COMPLIANCE & TRUST
Deliberation technology needs trust at the core
Safety in dialogue is non-negotiable. That's why dembrane is built for trust from the ground up.
ISO 27001 certified · GDPR compliant · EU hosted · Source available
How dembrane processes your data
Step 1
Participants record the audio of their conversations. No personal data are need to be collected before recording to start.
Step 2
The audio recording is transcribed into text. We use a double model approach to ensure transcription accuracy.
Step 3
Conversation hosts can perform analysis on the audio and the transcripts using the dembrane dashboard.
Audio recording
Language models*
Data Pipelines
Processed Insights
Audio data is deleted 30 days after the project finishes. Data can be deleted immediately upon request. Only what participants share voluntarily during the conversation is recorded. The host is the data controller.
*Our Language Model Providers & sub-processors are Assembly AI, Google Cloud Vertex AI, Azure and Runpod. We have strict data protection agreements with all sup-processors. All data processing happens on Northwest EU servers.
All data is stored and encrypted at rest on Northwest European servers. Our current data storage provider is DigitalOcean.
Security, privacy, and transparency are foundational to how we build.
What kinds of data are used for what and why?
dembrane is built with data minimization in mind. Only four categories of data are processed to deliver value, and you stay in full control.
Category
Description
Purpose
Retention
Legal Basis
🎙️ Audio recording
Sensitive personal data
All audio recorded with dembrane (voluntarily shared).
To transcribe contributions. Kept for retranscription and fact-checking.
Project duration + 30 days. Can be deleted anytime by admin.
Consent; Art. 6(1)(a) GDPR or Public Task/Official Authority; Art. 6(1)(e)
📝 Transcription text
Personal data (content-dependent)
Transcribed conversations from recorded audio.
To perform analysis and provide evidence for the analysis.
Project duration + 30 days. Can be deleted anytime by admin.
Consent; Art. 6(1)(a) GDPR or Public Task/Official Authority; Art. 6(1)(e)
🔍 Analysis data
Personal data (content-dependent)
Generated by dembrane and users from transcription data via chat and other features.
To understand diverse stakeholder perspectives shared during sessions.
Project duration + 30 days. Can be deleted upon request.
Consent; Art. 6(1)(a) GDPR or Public Task/Official Authority; Art. 6(1)(e)
👤 Account data
Personal data
User email and encrypted password to create and identify user accounts.
To maintain accounts for dashboard access and deliver services.
As long as account exists. Can be deleted upon request.
Contract; Art. 6(1)(b) GDPR
You're not alone
We're trusted by leading organisations across public and private sectors
Full GDPR compliance works for most cases, but some require more. Because dembrane is built with trust and flexibility in mind you can choose extra provisions that fit your needs.
🔐 Baseline
Fully Compliant
Fully Compliant: Uses Azure EU servers with European hosted AI models as default.
🇪🇺 Sovereign
Full EU Tech Stack
Full EU Tech: Switches to providers like OVH (hosting) and Mistral (AI models). Quality may be up to 15-20% lower, costs increase by ~40% + implementation fee.
🛡️ Maximum Control
Self-Hosted
Complete on-prem solution including local LLMs. We provide implementation support, training, and ongoing maintenance contracts. Quality will vary depending on models chosen. Custom pricing.