GDPR by architecture # GDPR-Compliant Video Editor with no data transfer No uploadNo EU-to-third-country transferNo DPA needed Most GDPR worries about online video editors come from one architectural fact: when you upload a video to a cloud editor, you are transferring personal data (the people in the video, the audio of their voices, the metadata of where and when it was recorded) to a third-party processor. That transfer triggers most of the heavy GDPR machinery: a Data Processing Agreement, lawful basis review, cross-border transfer mechanisms, breach notification procedures, the right to erasure across replicas. Honest scope This page describes how VidStudio satisfies the practical GDPR concern around video content. We are not a Data Protection Officer service, and this page is not legal advice. The architectural fact (your video stays on your device) is what makes most GDPR concerns inapplicable in the first place. ## Try it now The architecture above runs every tool below. Pick one to start. [Open the Video Editor](/video-editor) or jump directly to a tool [Auto Caption](/auto-caption)[Compress](/compress)[Resize](/resize)[Trim](/trim)[Watermark](/watermark)[Thumbnails](/thumbnails) ## How this fits GDPR-Compliant Video Editor VidStudio does not have any of that machinery because it does not have the transfer it would manage. The file you drop on the page is read by your browser tab. Speech recognition runs locally against a Whisper model that downloads once and caches in your browser. Video processing runs through FFmpeg compiled to WebAssembly, also locally. The captioned or compressed or trimmed output is written back to your disk. None of that involves a server-side processor that handles your video. What we do collect, separately from your video, is standard product telemetry: page views, error reports (Sentry), and Core Web Vitals (Vercel Analytics). That telemetry is GDPR-relevant in its own right, and we follow the usual playbook for it: cookie consent, opt-out, the standard subprocessor list. The point is that the video itself is not on that list, because the video does not go anywhere. ## The architectural points that do the work #### No controller-to-processor transfer of video content GDPR Article 28 requires a Data Processing Agreement between a data controller and any processor that handles personal data on the controller's behalf. Because VidStudio never receives your video, there is no processor relationship to formalise for that content. #### No cross-border data flow Cross-border transfers (especially EU-to-US) trigger Standard Contractual Clauses and Transfer Impact Assessments under Schrems II. None of that applies to a video that stays on your laptop in the country where you opened the browser. #### Right to erasure is trivial Closing the tab clears the working data. There is no backup, no log entry, no replica in three regions. The right-to-erasure obligation, which is operationally painful for cloud services, is satisfied by the architecture itself. #### Cookie banner honesty We do use product analytics (Vercel) and error tracking (Sentry). Those use cookies and are subject to consent. Our cookie banner reflects that. Neither system receives video content. ## How to verify the GDPR-relevant claims yourself #### 01 Open DevTools On any VidStudio tool page, open browser DevTools and switch to the Network panel. #### 02 Filter to fetch and XHR Apply the Network panel's filter to fetch and XHR requests so you only see the application traffic. #### 03 Drop a video and run the tool Drop any video file in and let the tool process it. Compress, resize, or generate captions, whichever flow you want to inspect. #### 04 Read the requests You will see the application bundle, the WASM binary, and the Whisper model (first visit only). You will not see any request containing your video. That is the architectural claim, observed directly. ## Frequently asked questions ### Does GDPR apply to using VidStudio? GDPR applies to anyone processing personal data of people in the EU and UK. If your video contains identifiable people, you are processing personal data when you edit it. The good news: VidStudio is not the processor; you are. The video stays on your device, so the cross-border processor question does not apply. ### Do you sign a Data Processing Agreement? For video content, no, because we do not act as a processor of that content. We do not see, store, or transmit it. For the small amount of telemetry we do collect (page views, error logs), the standard subprocessor terms apply through Vercel and Sentry. ### Where is my video stored? In your browser tab's memory while you are working with it. The browser may temporarily write to local OPFS storage for memory-efficient processing of large files; that storage is origin-bound and clears on cache purge or tab close. Nothing about your video is stored on our infrastructure. ### What about the Whisper model download? Is that a transfer? The Whisper model weights are bundled into our static build. When your browser fetches the model, it is fetching a static file the same way it fetches an image. The model is the same for every user; nothing about your video influences which model file is fetched. ### Can I use VidStudio under a UK GDPR / EU GDPR / Swiss FADP regime? Yes. The architectural fact is the same regardless of jurisdiction. The video does not leave your device, so the rules about transferring personal data to a processor do not apply to the video itself. Local telemetry rules (cookies, opt-out) still apply. ### Is this legal advice? No. This page describes our architecture. A privacy lawyer who knows your specific use case and jurisdiction should sign off on the actual compliance position. The point of this page is that the architecture removes most of the questions you would normally have to answer. Privacy by architecture ## All processing happens locally in your browser, and your files never leave your device. No upload step, no server queue, no waiting. Verify in 30 seconds 1. 01`⌘⌥I` Open DevTools and switch to the Network panel. 2. 02 Filter to fetch and XHR requests. 3. 03 Drop your file in and start the tool. 4. 04 You will see the app bundle, the WASM binary on first visit, and nothing involving your file. How this works Video and audio processing runs through FFmpeg compiled to WebAssembly. Hardware decoding goes through the browser's WebCodecs API. Speech recognition runs against a Whisper model that downloads once and caches in your browser, never streamed from a third-party server. ## Related Tools and Resources #### [HIPAA-friendly video tools](/hipaa-compliant-video-tools) Same architecture, framed against the US healthcare standard. #### [NDA-safe video editor](/nda-video-editor) For unreleased product footage and embargoed content. #### [Private video editor](/private-video-editor) The general-purpose privacy framing for the editor. #### [Auto Caption Generator, No Upload](/auto-caption-no-upload) Same architecture applied to the caption tool specifically. --- Source: [https://vidstudio.app/gdpr-compliant-video-editor](https://vidstudio.app/gdpr-compliant-video-editor)