GDPR and Data Subject Requests

Harmony provides tooling and contractual options that help customers meet their obligations under the General Data Protection Regulation (GDPR). GDPR compliance is a shared responsibility — your organisation is the Controller of the personal data you record and process, and Harmony acts as your Processor.

This page explains what Harmony provides today, how to handle data subject requests, and where to ask for documentation.

Specific commitments around data residency, sub-processors, and the Data Processing Agreement depend on your contract with Harmony. The general guidance below should be paired with your current DPA, privacy policy, and Harmony account contact for anything that needs a contractual answer.

Your role vs. Harmony's role

Under GDPR there are two key roles:

Controller (you) — you decide why personal data is recorded, how participants are informed, what consent you obtain, and how to respond to data subject rights requests.
Processor (Harmony) — Harmony processes the data on your instructions, applies security controls, and helps you meet your obligations.

Because the recording, transcription, and conversation data flows from your meetings, you remain accountable for lawful basis, retention, and how participants are informed.

Data Processing Agreement (DPA)

A Data Processing Agreement is available to Harmony customers. The DPA covers Harmony's role as Processor, sub-processor disclosures, and data transfer mechanisms (such as Standard Contractual Clauses where applicable).

To request a DPA or the current sub-processor list, contact your Harmony account team. DPA and sub-processor questions are handled through legal or account-team processes rather than self-serve.

Handling data subject requests

When a participant or end user exercises their GDPR rights, the workflow depends on the right being exercised.

Right to erasure (deletion)

You can delete a meeting (and its transcript, insights, and any attached recording) from the conversation detail view. Open the conversation and use the action menu (⋯) next to the title to delete it.

Workspace deletion (including the broader account-level erasure flow) is handled under Workspace Settings → Danger Zone. For data subject erasure requests that go beyond a single meeting, contact Harmony support so the request can be tracked end-to-end.

Right of access and portability

Participants commonly request copies of recordings, transcripts, and any derived insights about them. Today the available export surfaces are:

Share PDF from a single conversation — produced from the Share menu next to the conversation title. The PDF includes meeting metadata, participants, medium, and the configured insights for the conversation.
Share link — a read-only link to the conversation that can be sent to the data subject.
Public API — GET /v1/conversations/{id} returns conversation metadata; GET /v1/conversations/{id}/transcript returns the transcript; insight endpoints return generated insights. Use the API for bulk or programmatic exports.

There is no single "GDPR export" button today. Combine the in-app share/export with the Public API as needed for the request.

Right to rectification

Transcripts are read-only in the Harmony app — there is no inline transcript text editor. If you believe a transcript materially misrepresents what was said, the available options are:

Reprocess the conversation — the action menu (⋯) on a conversation includes a "Restart from Transcription" option that re-runs transcription against the original recording.
Update participant identity — speaker labels can be matched to the correct contact or workspace user from the conversation detail view, which corrects who is attributed to which turn.
Contact support — for rectification requests that need formal handling, contact Harmony support with the conversation reference and what needs to be corrected.

Notification of rights restrictions or objections

Harmony does not maintain a per-participant consent registry. Once a recording is created, it is your responsibility as Controller to honour any restriction or objection — typically by deleting or restricting access to the affected conversation.

Data residency

Harmony's hosting region for new workspaces and any optional residency configuration depends on the customer's contract. Default hosting is not guaranteed to be limited to a single region without a specific contractual agreement. For data residency commitments — including any EU-only configuration — contact your Harmony account team.

Sub-processors and AI providers

Harmony uses third-party providers for hosting, AI transcription, and AI summarisation. The current sub-processor list is available through your DPA.

Whether and how AI providers may use customer data depends on the provider, the contract Harmony has with them, and Harmony's current AI documentation. For specific commitments around model training and provider data retention, see Models and training data and request the most current information through your account team — these positions can change as Harmony's provider stack evolves.

Reporting a personal data breach

If you suspect a personal data breach involving Harmony, contact Harmony support immediately. Harmony has a duty to support customers in meeting breach-notification timelines required by GDPR.

Where to get further documentation

For documents typically requested in a GDPR review (DPA, sub-processor list, security overview, current data residency posture), reach out through your Harmony account team or vendor-security contact.

Your role vs. Harmony's role​

Data Processing Agreement (DPA)​

Handling data subject requests​

Right to erasure (deletion)​

Right of access and portability​

Right to rectification​

Notification of rights restrictions or objections​

Data residency​

Sub-processors and AI providers​

Reporting a personal data breach​

Where to get further documentation​