Privacy·2026-03-19·9 min read·Punkto Team

GDPR-compliant meeting tools in 2026 — the practical checklist

A practical, lawyer-free checklist to choose a GDPR-compliant video meeting and AI transcription tool in 2026 — covering data residency, lawful basis, retention, subprocessors, DPA, and cross-border transfers.

Most “GDPR-compliant” meeting tool claims do not survive a serious DPIA. This checklist is what you actually need to verify before adopting a meeting platform with audio recording or AI transcription in 2026 — not the marketing version.

Use it as a procurement filter. Ten yes-answers and you are probably fine. One critical no, and you have a problem your legal team will eventually inherit.

The 12 questions that matter

1. Where is the data physically stored?

Ask for the exact data center location of every data type: meeting metadata, audio recordings, transcripts, AI summaries, account data, logs. "EU region" is not enough — get the country and the operator. Backups count.

2. Who controls the operator, and where is it incorporated?

If the parent company is incorporated in the United States, the CLOUD Act reaches the data regardless of where the servers are, and US surveillance law (FISA 702) is what the CJEU relied on in Schrems II. That is the Schrems II issue in one sentence. EU hosting under a US-controlled entity is not sovereign data residency.

3. Is a DPA available, signed, and Article 28 compliant?

A Data Processing Agreement (DPA) is mandatory for any processor under GDPR. Make sure it lists sub-processors, retention periods, deletion procedures, and audit rights. “DPA available on request” means it is not part of the standard contract — push back.

4. Are sub-processors disclosed?

Most tools rely on AI providers, transcription engines, email senders, and analytics services. Each is a sub-processor. Get the full list. Each US sub-processor reopens the Schrems II analysis. Three US sub-processors in the chain means three transfer impact assessments you need to write and keep current.

5. Is audio recorded? If yes, is it retained?

Audio recording is the highest-risk data type — voice is biometric data under GDPR Art. 4(14) and Recital 51, and a special category under Article 9 once it is processed to uniquely identify someone. The safest pattern: process audio in memory, transcribe, discard the audio buffer immediately, persist only the text transcript. Zero audio retention by design.

6. What is the lawful basis you will document?

For your own staff: usually legitimate interest with a balancing test and an information notice. For external participants: explicit consent before recording starts, with a clear purpose statement. If your tool starts recording before consent, that is a process flaw, not a GDPR-compliance feature.

7. Is participant data minimized?

Does the tool require participant accounts? Does it log IP addresses, browser fingerprints, or device identifiers? Data minimisation is GDPR Article 5(1)(c): collect only what the purpose needs. A tool that lets participants join with just a link and a display name is far easier to keep compliant than one that requires accounts.

8. How is data subject access (DSAR) handled?

A participant has the right to request a copy of all their personal data (GDPR Art. 15), free of charge and normally within one month (Art. 12(3)). Ask the vendor: how does this work for meeting transcripts that mention this participant in passing? "Contact our support" is not a working answer if you have 50 customers asking.

9. Can data be deleted on request, including from backups?

Right to erasure (Art. 17) means recordings, transcripts, and any derivative summaries must be deletable. Backups are notoriously hard. Confirm the deletion SLA and whether it covers backups within a defined window.

10. Are AI models trained on your data?

This is the question that catches most enterprise SaaS. “We may use de-identified data to improve our models” in the ToS is incompatible with most enterprise DPAs. Get a written zero-training commitment from your transcription and summary AI providers, or pick providers that operate under zero-retention enterprise contracts.

11. What happens at end of contract?

Data export format, deletion timeline, attestation of deletion. Without these, end-of-contract becomes a slow data leak. Insist on a written deletion attestation in the DPA exit clause.

12. How are you notified of breaches?

GDPR Art. 33(1) gives you, the controller, 72 hours to notify your supervisory authority; Art. 33(2) only obliges the processor to tell you "without undue delay". The vendor therefore needs a contractual SLA tighter than 72 hours — typically 48 hours, ideally 24 — so you have time to assess and notify. Find the breach notification clause in the DPA and read it before signing.

Red flags that should kill the deal

  • The tool uses your data to train its models “by default, opt-out only.”
  • The DPA is not in the standard agreement and requires a sales call to obtain.
  • Sub-processors are not disclosed or change without notice.
  • Audio is stored on the vendor's infrastructure with unclear retention.
  • Right-to-erasure requests must go through email support, no automated flow.
  • Server location is “global” or “will be EU soon.”
  • The DPA references US choice of law without SCCs.

Green flags worth paying for

  • Servers operated by an EU-incorporated entity, not just hosted in the EU.
  • Zero audio retention by design — the tool literally cannot keep your call audio.
  • Short subprocessor list, all named, all EU or self-hosted.
  • Default lawful basis explicit in onboarding (consent flow before recording).
  • Open-source components for the parts that handle the most sensitive data.
  • SLA on breach notification ≤24h.
  • Standardized data export and deletion endpoints.

Where Punkto stands on this checklist

Full disclosure: we run Punkto, an EU-jurisdictional meeting platform, so we are not neutral. Here is how we score against the 12 questions, in plain text.

  1. Where: European Union infrastructure, EU-only.
  2. Operator: EU-incorporated, no US parent, not subject to the CLOUD Act.
  3. DPA: available on Enterprise plans, Article 28 compliant, signed before contract.
  4. Sub-processors: short list, fully disclosed, all EU.
  5. Audio: processed in memory, then immediately discarded — not stored, anywhere, ever.
  6. Lawful basis: participants are notified before any recording starts.
  7. Participant data: joiners need only a link and a display name. No account required.
  8. DSAR: account holder can export all data from the dashboard.
  9. Deletion: account deletion cascades to all sessions, transcripts, and summaries; soft-deletes purged after a defined window.
  10. AI training: never. Our AI providers operate under zero-retention enterprise contracts.
  11. End of contract: data export available; deletion attestation provided on request.
  12. Breach SLA: 24h, in the DPA.

If this list reads as obvious, that is the point. GDPR compliance is not magic — it is a series of boring boxes that need to be ticked, and a small number of architectural decisions made early.


Sources. Regulation (EU) 2016/679 (GDPR) gdpr-info.eu. EDPB Recommendations 01/2020 on supplementary measures for international transfers (Schrems II). EDPB Guidelines 03/2018 on territorial scope.

Frequently asked questions

Is Google Meet GDPR-compliant?

Google Meet can be used in a GDPR-compliant way if you sign a Google Workspace DPA, configure data location to "European Union" where available, and accept that Google LLC (a US company) is your processor. Schrems II compliance still depends on your supplementary measures and DPIA.

What is the difference between EU hosting and EU jurisdiction?

EU hosting means data sits in a data center physically located in the EU. EU jurisdiction means the company operating the service and processing the data is incorporated in the EU and is not subject to extraterritorial laws like the US CLOUD Act. Hosting alone is not enough.

Do I need to record meetings to be GDPR-compliant?

No — GDPR does not require recording. The opposite is generally true: data minimization (Art. 5(1)(c)) suggests you should not record unless you have a clear lawful basis and explicit purpose. If you do record, prefer tools that discard audio after transcription.

Can a US-based meeting tool ever be GDPR-compliant?

In principle yes, with a signed DPA, SCCs (Standard Contractual Clauses) and supplementary measures. In practice, the CLOUD Act exposure makes a clean DPIA harder to write. EU-jurisdictional alternatives remove that complication entirely.

What is the safest lawful basis for meeting recordings?

For internal meetings, "legitimate interest" (Art. 6(1)(f)) usually applies — provided you can document the necessity, proportionality, and balancing test. For external participants, explicit consent (Art. 6(1)(a)) before the recording starts is safer.

How long can I keep meeting transcripts under GDPR?

No fixed deadline. The principle is "no longer than necessary" (Art. 5(1)(e)). Document a retention period in your privacy policy — typically 30, 90, or 365 days for transcripts — and enforce automatic deletion in the tool.

Try Punkto

Structured meetings, live captions, AI summaries — EU-hosted, GDPR-native. Free for 3 sessions/month, no credit card.