Title - GDPR-Compliant AI Teammate | EU Data Residency, DPA | Ainora
URL - https://ainora.lt/ai-teammate/gdpr-compliant
Last Updated: 2026-05-05

# GDPR-Compliant AI Teammate: EU Data Residency, DPA, Article 22

A GDPR-compliant AI teammate stores call audio, transcripts, and customer memory in EU regions only, signs a Data Processing Agreement under GDPR Article 28, does not train models on customer conversations, and labels automated interactions in line with Article 22 transparency requirements. Ainora is built that way by default.

NOTE: This page describes Ainora as a GDPR-compliant product. It does not offer compliance review, audit, or legal advisory services. Consult qualified legal counsel for compliance decisions specific to your organisation.

Call the live demo: +1 (218) 636-0234 (Jessica, EN) or +370 5 200 2620 (Agne, LT).

---

## Stats

- EU regions only: No US transfer, no enterprise upsell required (Source: GDPR, EUR-Lex - https://eur-lex.europa.eu/eli/reg/2016/679/oj)
- DPA on request: Signed under GDPR Article 28 for every customer
- No training: Customer conversations never used to train any model
- Per-tenant: Workspace-scoped memory, no cross-tenant leakage

---

## Why Are Most "GDPR-Compliant" AI Agents Only Conditionally Compliant?

The GDPR was published in 2016 and applied from May 2018 (Regulation 2016/679, EUR-Lex - https://eur-lex.europa.eu/eli/reg/2016/679/oj). Almost every AI agent vendor selling into Europe today claims to be GDPR-compliant. The claim varies in substance.

EU region availability is not the same as EU residency by default. Most US-built AI agent platforms offer an EU storage region - on the enterprise plan. The European Commission's legal framework on EU data protection (https://commission.europa.eu/law/law-topic/data-protection/data-protection-eu_en) makes clear this is a meaningful legal distinction.

A "GDPR-ready" claim is not the same as a signed Data Processing Agreement. GDPR Article 28 requires controllers (the customer) and processors (the AI vendor) to have a written DPA.

Sub-processor disclosure is uneven. GDPR requires processors to disclose their own sub-processors and obtain controller authorisation.

Model training on customer data is the silent default at many vendors. Unless the vendor explicitly contracts that customer conversations will not be used to train any model, the default is often that they will.

Automated decisioning under Article 22 is rarely addressed concretely. See the Article 22 navigable summary: https://gdpr.eu/article-22-automated-individual-decision-making/

---

## What GDPR Compliance Actually Requires for Voice AI

GDPR is a long regulation. Detailed guidance is published by the European Data Protection Board (EDPB guidelines index - https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines_en).

**Article 6 - lawful basis.** Every processing activity needs a documented lawful basis. For an AI agent taking a customer call to handle a service request, "performance of a contract" is typically the basis.

**Article 22 - automated decision-making.** A data subject has the right not to be subject to a decision based solely on automated processing that produces legal effects. Voice agents that screen, schedule, summarise, and escalate to humans do not trigger Article 22 for the screening itself, because the binding decision stays with a human.

**Article 28 - processor obligations.** A signed Data Processing Agreement covering processing scope, security measures, sub-processors, sub-processor change notification, audit rights, and return-or-deletion at termination.

**Article 32 - security of processing.** Encryption in transit and at rest, access controls, periodic testing.

**Article 44 onward - international transfers.** Personal data leaving the EEA needs a transfer mechanism. The cleanest answer for a European AI agent is: do not transfer. Keep the data in the EU.

---

## How Ainora Is GDPR-Compliant by Design

| Capability | Detail |
|---|---|
| EU regions by default | Audio, transcripts, memory, and embeddings stored in EU regions for every workspace. No US transfer. |
| Per-tenant isolation | Each workspace runs scoped tools and memory. No cross-tenant leakage. |
| No model training on customer data | Conversations not used to train Ainora's models or any underlying model. Contractually committed in the DPA. |
| Signed DPA on request | Every customer gets a DPA under GDPR Article 28 with sub-processor list and audit rights. |
| Article 22 transparency | Inbound callers hear an automated-call disclosure. Binding decisions stay with human teammates. |

---

## Honest Read: "EU Region Available" vs "EU-Default for All"

| | US enterprise platforms | DACH vendors | Altis | Ainora |
|---|---|---|---|---|
| EU region | Available on enterprise plan | Yes | Yes | Default for all customers |
| DPA signed under Article 28 | On enterprise plan | Yes | On request | Yes, every customer |
| Sub-processor disclosure | On request | Yes | Limited | Yes, on request |
| No training on customer data | Varies | Generally yes | Yes | Yes, contractual |
| Article 22 disclosure on calls | Inconsistent | Yes (voice product) | N/A (no voice) | Yes |
| Per-tenant isolation | Enterprise tier | Yes | Yes | Yes |

Comparison reflects publicly available product positioning as of 2026-05-05.

Several vendors run a clean GDPR posture on the enterprise plan and a US-default posture on smaller plans. The wedge for European mid-market is "EU residency without negotiating the enterprise tier." That is what Ainora ships.

---

## Where GDPR Posture Determines the Vendor Choice

- Healthcare and dental clinics - Special category data under Article 9 - /industries/dental-clinics
- Debt collection - Sensitive financial data; supervisory authority scrutiny - /industries/debt-collection
- Veterinary clinics - Customer phone, email, address, animal records - /industries/veterinary-clinics
- HR and recruiting use cases - Candidate data, Article 22 implications - /ai-teammate/recruiting
- Customer success - Cross-border B2B with EU data subjects - /ai-teammate/customer-success

---

## FAQ

**Where exactly is data stored?** EU regions on Google Cloud and AWS Frankfurt. The specific region is named in the Data Processing Agreement.

**Does Ainora train on my call data?** No. Conversations are not used to train Ainora's models or any underlying model. This is a contractual commitment in the DPA.

**Does Ainora sign a DPA under GDPR Article 28?** Yes - every customer receives a signed DPA on request, with sub-processor list, security annex, and audit rights.

**Does Article 22 of the GDPR apply to Ainora's voice agents?** Ainora's voice agents screen, schedule, summarise, and escalate to humans; binding decisions remain with the human teammates the customer designates. When the agents are used that way, Article 22 does not block the deployment.

**What does an inbound caller hear about automation?** A clear automated-call disclosure at the start of the call. Phrasing is configurable per language and per customer regulator.

**Is Ainora SOC 2 audited?** Not yet. SOC 2 is on the roadmap. Our compliance posture today leads with GDPR, EU residency, per-tenant isolation, and no-training-on-customer-data.

**Can I get a copy of the sub-processor list?** Yes, on request alongside the DPA.

---

## Sources

- GDPR official text - EUR-Lex: https://eur-lex.europa.eu/eli/reg/2016/679/oj
- EDPB homepage: https://www.edpb.europa.eu/edpb_en
- EDPB guidelines index: https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines_en
- Article 22 navigable summary: https://gdpr.eu/article-22-automated-individual-decision-making/
- EC legal framework of EU data protection: https://commission.europa.eu/law/law-topic/data-protection/data-protection-eu_en

