Julian Pscheid · · Updated May 1, 2026

Hedy GDPR Compliance: DPA, Standard Contractual Clauses, and EU Privacy Standards

Hedy implements the contractual and technical framework for GDPR-compliant processing of personal data: Data Processing Addendum, EU Standard Contractual Clauses, Transfer Impact Assessment, and Technical/Organizational Measures.

Quick answer: Hedy implements the full processor-side framework required for GDPR-compliant processing of personal data: a Data Processing Addendum (Article 28), EU Standard Contractual Clauses (Module 2, 2021/914), a Transfer Impact Assessment, documented Technical and Organizational Measures, and a transparent sub-processor list. EU data residency is available, and all documentation is published at trust.hedy.ai.

Hedy AI has implemented the contractual and technical framework to support the lawful and compliant processing of personal data under the European Union’s General Data Protection Regulation (GDPR). This means our users—whether in Berlin, Barcelona, or Boston—can use Hedy with the confidence that their conversation data is handled according to one of the world’s strictest privacy frameworks. This framework provides all safeguards required for using Hedy AI as a data processor under European data protection law.

What GDPR Compliance Actually Means for AI Tools

When you use an AI meeting coach like Hedy, you’re sharing conversation transcripts, meeting insights, and potentially sensitive business information. GDPR compliance isn’t just about checking regulatory boxes—it’s about establishing concrete safeguards for this data.

For AI applications specifically, GDPR presents unique challenges. Unlike simple data storage services, AI tools process and analyze your information to generate insights. This requires careful consideration of:

  • How data flows between your device and AI processing systems
  • What happens to your transcripts after they’re analyzed
  • How third-party AI providers handle your information
  • Your ability to control, export, or delete your data

A Strong Foundation for European Businesses

European organizations can now rely on a strengthened processor framework that supports them in meeting their own obligations under the General Data Protection Regulation (GDPR). As always, the final responsibility for GDPR compliance remains with the customer as the data controller — Hedy AI provides the safeguards required on the processor side.

What We Implemented

To provide a robust foundation for GDPR-compliant use of Hedy AI, we have established and published the following contractual and technical components:

Data Processing Addendum (Art. 28 GDPR)

Our Data Processing Addendum defines exactly how we handle your data as a processor. This legally binding agreement ensures we only process data according to your instructions and for the specific purposes you’ve authorized—namely, providing you with real-time meeting intelligence.

EU Standard Contractual Clauses (Module 2, 2021/914)

SCCs are included as the transfer mechanism for personal data sent from the EU/EEA to the United States. These clauses contractually bind Hedy AI to EU-level protections and ensure enforceable rights for data subjects.

Technical and Organizational Measures (Art. 32 GDPR)

We have documented and implemented comprehensive security measures including:

  • End-to-end encryption for data in transit and at rest
  • Zero Data Retention where possible
  • Strict access controls and authentication protocols
  • Regular security audits and vulnerability assessments
  • Clear data retention and deletion policies
  • Incident response procedures
  • Infrastructure safeguards

Transfer Impact Assessment (TIA)

We’ve conducted a thorough Transfer Impact Assessment that evaluates the relevant US laws and practices affecting access to transferred EU personal data. Based on the initial TIA, we have identified risk-mitigation steps and implemented additional measures to protect your data. This assessment, available in our Trust Center, demonstrates how we protect EU data even when it crosses borders.

Sub-Processor Transparency (Art. 28(2) and (4) GDPR)

All sub-processors are contractually bound to the same protections, fully documented, and listed with their respective roles. Changes follow the legally required notification and objection process.

What This Means for Different Users

For European Businesses

European companies can use Hedy within their own GDPR framework and compliance assessment. The documentation we provide — including DPA, SCCs, TOMs and our TIA — helps compliance teams assess and integrate Hedy into their existing data-protection processes.

For Healthcare and Regulated Industries

Our GDPR-aligned framework is an important step toward enabling the responsible use of Hedy in regulated environments. While additional certifications such as HIPAA and SOC 2 Type 1 are in preparation (expected Q2 2026), the GDPR safeguards we have implemented already provide a strong baseline for organizations with elevated data-protection requirements.

For Individual Professionals

Your meeting transcripts, insights and personal data are processed under clear safeguards. You retain full control over your information with the ability to access, export or delete your data at any time, and you have full transparency into how and why it is processed.

Customer Responsibilities Remain Unchanged

To ensure full GDPR compliance, customers must continue to fulfil their own obligations as data controllers. These include, among other things:

  • establishing a legal basis for processing,
  • providing transparency information to data subjects,
  • maintaining records of processing activities,
  • implementing internal access and deletion procedures,
  • conducting DPIAs where required.

Our framework is specifically designed to support these obligations and to provide all processor-side safeguards required by the GDPR.

Designed for Compliance, Built for Trust

With this framework, Hedy AI delivers a complete processor-side compliance setup — contractual, technical and organisational. Combined with the customer’s own compliance measures as data controller, Hedy AI can be used for the processing of personal data in full accordance with European data protection law.

Understanding the Compliance Documentation

We know legal documents can be dense. To help you navigate our GDPR compliance framework, we’ve created a comprehensive guide that walks you through each document and your responsibilities as a data controller.

Access our “Guidance on Fulfilling Your GDPR Accountability When Using Hedy AI”:

This guide provides a practical checklist for reviewing our Data Processing Addendum, Transfer Impact Assessment, Technical and Organizational Measures, and Sub-processor List. It’s designed to help your compliance team efficiently complete their GDPR assessment and documentation requirements.

Implementation for Organizations

If you’re using Hedy within your organization, here’s how to ensure GDPR compliance on your end:

  1. Review and approve our DPA and its annexes
  2. Document your assessment of our Transfer Impact Assessment
  3. Verify our Technical and Organizational Measures meet your security requirements
  4. Review and approve our current sub-processor list
  5. Establish a process for reviewing sub-processor changes

We provide detailed guidance in our Trust Center to help your compliance team complete these steps.

Privacy by Design, Not by Obligation

GDPR compliance represents our commitment to privacy-first development. When we built Hedy’s automatic suggestions feature, we designed it to process conversations without storing unnecessary data. When we implemented Topics for organizing sessions, we ensured users maintain full control over their grouped conversations.

This approach—privacy by design rather than retrofitted compliance—means GDPR principles are embedded in how Hedy works, not just how we document it.

What’s Next

GDPR compliance is one milestone in our ongoing commitment to data protection. We’re currently working toward:

  • SOC 2 Type 1 Certification: Expected Q2 2026, providing third-party validation of our security controls
  • HIPAA Compliance: Also targeting Q2 2026, enabling healthcare organizations to use Hedy
  • EU data residency is now live — new users can choose European or US storage during onboarding

For a buyer-side evaluation framework, see our GDPR checklist for AI meeting tools, or our deep-dive on the best GDPR-compliant AI meeting tool to understand where most tools fall short.

Frequently Asked Questions

Is Hedy GDPR compliant?

Hedy implements the full processor-side framework required by GDPR: a Data Processing Addendum aligned with Article 28, EU Standard Contractual Clauses for transfers to the US, a Transfer Impact Assessment, documented Technical and Organizational Measures, and sub-processor transparency. Customers remain controllers and retain their own obligations (lawful basis, transparency, DPIA where required, data subject rights).

Does Hedy provide a Data Processing Addendum (DPA)?

Yes. The Hedy DPA defines exactly how we handle your data as a processor under Article 28 GDPR, including processing only on your instructions, the duration of processing, security obligations, sub-processor terms, assistance with data subject rights, and breach notification. It’s available through the Trust Center and is automatically incorporated for business accounts.

Where can I get Hedy’s GDPR compliance documentation?

All compliance documentation — DPA, EU Standard Contractual Clauses (Module 2, 2021/914), Transfer Impact Assessment, Technical/Organizational Measures, and the current sub-processor list — is available through the Trust Center at trust.hedy.ai. Customers can also access the documentation via account settings and request access by emailing privacy@hedy.ai.

Who are Hedy’s sub-processors and where do they operate?

All sub-processors are listed in the Trust Center with their roles and processing locations, and they are contractually bound to the same protections as Hedy. Changes follow the legally required notification and objection process under Article 28(2) and (4). For users who choose EU data residency, AI processing also runs through European infrastructure.

Is Hedy a data controller or a data processor under GDPR?

Hedy acts as a data processor when handling customer conversation data on your behalf. You — the user or your organization — are the data controller. Hedy provides the technical, organizational, and contractual measures to support your obligations; you retain controller-side responsibilities including establishing a lawful basis, providing transparency to data subjects, and handling rights requests.

Access the Documentation

All GDPR compliance documentation is available in our Trust Center, accessible through your Hedy account settings. If you’re not yet a customer but need to review our compliance framework, request access at trust.hedy.ai.

Questions about our GDPR compliance or data protection practices? Contact our data protection team through the Trust Center or email privacy@hedy.ai.
