The question comes up in every RFP, asked by the same person. The DPO opens their notebook, lets the product demo run, then asks where interview recordings will live, which subprocessors get to see candidates' voices, and which jurisdiction the infrastructure falls under. On the sales side, the answer often arrives in two stages: a general reassurance ("our data is hosted in Europe, we're GDPR-compliant"), then a pointer to a security page nobody has reviewed with the DPO.
This article is written for the person asking the question. It offers a four-point checklist, then a sourced comparison of nine interview transcription and analysis tools, with each cell linking to the vendor's public page. Hirify, which publishes this guide, is one of the tools listed: every factual item about the other tools is drawn from their public pages and dated June 6, 2026.
Today, CVs are anonymized before being sent to ChatGPT, and the DPO is tearing their hair out.
That sentence sums up the unease. Recruitment teams use tools that process candidates' personal data (their voice, their background, and sometimes topics falling under the GDPR's special categories when health or origin come up in an interview), without always knowing where that material lands. The goal here is to give the DPO what they need to work the file themselves, rather than to point a finger at any one vendor.
The four-question checklist
Before comparing brands, you need to know what to look at. Four questions are enough to map the risk of an interview transcription tool.
Where does the data physically reside?
This is the first question, the simplest, and the one most vendors answer readily. A datacenter in France, Belgium, the Netherlands, or the United Kingdom does not carry the same weight under the GDPR: France and Belgium are in the Union, while the United Kingdom has left but benefits from an adequacy decision. Knowing the location is necessary, but it is not enough, because it says nothing about the next question.
Who can be legally compelled to hand over the data?
This is the point that the phrase "hosted in Europe" most often masks. Data stored in Paris on the infrastructure of a US provider remains exposed to the Cloud Act: the 2018 US law allows US authorities to demand from a US-incorporated company the data it holds, wherever that data is stored. Amazon Web Services, Microsoft Azure, and Google Cloud are companies incorporated under US law. Hosting in an EU region on one of these three providers reduces transfer risk, but it does not close exposure to an access request. The only way to close it is to use a provider whose parent company falls under a European jurisdiction. This is the nuance that many DPOs hunt for and that few marketing pages state clearly.
Where does the data go to be processed by the AI?
A transcription tool splits the work across several subprocessors: a speech recognition engine that turns voice into text, a language model that summarizes and structures it. These subprocessors are rarely highlighted on sales pages, even though they are the ones that see the real content of the interview. A serious DPO wants the list by name: which transcription engine, which language model vendor, in which jurisdiction. When that list is not public, that in itself is information.
Storage and processing are two different things
The last trap, and the most subtle. A vendor can offer a data residency option in Europe while performing the computation (transcription, summarization) on infrastructure located elsewhere. The case is documented at Fireflies: its Private Storage option lets you store data in the EU, but that same documentation states that processing is still carried out in the United States, with processing in a European region announced as a future capability. Storing in Europe and processing in the United States are two separate decisions, and only a careful reading of the security page lets you untangle them.
The comparison, read through this checklist
The table below applies these four questions to nine tools that recruitment teams use to capture and structure what comes out of an interview. They all answer the same starting need: transcribe the conversation and decide what happens to the candidate data next. They differ on where that data lives and on the transparency of their subprocessing chain.
One caveat before reading: none of these tools is presented here as non-compliant with the GDPR. Several hold demanding certifications, SOC 2 Type II or ISO 27001, which are real strengths that the table does not seek to downplay. The axis of comparison is the jurisdiction of the cloud provider and the transparency of subprocessors, not compliance.
| Tool | Vendor (country) | Cloud provider (jurisdiction) | Data location | Declared AI subprocessors | France/EU residency |
|---|---|---|---|---|---|
| Otter | United States | AWS, GCP, Crusoe (US) | United States | Anthropic, OpenAI (US) | Not documented |
| Fireflies | United States | AWS, GCP (US) | United States by default | OpenAI (US), unnamed speech engines | EU storage on Enterprise, US processing |
| BrightHire | United States (Zoom group) | AWS (US), region not specified | United States | OpenAI, Anthropic, AssemblyAI, Deepgram and others (US) | No |
| Metaview | United Kingdom | AWS (UK) | United Kingdom | Anthropic, AssemblyAI (US) | No, UK hosting |
| Screenloop | United Kingdom | AWS | USA or EU depending on the DPA | OpenAI, AssemblyAI (US) | Conditional |
| tl;dv | Germany | GCP, AWS, Hetzner, Wasabi | Datacenters in Europe | Anthropic (US) | EU residency claimed |
| Leexi | Belgium | AWS, Azure (EU region) | France and EU | Azure OpenAI (EU), Gladia for transcription (FR) | France/EU residency |
| Noota | France | GCP EU (transcription), Scaleway claimed for Talent | EU | Not published | EU residency |
| Seedext | France | Azure and GCP per the March 2025 Microsoft listing | France | Not named publicly | France residency claimed |
Data verified on June 6, 2026 from the vendors' public pages. Offers change; tell us about anything that has become inaccurate at contact@hirify.fr.
A few readings worth spelling out, because the short cells don't tell the whole story.
The first three tools, Otter, Fireflies, and BrightHire, have a fully US stack: vendor, cloud provider, and AI subprocessors in the United States. That is a fact of location and jurisdiction, not a judgment of quality. BrightHire joined the Zoom group in late 2025, which does not change its stated compliance (SOC 2 Type II, third-party bias audit, claimed AI Act framework) but adds one more actor to the chain for a DPO mapping the data controllers. For Fireflies, the point to remember is the storage-versus-processing distinction seen above: EU residency exists on Enterprise, but processing is still carried out in the United States according to its documentation.
Metaview and Screenloop are British. Metaview hosts on AWS in the UK region, outside the Union but under adequacy, with Anthropic and AssemblyAI as the AI subprocessors declared in its Trust Center. Screenloop deserves the cautious phrasing: its data processing agreement states that data may reside in the United States as well as in the EU, which makes residency conditional rather than guaranteed. Both tools are full recruitment platforms, Metaview with sourcing and talent pool rediscovery, Screenloop having itself become an ATS, and their compliance is not in question here.
On the European side, the table shifts in color without becoming uniform. tl;dv is a German company that claims data residency in Europe, on US hyperscalers (GCP, AWS) supplemented by Hetzner and Wasabi, with Anthropic as the AI subprocessor. The data is in the EU, but the cloud providers remain in part incorporated under US law.
Leexi and Seedext are worth pausing on, because these are serious French-speaking players in this space, not checkbox entries.
Leexi and Seedext, two credible Europeans on sovereignty
Leexi is a Belgian company (registered in Brussels, Belgian law) that strongly addresses the French market: French-language interface, French support, named French clients. Its subprocessing documentation, dated May 2025, is one of the most readable on the list: AWS infrastructure in an EU region, generative AI on Azure OpenAI in an EU region, and transcription handled in part by Gladia, a French player. A relatively lean stack, with data in France and the EU. The gap with a French stack lies in the jurisdiction of the underlying providers: AWS and Azure remain companies incorporated under US law, exposed to the Cloud Act despite the European region. This reflects no compliance shortcoming, only a jurisdictional nuance, and Leexi is one of the few to publish enough information for us to state it.
Seedext is a French company (headquartered in Paris) that puts sovereignty at the center of its messaging, with hosting claimed in France and data residency in France. One point calls for caution: the app's Microsoft 365 certification listing, self-declared by the vendor and updated in March 2025, declares Azure and Google Cloud as hosting cloud providers, with data storage in France. According to that March 2025 listing, which covers only the Teams app, the underlying providers are therefore US hyperscalers, again a matter of provider jurisdiction rather than location. No AI subprocessor is named publicly by Seedext, which leaves that cell open for a DPO who wants the full chain.
Against Leexi and Seedext, Hirify's edge does not rest on "being French": both tools already host data in France or the EU and run no candidate scoring. It rests on two specific points. The first is the jurisdiction of the cloud provider: Hirify relies on Scalingo, a French company, whereas Leexi and Seedext rest on underlying providers incorporated under US law. The second is the product layer, which we return to below and which goes beyond transcription to make use of the candidate pool.
Noota, finally, is a two-tier case that has to be told apart by product. Its notetaker stores data on Google Cloud Platform in EU datacenters, a US provider exposed to the Cloud Act, a fact published on its own security page. Its recruitment platform, on the other hand, claims to run on Scaleway, a French provider, with an architecture described as SecNumCloud-compatible (compatible, not qualified by the ANSSI). The list of its AI subprocessors is not published. Reading Noota therefore means asking which product is being discussed.
Reading a vendor's security page in five minutes
You don't need to be a lawyer to work the file. Here is what a DPO looks at when opening a "security" or "trust" page or a DPA, in order.
The list of subprocessors first. A serious trust page publishes the list of its subprocessors by name, with their role and their location. If that list exists and names the cloud provider, the transcription engine, and the language model vendor, you have the essentials. If it vaguely refers to "third-party providers" without naming them, note it and ask for the list in writing.
The provider's jurisdiction next. Find the name of the infrastructure provider, then ask yourself a single question: does its parent company fall under a European or a US jurisdiction? AWS, Azure, and Google Cloud are US-based, even when the announced region is European. Scaleway, Outscale, and Scalingo are French. It is this criterion, and not the flag flown by the datacenter, that determines Cloud Act exposure.
The storage-versus-processing distinction, third. Read whether the page mentions where the data is computed, not just where it sleeps. A statement of "data stored in the EU" without a word on processing warrants a follow-up question: where are transcription and summarization carried out?
The language model provider, last. The real content of the interview passes through the model that summarizes it. Knowing whether it is a model from a US vendor called via an API, a European model, or a self-hosted model changes the risk analysis. When that information is missing, it is often the first thing to ask for.
What Hirify chose
Hirify's choice is plain and fits on one line: hosting rests on Scalingo, a French company, in a datacenter in Paris, and no candidate data leaves France. The cloud provider therefore falls under a European jurisdiction, which closes Cloud Act exposure at the infrastructure level, where a European region on a US provider did not. The question of the recording framework itself, consent and retention period, is covered in our guide on recording a job interview.
On the product layer, Hirify does not stop at transcription, which is the entry point. The structured interview report, generated from customizable templates, enriches the candidate profile in your ATS bidirectionally, and the candidate base becomes searchable in natural language ("find me 5 SOC profiles available in Paris"). No percentage scoring is produced: everything stays explainable, which is the ground DPOs expect on the AI Act, a topic detailed in our guide on the AI Act and recruitment.
A line of transparency to close, because it holds for this guide as for any honest comparison: Hirify publishes this article and appears in the table. The factual items about the other tools come from their public pages, dated June 6, 2026, and we correct any information that has become inaccurate when flagged to the address listed under the table. For the detail of what happens to interview data once structured, see also why the talent pool sleeps.
Frequently asked questions
Is data hosted in France beyond the reach of the Cloud Act?
Not automatically. What determines Cloud Act exposure is the nationality of the cloud provider, not the location of the datacenter. Data stored in Paris on the infrastructure of a US provider (AWS, Azure, Google Cloud) remains subject to an access request from US authorities, even in a European region. To close that exposure at the infrastructure level, you need a provider incorporated under European law.
Are data storage and data processing the same thing?
No, and the distinction matters for a recruitment interview. Storage is where the data sits at rest, processing is where it is computed, transcribed, or summarized. A tool can offer storage in Europe while running the processing in the United States. Fireflies' documentation describes this case for its EU storage option, reserved for the Enterprise plan.
How do you read a vendor's security page before signing?
Look for four things: the public list of subprocessors, the jurisdiction of the cloud provider, the distinction between storage and processing, and the name of the language model provider. If the list of AI subprocessors is not published, ask for it in writing under the data processing agreement before you commit.
Are US tools non-compliant with the GDPR?
That is the wrong question, and the claim would be false for most of them. Several US tools assert GDPR compliance and hold certifications such as SOC 2 or ISO 27001. The concern for a DPO is not declared compliance but the provider's jurisdiction and the transparency of the subprocessing chain.
Key takeaways
- The location of the datacenter and the jurisdiction of the cloud provider are two distinct pieces of information: data in France on a US provider remains exposed to the Cloud Act.
- Storage and processing are decided separately: storage in Europe can come with processing in the United States, as Fireflies documents for its Enterprise option.
- Otter, Fireflies, and BrightHire rest on a US stack; all claim GDPR compliance and several hold SOC 2 or ISO 27001.
- Leexi and Seedext are credible European players already hosting in France or the EU; the gap is about the jurisdiction of the underlying providers and the product layer.
- Hirify relies on Scalingo, a French company in Paris, with no candidate data outside France, and publishes its subprocessing logic in the same spirit of transparency as this guide.