Before you install any AI meeting assistant on your work calendar, you need to understand the privacy and compliance implications. This guide covers disclosure, consent, data residency, and the compliance status of the major tools.
The Core Principle: Disclosure & Consent
Recording a meeting, including via an AI transcription bot that joins on your behalf, generally requires informed consent from every participant. In the US, some states (California, Illinois, Florida, and others) are "all-party consent" jurisdictions, where one participant's consent is not enough. In the EU and UK, the GDPR and UK GDPR require a lawful basis for the processing; consent is one such basis, but not the only one. Best practice everywhere: tell your participants, every time, before the recording starts, and say so in the invite as well so nobody is surprised when the bot appears.
What to Check Before You Install
- Where are the audio and the transcripts stored? Is it cloud-only, or is there a local-processing option?
- How long is data retained by default, and can you shorten it (or must you lengthen it to meet your own records obligations)?
- Does the vendor train its models on your content? Check the current terms and whether training is off by default, opt-out, or not configurable at all; these defaults change between plan tiers and over time.
- Where does the data reside? US, EU, or configurable per workspace?
- Is a Data Processing Agreement (DPA) available, and, for health data, a Business Associate Agreement (BAA)? What exactly do they cover, and which plan tier unlocks them?
- Who can access your meeting content? (Vendor staff? Sub-processors? Other users in your workspace by default?)
Compliance Matrix
| Tool | SOC 2 | GDPR | HIPAA (BAA) | EU Data Residency | Joins as a visible bot |
|---|---|---|---|---|---|
| Fireflies | Type II | Yes | Business+ | Enterprise only | Yes |
| Otter | Type II | Yes | Enterprise only | Limited | Yes |
| Granola | Type II | Yes | No | Partial (local processing) | No |
| Zoom AI Companion | Type II | Yes | Enterprise | Configurable | N/A (built into the host platform) |
Always verify the current compliance status directly with the vendor — this table can go stale.
The Three Risk Profiles
Low Risk: Internal Team Meetings
Recording standups, sprint reviews, and internal syncs is generally fine with any of the major tools, provided you've disclosed it to your team and your employer's policy allows it. Fireflies Pro or Otter Pro are the easy default picks.
Medium Risk: External Client Calls
Client calls introduce the "bot in the attendee list" awkwardness and the "does the client consent?" question. Best practice: ask for explicit verbal consent at the start of every call, so that the consent itself is captured in the recording, and consider using Granola (no bot) or the vendor with the strongest compliance posture for your jurisdiction.
High Risk: Regulated or Privileged Meetings
Legal, medical, therapy, HR, and financial services meetings require a much stricter privacy posture. For these, use a HIPAA-enabled plan (Fireflies Business) with a signed BAA, configurable retention, and ideally EU or configurable data residency. Legally privileged conversations deserve particular caution: a transcript held by a third-party vendor is a new copy of the privileged content, outside your counsel's control. Some meetings simply shouldn't be recorded at all.
Special Considerations for GDPR (EU/UK)
Under GDPR, recording a meeting constitutes processing of personal data. You need a lawful basis (Art. 6) and, if you're recording special category data (health, etc.), also an Art. 9 basis. Consent is one option, but it must be freely given, specific, informed, and unambiguous, and regulators consider it hard to obtain freely from employees because of the power imbalance, so internal recordings usually need a different basis such as legitimate interests. Data residency matters: prefer vendors that offer EU-region hosting for EU meetings, and remember that hosting region alone does not settle the transfer question if vendor staff or sub-processors access the data from outside the EU.
The Simplest Safe Default
If you're not sure:
- Announce the recording verbally at the start of every meeting.
- Use a HIPAA-capable tool like Fireflies Business even if you don't need HIPAA; the compliance posture is better across the board.
- Set retention to 90 days or less, or to the shortest period your own records obligations allow.
- Turn off auto-join for meetings with external attendees.
- Review the vendor's sub-processor list annually, and subscribe to its change notifications if it offers them.
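Deciding which meetings count as "external" (the medium-risk tier above, and the auto-join rule in this default list) is easy to get wrong by hand once a calendar has dozens of events. The script below is an added example, not part of the original page and not any vendor's tooling: it parses a constructed iCalendar (ICS) export, handles RFC 5545 line folding and parameters such as `CN=`, compares every attendee and organizer against a hypothetical allowlist of internal mail domains (`INTERNAL_DOMAINS`), and returns an auto-join decision per event. Sub-domains of an internal domain count as internal; look-alike domains such as `notexample.com` do not.

```python
"""Flag calendar events with external attendees so bot auto-join can be
disabled for them. Added example; the ICS data and INTERNAL_DOMAINS are
constructed for illustration and are not from any real calendar or vendor."""
import re
from dataclasses import dataclass, field

# Hypothetical allowlist of your organization's own mail domains.
INTERNAL_DOMAINS = {"example.com"}

# Constructed sample export: one internal standup, one client call. The
# second ATTENDEE line is deliberately folded across two lines per RFC 5545.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
BEGIN:VEVENT
UID:standup-001
SUMMARY:Daily standup
ORGANIZER:mailto:alice@example.com
ATTENDEE;CN=Bob;RSVP=TRUE:mailto:bob@example.com
ATTENDEE:mailto:carol@eng.example.com
END:VEVENT
BEGIN:VEVENT
UID:client-002
SUMMARY:Q3 review with client
ORGANIZER:mailto:alice@example.com
ATTENDEE;CN="Dana, Client";ROLE=REQ-PARTICIPANT:
 mailto:Dana@Client-Corp.example
ATTENDEE:mailto:eve@notexample.com
END:VEVENT
END:VCALENDAR
"""


@dataclass
class Event:
    uid: str
    summary: str
    attendees: list[str] = field(default_factory=list)


def unfold(ics_text: str) -> list[str]:
    """Undo RFC 5545 line folding: a line beginning with a space or tab
    is a continuation of the previous content line."""
    lines: list[str] = []
    for raw in ics_text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_events(ics_text: str) -> list[Event]:
    """Minimal VEVENT parser: keeps UID, SUMMARY and every mail address
    found in ATTENDEE/ORGANIZER properties (organizer is a participant too).
    Property parameters (;CN=...) are split off; a parameter value that
    itself contains a colon inside quotes is not handled here."""
    events: list[Event] = []
    current: Event | None = None
    for line in unfold(ics_text):
        name, sep, value = line.partition(":")
        if not sep:
            continue
        prop = name.split(";", 1)[0].upper()
        if prop == "BEGIN" and value.upper() == "VEVENT":
            current = Event(uid="", summary="")
        elif prop == "END" and value.upper() == "VEVENT" and current is not None:
            events.append(current)
            current = None
        elif current is None:
            continue
        elif prop == "UID":
            current.uid = value.strip()
        elif prop == "SUMMARY":
            current.summary = value.strip()
        elif prop in ("ATTENDEE", "ORGANIZER"):
            addr = re.sub(r"^mailto:", "", value.strip(), flags=re.IGNORECASE)
            current.attendees.append(addr.lower())
    return events


def is_internal(addr: str) -> bool:
    """True if the address's domain is an internal domain or a sub-domain
    of one. The leading dot prevents 'notexample.com' matching 'example.com'."""
    domain = addr.rsplit("@", 1)[-1]
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def external_attendees(event: Event) -> list[str]:
    """Sorted, de-duplicated list of participants outside INTERNAL_DOMAINS."""
    return sorted({a for a in event.attendees if not is_internal(a)})


def autojoin_policy(events: list[Event]) -> dict[str, bool]:
    """Map event UID -> whether the bot may auto-join (only if everyone is internal)."""
    return {e.uid: not external_attendees(e) for e in events}


if __name__ == "__main__":
    for ev in parse_events(SAMPLE_ICS):
        ext = external_attendees(ev)
        verdict = "auto-join OK" if not ext else f"disable auto-join; external: {', '.join(ext)}"
        print(f"{ev.uid} ({ev.summary}): {verdict}")
```

Run it against a real export by replacing `SAMPLE_ICS` with the contents of an `.ics` file from your calendar provider; the output is the list of meetings where the bot should stay out until the client has consented. Treat the allowlist as the trust boundary: a contractor on a personal mail domain is "external" by this check even if you consider them part of the team, which is the safer failure mode.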
Bottom Line
AI meeting assistants are legal and useful in most contexts, but the "install and forget" approach that works for personal productivity tools is risky here. Spend 30 minutes understanding the privacy posture before you install one on a calendar with client meetings on it.