// Trust & Security Report
Fireflies.ai Corp
AI meeting notetaker: transcription, summarization, search, and conversation intelligence for teams
Certifications held
5
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.fireflies.ai“SOC 2 certified. You can request the report via the 'Resources' tab”
Verify on trust.fireflies.ai“GDPR compliant with comprehensive DPA. You can request the report via the 'Resources' tab or here”
Verify on trust.fireflies.ai“HIPAA compliant with BAA signed for Enterprise clients that enable Private Storage”
Verify on trust.fireflies.ai“FERPA compliant with DSA signed for Enterprise clients that enable Private Storage”
Verify on fireflies.ai“Fireflies.ai complies with the EU-U.S. and Swiss-U.S. Data Privacy Frameworks”
> Show 8 unconfirmed / not-held certifications
source: trust.fireflies.aiNo public evidence on vendor domain. The 2021 security blog post listed ISO 27001 as a '2022 strategic security goal' but it does not appear in the Trust Center compliance list (which shows only SOC 2, GDPR, HIPAA, FERPA). Infrastructure hosts AWS and GCP hold ISO 27001 but that is not Fireflies' own certification.
source: trust.fireflies.aiNo public evidence on vendor domain.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Default: US (AWS and GCP). Enterprise Private Storage: EU-region option via Bring Your Own Storage on AWS S3 or Google Cloud Storage. Note: data may be processed in the US even with EU private storage.
ToS explicitly states Fireflies 'will not use your User Content to train, retrain, fine-tune or otherwise improve any generative artificial intelligence models.' Privacy policy states: 'We do not use personal information for AI model training and we contractually prohibit our vendors from using this information for their own model training.' A zero-day retention policy requires third-party AI subprocessors (including OpenAI and Assembly.ai) not to store or train on meeting data after processing. Fireflies itself does retain meeting content for the account owner's access.
// Security controls
Infrastructure
Google Cloud Platform (compute) and AWS (database/storage via MongoDB Atlas); US-based by default
trust.fireflies.aiPrivate Storage
Enterprise-only dedicated cloud storage (Bring Your Own Storage on AWS S3 or GCP) with EU region option
fireflies.aiAccess controls
Super Admin controls, Rules Engine for automation, SSO + SCIM provisioning (Enterprise), granular sharing controls per meeting
fireflies.aiPenetration testing
Annual third-party pen test; 'Fireflies Penetration Test Report 2026' available in Trust Center resources
trust.fireflies.aiSubprocessors
Assembly.ai (transcription, US), OpenAI (LLM, US), MongoDB Atlas (database, US), Google Cloud Platform (compute, US)
trust.fireflies.aiVulnerability management
Vulnerability Management Policy published in Trust Center; bug bounty program with third-party security researchers
trust.fireflies.aiData retention controls
Custom data retention policies on Enterprise; default retention governed by plan storage limits
fireflies.ai// Products & data scope
data: Meeting audio, transcripts, summaries stored in US cloud; 400 minutes total storage; 20 AI credits
SOC 2 and GDPR coverage applies. No HIPAA, no private storage, no SSO. Data processed by OpenAI and Assembly.ai under zero-day retention policy.
data: Meeting audio, video, transcripts, summaries; 8,000 minutes/seat; 20 AI credits
Adds video recording, transcript downloads, AI Skills, Voice Agents. SOC 2 and GDPR apply. No HIPAA, no private storage.
data: Unlimited meeting storage; team-level analytics and conversation intelligence data
Adds multi-language mode, team analytics, public meeting access. SOC 2 and GDPR apply. No HIPAA, no private storage, no SSO.
data: Unlimited storage; optional Private Storage with EU region; audit logs; HIPAA ePHI and FERPA-protected data supported
HIPAA BAA and FERPA DSA available. Private Storage (BYOS) enables EU data residency. SSO + SCIM, custom retention, Rules Engine, dedicated account manager. Most security controls are Enterprise-only.
// What to watch
- HIPAA and FERPA compliance require Enterprise plan with Private Storage add-on; homepage and security page present HIPAA as a general feature without that caveat, which may mislead non-Enterprise buyers.
- ISO 27001 was announced as a '2022 strategic goal' in the vendor's own blog but has never appeared in the Trust Center certifications list; third-party review sites inconsistently claim it is held. Mark as not held until vendor publishes a certificate or adds it to the Trust Center.
- Data stored in the US by default on all plans including healthcare and education use cases; EU storage requires an Enterprise contract and separate Private Storage configuration.
- Subprocessors include OpenAI (LLM) and Assembly.ai (transcription) - both US entities. The zero-day retention contractual obligation limits their reuse of data but adds a dependency on those contracts being honored.
- The DPA (updated March 6, 2026) includes Standard Contractual Clauses for EEA/UK/Switzerland to US transfers. Verify it is signed by the vendor counterparty before relying on it for GDPR Article 46 compliance.
- No ISO 27017, ISO 27018, ISO 27701, ISO 42001, CSA STAR, or FedRAMP certifications found on vendor domain as of 2026-06-29.
- Fireflies MCP Server integration (announced for Claude, Devin, ChatGPT) means meeting data can flow into third-party AI environments - enterprise buyers should review MCP data handling separately.
// At a glance
Pricing model
Freemium + per-seat subscription: Free, Pro ($10/seat/mo annual or $18 monthly), Business ($19/seat/mo annual or $29 monthly), Enterprise ($39/seat/mo annual only)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Fireflies.ai Corp's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.fireflies.ai