How to Choose a GDPR-Compliant LaTeX Editor
Picking a writing tool used to be a question of features. Now it is also a question of law. If you are a researcher, a PhD student, or the person at a university who signs off on software, choosing a GDPR-compliant LaTeX editor means looking past the editor window and asking where your manuscripts actually live, who can touch them, and what contract sits behind the login screen. This guide walks through the checks that matter, in plain language, and uses inscrive.io as a worked example of what “compliant by design” looks like.
Most LaTeX content is not a privacy minefield on its own. Equations do not identify anyone. But the moment a thesis includes interview transcripts, a grant report names participants, or a co-author’s email and account data flow through a third-party server, the General Data Protection Regulation applies. The editor becomes a data processor, and you become responsible for choosing one you can defend.
What “GDPR-compliant LaTeX editor” actually requires
GDPR does not certify products. There is no official badge a vendor can buy. So when a tool calls itself a GDPR-compliant LaTeX editor, that phrase is only as good as the specifics behind it. Five things carry the weight.
A signed Data Processing Agreement. A DPA is the contract under Article 28 that binds the processor to act only on your instructions, keep the data secure, and help you meet your own obligations. Without one, you have a handshake. With one, you have something a Data Protection Officer can file.
Where the data is stored. Hosting location decides which laws reach your files. EU-soil storage keeps you inside one legal regime. Storage in the US, or with a US-owned company, drags in the Schrems II problem and the question of foreign government access.
Who the sub-processors are. Almost every service relies on others: a hosting provider, maybe an email service, maybe an analytics tool. Each is a place your data can sit. A compliant vendor lists them and lets you object to changes.
What happens to your content and AI. If the tool offers AI features, ask one blunt question. Does my unpublished work get used to train a model? The right answer is no.
Your rights as a person. Export, deletion, access. These should be buttons or a quick support request, not a legal battle.
The data residency question that trips people up
This is the part that catches institutions off guard. A vendor can be headquartered in Berlin and still store your files in Virginia. Ownership and hosting are separate facts, and both matter.
Under the GDPR text, transferring personal data outside the EU requires a legal basis, and the bar has been high since the European Court of Justice struck down Privacy Shield in the Schrems II ruling. The current EU-US Data Privacy Framework patches the gap, but it has the same structural weakness its predecessors did, and another legal challenge would not surprise anyone watching this space. The European Data Protection Board keeps publishing guidance precisely because the ground keeps shifting.
The clean way out is to avoid the transfer entirely. If your data never leaves the EU and your processor is not subject to foreign disclosure laws, the whole Schrems question becomes someone else’s headache. That is the design choice inscrive made. All data sits on EU soil, hosted by Hetzner in Germany and Finland, in ISO 27001-certified data centres, with no third-country transfers. There is no US leg to assess because there is no US leg.
A practical checklist
Run any LaTeX editor through these questions before you commit a thesis or a research group to it.
| Check | What to ask | Good answer |
|---|---|---|
| DPA | Will you sign a Data Processing Agreement? | Yes, available before sign-up |
| Residency | Where are documents physically stored? | Named EU data centres |
| Ownership | Who owns the company and under whose jurisdiction? | EU entity, EU law |
| Sub-processors | Who else processes the data, and are they listed? | Published list |
| AI training | Is my content used to train models? | No, never |
| Certification | Is the hosting ISO 27001 certified? | Yes, with audit evidence |
| Portability | Can I export everything and delete my account? | Yes, self-service |
If a vendor dodges the residency question or cannot produce a DPA, that tells you most of what you need to know.
How inscrive maps to the checklist
Taking the same list in order: inscrive signs a DPA, and Organizations customers get one as a standard part of onboarding, alongside a signed agreement that fits public procurement. Data residency is 100% EU, on Hetzner infrastructure in Germany and Finland. The company is built in the EU and operates under EU law, so there is no foreign jurisdiction reaching into your files. Sub-processing is kept tight and EU-based. On AI, the position is unambiguous: the Pro tier’s AI assistance suggests fixes for LaTeX compile errors, and your documents are never used to train models. Hosting runs in ISO 27001-certified centres backed by an independent inspection report. Export and deletion are yours whenever you want them.
None of this sits behind the paywall, either. The free tier (€0 forever, up to 10 active projects, unlimited collaborators) carries the same EU residency and full GDPR posture as the paid plans. Data protection is not an upsell here.
Where the free tier ends and Pro begins
To be straight about it, inscrive is freemium, not free-for-everything. The free plan is genuinely usable: real-time collaboration, 60-second compile time, Git integration with any provider, Zotero and Mendeley sync, version history, and PDF export. Pro at €7 per month lifts the compile ceiling to 480 seconds (eight times the free tier), removes the project cap, and adds the AI error-fixing and priority support. For a single big thesis with heavy figures, that longer compile window is often the deciding factor. The compliance guarantees, though, do not change between tiers.
Reading a sub-processor list without glazing over
The sub-processor list is the part most people skip, and it is more revealing than the privacy policy. Every name on it is a separate company that can touch your data, and every one sits in some jurisdiction. A short, EU-based list is a good sign. A long list peppered with US analytics, US email, and US infrastructure vendors means your “EU” tool is quietly routing pieces of your data across the Atlantic through the side door.
What you are looking for is three things. First, the list exists at all and is published rather than hidden behind a sales call. Second, the vendors on it are themselves under EU jurisdiction or covered by a defensible transfer basis. Third, there is a commitment to notify you before adding or swapping a sub-processor, so a change does not happen silently after you have signed. inscrive keeps its sub-processing tight and EU-centred precisely so this part of the assessment is short. The fewer hops your data takes, the fewer assessments you owe.
The AI question deserves its own paragraph
AI features are now standard in writing tools, and they introduce a risk that did not exist five years ago: your unpublished work becoming training data. For a thesis or a paper under review, that is not a minor privacy detail. It is a confidentiality problem and, in some fields, a competitive one. Imagine a novel method buried in your draft turning up in a model’s output before your paper clears peer review.
So ask the vendor directly, and get the answer in writing. Does my content train your models? With inscrive the answer is no, full stop. The Pro tier’s AI assistance reads your compile errors to suggest fixes, but your documents are never fed into model training. That line should be non-negotiable for anyone writing work that is not yet public.
Don’t forget your own obligations
A compliant editor handles the processor side. You still own the controller side. That means telling co-authors and participants how their data is handled, keeping a record of which tools touch personal data, and not pasting sensitive material somewhere it does not belong. The tool makes compliance possible. It cannot make it automatic. If your institution runs a Data Protection Impact Assessment for new software, a vendor with a ready DPA and clear residency answers turns that assessment from a slog into a formality.
For the deeper specifics, inscrive publishes its security and data protection details on the GDPR page, and institutions evaluating central rollout can read about SSO, central user management, and the signed DPA on the Organizations page.
The short version
A GDPR-compliant LaTeX editor is one that stores your data in the EU, signs a real contract, names its sub-processors, keeps your work out of AI training sets, and lets you leave with everything. Ask those questions of any tool you are considering. The ones that answer cleanly are the ones you can stand behind when your DPO asks.
Want a LaTeX editor where the compliance answers are already settled? Start writing on inscrive.io for free. EU-hosted, GDPR by design, no credit card.




