GDPR | EU Data Residency | Encryption at Rest

Compliance & Security

Last updated: March 7, 2026 | Happenings Group A/S

Scribe is built with privacy and security at its core. We are fully GDPR-compliant, store all data within the European Union, and follow industry best practices for data protection.

Data Residency

All customer data is stored and processed within the European Union. Our database, file storage, and AI processing pipelines are configured to use EU-based infrastructure. No customer data is transferred outside the EU without explicit consent and appropriate safeguards (Standard Contractual Clauses).

  • Database: EU Frankfurt (Prisma + PostgreSQL)
  • File Storage: EU (Cloudflare R2)
  • AI Processing: EU (AssemblyAI + Anthropic)

GDPR Compliance

Scribe is fully compliant with the General Data Protection Regulation (GDPR). We process personal data under the following legal bases:

  • Contract: Processing necessary to provide the transcription and knowledge management service
  • Legitimate Interest: Service improvement, security monitoring, and fraud prevention
  • Consent: Optional features such as voice recognition and speaker profiling

Security Measures

  • Encryption in transit: TLS 1.3 on all connections
  • Encryption at rest: AES-256 for stored data
  • Password hashing: bcrypt with 12 rounds
  • Token hashing: SHA-256 before storage
  • Access control: Role-based with organization scoping
  • Audit logging: All sensitive operations logged
  • Secure file access: Presigned URLs with expiry
  • No plaintext secrets: All credentials encrypted or hashed

Subprocessors

We use the following third-party services to provide Scribe. Data Processing Agreements (DPAs) are in place with all subprocessors.

| Provider | Purpose | Data Processed | Region | DPA |
|---|---|---|---|---|
| Prisma (Prisma Data) | Database connection pooling and edge access | All application data (via Prisma Accelerate) | EU (Frankfurt) | In place |
| Cloudflare | File storage (R2) and CDN | Audio/video files, attachments | EU (Western Europe) | In place |
| AssemblyAI | Speech-to-text transcription | Audio files for transcription | EU | In place |
| Anthropic | AI summaries and content extraction | Transcript text (no audio) | EU | In place |
| SendGrid (Twilio) | Transactional email delivery | Email addresses, message content | EU | In place |
| Google | OAuth authentication (optional) | Email, name, account ID | EU/US | In place |
| PyAnnote (self-hosted) | Speaker voice recognition | Audio clips, speaker embeddings | EU | Pending |
| Recall.ai | Meeting bot recording | Meeting metadata, audio/video streams | EU/US | In place |
| Inngest | Background job orchestration | Job metadata, event payloads | US | In place |
| Vercel | Application hosting, deployment, and web analytics | Request logs, edge metadata, pageview analytics | Global (edge) | In place |
| PostHog | Product analytics and session replay | Usage events, pageviews, session recordings | EU | In place |
| PartyKit (Cloudflare) | Real-time document collaboration | Document edits, presence data | EU | In place |

Your Rights

Under GDPR, you have the following rights regarding your personal data. We respond to all requests within 30 days.

  • Access: Request a copy of all personal data we hold about you
  • Rectification: Correct inaccurate or incomplete personal data
  • Erasure: Request deletion of your personal data and associated content
  • Portability: Export your data in a machine-readable format
  • Objection: Object to processing based on legitimate interest
  • Restriction: Request limited processing of your data

Data Retention

We retain your data for as long as your account is active and you need the service. Upon account deletion or request:

  • Account data and personal information are deleted within 30 days
  • Audio/video files and transcriptions are permanently removed from storage
  • Voice profiles and speaker embeddings are anonymized or deleted
  • Audit logs may be retained for up to 90 days for security purposes

Contact

For compliance inquiries, data subject requests, or security concerns:

Happenings Group A/S

Klostergade 56B, St.

8000 Aarhus C, Denmark

VAT NO. DK40979956

Effective as of March 7, 2026