Security & Trust

Your client data stays where it belongs.

Consana is built for consultants who work with sensitive client information. EU data residency, encryption at every layer, and GDPR-aligned data handling are not features — they are the foundation.

Data-sovereign by design

Consana is local-first. Your meeting content — transcripts, canvases, notes — is stored in a folder you choose on your own device by the desktop app. The cloud processes audio for transcription and reasoning, and results are written straight back to your local files. This portal holds only account, billing, and usage data.

Data residency — EU, West Europe

All Consana infrastructure runs on Microsoft Azure in the West Europe region (Netherlands). Transcript processing, AI-generated canvas content, and account information never leave the EU.

  • Compute: Azure Container Apps — West Europe
  • Storage: Azure Blob Storage — West Europe
  • AI processing: Anthropic Claude accessed via Azure in West Europe
  • Speech transcription: Azure Cognitive Services — West Europe

Encryption

In transit

All data in transit is encrypted with TLS 1.2 or higher. Connections between the desktop app, the web portal, and the API are enforced over HTTPS; live transcription streams use WSS.

At rest

Cloud-held data is encrypted at rest using AES-256 via Azure Storage Service Encryption. Keys are managed by Azure and rotated automatically.

Access control

Consana uses Microsoft Entra ID as the primary identity provider — your organisation's existing MFA and Conditional Access policies apply.

  • Role-based access control — session owner, team member, and admin roles
  • Enterprise SSO on the Enterprise plan — enforce identity via your own Entra tenant
  • Short-lived session tokens — the desktop app receives a single-use token that expires after 60 seconds

Subprocessors

The following third-party services process data on behalf of Consana. Each is subject to a Data Processing Agreement (available on request via Get in touch).

EU via Azure

Anthropic

AI reasoning — Claude processes transcript excerpts to produce canvas content, summaries, and action items.

Azure West Europe

Microsoft Azure Cognitive Services

Live speech-to-text transcription of session audio.

Azure West Europe

Microsoft Azure

Cloud infrastructure — compute (Container Apps), storage (Blob), authentication (Entra ID), and monitoring.

EU

Stripe

Payment processing — subscription billing, invoicing, and top-up purchases. No audio or transcript data is shared with Stripe.

EU

Sentry

Error tracking and performance monitoring — stack traces and session metadata, configured to exclude PII. Active only with your consent.

Data retention and deletion

You control your data. Meeting content lives on your device; cloud-held records are retained only while your account is active.

  • Sessions can be deleted individually at any time from your account
  • Account deletion removes all associated cloud data within 30 days
  • Enterprise plans can configure custom retention windows
  • Backups are retained for 30 days and purged automatically thereafter

GDPR and compliance

Consana is GDPR-aligned and EU-hosted. We are not yet certified against SOC 2 or ISO 27001 — certifications are on the roadmap as the product matures, and this page will be updated when they are awarded.

Compliance roadmap GDPR-aligned, EU-hosted — live now · DPA for Enterprise — available on request · SOC 2 Type II — on roadmap · ISO 27001 — on roadmap

Questions about how Consana handles your data?

Talk to us Read the privacy policy