Data Protection Impact Assessment
AI-Powered Processing — All Autonomous Consumers
GDPR Article 35 | Version 2.0 | April 8, 2026
Prepared by: Lamb and Flag TopCo Corp (dba AtlanticM&A)
Data Protection Contact: privacy@atlanticma.com
1. Description of Processing
1.1 Nature of Processing
The AtlanticM&A platform offers an AI-powered meeting transcript analysis feature ("Meeting Intelligence"). When a Customer uploads or pastes a meeting transcript, the system:
- Stores the transcript text encrypted at rest in AWS S3 (AES-256)
- Generates a vector embedding (Amazon Titan) for semantic search capability
- Sends the transcript to an AI model hosted on AWS Bedrock — currently Anthropic Claude (Sonnet 4.6) or DeepSeek (V3.2 / R1), selected per-feature by the model router — for structured analysis
- Extracts: summary, action items, key decisions, risks, sentiment, and proposed data updates
- Presents AI-generated suggestions to the user for explicit approval or rejection
- Stores approved changes in the project database; rejected suggestions are discarded
1.2 Scope of Processing
| Item | Details |
|---|---|
| Personal data processed | Names of meeting attendees and speakers, job titles, email addresses mentioned in transcript, opinions and statements attributed to named individuals, action item assignments |
| Special categories (Art. 9) | None intentionally processed. Transcripts may incidentally contain health references, trade union membership, or political opinions if discussed in meetings. Customers are advised not to upload transcripts containing special category data. |
| Data subjects | Meeting attendees, individuals discussed in meetings, individuals named in M&A deal context |
| Volume | Typically 1-10 transcripts per project per month, 1,000-50,000 words per transcript |
| Geographic scope | Global — Customers operate across jurisdictions. All processing occurs in US-East-1 (N. Virginia). |
| Retention | While Customer subscription is active. Deleted within 35 days of account termination (30-day export window + 5-day backup retention). |
1.3 Purpose of Processing
The processing serves the following legitimate purposes:
- Contractual necessity (Art. 6(1)(b)): The Customer has contracted for AI-powered meeting analysis as part of the Service. The feature is core to the product offering.
- Legitimate interest (Art. 6(1)(f)): Reducing manual effort in capturing meeting outcomes, improving project tracking accuracy, and enabling evidence-based integration management.
Processing is initiated only by explicit Customer action — uploading a transcript and clicking "Analyze." The system does not automatically record, transcribe, or process meetings.
1.4 Technology Description
| Component | Technology | Data Flow |
|---|---|---|
| Storage | AWS S3 (AES-256 encryption at rest) | Transcript text stored as .txt file |
| Embedding | Amazon Titan Embed Text v1 | First 8,000 chars → 1536-dim vector (stored in PostgreSQL pgvector) |
| AI Analysis | Anthropic Claude Sonnet 4.6 and DeepSeek V3.2 / R1 via AWS Bedrock (routed per feature) | Full transcript → structured JSON extraction |
| Network | AWS VPC private endpoint | No public internet transit — Bedrock accessed via private network |
| Results | Aurora PostgreSQL (encrypted) | AI output stored as JSONB with confidence scores |
1.5 AI Consumer Registry
The platform operates multiple AI consumers — discrete features that invoke AI models (Anthropic Claude and DeepSeek) via AWS Bedrock to process tenant data. Each consumer is registered in the application's data flows catalog with a declared trust level (controlling which data sensitivity tiers it can access) and a GDPR lawful basis. Autonomous consumers (those that fire without explicit per-invocation user consent) require this DPIA reference.
All consumers access data through a unified foundational context loader that enforces sensitivity-based field filtering at runtime. A commercial-trust consumer, for example, cannot access sensitive-tier fields (escrow, earnout, employee provisions) even if the underlying data source contains them.
TSA Bootstrap Pipeline (Autonomous)
| Attribute | Details |
|---|---|
| Consumers | tsa_bootstrap_analyse, tsa_workstream_creation, tsa_exit_plans, tsa_integration_plans, walk_the_walls_populate |
| Trust Level | Commercial |
| Lawful Basis | Art. 6(1)(b) — Contract performance (Customer contracted for AI-powered TSA analysis and work plan generation) |
| Data Categories | TSA addendum text, extracted service schedules, project charter objectives, SPA deal context (commercial-filtered: purchase price, closing conditions, regulatory approvals — no escrow/earnout/employee data) |
| Personal Data | None directly. TSA documents may incidentally name service contacts or incumbent vendor staff. |
| Human Oversight | User initiates bootstrap. Generated work plans, workstreams, and exit strategies are presented for review before any data is committed. |
| Audit Trail | ai_context.load_foundational logged per invocation with data lineage; tsa_bootstrap_runs table records every pipeline step. |
Email Intelligence (Autonomous)
| Attribute | Details |
|---|---|
| Consumer | email_categorisation |
| Trust Level | Commercial |
| Lawful Basis | Art. 6(1)(f) — Legitimate interest (reducing manual email triage effort for M&A professionals) |
| Data Categories | Email sender/recipient addresses, subject lines, snippet previews, deal metadata, capital partner contacts, project charters (for workstream-level classification) |
| Personal Data | Email addresses, sender/recipient names, email content snippets (first ~200 chars) |
| Human Oversight | Batch classification runs on user action. Categories and relevance scores are stored but can be overridden by the user at any time. |
| Audit Trail | audit_log entry per batch with token usage, cost estimate (SOC2 CC3.4), validation stats, and project assignment counts. |
Contact Intelligence (Autonomous)
| Attribute | Details |
|---|---|
| Consumer | contact_intelligence |
| Trust Level | Commercial |
| Lawful Basis | Art. 6(1)(f) — Legitimate interest (enriching contact context for relationship management) |
| Data Categories | Email correspondence, meeting transcripts, deal metadata |
| Personal Data | Contact names, email addresses, job titles, company affiliations, communication history summaries |
| Human Oversight | User explicitly requests contact enrichment. AI-generated insights are displayed as suggestions. |
| Audit Trail | Application audit log per enrichment request. |
Meeting Intelligence (Autonomous)
| Attribute | Details |
|---|---|
| Consumer | meeting_action_extraction |
| Trust Level | Commercial |
| Lawful Basis | Art. 6(1)(f) — Legitimate interest (extracting actionable intelligence from meeting transcripts) |
| Data Categories | Meeting transcripts (full text), attendee names, extracted decisions and action items |
| Personal Data | Names of attendees and speakers, statements attributed to individuals, action item assignments |
| Human Oversight | User uploads transcript and initiates analysis. All AI-generated suggestions require explicit approval before data changes. |
| Audit Trail | meeting_summaries table with confidence scores; application audit log per analysis. |
Risk Auto-Seed (Autonomous)
| Attribute | Details |
|---|---|
| Consumer | risk_auto_seed |
| Trust Level | Sensitive (double-gated: min(consumer trust, role tier)) |
| Lawful Basis | Art. 6(1)(f) — Legitimate interest (proactive risk identification to protect integration outcomes) |
| Data Categories | SPA reps & warranties, escrow/earnout terms, charter objectives, overdue task schedules, existing risk register entries |
| Personal Data | None directly — risks reference workstreams and deal terms, not individuals |
| Human Oversight | User initiates risk identification. All AI-generated risks are presented as drafts — user must explicitly approve each risk before it enters the register. |
| Audit Trail | ai_context.load_foundational audit entry with lineage; approved risks tracked via standard risk creation audit. |
In addition to autonomous consumers, the platform includes co-pilot consumers (email_ai_compose, capital_partner_suggest, lbo_ai_valuation, charter_generation) and a conversational consumer (voice_assistant). These are explicitly triggered by user action per invocation and do not require separate DPIA entries, though they share the same foundational context loader, sensitivity enforcement, and audit trail infrastructure.
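The sensitivity-based field filtering and the min(consumer trust, role tier) double gate described in section 1.5, sketched as an added Python example (not AtlanticM&A's code). Consumer names and trust levels come from the tables above; the tier ordering, field names, function names and lineage shape are assumptions.

```python
from enum import IntEnum

class Tier(IntEnum):
    # Assumed ordering; the page names only these two trust levels.
    COMMERCIAL = 1
    SENSITIVE = 2

# Consumer names and trust levels as listed in section 1.5.
CONSUMER_TRUST = {
    "email_categorisation": Tier.COMMERCIAL,
    "tsa_bootstrap_analyse": Tier.COMMERCIAL,
    "risk_auto_seed": Tier.SENSITIVE,
}

# Hypothetical field names, classified per the page's examples.
FIELD_TIER = {
    "purchase_price": Tier.COMMERCIAL,
    "closing_conditions": Tier.COMMERCIAL,
    "regulatory_approvals": Tier.COMMERCIAL,
    "escrow_terms": Tier.SENSITIVE,
    "earnout_terms": Tier.SENSITIVE,
    "employee_provisions": Tier.SENSITIVE,
}

def effective_tier(consumer: str, role_tier: Tier) -> Tier:
    """Double gate: the lower of the consumer's trust and the caller's role tier."""
    if consumer not in CONSUMER_TRUST:
        # Fail closed: an unregistered consumer gets no data at all.
        raise PermissionError(f"unregistered AI consumer: {consumer}")
    return min(CONSUMER_TRUST[consumer], role_tier)

def filter_context(consumer: str, role_tier: Tier, record: dict):
    """Return (released fields, lineage entry) for one invocation."""
    ceiling = effective_tier(consumer, role_tier)
    released, withheld = {}, []
    for field, value in record.items():
        tier = FIELD_TIER.get(field)
        # Unclassified fields are withheld regardless of trust level.
        if tier is not None and tier <= ceiling:
            released[field] = value
        else:
            withheld.append(field)
    lineage = {"consumer": consumer, "effective_tier": ceiling.name,
               "released": sorted(released), "withheld": sorted(withheld)}
    return released, lineage

# Constructed sample record, not real deal data.
SAMPLE = {"purchase_price": "USD 40m", "closing_conditions": "HSR clearance",
          "escrow_terms": "10% for 18 months", "earnout_terms": "EBITDA-based",
          "unclassified_note": "free text"}
```

The lineage entry records which fields were withheld as well as released, so an audit can confirm that a commercial-trust invocation never received sensitive-tier fields.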
2. Necessity and Proportionality Assessment
2.1 Necessity
Post-merger integration involves dozens of weekly meetings across multiple workstreams. Manually extracting action items, risks, and status updates from these meetings is time-consuming and error-prone. AI analysis reduces a 2-hour manual review process to under 2 minutes, with evidence-quoted source attribution for every extracted item.
Less intrusive alternatives considered:
- Manual-only extraction: Rejected — does not scale for large integrations (10-20 workstreams, weekly meetings each). The purpose of the Service is to automate this process.
- Keyword-only extraction (no AI): Rejected — insufficient accuracy for M&A-specific terminology. Keyword matching cannot identify nuanced action items, risk escalations, or sentiment.
- On-device processing: Not feasible — large language model inference requires GPU/accelerator infrastructure not available on end-user devices.
- EU-region processing: AWS Bedrock with Anthropic Claude and DeepSeek is not yet available in all EU regions. When available, EU processing will be offered as an option.
2.2 Proportionality
- Data minimisation: Only the transcript text is sent to the AI model. No user authentication data, billing data, or unrelated project data is included in the AI prompt.
- Purpose limitation: The AI model processes the transcript solely for structured extraction. It does not profile individuals, make automated decisions about individuals, or generate content about individuals beyond what is in the transcript.
- Human oversight: Every AI-generated suggestion requires explicit human approval before any data is changed. The system proposes; the user decides.
- No model training: AWS Bedrock does not use customer data to train, improve, or fine-tune any models. This is contractually guaranteed by AWS.
3. Risk Assessment
3.1 Risks to Data Subjects
| Risk | Likelihood | Severity | Mitigation |
|---|---|---|---|
| Unauthorised access to transcript content | Low | High | Encryption at rest (AES-256), in transit (TLS 1.2+), row-level security, VPC isolation, MFA, WAF rate limiting |
| AI misattribution of statements to wrong individuals | Medium | Medium | Confidence scoring on every extraction; evidence quotes allow verification; human approval required before data changes |
| Incidental processing of special category data | Low | High | Customer guidance not to upload transcripts containing special category data; AI does not attempt to extract or classify sensitive personal attributes |
| Data breach exposing transcript content | Very Low | High | Multi-layer security (WAF, VPC, RLS, encryption, CloudTrail); breach notification within 72 hours; incident response plan documented |
| Cross-tenant data leakage via AI model | Very Low | High | AWS Bedrock provides strict tenant isolation — each API call is independent with no shared context. No fine-tuning or model persistence between calls. |
| US government access to data (Schrems II concern) | Low | Medium | Encryption keys managed by AWS KMS; Standard Contractual Clauses in place; supplementary technical measures (VPC isolation, no public egress); transparency report commitment |
| Automated decision-making affecting individuals (Art. 22) | N/A | N/A | The system does not make automated decisions about individuals. All AI outputs are suggestions requiring human approval. No profiling, scoring, or automated consequences for data subjects. |
3.2 Residual Risk Assessment
After applying the mitigations described above, the residual risk to data subjects is assessed as LOW. The primary risk vectors (unauthorised access, data breach) are mitigated by industry-standard and above-standard security controls. The AI-specific risks (misattribution, cross-tenant leakage) are mitigated by the human-in-the-loop approval workflow and AWS Bedrock's tenant isolation guarantees.
4. Measures to Address Risks
4.1 Technical Measures
- Encryption at rest (AES-256) for all data stores (S3, Aurora, DynamoDB)
- Encryption in transit (TLS 1.2+ enforced with HSTS)
- Row-Level Security (RLS) at database level — strict tenant isolation
- VPC private endpoints — AI processing never traverses the public internet
- AWS WAF with OWASP rules, IP reputation, and rate limiting (50 req/5min on auth)
- Multi-factor authentication (TOTP, WebAuthn passkeys)
- CloudTrail audit logging with 90-day retention
- Automated backup with 35-day retention and point-in-time recovery
4.2 Organisational Measures
- AI Processing Notice displayed before transcript upload (informed consent)
- Human-in-the-loop: all AI suggestions require explicit approval
- Confidence scoring: each extraction includes a 0-1 confidence score
- Evidence quotes: every proposed update links to the source text in the transcript
- Data minimisation: only transcript text sent to AI — no extraneous personal data
- Right to deletion: users can delete individual meetings and transcripts at any time
- Account-level deletion: full GDPR Article 17 erasure within 35 days of termination
- Incident response plan: documented procedure with 72-hour notification commitment
- Sub-processor register: maintained and updated with 30-day notification for changes
4.3 Data Subject Rights
- Right of access (Art. 15): Data export available via Account Settings (JSON format)
- Right to rectification (Art. 16): Users can edit all project data including AI-generated content
- Right to erasure (Art. 17): Individual meeting deletion + full account deletion available
- Right to data portability (Art. 20): Full data export in machine-readable format
- Right to object (Art. 21): AI features can be disabled entirely; transcripts can be uploaded without analysis
- Right not to be subject to automated decisions (Art. 22): Not applicable — no automated decisions are made about data subjects. All AI outputs require human approval.
5. Consultation
5.1 Data Protection Officer
Given the size of the organisation (sole proprietor), a formal DPO appointment is not required under GDPR Article 37. However, data protection enquiries are handled by the Data Protection Contact at privacy@atlanticma.com.
5.2 Data Subject Consultation
Data subjects (meeting attendees) are not directly consulted as part of this DPIA. The Controller (Customer) is responsible for ensuring appropriate legal basis for uploading meeting transcripts, including informing meeting participants that transcripts may be processed by AI tools. The Processor provides the AI Processing Notice within the application to support this obligation.
5.3 Supervisory Authority
Based on the residual risk assessment (LOW), prior consultation with the supervisory authority under GDPR Article 36 is not considered necessary. This assessment will be reviewed if the processing changes materially or if the risk profile increases.
6. Review Schedule
This DPIA will be reviewed:
- Annually (next review: March 2027)
- When the AI model is changed or upgraded
- When the processing scope changes materially (e.g., automatic transcription added)
- When a data breach or near-miss occurs involving transcript data
- When relevant regulatory guidance is updated (e.g., EU AI Act implementation)
7. Conclusion
This DPIA concludes that the AI-powered meeting transcript analysis feature processes personal data in a manner that is necessary, proportionate, and adequately safeguarded. The combination of technical measures (encryption, VPC isolation, RLS), organisational measures (human-in-the-loop, consent notice, confidence scoring), and data subject rights (deletion, export, objection) reduces the residual risk to data subjects to a level that does not require prior consultation with the supervisory authority.
The key safeguard is the human-in-the-loop design: the AI suggests, the human decides. No automated decisions are made about data subjects, and no data is used for model training.
Lamb and Flag TopCo Corp (dba AtlanticM&A) · 159 N Wolcott St, Ste 133, Casper, WY 82601, United States
Version 2.0 · April 8, 2026 · Next review: April 2027