Why Your Transcripts Should Stay in the EU
Audio recordings of meetings, interviews or dictation almost always contain personal data – voices, names, opinions, sometimes health data or trade secrets. Nevertheless, most transcription services process this data on servers in the United States.
For European companies, law firms, medical practices and public authorities, this is not just a theoretical risk – it is a tangible data-protection problem. This article explains why the location of data processing is decisive and what you should look out for.
The problem with US servers
European data on US servers is subject to the US CLOUD Act. US authorities can demand its disclosure – even without a European court order. This directly contradicts the GDPR, as the Court of Justice of the EU confirmed in its Schrems II ruling.
The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) allows US authorities to demand the disclosure of data from American companies – regardless of which country the servers are in. A transcription service based in the US is subject to this law even if it operates data centers in Europe.
The Schrems II ruling of the European Court of Justice (Case C-311/18, July 2020) confirmed that the US does not offer an adequate level of data protection within the meaning of the GDPR. The Privacy Shield was declared invalid. The EU-US Data Privacy Framework (DPF) of 2023 is intended to solve the problem, but is already facing legal challenge.
For companies this means: anyone who hands audio recordings containing personal data to a US service bears the risk that the legal basis for the data transfer will once again disappear.
What “data in the EU” actually means
Not every service that advertises “EU data centers” offers genuine data sovereignty. Three points are decisive:
- The company’s registered office: A US company with EU servers is still subject to the CLOUD Act. Only a company based in the EU is fully subject to European law.
- The infrastructure operator: Who physically operates the servers? A European host like Hetzner is subject exclusively to European law. AWS, Google Cloud or Azure – even with EU regions – are US companies.
- Certifications: ISO 27001 is the international standard for information security management systems. It confirms that the data center operator has implemented systematic protective measures for confidentiality, integrity and availability.
Why Hetzner as the data center
scryp processes and stores all data exclusively at Hetzner in Germany. This is a deliberate architectural decision:
- ISO/IEC 27001 certified – The information security management system is regularly audited by independent auditors.
- 100 % German company – No US parent company, no CLOUD Act access. Hetzner is subject exclusively to German and European law.
- Geo-redundant data centers in Germany – Your data never leaves the EU.
- Own hardware – Hetzner operates its own servers and network infrastructure. No dependence on US hyperscalers.
An Austrian company, European values
scryp is an Austrian company. Our entire team, our management and our legal structure are located in the EU. That means:
- We are subject exclusively to European law – GDPR, the DSG (Austria), no CLOUD Act.
- No US parent company can be compelled to disclose data.
- Our privacy policy follows Austrian and European law – not the data protection laws of California or Delaware.
Encryption as an additional safeguard
The server location alone is not enough. Even on EU servers, data can be compromised – through hacking attacks, insider access or technical errors. That is why scryp combines the EU location with client-side encryption:
- Audio is encrypted in the browser before it reaches the server.
- Transcripts are stored encrypted – the server never sees the plain text.
- Even in the event of a data breach, the data would be worthless without the user’s personal key.
This is the decisive difference from services that advertise “AES-256 at rest” but process the plain text on the server, where they can potentially view it.
Checklist: data sovereignty in transcription services
- Where is the company headquartered? (EU vs. US)
- Who operates the servers? (EU host vs. US hyperscaler)
- Is the data center ISO 27001 certified?
- Is the provider subject to the US CLOUD Act?
- Is data encrypted client-side or only server-side?
- Are original recordings deleted after processing?
- Is there a data processing agreement (DPA) under Art. 28 GDPR?
Conclusion
The location of data processing is not a marketing detail – it determines which legal system your data is subject to. For European companies, the combination of an EU-based provider, an EU data center with ISO 27001 certification and client-side encryption is the safest way to process audio data in a privacy-compliant manner. Anyone who does not offer this protection shifts the risk onto you.