GDPR-compliant video conferencing: what it actually takes (and a Zoom alternative that translates)
"GDPR-compliant" on a video platform's homepage is close to content-free. GDPR is not a certification you pass — it's a set of obligations on you, the data controller, that a vendor either helps you meet or quietly leaves on your desk. The useful question isn't "is this tool GDPR-compliant?" It's "what does this tool make me responsible for, and where does my meeting data actually go?"
This post is the plain-terms version of that question: the checklist a DPO actually works through, where Zoom sits on it (fairly — it's more compliant-capable than the internet implies), and where an EU-runtime alternative changes the answer. If you want the broader "how should real-time meetings work" frame, that's the pillar guide; this one is specifically about the data-protection layer.
The plain-terms checklist
Strip the marketing and "GDPR-compliant video conferencing" comes down to seven things you can actually verify:
- A signed DPA. A Data Processing Addendum that names the vendor as your processor, with documented purposes and instructions. No DPA, no lawful processing — full stop.
- A real sub-processor list. Every third party that touches meeting data — transcription, storage, email, analytics, AI features — named, with what they do and where they're domiciled.
- Where data is processed at runtime. The physical region your audio, transcripts, recordings, and metadata are handled in. This is what most data-residency clauses are actually about.
- The international-transfer mechanism. If any data leaves the EEA, on what legal basis? Standard Contractual Clauses (SCCs), adequacy, or a residency setup that avoids the transfer entirely. This is the Schrems II question, and it doesn't go away because a homepage says "compliant."
- Security posture you can audit. ISO 27001, ISO 27701, SOC 2 — independent attestations, not self-assertions.
- Data-subject rights tooling. Can you actually fulfil access, deletion, and portability requests for meeting data, or only in theory?
- Retention and deletion you control. Recordings, transcripts, and AI summaries deleted on your schedule, not the vendor's default.
A tool is "GDPR-compliant" for your purposes only when all seven have concrete answers. Most homepages answer zero of them.
Where Zoom actually stands (fairly)
Zoom is more GDPR-capable than its reputation suggests, and it's worth being accurate about that rather than scoring cheap points:
- It publishes a global DPA with the 2021 EU Standard Contractual Clauses built in.
- It offers EU Data Residency — "Zoom EU Infrastructure" — for Enterprise and Education customers, covering Meetings, Webinar, Chat, Phone, and Contact Center.
- It holds ISO 27001 and, as of February 2026, ISO 27701 (the privacy-management extension), plus published EU public-sector sovereignty controls.
So a properly configured Zoom deployment, on the right tier, can satisfy most of the checklist. The honest caveats are about defaults and domicile, not capability:
- EU residency is a tier-and-config add-on, not the default. It's on Enterprise/Education and has to be turned on. The free and lower paid tiers don't get it. "We use Zoom" and "we use Zoom configured for EU residency" are different procurement facts.
- Zoom is a US-domiciled company. Even with SCCs and EU residency, the vendor's corporate domicile is in scope for CLOUD Act and sovereignty-grade evaluations. For standard GDPR this is manageable with SCCs; for French souveraineté numérique or SecNumCloud-grade procurement, corporate domicile is itself a criterion, and that's a harder conversation.
- The meeting still happens in one language. Zoom's translated captions and AI Companion help, but the room doesn't become genuinely multilingual — every participant hearing the meeting live in their own language. If your compliance problem is also a language problem (cross-border audits, multi-site CAPA reviews), that gap is unsolved regardless of where the data lives.
The short version: Zoom can be GDPR-compliant when configured for it. Whether that's sufficient depends on how sovereignty-sensitive your buyer is — and whether the meetings are multilingual.
The EU-runtime alternative
We built InterMIND so the data-residency answer is the default, not a configuration project — and so the meeting can actually be multilingual. On the checklist above, the part that's structural rather than promised is where the meeting runs. As verified against the live deployment:
- Every runtime hop is in the EU. App and server APIs on Vercel in Frankfurt (fra1); the meeting WebSocket server on Fly in Paris (cdg); application data in Neon Postgres on AWS Frankfurt (eu-central-1); recordings on Tigris, EU-pinnable; error/analytics on Sentry EU and PostHog EU; transactional email via Resend in Ireland.
- The translation engine is our own code, in France (OVH) — not a US general-purpose model we resell. The single biggest flow of meeting content stays EU-resident and never touches a third-party LLM. Document translation goes to DeepL in Cologne — also an EU company.
- The sub-processor list with corporate-domicile detail ships with the DPA as standard practice, not on request.
We don't pretend the picture is spotless. One path is still US-domiciled, and we name it plainly: the post-meeting AI digest (topics, decisions, action items) is generated via models reached through Vercel's AI Gateway — Google Gemini with an Anthropic Claude fallback, both US vendors. Real-time voice, chat, notes, and documents do not go through it. We're closing that gap two ways: an owner-controlled opt-out (disable the digest, transcript stays in the EU) and a self-hosted EU summarization model. The full vendor-by-vendor map, including this gap, is in Where one InterMIND meeting actually runs, and the build-vs-buy view is in What one InterMIND meeting is built from.
One thing we don't claim: we are not going to wave an ISO certificate we don't yet hold. Our answer to the checklist is architectural — EU runtime, own engine, transparent sub-processors, a real DPA — and we'd rather you verify that than trust a badge. Certifications are on the roadmap; the runtime is real today.
And the part Zoom's residency settings can't add: the meeting is multilingual by design — every participant live in their own language across 21 languages, voice and chat and notes, with translation quality published openly instead of asserted. How that works is in the pillar guide; the regulated-meeting use case is in multilingual compliance meetings.
Which buyer is this for
- German Mittelstand and regulated EU teams running standard GDPR DPAs: an EU-at-every-hop runtime answers the residency question directly, without a tier upgrade or a residency project. The transfer-mechanism conversation gets a lot shorter when the data doesn't leave.
- French public-sector and souveraineté-grade procurement, where vendor corporate domicile is itself part of the spec: that's a deeper conversation about deployment topology, and one we'll have honestly rather than oversell.
- US-domestic and APAC buyers: residency usually isn't the constraint — latency from your region is. Different problem; tell us and we'll plan for it.
Try it, then read the data map
- /demo — run the live, multilingual pipeline on your own audio and hear what "EU-runtime and multilingual" actually feels like.
- InterMIND vs. Zoom — feature-by-feature, honestly.
- Where one InterMIND meeting actually runs — the full vendor map, gap included.
"GDPR-compliant video conferencing" is a checklist, not a badge. Whichever tool you pick — ours or another — make the vendor answer all seven questions in writing. The ones that can are worth your time; the ones that can't are selling you a homepage.
— The Mind.com Team
Sources on Zoom: Zoom — GDPR, Zoom — EU Data Residency / privacy in Europe, Zoom — ISO 27701. Vendor offerings and tiers change; verify the current configuration against Zoom's trust pages. InterMIND runtime facts are verified against the live deployment as described in the linked data-map post.