets, M&A discussions, legal strategy, or competitive intelligence, this is not a theoretical risk.
Why the popular AI notetakers fail GDPR scrutiny
Let's name the specific issues with the leading meeting-assistant products. We're going to be specific because vagueness doesn't help anyone.
- A bot joins your meeting. It receives the audio stream of every participant — including external participants who never opted into the recording. GDPR Article 7 (consent) is violated immediately unless every participant gives informed, specific, voluntary consent.
- Audio is processed in the US. Even when a European endpoint is offered, the model inference often runs in US regions. The DPA frequently allows this with a brief mention of "global infrastructure."
- AI training is enabled by default, with opt-out rather than opt-in. A typical clause: "We may use de-identified content to improve our services." There is no robust definition of de-identification for raw audio.
- Retention is indefinite by default. Free-tier and even paid plans typically retain transcripts forever. GDPR Article 5(1)(e) requires storage limitation.
- Data subject requests are slow and incomplete. Try filing a deletion request that includes the requirement to remove backups and any derived models. The response time is often weeks.
None of these problems are unsolvable in principle. They're just unsolved in the products that dominate the market.
A compliant workflow for Zoom and Teams
There is a clear path to GDPR-compliant meeting transcription. It's slightly less convenient than letting Otter join your meetings, but only slightly — and the compliance posture is dramatically better.
Option 1: Native Zoom recording, then transcribe
- Use Zoom's built-in cloud recording or local recording. Configure Zoom to store recordings in the EU region (Zoom offers EU data residency for Business and Enterprise plans). Have your Zoom DPA in place.
- After the meeting, download the MP4 file. Or, with API access, fetch it automatically via the Zoom Recording API.
- Upload to your EU-based transcription provider via API.
- Receive the transcript with word-level timestamps, speaker diarization, and search.
- Delete the original recording on a configured schedule (e.g., 30 days).
This pattern keeps audio inside your direct control. You sign one DPA with Zoom and one with the transcription provider. No third bot joins your meeting. Consent flows are simple.
Option 2: Native Teams recording, then transcribe
The same pattern works with Microsoft Teams. Teams recordings are stored in OneDrive/SharePoint, in your Microsoft 365 tenant's geographic region. You can configure the EU as your tenant region. You then fetch the recording via Microsoft Graph API and submit it to your transcription provider.
Teams has its own built-in transcription, but for languages other than English the quality is uneven, and the data flows to Microsoft are not always transparent. Many compliance teams prefer to disable Teams transcription and use a dedicated EU provider.
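The "record natively, transcribe in the EU, delete on a schedule" pattern from Option 1 and Option 2, as an added example that is not DeepScript's, Zoom's or Microsoft's own code. It normalises a Zoom recordings listing and a Microsoft Graph Teams recording listing into one record type, refuses to build a transcription submission unless the upload endpoint is HTTPS and on an EU host allowlist, and selects originals that are past a 30-day retention window for deletion. The API responses are constructed samples modelled on the public Zoom `recording_files` and Graph `callRecording` shapes; the provider hostname, the submission option names and the `run_once` orchestration are hypothetical.

```python
"""Native-recording-then-EU-transcription pipeline, exercised offline on constructed data."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Hypothetical: the host(s) the EU transcription provider documents as EU-only compute.
EU_TRANSCRIPTION_HOSTS = {"api.example-eu-transcriber.eu"}
RETENTION_DAYS = 30  # delete the original recording after this many days (Option 1, step 5)


@dataclass(frozen=True)
class Recording:
    source: str          # "zoom" or "teams"
    meeting_id: str
    download_url: str
    started_at: datetime


def _parse_ts(value: str) -> datetime:
    # Both APIs return RFC 3339 timestamps with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def from_zoom(response: dict) -> list[Recording]:
    """Pick completed MP4 files out of a Zoom 'list recordings' response."""
    out = []
    for meeting in response.get("meetings", []):
        started = _parse_ts(meeting["start_time"])
        for f in meeting.get("recording_files", []):
            if f.get("file_type") == "MP4" and f.get("status") == "completed":
                out.append(Recording("zoom", str(meeting["id"]), f["download_url"], started))
    return out


def from_graph(response: dict) -> list[Recording]:
    """Normalise Microsoft Graph callRecording items (Teams) into the same record type."""
    return [
        Recording("teams", item["meetingId"], item["recordingContentUrl"], _parse_ts(item["createdDateTime"]))
        for item in response.get("value", [])
    ]


def transcription_target_is_allowed(upload_url: str) -> bool:
    """Only ship audio to an HTTPS endpoint on the EU allowlist (no accidental US sub-processor)."""
    u = urlparse(upload_url)
    return u.scheme == "https" and u.hostname in EU_TRANSCRIPTION_HOSTS


def build_submission(rec: Recording, upload_url: str) -> dict:
    """Request body for the EU provider; option names are hypothetical."""
    if not transcription_target_is_allowed(upload_url):
        raise ValueError(f"refusing non-EU transcription target: {upload_url}")
    return {
        "url": upload_url,
        "audio_url": rec.download_url,
        "metadata": {"source": rec.source, "meeting_id": rec.meeting_id},
        "options": {"timestamps": "word", "diarization": True},
    }


def due_for_deletion(recs: list[Recording], now: datetime, retention_days: int = RETENTION_DAYS) -> list[Recording]:
    """Originals whose meeting started at or before now - retention window."""
    cutoff = now - timedelta(days=retention_days)
    return [r for r in recs if r.started_at <= cutoff]


def run_once(zoom_resp: dict, graph_resp: dict, upload_url: str, now: datetime) -> dict:
    """One scheduler tick: submit every new recording, list originals to delete."""
    recs = from_zoom(zoom_resp) + from_graph(graph_resp)
    return {
        "submissions": [build_submission(r, upload_url) for r in recs],
        "delete": [r.download_url for r in due_for_deletion(recs, now)],
    }


# Constructed sample responses (not captured from a real tenant).
ZOOM_SAMPLE = {"meetings": [
    {"id": 111222333, "start_time": "2026-01-05T09:00:00Z", "recording_files": [
        {"file_type": "MP4", "status": "completed", "download_url": "https://zoom.example/rec/download/a1"},
        {"file_type": "M4A", "status": "completed", "download_url": "https://zoom.example/rec/download/a2"}]},
    {"id": 444555666, "start_time": "2026-02-20T14:30:00Z", "recording_files": [
        {"file_type": "MP4", "status": "completed", "download_url": "https://zoom.example/rec/download/b1"}]},
]}
GRAPH_SAMPLE = {"value": [
    {"meetingId": "MSoxMjM0", "createdDateTime": "2026-01-20T10:00:00Z",
     "recordingContentUrl": "https://graph.example/recordings/r1/content"},
]}
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)
EU_UPLOAD = "https://api.example-eu-transcriber.eu/v1/transcribe"

if __name__ == "__main__":
    print(run_once(ZOOM_SAMPLE, GRAPH_SAMPLE, EU_UPLOAD, NOW))
```

In production the `download_url` values are fetched with the Zoom or Graph bearer token and streamed to the provider over TLS; the allowlist check is the control that keeps a misconfigured endpoint from turning the pipeline into an undocumented US transfer.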
Option 3: Local recording for sensitive meetings
For meetings with elevated sensitivity — board calls, legal strategy, HR investigations — record locally on the host's machine, transfer to encrypted storage, and submit to transcription via API over TLS. This minimizes the number of parties handling the audio.
Consent and notice
Regardless of the technical path, GDPR consent rules apply. Best practices:
- A brief recording notice at the start of every meeting ("This meeting is being recorded and will be transcribed for note-taking purposes.").
- A written notice in the calendar invite explaining how recordings are stored and for how long they are retained.
- Honoring objection: if a participant objects, stop the recording. The meeting still happens — you just take notes the old-fashioned way.
- For meetings with external participants, prefer explicit opt-in rather than implied consent. Article 7(2) requires that consent be "clearly distinguishable" from other matters.
What a compliant EU transcription provider should give you
The technical requirements are clear:
- All processing inside the EU. Not just storage — the actual transcription compute, including the model inference, must run in the EU. Ask specifically: "Where does the GPU running my audio physically live?"
- No US sub-processors for audio data. A vendor that runs an EU frontend but pipes audio through OpenAI's Whisper API in the US is not compliant.
- A real DPA. Article 28-compliant, signed before any data is processed, listing all sub-processors.
- No training on customer data. Written and binding, not buried in marketing.
- Configurable retention. You set the deletion timeline. The provider executes it automatically.
- Word-level timestamps and speaker diarization. Without these you can't audit transcripts back to the original audio.
- Export and deletion APIs. For when you need to honor data subject requests at scale.
Where DeepScript fits
We built DeepScript specifically for this scenario. Our setup:
- Servers in Germany. Hetzner, ISO 27001-certified. Not "EU region of US hyperscaler" — actual German company, actual German hardware.
- No third-party AI. Our speech recognition runs on our own infrastructure. No OpenAI Whisper API, no Google Speech-to-Text, no AWS Transcribe.
- DPA included. GDPR Article 28-compliant, sub-processor list, EU-only.
- Configurable retention. Default is 30 days for audio, immediate deletion option available. Transcripts kept as long as you want, deletable on demand.
- Zoom and Teams integration patterns. API-friendly, with a defined workflow for both native recording flows.
- REST API and MCP access. Build your meeting transcription pipeline programmatically, or expose transcripts to AI agents (Claude Desktop, custom tooling) via the Model Context Protocol — without sending the underlying audio to a foreign provider.
What this costs versus the US notetakers
A common objection: "But Otter is so cheap." Let's compare honestly.
- Otter Pro: about $17/user/month, unlimited transcription within fair-use, US data.
- DeepScript Standard: €0.18 per audio hour, pay-as-you-go.
If your team has 20 people each running 10 hours of meetings per month, Otter costs $340/month. DeepScript costs 20 × 10 × €0.18 = €36/month for the transcription portion. The DeepScript number scales with usage; Otter scales with seats.
The accuracy gap on European languages is now usually in DeepScript's favor, particularly for German, French, Italian, and Polish.
The honest summary
GDPR-compliant meeting transcription is not hard. It's just different from the default. The default is "let an AI bot join the call." The compliant version is "record natively, transcribe via an EU provider, delete on a schedule."
That's it. Two extra steps, no US cloud, no Schrems II exposure, no AI training on your conversations.
If you're rebuilding your meeting workflow and want to see how this plays out in practice — with a worked example for Zoom and one for Teams — we maintain a detailed use-case page with API examples and consent templates. No marketing fluff, just the wiring.