
Data Residency for Transcription: Where Audio Lives
Summarize this article with:
When you upload audio to a transcription service, it typically lands in a US data center for processing, regardless of where the vendor's marketing says "EU data residency." A handful of providers now offer genuine EU endpoints where both storage and processing stay inside European borders, Deepgram, AssemblyAI, Google Cloud STT, and Happy Scribe among them. Residency (where the data physically sits) is not the same as sovereignty (which jurisdiction's courts can compel access), and the storage/processing split is the single most common gap in vendor claims.
When you hit upload, your audio file typically travels to a US data center within milliseconds. The transcription model runs there, the transcript is written there, and the result is returned to you. "EU data residency" appears prominently in many vendor marketing pages, but the gap between that claim and the full data flow is often significant.
This post maps where the audio actually goes across the main providers, separates residency from sovereignty, and explains when residency genuinely matters versus when it is an inherited policy requirement your team has never re-examined.
Residency, Sovereignty, and Localization Are Not the Same Thing
Three concepts get conflated constantly:
Data residency is the physical location of the data, which country's servers it sits on.
Data sovereignty is the legal jurisdiction over that data, which courts can compel disclosure. A US company storing data in Frankfurt still answers to US CLOUD Act orders. EU residency without sovereignty controls addresses one concern but not the other.
Data localization is a statutory requirement that certain categories of data must stay within a specific country. Russia's Federal Law 242-FZ and China's PIPL contain genuine localization requirements. GDPR does not, it regulates transfers, not location.
For most transcription compliance discussions, residency is the operational question, sovereignty is the harder legal question, and localization is the reason some government and critical-infrastructure contracts are categorically off-limits for global cloud providers.
What GDPR Actually Requires
GDPR does not mandate EU-only storage. It requires that any transfer of personal data outside the EEA be covered by a lawful transfer mechanism:
-
EU adequacy decisions: The European Commission has designated certain countries as providing adequate protection. The list currently includes the UK (post-Brexit), Switzerland, Japan, South Korea, Israel, New Zealand, and a handful of others. Data can move there without additional paperwork.
-
EU-US Data Privacy Framework (DPF): Launched in July 2023 after Schrems II invalidated Privacy Shield. US providers can self-certify under DPF, making them an approved destination. The framework has survived its first judicial challenge (September 2025) but faces continued pressure, and as of June 2026, NOYB has requested the European Commission begin reviewing it in light of recent US Supreme Court rulings. The CJEU is expected to rule on a separate challenge by late 2026 or early 2027. DPF is a viable mechanism now; it may not be permanently stable.
-
Standard Contractual Clauses (SCCs): Pre-approved EU Commission contract templates. The 2021 SCCs are required for any new contract and require a Transfer Impact Assessment (TIA) in addition to the clauses themselves.
-
Binding Corporate Rules (BCRs): Internal binding rules for multinational groups, approved by data protection authorities. Long process, mostly used by very large organizations.
Many EU organizations adopt internal EU-residency policies that go further than GDPR requires. That is a legitimate policy choice, but it is worth confirming whether your specific requirement is a legal obligation or an internal default before it drives vendor selection.
This post is for informational purposes only and is not legal advice. Consult your legal counsel for decisions about GDPR compliance.
Where Transcription Providers Actually Process Your Audio
The storage/processing split is where most "EU data residency" claims fall apart. A provider can store transcripts in an EU data center while routing the actual inference workload to US GPU clusters. These are not the same thing.
The table below lists what I was able to verify against vendor documentation as of July 2026. Cells marked "per vendor documentation" reflect cases where I could not find a specific public statement about a particular aspect.
| Vendor | EU storage | EU processing | How to invoke | Notes |
|---|---|---|---|---|
| Deepgram | Yes | Yes | api.eu.deepgram.com | GA; STT, TTS, Voice Agent, Text Intelligence all supported |
| AssemblyAI | Yes | Yes | api.eu.assemblyai.com | Audio + transcript never leave EU; ISO 27001 + SOC 2 Type 2 |
| Google Cloud STT | Yes | Yes | EU regional endpoint (e.g., europe-west2) | Data at-rest and in-use remain in-region; V2 API required for full residency controls |
| AWS Transcribe | Yes | Yes | Target an EU region endpoint (Frankfurt, Ireland, London) | Data stays in the selected region; AWS standard EU commercial regions |
| Happy Scribe | Yes | Yes | Default (EU-native company) | EU data center, Tier IV, ISO 27001 |
| Trint | Yes | Per vendor docs | Choose region at account level | EU or US storage (AWS-hosted); business tier |
| Fireflies.ai | Yes (Enterprise) | No (US) | Enterprise Private Storage | EU storage available; processing still in US, a meaningful gap for strict residency |
| Otter.ai | No | No | None documented | AWS us-east-1; SCCs used for EU transfers; no EU region option |
| Rev.com | No | No | On-premise for enterprise | US-hosted by default; on-premise deployment available for regulated enterprise use cases |
| Descript | Per vendor docs | Per vendor docs | Contact for DPA | No public region-specific statement found; request DPA and sub-processor list |
| OpenAI Whisper API | Yes (eligible accounts) | Yes (eligible accounts) | EU Project region in API Platform | Requires eligibility confirmation; ~10% price uplift on newer models; SCCs via API terms |
The Fireflies row is worth dwelling on. The company explicitly states in its knowledge base that Enterprise customers using Private Storage have their data "stored in the EU, but processed in the United States." That is EU residency without EU sovereignty or processing. For organizations where the concern is inference-time exposure, a model seeing the audio, this does not solve the problem.

The Seven Questions That Reveal Real Practice
Marketing pages routinely claim "EU data residency" without specifying what actually stays in the EU. When evaluating a vendor, ask for written answers to these:
-
Where does the upload terminate? Some providers terminate uploads at a global edge and then route to a central processing region.
-
Where is the audio processed? The AI model may run in a different region than storage. Audio living in EU storage but sent to a US model fails strict residency.
-
Where are transcripts stored? Sometimes audio is in-region but transcripts sync to a central US catalog.
-
Where are backups? Backups frequently cross regions for disaster recovery and are often missed in residency commitments.
-
Where are logs and metadata? Application logs containing filenames or partial content can fail residency requirements on their own.
-
What sub-processors are in scope? A transcription provider that uses a US-based AI model as a sub-processor passes your audio to that sub-processor's jurisdiction.
-
Is your audio used for model training? If so, the training infrastructure location is part of the residency picture.
A vendor that answers all seven with specific named regions for each step is making a real residency claim. A vendor that answers "we support EU residency" without that level of detail is making a vague one.
Also request: the current DPA, the sub-processor list with locations, and the mechanism being used for any cross-border transfer (DPF certification number, SCC confirmation, or adequacy basis). Update your own records when you re-evaluate vendors, the mechanisms are not static.
When Residency Actually Matters
High residency need: Public sector contracts with sovereignty requirements. Healthcare data in jurisdictions with local storage rules (German health data under the German Hospital Future Act, French health data under the HDS framework). Financial services regulated by the ECB or national regulators. Defense and government contractors. Critical infrastructure operators.
Moderate residency need: EU B2B customers with internal data policies that require EU storage even absent a legal mandate. Multinational customers with strict procurement requirements. Industries with sector-specific data protection rules that go beyond GDPR baseline.
Low residency need: Most B2B SaaS with no special compliance regime. Public-facing content (podcasts, conference recordings). Internal team communications without sensitive content. Individual voice notes.
If you are in the low category, residency is frequently presented as a need when it is actually a preference. Confirm with your legal team whether it is a hard requirement or an inherited procurement default.
For the cross-border transfer mechanisms, whether DPF, SCCs, or BCRs, check whether you need a Transfer Impact Assessment for your specific vendor and data flow. The 2021 SCCs require one; many organizations skip this step.
The Sovereignty Gap
Residency alone does not address the CLOUD Act. US companies operating under the Clarifying Lawful Overseas Use of Data Act can be compelled to produce data stored anywhere, including EU data centers. The same applies to UK companies under the UK's Crime (Overseas Production Orders) Act.
For most commercial transcription use cases, this is a theoretical concern. For government contracts, defense work, or any context where state-actor access is a genuine threat model, residency without sovereignty controls is insufficient.
The practical sovereignty options for transcription are limited: self-hosted infrastructure in your own jurisdiction, or providers subject only to the laws of a trusted jurisdiction with no conflicting foreign intelligence obligations. In practice this means EU-headquartered providers with EU-only infrastructure and no US corporate parent. Happy Scribe and Verbit (for specific enterprise configurations) fit this profile better than US-headquartered cloud providers with EU endpoints.
Self-Hosting for Strict Requirements
For genuinely non-negotiable residency plus sovereignty, self-hosting open-weight models is the most defensible path. OpenAI's Whisper model (large-v3) is available as open weights and can be deployed on your own hardware in your own jurisdiction.
The trade-offs are real:
- GPU inference is required for reasonable speed. Whisper large-v3 runs at roughly 2-3x real-time on an A100 GPU.
- Production deployments require infrastructure ops, scaling, and model-update maintenance.
- You get the model, not the service layer: speaker diarization, formatting, and accuracy on domain-specific vocabulary all need additional work.
- Cost scales with compute, not usage, which favors high-volume sustained workloads over occasional use.
For organizations in the low-to-moderate residency category, self-hosting is usually overkill. For regulated entities processing large volumes under strict domestic procurement mandates, it is often the only auditable option.
Several EU-based managed services run Whisper on EU infrastructure, offering a middle path between cloud convenience and full self-hosting. These exist but vary in maturity; evaluate the same seven questions above against their documentation.
Maintaining an Audit Trail
For any transcription work where residency matters, keep a record:
- The vendor name and the specific residency commitment in their DPA (version and date)
- The mechanism for any cross-border transfer (DPF cert ID, SCC confirmation)
- The sub-processor list and each location, dated
- Your retention and auto-deletion settings
- The date you last verified the above
When a compliance audit asks why you chose a particular vendor and how you ensure ongoing compliance, this record is the answer. Without it, even a technically-correct choice looks ad hoc.
Pair residency controls with clear auto-deletion of transcription files and review your encryption and transcription tools posture, encryption at rest and in transit is a baseline that residency does not substitute for.
What ConvertAudioToText Does and Does Not Offer
For full transparency: ConvertAudioToText currently runs on globally distributed infrastructure (Cloudflare R2 for storage, with transcription processed via AssemblyAI and Deepgram sub-processors). We do not currently offer a certified EU-only residency option where audio and transcripts are guaranteed to stay within EU borders end-to-end.
We provide: TLS encryption in transit, server-side encryption at rest, a no-AI-training policy on user audio, user-configurable auto-deletion, and a DPA on request for business customers.
If your requirement is "audio cannot leave the EU under any circumstances," this is not the right fit currently. For teams that need a clean transcript quickly with no sign-up friction and strong data minimization practices, ConvertAudioToText works well alongside a clear data handling policy. See is AI transcription private for the fuller privacy posture and GDPR-compliant transcription for GDPR-specific guidance.
The Practical Check Before You Commit
Most teams over-specify residency requirements without auditing the underlying regulation. Before locking in a more expensive or restricted provider, confirm:
- What regulation specifically requires residency for this data?
- Is it required for all data or only specific categories (health data, financial data, special-category data under GDPR Article 9)?
- Is it a statutory requirement or an internal policy that could be updated?
- Are the available transfer mechanisms (DPF, SCCs with TIA, adequacy decisions) sufficient for your risk posture?
For some teams, strict residency is non-negotiable and the answer to all of the above is clear. For more teams than you would expect, the requirement is an internal default that has not been reviewed against current regulatory guidance and can be relaxed without legal exposure.
The right transcription provider depends on the real obligation, not the inherited template.
FAQ
Does GDPR require transcription data to be stored inside the EU?
No. GDPR does not impose a blanket EU storage requirement. It requires that any transfer of personal data outside the EEA be covered by a lawful mechanism: an EU adequacy decision for the destination country, Standard Contractual Clauses, Binding Corporate Rules, or certification under the EU-US Data Privacy Framework. Many EU organizations impose internal EU-residency policies that are stricter than what GDPR actually mandates, confirm whether your requirement is legal obligation or internal policy.
What is the difference between data residency and data sovereignty?
Residency is a question of physical location: where the bytes sit on disk. Sovereignty is a legal question: whose courts can compel access to that data. A US-headquartered company can store your audio in a Frankfurt AWS data center (EU residency) while remaining subject to US CLOUD Act orders (US sovereignty). The distinction matters for high-sensitivity workloads; pure EU residency without sovereignty controls addresses the first concern but not the second.
Which transcription services offer true EU processing, not just EU storage?
As of mid-2026: Deepgram (api.eu.deepgram.com, GA, all major STT endpoints), AssemblyAI (api.eu.assemblyai.com, audio and transcript data stay in EU), and Google Cloud Speech-to-Text V2 (EU regional endpoints, data at-rest and in-use kept in-region). Happy Scribe is EU-native by default. Fireflies.ai offers EU storage for Enterprise customers but still processes in the US. Otter.ai has no documented EU option. Trint offers EU or US storage (business tier, AWS-hosted). AWS Transcribe is available in EU regions (Frankfurt, Ireland, London) and data stays in the region you target.
When is self-hosting Whisper the right answer for residency?
Self-hosting open-weight Whisper (large-v3) makes sense when residency is genuinely non-negotiable and no cloud provider in your jurisdiction meets the requirement, common for public sector, defense contractors, or domestic-only procurement mandates. The trade-off is real: GPU inference, model maintenance, scaling, and ops overhead. For occasional sensitive recordings, it is usually overkill. For regulated entities processing thousands of hours per month and needing formal audit trails over the full stack, self-hosting or an on-premise vendor deployment (Rev offers this for enterprise) is the more defensible choice.
Sources
- Deepgram EU endpoint general availability, verified July 2026
- AssemblyAI EU data residency docs, verified July 2026
- Google Cloud STT regional endpoints, verified July 2026
- AWS Transcribe endpoints and regions, verified July 2026
- HappyScribe security page, verified July 2026
- Fireflies data storage and transfer knowledge base, verified July 2026
- Trint security and data residency, verified July 2026
- Rev.com file encryption and storage, verified July 2026
- Otter.ai privacy and security, verified July 2026
- OpenAI EU data residency announcement, accessed July 2026
- EU-US Data Privacy Framework status and Schrems III challenge, IAPP, verified July 2026
- European Commission SCC guidance, verified July 2026
Try transcription free
Convert any audio or video to clean, unwatermarked text — speaker labels, timestamps, and AI summaries included. First 30 minutes free, no account.
Related Articles

GDPR-Compliant Transcription: A Practical Checklist (2026)
What GDPR actually requires for transcription workflows: lawful basis, DPAs, consent for recordings, retention limits, and data subject rights explained practically.

Best Free Transcription Tools With No Watermark (2026)
The best free transcription tools that produce clean, unwatermarked output. Compare CATT, TurboScribe, MacWhisper, and self-hosted options for unrestricted use.