LOCRAI

source: gdpr-documenti-cloud.md

category: compliance

published: June 2, 2026

read_time: 12m

Documents in the cloud and GDPR: a pragmatic checklist

Retention, data localization, access: what to look at when you entrust your documents to a service.

Entrusting your documents to an external service is a sensible choice: less infrastructure to manage, more automation. But business documents contain personal data (names, addresses, VAT numbers, amounts) and that brings them squarely within the scope of the GDPR. Here's a concrete checklist, no panic and no legalese.

You don't need to be a lawyer to ask the right questions. You need to know what to ask the vendor, what to put in the contract, and what to verify periodically. Compliance isn't a one-time event; it's ongoing maintenance.

1. Where the data lives

The first question is geographic: where are the documents physically stored and analyzed? Fully European infrastructure simplifies compliance considerably, because it avoids transfers outside the EU/EEA and the additional safeguards Chapter V of the GDPR requires for them (adequacy decisions, standard contractual clauses, transfer impact assessments). Always ask, and get it in writing.

Watch the details: «servers in Europe» isn't enough if AI processing or backups end up elsewhere. Ask for compute region, storage region, disaster recovery region. And if sub-processors are used (hosting, transactional email), they must appear in your processing register and in the DPA, and the provider must tell you about additions or replacements in time for you to object (Art. 28(2)).

2. How long they stay

The GDPR's storage-limitation principle (Art. 5(1)(e)) is blunt: don't keep personal data longer than the purpose requires. A good service lets you configure the retention period and, above all, automatically deletes expired documents. «Forever» retention is convenient but it's a risk, not a feature.

  • Retention period configurable per organization
  • Automatic and permanent deletion beyond the window
  • Deletion on request for a single document or an entire client
  • Proof of deletion (logs) for internal audits

3. Who can access

In a multi-client service, the key question is: does my company see only its own data? Isolation between customers must be enforced in code (every query scoped to the tenant taken from the authenticated session, never from an organization ID the client supplies) and, ideally, verified by automated tests that try to read across the boundary. On the internal side, what matters is who on the provider's staff can access and with what tracking.

For professional firms the issue is even more sensitive: an accountant managing a hundred clients can't afford a «leak» between organizations. Roles, permissions, and audit logs aren't optional.
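The two sections above (retention with proof of deletion, and tenant isolation with audit logging) in working code, as an added illustration that is not LOCRAI's code and says nothing about how LOCRAI is built: a hypothetical in-memory `DocumentStore` with invented names, where every read and delete is scoped to the requesting organisation, a scheduled sweep hard-deletes documents past their organisation's window, and each deletion leaves an audit entry carrying a content hash rather than the content. The tenants, document IDs and invoice bytes in `run_checks` are constructed sample data.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Document:
    doc_id: str
    org_id: str
    stored_at: datetime
    content: bytes

class DocumentStore:
    """Hypothetical multi-tenant store: per-org retention, hard delete, audit trail."""

    def __init__(self, default_retention_days: int = 365) -> None:
        self._docs: dict[str, Document] = {}          # doc_id -> Document
        self._retention: dict[str, timedelta] = {}    # org_id -> window
        self._default = timedelta(days=default_retention_days)
        self.audit_log: list[dict] = []               # append-only, never holds content

    def set_retention(self, org_id: str, days: int) -> None:
        if days <= 0:                                 # «forever» is not a valid setting
            raise ValueError("retention must be a positive number of days")
        self._retention[org_id] = timedelta(days=days)

    def put(self, org_id: str, doc_id: str, content: bytes, now: datetime) -> None:
        self._docs[doc_id] = Document(doc_id, org_id, now, content)
        self._audit("stored", org_id, doc_id, now)

    def _owned(self, requester_org: str, doc_id: str, now: datetime) -> Document:
        # Tenant scoping for every read/delete path; a foreign document is reported
        # exactly like a missing one, so another tenant cannot probe for IDs.
        doc = self._docs.get(doc_id)
        if doc is None or doc.org_id != requester_org:
            self._audit("access_denied", requester_org, doc_id, now)
            raise PermissionError("no such document for this organisation")
        return doc

    def get(self, requester_org: str, doc_id: str, now: datetime) -> Document:
        doc = self._owned(requester_org, doc_id, now)
        self._audit("read", requester_org, doc_id, now)
        return doc

    def delete(self, requester_org: str, doc_id: str, now: datetime) -> None:
        """Deletion on request for a single document."""
        self._hard_delete(self._owned(requester_org, doc_id, now), "deleted_on_request", now)

    def delete_org(self, org_id: str, now: datetime) -> int:
        """Deletion on request for an entire client; returns how many were removed."""
        victims = [d for d in self._docs.values() if d.org_id == org_id]
        for d in victims:
            self._hard_delete(d, "org_offboarded", now)
        return len(victims)

    def sweep_expired(self, now: datetime) -> list[str]:
        """Scheduled job: remove everything past its organisation's window."""
        expired = [d for d in self._docs.values()
                   if now - d.stored_at >= self._retention.get(d.org_id, self._default)]
        for d in expired:
            self._hard_delete(d, "retention_expired", now)
        return [d.doc_id for d in expired]

    def count(self, org_id: str) -> int:
        return sum(1 for d in self._docs.values() if d.org_id == org_id)

    def _hard_delete(self, doc: Document, reason: str, now: datetime) -> None:
        digest = hashlib.sha256(doc.content).hexdigest()   # proof of deletion: hash, not data
        del self._docs[doc.doc_id]
        self._audit(reason, doc.org_id, doc.doc_id, now, sha256=digest)

    def _audit(self, event: str, org_id: str, doc_id: str, now: datetime, **extra) -> None:
        entry = {"ts": now.isoformat(), "event": event, "org": org_id, "doc": doc_id}
        entry.update(extra)
        self.audit_log.append(entry)

def run_checks() -> dict:
    """Constructed scenario: two tenants, a cross-tenant read, a sweep, an offboarding."""
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)
    store = DocumentStore(default_retention_days=365)
    store.set_retention("acme", 30)                       # acme asks for a 30-day window
    store.put("acme", "inv-001", b"Invoice 2026/001, VAT IT01234567890", t0)
    store.put("globex", "inv-002", b"Invoice 2026/002, VAT IT09876543210", t0)

    try:
        store.get("globex", "inv-001", t0)                # globex must not see acme's invoice
        cross_tenant_blocked = False
    except PermissionError:
        cross_tenant_blocked = True

    swept = store.sweep_expired(t0 + timedelta(days=31))  # only acme's 30-day window has elapsed
    removed = store.delete_org("globex", t0 + timedelta(days=32))
    return {
        "cross_tenant_blocked": cross_tenant_blocked,
        "swept": swept,
        "removed_for_globex": removed,
        "remaining": store.count("acme") + store.count("globex"),
        "denied": [e for e in store.audit_log if e["event"] == "access_denied"],
        "deletion_proof": [e for e in store.audit_log if "sha256" in e],
    }
```

Two design points carry over to a real service: the denial path logs the attempt and answers "not found" whether the document is missing or belongs to someone else, which is exactly the kind of check an automated isolation test should exercise; and the audit entry for a deletion stores a hash, so the proof-of-deletion log does not itself become a copy of the personal data you just deleted. In production the sweep must also reach indexes, caches, backups and any inference logs, which an in-memory example cannot show.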

4. AI and data processing

With AI in the mix, two more questions: are your documents used to train models? And where does the processing run? The right answers are «no» and «in the EU». On top of that, the European AI Act may add transparency obligations depending on how the system is used: a good provider explains which ones apply to you without beating around the bush.

Also ask about retention of inference logs, whether the prompts sent to the model include document content, and how incidents are handled. On breaches the roles matter: under Art. 33 the processor must notify you without undue delay, because it is you, the controller, who then has 72 hours from becoming aware of the breach to notify the supervisory authority. A DPA that gives the provider the full 72 hours to tell you leaves you no time at all.

5. Contract and roles

You are the controller for your clients' and suppliers' data; the extraction service provider is typically the processor. You need a clear DPA under Art. 28: subject matter, duration, purpose, security measures, sub-processors, assistance with data subject rights, and return or deletion of the data at the end of the contract.

Compliance isn't a badge: it's the sum of concrete choices about where, for how long, and to whom.

Quick checklist before signing

  • DPA available and signable
  • Data in the EU (storage + compute)
  • Configurable retention with automatic deletion
  • Documented multi-tenant isolation
  • No training on your documents without explicit consent
  • Export and deletion procedures on request

If a provider offers all of this right away and without beating around the bush, that's a good sign. LOCRAI is built with these answers already in hand — because, with data, trust is earned before it's even asked for.

Want to see it on your documents?

We'll show you LOCRAI at work on one of your real workflows, in a short, concrete demo.

Request a demo