We finished our GDPR audit. Here's what we actually closed. — Blog

A few weeks ago we wrote that "GDPR-compliant" on a video tool's homepage means less than you think — that GDPR is a set of obligations on you, the data controller, that a vendor either helps you meet or quietly leaves on your desk. The honest way to back that claim is to do the work on our own side and show it, line by line.

So we did. We ran a full audit of the InterMIND codebase against the obligations that fall on us as a data processor, fixed every gap that had code behind it, and verified each one against the running product. This post is the close-out report — not a badge, a checklist with our answers.

We're deliberately not claiming "100% GDPR-certified." GDPR isn't a certificate you pass — and we won't wave an ISO badge we don't yet hold. What we can say: the architectural and process obligations a DPO works through now have concrete, verifiable answers, each checked against the running code.

What we closed

Right to erasure (Art. 17) — the cascade actually runs

Deleting your account doesn't just deactivate it. POST /api/user/delete-account runs a real cascade: it nukes your meetings → participants, messages, conferences, transcriptions; it sweeps your storage blobs out of Tigris before the database cascade so nothing is left orphaned — chat attachments and video-recording files, both columns; and it cancels your Stripe subscriptions and deletes the Stripe customer. On-demand deletion is there too — drop a channel or a message from the UI and it's gone. Anonymous (guest) accounts get their own deletion endpoint plus a background sweep every 6 hours, under a monitored cron. The audit surfaced one gap here — recording blobs that the database cascade dropped but storage kept — and we closed it: erasure now leaves nothing behind in object storage.

Retention (Art. 5(1)(e)) — a documented criterion

Art. 5(1)(e) doesn't require an automatic time-to-live. It requires a defined retention criterion. Ours is now written into the Privacy Policy: data is kept until you or your team owner delete it, and deleting your account erases everything. That's the same model collaboration tools like Slack and Notion run on — persistence is the expected behavior, and you stay in control of it. The criterion is stated, not implied.

A Usercentrics consent banner (shown to EU visitors) gates analytics, and PostHog ships with opt_out_capturing_by_default: true — nothing is captured until consent is given, not the other way around.

Data portability (Art. 20) — a real export

GET /api/user/export builds a ZIP of your meetings, messages, recordings, and translations, with a 7-day download window and automatic cleanup. Access, deletion, and portability are tooling that works, not promises in a policy.

No meeting content reaches a US-domiciled model

The single biggest flow of meeting content — live voice and chat translation — runs on our own engine in France, never a third-party LLM. The post-meeting AI steps that do use a general-purpose model (the digest, the note-editor's generative actions) run on EU-hosted Mistral with zero-data-retention, pinned so hard that the request fails rather than fall back to a non-ZDR or US host. We also scrubbed participant names and utterance text out of the conference browser logs that PostHog session-recording could otherwise capture. The full vendor-by-vendor map is in Where one InterMIND meeting actually runs.

Transparency — sub-processors and processing records, published

The sub-processor list is live, with what each vendor does and where it's domiciled — not "available on request." Behind it sits a Record of Processing Activities (ROPA) built from the live schema: 11 processing operations, the security measures on each, and the erasure / portability paths. Our Privacy Policy and Terms now run under our own legal entity, with the real processing chain described.

EU runtime — pinned, not promised

Every runtime hop a meeting takes is in the EU: app and APIs on Vercel Frankfurt, the meeting server on Fly Paris, application data in Neon Postgres (AWS Frankfurt), errors on Sentry EU, analytics on PostHog EU, email via Resend Ireland. Object storage on Tigris is now pinned to EU regions (Frankfurt + Amsterdam) — every new write lands in the EU regardless of where the user is. The full architecture is on our security page.

Why this matters for your procurement

For most EU buyers — German Mittelstand, regulated teams running standard GDPR DPAs — the data-residency question now has a direct answer: the data doesn't leave the EU at runtime, erasure works, the retention criterion is stated, and the sub-processor list is on the table. That's a much shorter conversation than "let us get back to you on where the data goes."

For French souveraineté numérique and SecNumCloud-grade procurement, vendor corporate domicile is itself a criterion — a deeper conversation about deployment topology that we'll have honestly rather than oversell. And the one thing we won't do is wave an ISO certificate we don't yet hold: certifications are on the roadmap, but our answer to the checklist is architectural and verifiable today.

See it for yourself

GDPR-compliant video conferencing: the full DPO checklist — the seven things to make any vendor answer, and where Zoom sits.
Where one InterMIND meeting actually runs — the vendor map, with the gaps named.
Security & Privacy · Sub-processors · Privacy Policy · Terms
/demo — run the live, EU-runtime, multilingual pipeline on your own audio.

GDPR compliance isn't a badge you buy — it's work you do and can show. This is ours, line by line. If your DPO needs an answer this post doesn't give, write us.

— The Mind.com Team