Where Does the Recording Really Go? Five Questions for Any Dictation Software
Philipp Mühl
Product & Policy Strategy, IDM gGmbH

Medical speech recognition processes the most sensitive data healthcare has: the spoken word between doctor and patient. Accordingly, almost every vendor advertises with the same terms today, GDPR-compliant, hosted in Germany, highest security standards. The label says little about what actually happens to the recording.
Two Constellations Where the Label Deceives
The first constellation is well known: processing runs directly on the infrastructure of a US vendor. The CLOUD Act obliges US companies to hand over data to US authorities, regardless of where the server stands. Even a European cloud region marketed as sovereign changes nothing as long as the parent company is subject to US law.
The second constellation is less well known and hits precisely those hospitals that believe they solved the problem long ago. The contract is with a German vendor. The invoice comes from Germany. Yet the actual speech recognition is still handled in the background by a third-party AI model, to which the German vendor automatically forwards every recording, invisible to the hospital because it only sees the German interface. For data protection, however, what counts is not who issues the invoice but who actually processes the recording. And that can be an entirely different company, in an entirely different country.
What Actually Matters: Control on Three Levels
Whether a solution keeps what the label promises comes down to three questions of control.
Infrastructure: Where does processing run, and whose law applies to the operator? A data center in Germany does not rule out access under third-country laws: if the operator is a US company, the CLOUD Act applies regardless of server location. Access under third-country laws is only ruled out when two conditions are met at once: a location in Germany and an operator that is itself subject to German or European law, for example in its own data center or in a cloud with a German parent company.
Model: Who owns the AI model that processes the recording? Whoever passes third-party models through cannot control every processing step or bindingly guarantee that no data leaves their own environment. Only those who develop and operate their own model can.
Structure: Who owns the vendor, and how is it financed? Ownership and financing shape, over the long term, how a company handles sensitive data. Anyone dependent on external growth capital has to show investors that the collected data creates value in itself, for example as training material for new products or as an independent revenue stream. A non-profit ownership without external investors operates under different conditions than a growth-financed company.
Five Questions for Any Dictation Software
These three levels yield a concrete checklist. Every solution should be able to answer all five questions precisely.
1. Where does the entire processing chain run, from recording to finished text, and who owns the operator at each step? Not the headquarters of the contracting partner, and not the server location alone: what is decisive is where each individual processing step runs and whether the respective operator is itself subject to German or European law. A server in Germany under a US operator does not rule out third-country access.
2. Who developed the AI model in use, and who operates it? Your own model means your own responsibility for the data flow. Vendors that pass third-party recognition models through via APIs can only partially guarantee data flows. A third-party model integrated via an interface means that a third party co-processes and must appear in the data processing agreement as a sub-processor.
3. What happens to audio and transcript after recognition? Retention period, purpose limitation and the question of whether the material is used to train third-party models belong concretely in the contract. Can every user deactivate storage themselves? A contract that leaves this open is not an answer.
4. Which operating models are available? Hospitals have different requirements, some want operation in their own data center, others need a cloud without their own hardware. A vendor whose architecture allows only one of the two cannot adapt to the requirements of the hospital, the hospital has to adapt to the vendor. Whoever offers only cloud should be able to explain why.
5. Who explains the processing when the data protection officer asks? When in doubt, what counts is whether the data protection officer reaches a contact in Germany who can genuinely explain the processing. A ticket system in another time zone is not enough for that.
No Compromise Required: How ORPHEUS Answers These Questions
ORPHEUS is under its own control on all three levels. The speech model is entirely developed in-house, no data flows to external AI platforms, there are no passed-through interfaces. The entire processing, including that of ambient documentation, takes place exclusively in Germany.
For the operating model, the hospital decides, not the architecture. Large hospitals run ORPHEUS on-premise on their own GPU infrastructure. Those who do not want to maintain their own hardware use the sovereign STACKIT cloud, university hospitals additionally the hosting via GWDG. All three paths remain under German law, sovereignty is not only the server room in your own building. Every user can deactivate the storage of audio data via opt-out.
And the structure behind it: IDM is a non-profit subsidiary of UKE Hamburg-Eppendorf. No venture capital, no exit pressure, no business model built on monetizing health data. ORPHEUS is developed, trained and operated in the very hospital where it is used every day.
We have summarized what matters when choosing a system in our medical speech recognition guide. And if your data protection officer has questions, we are happy to answer them directly: book a conversation.
About the author
Related Posts
How AI documents the doctor-patient conversation
Ambient documentation listens to the conversation and turns it into a structured note. How the technology works, what matters for GDPR and hosting, and where ORPHEUS stands.
engineeringHow to use ORPHEUS in practice and hospital
A practical walkthrough. Dictate, document the conversation ambiently, structure it with templates and maintain your vocabulary, step by step with screenshots from the ORPHEUS client.