2026-05-02·13 min read·sota.io team
AWS Chime is Amazon's unified communications platform spanning video meetings, audio conferencing, chat messaging, and the Chime SDK for embedding real-time communication into custom applications. Through the Chime SDK, AWS also powers thousands of third-party applications — telehealth platforms, customer support tools, virtual classroom systems — where end users have no awareness that Amazon infrastructure handles their calls.

For European organisations, Chime presents a structural compliance problem that applies whether you use the Chime application directly, embed the Chime SDK, or route SIP traffic through Amazon Chime Voice Connector. Every participant in a meeting, every word in a chat channel, every second of a recorded call, and every metadata record generated by Chime resides on US-controlled infrastructure subject to the CLOUD Act. Your meeting participants — patients in a telehealth consultation, employees in an HR discussion, legal clients in a privileged call — never consented to Amazon holding records of those conversations.

This post analyses what AWS Chime actually processes, why the CLOUD Act exposure extends well beyond what most communication platform teams recognise, and which EU-native video conferencing alternatives deliver equivalent capability without routing European communications through US infrastructure.

---

## What AWS Chime Actually Processes

Chime is frequently described as a "meeting tool," but the data surface extends across multiple service layers that compound the GDPR exposure.
**Meeting participant records:** Each Chime meeting generates a participant record containing:

- Chime account profile: display name, email address, phone number, profile photo, and account creation timestamp for registered users
- Device identifiers: the device type, operating system, and application version for each participant joining a meeting
- Network attributes: IP address and geolocation derived from IP for each participant at each meeting
- Meeting attendance: join timestamp, leave timestamp, and total duration for each participant — generating a precise attendance log for every meeting in your organisation's history

**Meeting recordings:** Chime meeting recordings are stored in Amazon S3 buckets under the customer's account. Each recording contains:

- Full audio and video of the meeting content
- Screen sharing content if participants shared their screen
- Embedded participant video streams with participant identification metadata
- Recording metadata: meeting ID, organiser identity, participant list, start and end timestamps

The S3 bucket containing recordings is under the customer's AWS account — but it is still US-controlled infrastructure subject to CLOUD Act compelled production. An order targeting the S3 bucket yields the complete video archive.
**Chat and messaging content:** Chime chat (Amazon Chime SDK Messaging) stores message content and channel history:

- Message body text for every message in every channel
- Sender identity, timestamp, and channel membership records
- Attachments and media shared in channels stored in S3
- Message retention logs even after messages are "deleted" by users — Chime's retention policies operate at the channel level, not per-message, and deletion often marks messages rather than purging the underlying record

**Amazon Chime Voice Connector:** Voice Connector is a SIP trunking service that routes PSTN telephone traffic through AWS infrastructure:

- Call detail records (CDRs) for every call: calling number, called number, call start, call answer, call end, duration, and call disposition
- Call recordings if streaming is enabled — entire audio streams stored in S3
- SIP signalling logs: the full SIP INVITE, RINGING, OK, BYE sequence revealing call setup attempts, ring duration, and termination reason
- Media streams: real-time audio routing through Amazon EC2 infrastructure for transcoding and relay

For any European organisation using Voice Connector as a telephony gateway, EVERY telephone call placed through the system generates CDR records in Amazon's infrastructure.

**Chime SDK application data:** Applications built on the Chime SDK generate additional data through the meeting control plane:

- Attendee tokens: cryptographic credentials issued per meeting per participant, linked to application-layer identities
- Meeting transcriptions: if Amazon Transcribe is integrated, call content is processed by a second US-controlled service with its own retention and disclosure obligations
- Event notifications: meeting state change events (attendee join, leave, mute, video on/off) delivered through Amazon EventBridge or SNS — adding a third layer of metadata persistence

---

## CLOUD Act Exposure: Communications Your Participants Don't Know AWS Holds

The CLOUD Act (18 U.S.C. § 2713) requires US providers to produce data regardless of the physical location of storage. AWS is a US entity. A CLOUD Act order targeting an organisation's Chime environment can compel production of:

**The complete meeting history:** Every meeting held through Chime — internal team meetings, customer calls, board meetings, investor conversations — generates attendance records identifying who met with whom, when, for how long, and from which location. For a mid-sized European organisation, this is a surveillance-grade record of internal business activity accumulated over years, produced without any notification to meeting participants.

**Meeting recordings containing privileged content:** Healthcare consultations, legal advisory calls, HR disciplinary discussions, board-level strategy sessions — any content recorded in Chime S3 storage is reachable under a CLOUD Act order. The legal protection that would ordinarily apply to medical records under Art. 9 GDPR or to legal privilege under national law does not insulate the S3 recording from CLOUD Act compelled disclosure. The content moves through US jurisdiction when uploaded to S3 regardless of which EU region it is stored in.

**Chat channel content:** Chime Messaging stores channel content on a rolling retention basis. For organisations using Chime as their internal messaging platform, an order can compel production of weeks or months of internal messaging — project discussions, management conversations, customer negotiations — without notifying any of the employees whose messages are disclosed.

**Telephone CDRs through Voice Connector:** For organisations routing PSTN traffic through Amazon Chime Voice Connector, every telephone call generates a CDR in AWS infrastructure. An order targeting the Voice Connector account compels production of the complete call log: who called whom, when, for how long.
CDRs of this breadth constitute a detailed map of an organisation's external relationships — customers, suppliers, advisors, regulators — disclosed to US authorities under an order that no European data protection authority reviews or can veto.

---

## GDPR Exposure Points: Six Compliance Gaps

### 1. Article 9 — Special Category Data in Video Recordings

Video recordings of healthcare consultations, therapy sessions, physiotherapy appointments, or any medical-adjacent communication constitute processing of special category health data under Art. 9 GDPR. AWS Chime recordings stored in S3 place this content in US-controlled infrastructure without the explicit consent under Art. 9(2)(a) that would be required for this specific processing purpose — the consent at booking or registration does not extend to "Amazon may be compelled by US law enforcement to produce the recording of your consultation."

The same Art. 9 exposure applies to:

- Legal advice calls where mental health, disability, or family status is discussed
- HR conversations touching on medical leave, disability accommodations, or pregnancy
- Financial advisory calls touching on dependency, bankruptcy, or medical incapacity
- Telehealth platforms built on the Chime SDK where patient-clinician video is the core product

### 2. Article 88 — Employee Monitoring and the Chime Attendance Log

The meeting attendance data Chime generates — who participated in which meeting, for how long, with what engagement signals (muted, camera off, active speaker) — constitutes employee monitoring data under Art. 88 GDPR in conjunction with DSGVO §26 (in Germany) and equivalent national provisions across the EU.

Processing employee meeting attendance records as HR data requires:

- A documented lawful basis under Art. 6(1)(b) or (c) GDPR
- Works council consultation where applicable under national co-determination law (the Betriebsverfassungsgesetz in Germany requires works council agreement for employee monitoring systems)
- Data minimisation: Chime attendance granularity (join timestamp, leave timestamp, active speaker duration, engagement score) significantly exceeds what is necessary for meeting functionality

The CLOUD Act exposure compounds: Chime meeting attendance records for an entire workforce, accumulated over years, constitute a behavioural monitoring dataset for every employee — one that US authorities can compel without the notification obligations that a domestic European court order would require.

### 3. Article 5(1)(e) — Storage Limitation and S3 Recording Accumulation

Chime recording storage accumulates without built-in expiry. S3 lifecycle policies are optional and must be explicitly configured; the default is indefinite retention. Organisations that rely on Chime's default configuration retain years of meeting recordings in S3 without a documented retention schedule, violating Art. 5(1)(e)'s requirement that personal data be kept "no longer than is necessary for the purposes for which the personal data are processed."

The storage limitation problem is amplified by Chime's multi-layer persistence: the S3 recording, the CloudTrail access log for the S3 recording, the Chime control plane event log for the meeting, and the Chime chat transcript if the meeting included messaging. Each layer requires independent lifecycle management.

### 4. CLOUD Act + Article 46 — Cross-Border Transfers and Schrems II

Chime operates through Amazon's global infrastructure. US-region processing occurs not only when an EU customer uses a US-region Chime endpoint but also through Chime's control plane and media processing infrastructure.
The Schrems II ruling invalidated Privacy Shield and introduced heightened requirements for Standard Contractual Clauses — transfer impact assessments (TIAs) must demonstrate that US law does not undermine the protection SCCs promise. For Chime, any TIA must account for the CLOUD Act as applied to communications content — call recordings, chat messages, voice CDRs.

Legal analysis consistently concludes that the CLOUD Act's government access provisions cannot be mitigated by SCCs alone. The residual risk for communications content is assessed as high by most European DPA guidance.

### 5. Article 28 — Processor Obligations and Subprocessor Chains

When an organisation deploys the Chime SDK within its product, Amazon becomes a processor. The Art. 28 DPA must cover all categories of data processed — attendee tokens, meeting metadata, media streams, recordings if stored, Transcribe output if integrated. Many SaaS applications built on the Chime SDK have not updated their privacy notices or DPAs to reflect Amazon as a named subprocessor for real-time communications.

The subprocessor chain compounds: Chime SDK applications that integrate Transcribe add Amazon Transcribe as an additional subprocessor processing audio content. Applications that use Amazon EventBridge for meeting events add EventBridge as a processor of meeting state change events. Each subprocessor relationship requires notification to data subjects, updating of the Art. 30 processing record, and individual assessment under the Schrems II framework.

### 6. Article 13/14 — Transparency Gap in Chime SDK Applications

End users of applications built on the Chime SDK — telehealth patients, online education students, virtual event attendees — typically encounter no disclosure that their communication is powered by AWS infrastructure. The privacy notice covers the application's data handling but frequently omits the processor relationship with Amazon for real-time communications. Art. 13/14 requires disclosure at the point of collection of all recipients of personal data, including processors. An application that routes video through the Chime SDK without disclosing Amazon as a data recipient violates Art. 13(1)(e).

The disclosure gap is widespread: healthcare platforms, EdTech applications, and customer service tools built on the Chime SDK have embedded a CLOUD Act-reachable processor into their product stack without user notification.

---

## EU-Native Video Conferencing Alternatives

The mature open-source and EU-hosted commercial alternatives to AWS Chime cover the full range of use cases — from self-hosted Jitsi for basic meetings to BigBlueButton for education, Matrix/Element for persistent messaging, and EU-hosted commercial platforms for enterprise deployments.

### Jitsi Meet

Jitsi Meet is a fully open-source video conferencing platform developed by 8x8 and deployable on any infrastructure. The self-hosted deployment runs as a set of containers: Prosody (XMPP server for signalling), Jicofo (focus component managing conferences), JVB (Jitsi Videobridge for media routing), and optionally Jibri (recording and streaming).

A self-hosted Jitsi deployment on EU infrastructure — a virtual machine on Hetzner, OVH, or a PaaS like sota.io — processes no data outside the EU, provided the STUN/TURN servers configured for JVB and the web client are also EU-hosted (stock installs reference public STUN servers outside your control, so check that setting during deployment). Meeting metadata (participant count, duration) is local. Recordings, if enabled via Jibri, write to local storage. There is no AWS S3, no US control plane, no CLOUD Act-reachable infrastructure.

Jitsi is appropriate for:

- Internal team meetings (1-50 participants)
- Customer calls where data sovereignty is contractually required
- Any use case where the Chime application can be replaced with a web-browser-accessible meeting room

The operational cost is the Jitsi Videobridge resource requirement — JVB processes all media server-side and requires dedicated CPU proportional to meeting scale.
### BigBlueButton

BigBlueButton (BBB) is an open-source web conferencing system designed specifically for online education. It adds to video conferencing: shared slides and whiteboards, breakout rooms, polling, hand-raising, and recording with playback that allows chapter navigation.

BBB is used by EU educational institutions — universities, schools, continuing education providers — as a GDPR-compliant replacement for Zoom and Chime-powered EdTech platforms. Self-hosted on EU infrastructure, it processes student interactions (participation data that may constitute special category data for minors under Art. 9 where processing involves vulnerable groups) entirely within EU jurisdiction.

### Matrix / Element

Matrix is an open, decentralised communication protocol with end-to-end encryption (E2EE) as a first-class feature. Element is the reference Matrix client. A self-hosted Matrix homeserver (Synapse or the lighter Conduit implementation) provides:

- Persistent messaging with E2EE, meaning even the server operator cannot read message content
- Voice and video calling via Matrix's built-in WebRTC support
- Federation with other Matrix homeservers for external communication without centralised routing

For organisations replacing Chime as a persistent chat and messaging platform (not just video meetings), Matrix eliminates the US-infrastructure exposure entirely. With E2EE enabled, a CLOUD Act order against the server yields only encrypted ciphertext — the metadata (who communicated with whom, when) remains, but content is inaccessible. Matrix federation requires careful jurisdiction management: federated rooms can route data through servers in non-EU jurisdictions unless federation is restricted to EU homeservers (in Synapse, the `federation_domain_whitelist` setting in `homeserver.yaml` limits which remote servers the homeserver will federate with).

### Nextcloud Talk

Nextcloud Talk integrates video conferencing directly into the Nextcloud collaboration platform.
For organisations already running Nextcloud for file management and groupware, Talk adds browser-based video meetings and persistent chat without introducing a separate communications platform or additional processor relationships.

Nextcloud Talk supports:

- Browser-based peer-to-peer video (no dedicated media server for small groups)
- TURN server-based relay for NAT traversal (self-hosted coturn)
- High-performance backend (HPB) using a signaling server for larger meetings
- Recording via Nextcloud's recording backend

### Whereby (EU-hosted)

Whereby is a Norwegian video conferencing company offering browser-based meetings without software installation. Unlike AWS Chime, Whereby operates from Norwegian infrastructure and processes data under Norwegian data protection law (which incorporates GDPR). For organisations that need a managed SaaS meeting tool without self-hosting complexity, Whereby offers a GDPR-compliant alternative with EU data residency and a non-US parent company.

### Wire

Wire provides encrypted team messaging and video conferencing with a self-hosted enterprise option (Wire On-Premise). Wire's architecture stores all communication metadata and content on the organisation's own infrastructure when deployed on-premise. The Wire protocol applies E2EE to all messaging and calls, meaning server compromise or CLOUD Act compelled disclosure yields only encrypted content.

---

## Deploying EU-Native Communication on sota.io

Running Jitsi Meet, BigBlueButton, or a Matrix homeserver on an EU-native PaaS eliminates the CLOUD Act exposure of AWS Chime without requiring dedicated server management. A managed EU PaaS provides container orchestration, persistent storage, TLS termination, and domain management — the operational layer that makes organisations reach for AWS Chime by default.
[sota.io](https://sota.io) is an EU-native PaaS (Germany-hosted, no US parent company, no CLOUD Act jurisdiction) built for deploying containerised applications without US infrastructure dependency.

Deploying Jitsi Meet on sota.io:

1. Deploy Prosody, Jicofo, and JVB containers with persistent configuration volumes
2. Configure a custom domain via sota.io's domain management
3. Route meeting traffic through JVB on EU infrastructure with no US media relay
4. Store recordings (via Jibri) in EU-hosted persistent storage rather than Amazon S3

All meeting metadata, participant records, and recording content stay within EU jurisdiction. No CLOUD Act exposure. No S3 recording accumulation under US control. No Art. 28 subprocessor disclosure gap for Amazon.

---

## Decision Framework: When to Migrate from AWS Chime

**Migrate now if:**

- Your application handles medical, therapeutic, or legal consultations via video — Art. 9 special category processing in US infrastructure creates unmitigable CLOUD Act risk
- Your organisation conducts board-level, HR, or other sensitive internal meetings recorded in Chime S3
- You use Amazon Chime Voice Connector for PSTN routing and generate CDR records on AWS infrastructure
- A DPA audit, enterprise prospect, or insurance requirement has raised AWS infrastructure as a data residency concern

**Assess carefully if:**

- You use the Chime SDK embedded in your product and have not disclosed Amazon as a processor in user-facing privacy notices — this is the fastest compliance fix (notice update) before a larger migration
- Your organisation uses Chime for low-sensitivity internal meetings with no recording — the CLOUD Act risk is lower but the meeting attendance metadata persists

**Chime remains acceptable if:**

- Your meetings involve no EU personal data (all participants outside EU jurisdiction)
- You operate as a US entity processing data of US data subjects exclusively

---

## Summary

AWS Chime processes European video meetings, call recordings, chat messages, and telephone CDRs on US-controlled infrastructure subject to CLOUD Act compelled disclosure without notification to data subjects. The six GDPR exposure points — Art. 9 health data in recordings, Art. 88 employee monitoring via attendance logs, Art. 5(1)(e) accumulating S3 recordings, Art. 46/Schrems II transfer risk, Art. 28 SDK subprocessor disclosure gaps, and Art. 13/14 transparency failures in Chime SDK applications — create compliance risk that SCCs alone cannot resolve.

EU-native alternatives — self-hosted Jitsi Meet on EU infrastructure, BigBlueButton for education, Matrix/Element for persistent messaging, Nextcloud Talk for integrated collaboration, or managed EU SaaS like Whereby — deliver equivalent communication capability without routing European conversations through US infrastructure. The migration path from Chime is established: replace the TURN/media infrastructure with EU-hosted equivalents, update Art. 30 processing records to remove Amazon as processor, and notify data subjects of the changed processor relationship.
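Of the six gaps, the Art. 5(1)(e) storage-limitation point (section 3 above) is the one with a direct technical control while a Chime estate still exists: an expiration rule on the recording bucket. The following Python is an added example, not code from the original post, from AWS or from sota.io. It audits and builds a lifecycle configuration in the dictionary shape that boto3's `get_bucket_lifecycle_configuration` returns and `put_bucket_lifecycle_configuration` accepts, using a constructed sample so it runs offline; the `recordings/` prefix and the 90-day schedule are assumptions standing in for your documented retention period. It covers only the S3 layer; the CloudTrail, control-plane and chat layers the section lists need their own retention handling.

```python
"""Audit and build S3 lifecycle rules for a Chime recording bucket.

Added example (not from the original post, AWS or sota.io). Works on the
lifecycle configuration structure boto3 uses, so it needs no network.
"""
from __future__ import annotations

from typing import Any

RECORDING_PREFIX = "recordings/"  # assumed key layout of the recording bucket
MAX_RETENTION_DAYS = 90           # assumed documented retention schedule


def rule_covers_prefix(rule: dict[str, Any], prefix: str) -> bool:
    """True if the rule's filter applies to objects under `prefix`.

    S3 expresses the filter in three shapes: legacy top-level Prefix,
    Filter.Prefix, and Filter.And.Prefix. An empty prefix means the rule
    applies to the whole bucket.
    """
    if "Prefix" in rule:
        rule_prefix = rule["Prefix"]
    else:
        flt = rule.get("Filter", {})
        rule_prefix = flt.get("Prefix", flt.get("And", {}).get("Prefix", ""))
    return prefix.startswith(rule_prefix)


def effective_expiry_days(config: dict[str, Any], prefix: str) -> int | None:
    """Shortest enabled expiration (days) applying under `prefix`, or None if
    nothing expires those objects (i.e. the S3 default: keep forever)."""
    days = []
    for rule in config.get("Rules", []):
        if rule.get("Status") != "Enabled" or not rule_covers_prefix(rule, prefix):
            continue
        expiration = rule.get("Expiration", {})
        if "Days" in expiration:
            days.append(int(expiration["Days"]))
    return min(days) if days else None


def audit_retention(config: dict[str, Any], prefix: str = RECORDING_PREFIX,
                    max_days: int = MAX_RETENTION_DAYS) -> list[str]:
    """Return findings against the retention schedule; an empty list means compliant.

    Feed it the dict from get_bucket_lifecycle_configuration(); when that call
    raises NoSuchLifecycleConfiguration, pass {"Rules": []} (no rules at all).
    """
    findings = []
    expiry = effective_expiry_days(config, prefix)
    if expiry is None:
        findings.append(f"no enabled expiration rule covers '{prefix}': "
                        "default is indefinite retention")
    elif expiry > max_days:
        findings.append(f"objects under '{prefix}' expire after {expiry} days, "
                        f"schedule allows {max_days}")
    # On a versioned bucket a 'deleted' recording survives as a noncurrent
    # version unless a NoncurrentVersionExpiration rule also exists.
    has_noncurrent = any(
        r.get("Status") == "Enabled" and rule_covers_prefix(r, prefix)
        and "NoncurrentVersionExpiration" in r
        for r in config.get("Rules", [])
    )
    if not has_noncurrent:
        findings.append(f"no NoncurrentVersionExpiration under '{prefix}': "
                        "noncurrent versions persist if versioning is enabled")
    return findings


def build_retention_config(prefix: str = RECORDING_PREFIX,
                           max_days: int = MAX_RETENTION_DAYS) -> dict[str, Any]:
    """Lifecycle configuration that expires current and noncurrent recordings
    after max_days and drops abandoned multipart uploads after a week."""
    return {
        "Rules": [{
            "ID": f"expire-{prefix.rstrip('/')}-{max_days}d",
            "Status": "Enabled",
            "Filter": {"Prefix": prefix},
            "Expiration": {"Days": max_days},
            "NoncurrentVersionExpiration": {"NoncurrentDays": max_days},
            "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7},
        }]
    }


# Constructed samples: a bucket left at defaults, and one whose only rule
# targets a different prefix (a common false sense of coverage).
DEFAULT_BUCKET_CONFIG: dict[str, Any] = {"Rules": []}
PARTIAL_CONFIG: dict[str, Any] = {"Rules": [{
    "ID": "logs", "Status": "Enabled",
    "Filter": {"Prefix": "logs/"}, "Expiration": {"Days": 30},
}]}

if __name__ == "__main__":
    for name, cfg in [("defaults", DEFAULT_BUCKET_CONFIG),
                      ("partial", PARTIAL_CONFIG),
                      ("fixed", build_retention_config())]:
        print(name, audit_retention(cfg) or "OK")
```

Against a live account, `build_retention_config()` is what you would pass as `LifecycleConfiguration=` to `put_bucket_lifecycle_configuration`, and the audit is worth running across every bucket Chime or Jibri writes to, not just the one named in the recording settings.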
