
Is Overleaf GDPR Compliant? What EU Universities Should Check

A fair look at whether Overleaf is GDPR compliant: US ownership, data-transfer questions, and the exact checks EU universities should run before they commit.

inscrive.io · Feb 10, 2026 · 9 min read

Ask a procurement officer at a European university whether Overleaf is GDPR compliant and you will usually get a pause. It is a fair question with a careful answer. Overleaf is a capable, widely used LaTeX editor, and “is Overleaf GDPR compliant” is not the same question as “is Overleaf a good editor.” This article separates the two, lays out what an EU institution should actually verify, and is honest about where Overleaf is strong and where the data-residency questions live.

Let me say the obvious part first. Overleaf is the market leader for a reason. The template gallery is enormous, almost everyone in academia has used it, and onboarding a new collaborator takes seconds because they have probably already got an account. Those are real strengths, and no honest comparison pretends otherwise.

GDPR compliance is about facts, not slogans

GDPR does not hand out certificates. No tool is “GDPR certified” in any official sense, so the question is never whether a vendor claims compliance. It is whether the specifics hold up. For any LaTeX editor that processes personal data (co-author account details, interview material in a manuscript, named participants in a grant report), four facts decide the matter: who owns the company, where the data is stored, whether there is a signed Data Processing Agreement, and what crosses a border.

Overleaf is owned by Digital Science, a company in the US-linked Holtzbrinck group. That ownership is the root of the question EU institutions keep running into. It is not an accusation. It is a jurisdiction fact, and jurisdiction is what GDPR cares about when data leaves the EU.

The data-transfer question, fairly stated

Here is the issue without the drama. When personal data is processed by a US-owned provider, or stored on US infrastructure, it potentially falls within reach of US surveillance law. The European Court of Justice took this seriously enough to strike down the Privacy Shield framework in the Schrems II ruling of 2020. The replacement, the EU-US Data Privacy Framework, currently provides a legal basis, but it shares the structural design that got its predecessors invalidated, and the European Data Protection Board continues to flag that organisations must still assess each specific transfer themselves.

So the honest position is this. Using a US-owned tool is not automatically illegal. The Data Privacy Framework exists. But it puts the assessment burden on you, the data controller, and it carries the risk that a future court ruling reshuffles the deck again. A “Schrems III” is not a fringe worry. For a university handling thousands of students’ work and sensitive research, that uncertainty has a cost even when nothing technically breaks.

What to verify before you commit

Whatever editor you are evaluating, run it through these checks. They apply to Overleaf and to every alternative.

| Check | Why it matters | What to request |
| --- | --- | --- |
| Signed DPA | Required under Article 28 for any processor | The actual document, in writing |
| Data location | Decides which laws reach your files | Named data centre regions |
| Ownership and jurisdiction | Determines exposure to foreign disclosure law | Corporate structure |
| Transfer mechanism | Your legal basis if data leaves the EU | DPF status or SCCs plus a transfer assessment |
| Sub-processor list | Each is a place your data sits | Published, with change notice |
| AI and training | Whether your unpublished work feeds a model | A written “no” |
| Deletion and export | Your and your users’ rights in practice | Self-service or fast support |

For Overleaf specifically, the items to nail down are the DPA terms, the exact storage location for your tier, and the transfer mechanism it relies on. Overleaf does publish security and privacy documentation, and an institutional sales contact can usually provide a DPA. Get it in writing and read where the data actually rests. The GDPR text is clear that the controller, your university, stays accountable regardless of what the vendor’s marketing says.

Overleaf’s other trade-offs, kept honest

Compliance aside, a few practical limits often come up alongside the GDPR discussion, and they are worth naming plainly. Free-tier compiles can time out on long documents, which bites theses with lots of figures. Git integration on the premium tier is GitHub-centric rather than provider-agnostic. Reference managers import rather than stay continuously in sync. None of these are scandals. They are the normal shape of trade-offs, and Overleaf’s ubiquity offsets a lot of them. The point is simply to weigh the whole picture, not just the data question.

The alternative that removes the transfer question

The cleanest way to make the Schrems assessment disappear is to never transfer data outside the EU in the first place. That is the design behind inscrive.io. All data is stored on EU soil, hosted by Hetzner in Germany and Finland, in ISO 27001-certified data centres, with no third-country transfers. The company is built in the EU and operates under EU law. There is no US leg to assess because there is no US leg.

The contract side is handled too. inscrive signs a DPA, and the Organizations plan bundles a signed DPA, EU residency, SSO, and central user management with annual invoicing that fits public procurement. On AI, the line is firm: the Pro tier offers AI-suggested fixes for compile errors, and your documents are never used to train models.

A quick comparison of the data posture, not the feature list:

| Data question | Overleaf | inscrive.io |
| --- | --- | --- |
| Company jurisdiction | US-linked (Digital Science) | EU |
| Default data residency | Assess per tier | 100% EU (Germany, Finland) |
| Third-country transfer | Relies on DPF | None |
| Signed DPA | Via institutional contact | Standard, Organizations included |
| Trains AI on your content | Verify | No, never |

On features, inscrive is competitive rather than identical. The free tier (€0 forever) includes real-time collaboration with unlimited collaborators, 60-second compiles, agnostic Git that works with any provider, live Zotero and Mendeley sync, version history, and PDF export. Pro at €7 per month raises compiles to 480 seconds and lifts the project cap. inscrive’s template library is younger than Overleaf’s vast gallery, and that is a fair point in Overleaf’s favour. The decision comes down to what you are optimising for.

What a DPO actually files

It helps to picture the end state. When a Data Protection Officer signs off on a tool, they are not collecting good vibes. They are building a small folder: the signed DPA, a note of where data is stored, the transfer mechanism and a short assessment of it, the sub-processor list, and a record of the AI-training position. If that folder can be assembled in an afternoon, the tool is easy to defend. If half of it requires chasing a sales rep across three emails and the transfer mechanism comes back as “we rely on the Data Privacy Framework, please assess yourself,” the folder is thinner than anyone would like.

This is the practical difference between the two paths. With a US-owned tool, the folder is assemblable but the transfer section carries an asterisk that never fully goes away. With an EU-sovereign tool, the transfer section is a single line: no third-country transfer, not applicable. One of those is a standing item on every future review. The other is closed.

Migration is easier than it looks

The objection that usually follows is switching cost. Everyone already has an account on the incumbent, the templates are there, the muscle memory is there. Fair. But LaTeX is portable by nature. A project is just .tex files, a .bib, and some figures, so moving it is a matter of exporting a folder and importing it elsewhere. inscrive’s agnostic Git integration helps here too, because if your project is already in a Git repository (with any provider, not just GitHub), bringing it across is close to frictionless. You are not locked into a format. You are choosing where the same files live.

So, is Overleaf GDPR compliant?

It can be used compliantly if you do the work: secure a DPA, confirm the storage location, document your transfer basis, and accept the residual risk that a future ruling reopens the question. For some institutions that is acceptable. For others, especially public universities with strict data-governance rules, the simpler answer is to choose a tool where the transfer never happens. Both are defensible. Just make the choice with the facts in front of you, not the brand recognition.

Want to skip the transfer assessment entirely? Start writing on inscrive.io for free. EU-hosted, GDPR by design, with a DPA ready when you need it.
