Deliberation technology needs trust at the core
Safety in dialogue is non-negotiable. That's why dembrane is built for trust from the ground up.
ISO 27001 certified · GDPR compliant · EU hosted · Source available
How dembrane processes your data
Step 1
Participants record the audio of their conversations. No personal data needs to be collected before recording starts.
Step 2
The audio recording is transcribed into text. We use a double model approach to ensure transcription accuracy.
Step 3
Conversation hosts can perform analysis on the audio and the transcripts using the dembrane dashboard.
Audio recording
Language models*
Data Pipelines
Processed Insights
Audio data is deleted 30 days after the project finishes. Data can be deleted immediately upon request. Only what participants share voluntarily during the conversation is recorded. The host is the data controller.
*Our language model providers and sub-processors are AssemblyAI, Google Cloud Vertex AI, and Azure. We have strict data protection agreements with all sub-processors. All data processing happens on Northwest EU servers.
All data is stored and encrypted at rest on Northwest European servers. Our current data storage provider is DigitalOcean.
Security, privacy, and transparency are foundational to how we build.
What kinds of data are used for what and why?
dembrane is built with data minimization in mind. Only four categories of data are processed to deliver value, and you stay in full control.
🎙️ Audio recording (Sensitive personal data)
Description: All audio recorded with dembrane (voluntarily shared).
Purpose: To transcribe contributions. Kept for retranscription and fact-checking.
Retention: Project duration + 30 days. Can be deleted anytime by admin.
Legal Basis (Controller's choice)*: Your chosen legal basis (Art. 6(1) GDPR)
📝 Transcription text (Personal data, content-dependent)
Description: Transcribed conversations from recorded audio.
Purpose: To perform analysis and provide evidence for the analysis.
Retention: Project duration + 30 days. Can be deleted anytime by admin.
Legal Basis (Controller's choice)*: Your chosen legal basis (Art. 6(1) GDPR)
🔍 Analysis data (Personal data, content-dependent)
Description: Generated by dembrane and users from transcription data via chat and other features.
Purpose: To understand diverse stakeholder perspectives shared during sessions.
Retention: Project duration + 30 days. Can be deleted upon request.
Legal Basis (Controller's choice)*: Your chosen legal basis (Art. 6(1) GDPR)
👤 Account data (Personal data)
Description: User email and encrypted password to create and identify user accounts.
Purpose: To maintain accounts for dashboard access and deliver services.
Retention: As long as account exists. Can be deleted upon request.
Legal Basis (Controller's choice)*: Contract; Art. 6(1)(b) GDPR
*dembrane acts as the processor (Art. 28 GDPR). The applicable legal basis is determined by you as controller.
You're not alone
We're trusted by leading organisations across public and private sectors
Full GDPR compliance works for most cases, but some require more. Because dembrane is built with trust and flexibility in mind, you can choose extra provisions that fit your needs, starting from the Guardian tier:
🔐 Baseline
Fully Compliant
EU data processing and storage
No training on your data
Data minimisation by principle
GDPR compliant
ISO 27001 certified
Fully Compliant: Uses Azure EU servers with European hosted AI models as default.
🇪🇺 Sovereign
Full EU Tech Stack
Everything from Fully Compliant, plus:
EU owned hosting providers
EU-developed AI models
Higher costs, potentially lower performance
Full EU Tech: Switches to providers like OVH (hosting) and Mistral (AI models). Quality may be up to 15-20% lower; costs increase by ~40% plus an implementation fee.
🛡️ Maximum Control
Self-Hosted
Most secure technology achievable
Complete data sovereignty
On-premise deployment
Custom security configurations
Requires technical expertise
Complete on-prem solution including local LLMs. We provide implementation support, training, and ongoing maintenance contracts. Quality will vary depending on models chosen. Custom pricing.