Hedy AI has implemented the contractual and technical framework to support the lawful and compliant processing of personal data under the European Union's General Data Protection Regulation (GDPR). This means our users—whether in Berlin, Barcelona, or Boston—can use Hedy with the confidence that their conversation data is handled according to one of the world's strictest privacy frameworks. This framework provides all safeguards required for using Hedy AI as a data processor under European data protection law.
When you use an AI meeting coach like Hedy, you're sharing conversation transcripts, meeting insights, and potentially sensitive business information. GDPR compliance isn't just about checking regulatory boxes—it's about establishing concrete safeguards for this data.
For AI applications specifically, GDPR presents unique challenges. Unlike simple data storage services, AI tools process and analyze your information to generate insights. This requires careful consideration of:
European organizations can now rely on a strengthened processor framework that supports them in meeting their own obligations under the General Data Protection Regulation (GDPR). As always, the final responsibility for GDPR compliance remains with the customer as the data controller — Hedy AI provides the safeguards required on the processor side.
To provide a robust foundation for GDPR-compliant use of Hedy AI, we have established and published the following contractual and technical components:
Our Data Processing Addendum defines exactly how we handle your data as a processor. This legally binding agreement ensures we only process data according to your instructions and for the specific purposes you've authorized—namely, providing you with real-time meeting intelligence.
SCCs are included as the transfer mechanism for personal data sent from the EU/EEA to the United States. These clauses contractually bind Hedy AI to EU-level protections and ensure enforceable rights for data subjects.
We have documented and implemented comprehensive security measures including:
We've conducted a thorough Transfer Impact Assessment (TIA) that evaluates the relevant US laws and practices affecting access to transferred EU personal data. Based on the initial TIA, we have identified risk-mitigation steps and implemented additional measures to protect your data. This assessment, available in our Trust Center, demonstrates how we protect EU data even when it crosses borders.
All sub-processors are contractually bound to the same protections, fully documented, and listed with their respective roles. Changes follow the legally required notification and objection process.
European companies can use Hedy within their own GDPR framework and compliance assessment. The documentation we provide — including DPA, SCCs, TOMs and our TIA — helps compliance teams assess and integrate Hedy into their existing data-protection processes.
Our GDPR-aligned framework is an important step toward enabling the responsible use of Hedy in regulated environments. While additional certifications such as HIPAA and SOC 2 Type 2 are in preparation (expected Q1 2026), the GDPR safeguards we have implemented already provide a strong baseline for organizations with elevated data-protection requirements.
Your meeting transcripts, insights and personal data are processed under clear safeguards. You retain full control over your information with the ability to access, export or delete your data at any time, and you have full transparency into how and why it is processed.
To ensure full GDPR compliance, customers must continue to fulfil their own obligations as data controllers. These include, among other things:
Our framework is specifically designed to support these obligations and to provide all processor-side safeguards required by the GDPR.
With this framework, Hedy AI delivers a complete processor-side compliance setup — contractual, technical and organisational. Combined with the customer's own compliance measures as data controller, Hedy AI can be used for the processing of personal data in full accordance with European data protection law.
We know legal documents can be dense. To help you navigate our GDPR compliance framework, we've created a comprehensive guide that walks you through each document and your responsibilities as a data controller.
Access our "Guidance on Fulfilling Your GDPR Accountability When Using Hedy AI":
This guide provides a practical checklist for reviewing our Data Processing Addendum, Transfer Impact Assessment, Technical and Organizational Measures, and Sub-processor List. It's designed to help your compliance team efficiently complete their GDPR assessment and documentation requirements.
If you're using Hedy within your organization, here's how to ensure GDPR compliance on your end:
We provide detailed guidance in our Trust Center to help your compliance team complete these steps.
GDPR compliance represents our commitment to privacy-first development. When we built Hedy's automatic suggestions feature, we designed it to process conversations without storing unnecessary data. When we implemented Topics for organizing sessions, we ensured users maintain full control over their grouped conversations.
This approach—privacy by design rather than retrofitted compliance—means GDPR principles are embedded in how Hedy works, not just how we document it.
GDPR compliance is one milestone in our ongoing commitment to data protection. We're currently working toward:
All GDPR compliance documentation is available in our Trust Center, accessible through your Hedy account settings. If you're not yet a customer but need to review our compliance framework, request access at trust.hedy.ai.
Questions about our GDPR compliance or data protection practices? Contact our data protection team through the Trust Center or email privacy@hedy.ai.