// Trust & Security Report

    Fireflies.ai Corp logo

    Fireflies.ai Corp

    AI meeting notetaker: transcription, summarization, search, and conversation intelligence for teams

    Certifications held

    5

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    SOC 2 certified. You can request the report via the 'Resources' tab

    Verify on trust.fireflies.ai
    GDPR
    HELD

    GDPR compliant with comprehensive DPA. You can request the report via the 'Resources' tab or here

    Verify on trust.fireflies.ai
    HIPAA
    HELD

    HIPAA compliant with BAA signed for Enterprise clients that enable Private Storage

    Verify on trust.fireflies.ai
    FERPA
    HELD

    FERPA compliant with DSA signed for Enterprise clients that enable Private Storage

    Verify on trust.fireflies.ai
    EU-U.S. Data Privacy Framework
    HELD

    Fireflies.ai complies with the EU-U.S. and Swiss-U.S. Data Privacy Frameworks

    Verify on fireflies.ai
    > Show 8 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence on vendor domain. The 2021 security blog post listed ISO 27001 as a '2022 strategic security goal' but it does not appear in the Trust Center compliance list (which shows only SOC 2, GDPR, HIPAA, FERPA). Infrastructure hosts AWS and GCP hold ISO 27001 but that is not Fireflies' own certification.

    source: trust.fireflies.ai
    PCI DSS
    NOT CONFIRMED

    No public evidence on vendor domain.

    source: trust.fireflies.ai
    ISO 27017
    NOT CONFIRMED

    No public evidence on vendor domain.

    source: trust.fireflies.ai
    ISO 27018
    NOT CONFIRMED

    No public evidence on vendor domain.

    source: trust.fireflies.ai
    ISO 27701
    NOT CONFIRMED

    No public evidence on vendor domain.

    source: trust.fireflies.ai
    ISO 42001 (AI Management)
    NOT CONFIRMED

    No public evidence on vendor domain.

    source: trust.fireflies.ai
    CSA STAR
    NOT CONFIRMED

    No public evidence on vendor domain.

    source: trust.fireflies.ai
    FedRAMP
    NOT CONFIRMED

    No public evidence on vendor domain.

    source: trust.fireflies.ai

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Default: US (AWS and GCP). Enterprise Private Storage: EU-region option via Bring Your Own Storage on AWS S3 or Google Cloud Storage. Note: data may be processed in the US even with EU private storage.

    ToS explicitly states Fireflies 'will not use your User Content to train, retrain, fine-tune or otherwise improve any generative artificial intelligence models.' Privacy policy states: 'We do not use personal information for AI model training and we contractually prohibit our vendors from using this information for their own model training.' A zero-day retention policy requires third-party AI subprocessors (including OpenAI and Assembly.ai) not to store or train on meeting data after processing. Fireflies itself does retain meeting content for the account owner's access.

    // Security controls

    Encryption in transit

    TLS 1.2 for all data in transit

    guide.fireflies.ai

    Encryption at rest

    256-bit AES encryption for all stored meeting content

    fireflies.ai

    Infrastructure

    Google Cloud Platform (compute) and AWS (database/storage via MongoDB Atlas); US-based by default

    trust.fireflies.ai

    Private Storage

    Enterprise-only dedicated cloud storage (Bring Your Own Storage on AWS S3 or GCP) with EU region option

    fireflies.ai

    Access controls

    Super Admin controls, Rules Engine for automation, SSO + SCIM provisioning (Enterprise), granular sharing controls per meeting

    fireflies.ai

    Penetration testing

    Annual third-party pen test; 'Fireflies Penetration Test Report 2026' available in Trust Center resources

    trust.fireflies.ai

    Subprocessors

    Assembly.ai (transcription, US), OpenAI (LLM, US), MongoDB Atlas (database, US), Google Cloud Platform (compute, US)

    trust.fireflies.ai

    Vulnerability management

    Vulnerability Management Policy published in Trust Center; bug bounty program with third-party security researchers

    trust.fireflies.ai

    Data retention controls

    Custom data retention policies on Enterprise; default retention governed by plan storage limits

    fireflies.ai

    // Products & data scope

    FreeAI meeting notetaker

    data: Meeting audio, transcripts, summaries stored in US cloud; 400 minutes total storage; 20 AI credits

    SOC 2 and GDPR coverage applies. No HIPAA, no private storage, no SSO. Data processed by OpenAI and Assembly.ai under zero-day retention policy.

    ProAI meeting notetaker

    data: Meeting audio, video, transcripts, summaries; 8,000 minutes/seat; 20 AI credits

    Adds video recording, transcript downloads, AI Skills, Voice Agents. SOC 2 and GDPR apply. No HIPAA, no private storage.

    BusinessAI meeting notetaker + conversation intelligence

    data: Unlimited meeting storage; team-level analytics and conversation intelligence data

    Adds multi-language mode, team analytics, public meeting access. SOC 2 and GDPR apply. No HIPAA, no private storage, no SSO.

    EnterpriseAI meeting notetaker + enterprise security

    data: Unlimited storage; optional Private Storage with EU region; audit logs; HIPAA ePHI and FERPA-protected data supported

    HIPAA BAA and FERPA DSA available. Private Storage (BYOS) enables EU data residency. SSO + SCIM, custom retention, Rules Engine, dedicated account manager. Most security controls are Enterprise-only.

    // What to watch

    • HIPAA and FERPA compliance require Enterprise plan with Private Storage add-on; homepage and security page present HIPAA as a general feature without that caveat, which may mislead non-Enterprise buyers.
    • ISO 27001 was announced as a '2022 strategic goal' in the vendor's own blog but has never appeared in the Trust Center certifications list; third-party review sites inconsistently claim it is held. Mark as not held until vendor publishes a certificate or adds it to the Trust Center.
    • Data stored in the US by default on all plans including healthcare and education use cases; EU storage requires an Enterprise contract and separate Private Storage configuration.
    • Subprocessors include OpenAI (LLM) and Assembly.ai (transcription) - both US entities. The zero-day retention contractual obligation limits their reuse of data but adds a dependency on those contracts being honored.
    • The DPA (updated March 6, 2026) includes Standard Contractual Clauses for EEA/UK/Switzerland to US transfers. Verify it is signed by the vendor counterparty before relying on it for GDPR Article 46 compliance.
    • No ISO 27017, ISO 27018, ISO 27701, ISO 42001, CSA STAR, or FedRAMP certifications found on vendor domain as of 2026-06-29.
    • Fireflies MCP Server integration (announced for Claude, Devin, ChatGPT) means meeting data can flow into third-party AI environments - enterprise buyers should review MCP data handling separately.

    // At a glance

    Pricing model

    Freemium + per-seat subscription: Free, Pro ($10/seat/mo annual or $18 monthly), Business ($19/seat/mo annual or $29 monthly), Enterprise ($39/seat/mo annual only)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Fireflies.ai Corp's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.fireflies.ai

    > Browse all vendor trust reports