EU Client GDPR Compliance — Data Residency, Subprocessors & DPA: Full Breakdown + Questions for the Team

Hi Retell community and team,

I’m building a multilingual AI voice support agent for a European B2B client. Before we move into the build phase, their legal team has raised standard GDPR compliance questions — data residency, subprocessors, and contractual guarantees. I’ve done my research and want to be fully transparent with my client, which means I need clear answers from Retell directly.

I’m posting here publicly because many EU-facing builders are dealing with the same questions. Hopefully this thread becomes a useful resource.


CONTEXT

What the agent does and what data it handles

The agent answers inbound B2B support calls from technicians across multiple EU countries. It handles:

  • Live voice audio during calls

  • Real-time transcripts of conversations

  • Caller metadata (phone number, timestamp, language, call duration)

  • Product knowledge base (manuals — no personal data)

No financial data, health data, or GDPR Article 9 special categories are involved. However, phone numbers and voice recordings are personal data under GDPR Article 4.


THE CORE PROBLEM I NEED HELP WITH

Retell’s documentation states data does not stay in the EU

From docs.retellai.com/general/compliance:

“We comply with GDPR by utilizing Amazon Web Services (AWS), which includes a GDPR-compliant DPA in its Service Terms. However, please note that we do not currently operate services within the European Union.”

This is the main issue to resolve. My client does not require EU-only processing, but they do need to understand the legal transfer mechanism and review the DPA that formalizes it.

Post-Schrems II, EU → US data transfers must rely on mechanisms like Standard Contractual Clauses (SCCs). These need to be clearly included in the DPA.


MY QUESTIONS FOR RETELL — PLEASE ANSWER SPECIFICALLY

1. DPA and SCC mechanism
Does the self-sign DPA include Standard Contractual Clauses (SCCs) for EU–US transfers?
Which SCC module applies (controller-to-processor or processor-to-processor)?


2. Full subprocessor list
Can you publicly confirm the current list of subprocessors?
Specifically: which LLM, STT, and TTS providers are used?

Clients must approve all subprocessors under GDPR Article 28.


3. EU self-hosted / private deployment
What does “deploy within your own infrastructure” actually involve?

  • Is it enterprise-only?

  • Do clients bring their own cloud, LLM, STT/TTS?

  • What are pricing and timelines?


4. Data retention
What is the default retention period for recordings and transcripts?
Can it be configured or reduced?
Is there a deletion process?


5. Breach notification
What is the notification timeline if a breach occurs?
Is it aligned with GDPR’s 72-hour requirement?


6. Subprocessor change notification
How much advance notice is given for new subprocessors?
Is there a right to object?


7. Data use for model training
Is any call data used for training or fine-tuning models?
Is there a contractual guarantee that it is not used?


HOW I’M PLANNING TO MAKE THIS WORK

Step 1 — Execute the Retell DPA
This establishes Retell as a data processor and should include SCCs.

Step 2 — Execute a builder–client DPA
Formalizes roles and responsibilities before handling live data.

Step 3 — Confirm subprocessor list
Required for client legal approval.

Step 4 — Configure telephony routing (EU where possible)
Reduces exposure of data outside the EU.

If EU residency becomes mandatory
We may need to explore self-hosting or alternative platforms.

Caller disclosure
All users will be informed they are speaking with an AI system.


TO THE COMMUNITY

Has anyone already solved this for an EU client?

If you’ve deployed Retell in an EU context:

  • Was the DPA accepted as-is?

  • How did you handle subprocessors?

  • Did any client require EU-only processing?

  • Did you explore self-hosting?

Any insights would be genuinely helpful.

Thanks in advance

Hello @saad

Thank you for the details and for sharing your questions. I’ve forwarded them to our team for review, and we’ll get back to you as soon as we have an update.

Thank you for your patience!

Hey @saad

Thank you for your questions. Please find the details below:

1. DPA & SCCs
Our self-sign DPA does not include Standard Contractual Clauses (SCCs). If SCCs are required, you can request a separate DPA.

2. Subprocessors
You can review our current subprocessor list here:
https://trust.retellai.com/subprocessors

3. Resources & Deployment
Clients are not required to bring their own resources. The term refers to solution design flexibility—you can use webhooks to deploy agents within your existing workflow or pipeline.

Timelines may vary depending on the complexity of the agent, but simple agents are typically completed within 4 weeks or less.
Pricing details are available here:
https://www.retellai.com/pricing

4. Data Retention
By default, call recordings and transcripts are stored indefinitely in session history.

  • Customers can disable storage, in which case data is not retained.

  • Webhook-delivered recording URLs will expire after processing.

  • Retention settings can also be customized.

More details:
https://docs.retellai.com/accounts/privacy-disable

5. Breach Notification

  • As a processor, we notify affected customers without undue delay and within 5 days of becoming aware of a security incident.

  • As a controller, we notify the supervisory authority within 72 hours, where required by GDPR.

  • Our process includes legal oversight and phased updates if needed.

6. Subprocessor Changes

  • We provide at least 15 days’ prior notice before adding a new subprocessor.

  • Customers may object within 10 days on reasonable data protection grounds.

  • If unresolved, customers may terminate the DPA.

7. Data Usage for Model Training
We do not use customer call data for training or fine-tuning AI models.

  • We rely on pre-trained third-party models.

  • We enforce provider-level training opt-outs.

  • Our DPA restricts data usage strictly to service-related purposes.

Thank You

Thanks for the detailed response — genuinely one of the clearer answers I’ve gotten in a vendor thread, so appreciated.

I’ve gone through everything with the team and we’re mostly aligned, but a few things still need clarification before we can proceed. Posting these here since they’ll likely apply to others in similar situations.

1. SCC request process

You mentioned SCCs aren’t in the self-sign DPA but can be requested separately. Can you confirm: is that a standard document you send on request, or does it require a custom negotiation? And what’s the typical turnaround? We’re trying to understand if this is a 2-day thing or a 2-week thing before we commit the build timeline.

2. Data residency — the core question

The docs state Retell does not currently operate services within the EU. My client is fine with US-based processing during the pilot phase, but has a hard requirement for EU data residency when they go live (they’re subject to NIS2, not just GDPR). Is EU data residency on the roadmap at all — and specifically, is it available under the enterprise plan? I’ve seen it mentioned anecdotally in a few places but can’t find anything confirmed in the docs.

Happy to take any of these offline if easier. The EU residency question is the most time-sensitive one for us — that answer will determine whether we continue the build on Retell or need to evaluate alternatives.

Thanks again.