We’re evaluating your platform for deploying voice agents in Europe and need urgent clarification regarding GDPR compliance.
Based on our legal analysis—and on information you yourselves provide—we’ve identified several critical points:
Retell does not appear in the EU–U.S. Data Privacy Framework, which means any data transfer to the U.S. would rely solely on SCCs + a TIA.
Your documentation states that you “do not currently operate services within the EU,” which raises major concerns for EU-based processing.
Your system requires access to unencrypted audio and transcripts to function, making effective technical safeguards impossible according to EDPB guidance.
This results in a high residual risk which, in some EU countries (e.g., Spain), could even trigger a mandatory Prior Consultation with the Data Protection Authority, with a real possibility of the processing being prohibited.
Direct question:
Do you plan to offer a 100% EU-based processing option, with European infrastructure and a formal DPA that allows clients to comply with GDPR without facing a negative TIA?
This is a critical point for anyone wanting to use Retell for real-world deployments with EU clients. Thank you.
Based on the available sources, I can confirm that Retell AI is GDPR certified(1). Retell AI’s Privacy Policy explicitly states that “Where required, we use safeguards like Standard Contractual Clauses and comparable mechanisms. This includes, where applicable, the UK International Data Transfer Agreement (IDTA) or other approved transfer mechanisms.”(2)
Regarding your specific concerns about EU-based processing:
Current Status:
The available documentation indicates that questions about EU server hosting have been raised by the community(1), but I don’t have definitive information in the official documentation about a dedicated EU infrastructure option or future plans for 100% EU-based processing.
Data Protection Measures:
Retell AI implements several GDPR-aligned safeguards:
Data Processing Addendum (DPA) available, which “governs and controls in the event of any conflict with this Privacy Policy” when Retell AI acts as a processor(2)
Data Handling:
For Communications Data (audio, transcripts, call metadata), Retell AI states that “Retell AI may use Communications Data in aggregated and de-identified form to improve, train, and enhance its models and Services, provided such use does not identify Customer or end users.”(2)
Next Steps:
For urgent clarification on EU infrastructure plans and a formal DPA that addresses your specific TIA requirements, I recommend:
The official documentation doesn’t provide details about future EU infrastructure plans, so direct contact with the Retell AI team would be necessary to get definitive answers about 100% EU-based processing options.
Thanks for laying all of that out. Based on what we currently support, the best setup on your side would be:
Turning on opt-out of sensitive data storage, so transcripts and other sensitive content aren’t stored.
Enabling signed URLs, which makes any audio links time-limited and access-controlled.
Setting recordings to delete after 24 hours, which keeps retention to a minimum.
These are all options available directly in the workspace settings per the Retell documentation.
For now, Retell doesn’t offer a fully EU-based processing environment — everything still runs on U.S. infrastructure under SCCs. If that changes, they’ll update the compliance documentation, but at the moment this is the most GDPR-aligned configuration available.