GDPR AI compliance with Audact
Last updated: 8 April 2026 · 8 min read · Reviewed by Audact compliance team
Privacy by design, not by afterthought.
How Audact handles GDPR
EU-only data storage
All data is stored exclusively in the EU. Primary region: AWS Frankfurt (eu-central-1). Backup region: AWS Amsterdam (eu-west-1). No data leaves the European Union.
No conversation content stored
Audact never stores conversation content. Only compliance metadata and cryptographic evidence hashes are retained — enough to prove compliance, nothing more.
Crypto-shredding for erasure
Data subject erasure requests are handled via crypto-shredding (Patent P7). The encryption key is destroyed, rendering all associated data permanently unrecoverable — while the evidence chain integrity is maintained.
Evidence chain integrity
Even after personal data is destroyed, the compliance evidence chain remains intact. Cryptographic hashes prove that compliance obligations were met, without retaining any personal data.
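The two properties described above (the key is destroyed, the evidence chain still verifies) in working form. This is an added illustration, not Audact's implementation or anything covered by Patent P7: it assumes one encryption key per record, uses an HMAC-SHA256 counter-mode keystream in place of a real AEAD such as AES-GCM, and builds a SHA-256 hash chain over ciphertext hashes and a pseudonymous record id only.

```python
import hashlib
import hmac
import secrets
GENESIS = "0" * 64  # anchor for the first evidence entry

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode stands in for a real AEAD such as AES-GCM
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes):
    nonce = secrets.token_bytes(16)
    return nonce, bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def decrypt(key: bytes, nonce: bytes, ct: bytes) -> bytes:
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def append_evidence(chain: list, record_id: str, ct: bytes) -> dict:
    # Only a hash of the ciphertext and a pseudonymous record id enter the chain
    prev = chain[-1]["entry_hash"] if chain else GENESIS
    ct_hash = hashlib.sha256(ct).hexdigest()
    entry_hash = hashlib.sha256(f"{prev}|{record_id}|{ct_hash}".encode()).hexdigest()
    entry = {"prev": prev, "record_id": record_id, "ct_hash": ct_hash, "entry_hash": entry_hash}
    chain.append(entry)
    return entry

def verify_chain(chain: list) -> bool:
    prev = GENESIS
    for e in chain:
        expected = hashlib.sha256(f"{prev}|{e['record_id']}|{e['ct_hash']}".encode()).hexdigest()
        if e["prev"] != prev or e["entry_hash"] != expected:
            return False
        prev = e["entry_hash"]
    return True

def recover(keys: dict, record_id: str, nonce: bytes, ct: bytes):
    key = keys.get(record_id)  # None once the key has been shredded
    return None if key is None else decrypt(key, nonce, ct)

def demo() -> dict:
    keys, chain = {"rec-42": secrets.token_bytes(32)}, []  # per-record key (constructed)
    nonce, ct = encrypt(keys["rec-42"], b"constructed sample: caller consented at 10:02")
    append_evidence(chain, "rec-42", ct)
    before = recover(keys, "rec-42", nonce, ct)
    keys.pop("rec-42")  # crypto-shred: destroy the key, keep ciphertext and chain
    return {"before": before, "after": recover(keys, "rec-42", nonce, ct), "chain_ok": verify_chain(chain)}
```

After the key is dropped the ciphertext is unrecoverable, yet `verify_chain` still passes because the chain never depended on the key; editing any entry afterwards breaks verification.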
GDPR Article 22: automated decision-making and AI
Article 22 gives every data subject the right not to be subject to a decision based solely on automated processing — including profiling — that produces legal effects or similarly significantly affects them. For AI deployers this is the most consequential provision in GDPR: an AI system that declines a loan, rejects a job applicant, triggers a fraud block or schedules a disciplinary hearing without meaningful human review falls squarely within Article 22.
Lawful routes exist: explicit consent, necessity for a contract, or authorisation under Union/Member-State law with adequate safeguards. In all cases the controller must provide meaningful information about the logic involved, the significance of the processing, and give the subject the right to obtain human intervention, express a point of view and contest the decision. The European Court of Justice confirmed in SCHUFA (C-634/21, 2023) that probability scoring used by third parties to drive a decision is itself "automated decision-making" — broadening Article 22 for AI vendors.
How AI systems trigger GDPR data protection obligations
Training, fine-tuning and inference on personal data are each distinct processing activities under Article 4(2), and each requires its own lawful basis under Article 6. Voice agents, chatbots and agentic workflows routinely ingest names, phone numbers, voice biometrics and content revealing health, beliefs or sexuality — which can escalate processing to special-category data under Article 9, requiring a stronger basis such as explicit consent or substantial public interest.
A Data Protection Impact Assessment (Article 35) is effectively mandatory for most customer-facing AI deployments: they combine systematic monitoring, new technology and often vulnerable data subjects. Controllers must also satisfy the transparency duties of Articles 13–14 at the point of data collection — a duty that AI voice agents frequently fail to meet because the disclosure happens too late in the conversation.
Cross-border data transfers under GDPR for AI providers
Chapter V of GDPR restricts transfers of personal data outside the EEA. Following Schrems II, controllers must conduct a Transfer Impact Assessment whenever using Standard Contractual Clauses, and the EU–US Data Privacy Framework currently provides the only adequacy bridge to the United States. Many popular AI providers (OpenAI, Anthropic, Google) process EU data on US-based infrastructure under DPF or SCCs, which shifts the due-diligence burden onto the customer.
Audact solves this by operating exclusively inside the EU: inference traffic, metadata, keys and backups remain within AWS Frankfurt and Amsterdam. No Chapter V transfer ever occurs, eliminating TIA overhead and removing dependence on the DPF's ongoing political stability.
Data processing roles
Audact operates as a data processor. The customer remains the data controller at all times. Audact processes data solely on behalf of and under the instructions of the controller.
Data Processing Agreement
Our standard DPA is available at /legal/dpa. Enterprise customers can request a custom DPA.
Contact
For privacy-related enquiries, reach us at privacy@audact.ai.
Frequently asked questions
Does Audact store conversation content?
No. Audact retains only compliance metadata and cryptographic evidence hashes — enough to prove compliance, nothing more.
Where is data stored?
Exclusively in the EU. Primary region AWS Frankfurt (eu-central-1), backup AWS Amsterdam (eu-west-1). No data leaves the European Union.
How are erasure requests handled?
Via crypto-shredding (Patent P7): the encryption key is destroyed, rendering the associated data permanently unrecoverable while the evidence chain integrity is preserved.
Is Audact a data processor or controller?
Audact acts as a data processor. The customer remains the data controller and Audact processes data solely on the controller's documented instructions.
Compare EU AI compliance laws
| Law | Deadline | Who | Penalty |
|---|---|---|---|
| EU AI Act Art. 50 | 2 Aug 2026 | All AI deployers in EU | €7.5M / 1.5% turnover |
| NL Telecomwet | 1 Jul 2026 | Outbound marketing to NL consumers | €900k / 10% turnover |
| GDPR | In force | Any processor of EU personal data | €20M / 4% turnover |
| DSA | In force (Feb 2024) | Intermediaries & VLOPs | 6% global turnover |
| ePrivacy | In force | Senders of electronic communications | Varies by Member State |
Disclaimer: This page is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for your specific compliance obligations.