// Trust & Security Report

    Recall.ai (Hyperdoc Inc.) logo

    Recall.ai (Hyperdoc Inc.)

    Meeting recording infrastructure API (bots, on-device SDKs, calendar data, transcripts)

    Certifications held

    6

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    Trust Center Resources list 'Hyperdoc Inc. SOC 2 Type 2 Report 2025.pdf' labelled 'SOC 2 Type 2 Report (2025)' (access on request), and the Compliance section displays 'SOC 2'.

    Verify on security.recall.ai
    ISO 27001:2022
    HELD

    Compliance section lists 'ISO 27001:2022' and Resources include an 'ISO 27001 ISMS Certificate' available for request.

    Verify on security.recall.ai
    HIPAA
    HELD

    "Recall.ai is HIPAA compliant, which means that companies can now use Recall to securely capture conversations that contain protected health information (PHI)." BAA available on request. Trust Center also lists 'HIPAA'.

    Verify on recall.ai
    GDPR
    HELD

    Trust Center Compliance section lists 'GDPR'; a Data Processing Agreement with SCC-based US transfer language is published.

    Verify on security.recall.ai
    CCPA
    HELD

    Trust Center Compliance section displays 'CCPA' with a 'COMPLIANT' badge.

    Verify on security.recall.ai
    Penetration Test (Oneleet, 2025)
    HELD

    Trust Center Resources list 'Recall_Oneleet_PenetrationTest_2025.pdf' labelled 'Penetration Test 2025' (available on request).

    Verify on security.recall.ai
    > Show 1 unconfirmed / not-held certifications
    Public bug bounty (HackerOne / Bugcrowd)
    NOT CONFIRMED

    No public bug bounty program found on HackerOne, Bugcrowd, or the vendor's own security pages. Security testing is handled via third-party penetration testing (Oneleet) rather than a crowdsourced bounty.

    source: security.recall.ai

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Primary processing in the United States (AWS). Subprocessor list shows AWS hosting in US, EU, JP; Datadog logging US/EU; Svix webhooks EU. Privacy policy: personal information is stored and processed in the United States.

    Vendor explicitly states it does not train on customer data: "Recall.ai does not use Customer Data for the purpose of training or fine-tuning machine learning or artificial intelligence models." (docs.recall.ai). DPA distinguishes Company Usage Data, which may be processed to 'optimize and maintain performance of the Services', from customer personal data.

    // Security controls

    Encryption at rest

    Data encrypted at rest on AWS infrastructure ('Data encryption utilized' control listed; DPA confirms encryption at rest via AWS).

    security.recall.ai

    Encryption in transit

    'Data transmission encrypted' listed under Product security controls.

    security.recall.ai

    Penetration testing

    Third-party penetration test by Oneleet, 2025 report available on request.

    security.recall.ai

    Access controls

    Encryption key access restricted, unique account authentication enforced, production application access restricted (Infrastructure security controls).

    security.recall.ai

    Resilience

    Business Continuity and Disaster Recovery plans established and tested; cybersecurity insurance maintained; documented Incident Response Plan.

    security.recall.ai

    Data retention controls

    Configurable retention via API, including zero data retention (recording_config.retention = null). Default retention is indefinite for accounts created after June 12, 2025; 7 days for older accounts.

    docs.recall.ai

    Bug bounty

    No public crowdsourced bug bounty program found.

    security.recall.ai

    // Products & data scope

    Meeting Bot APIServer-side meeting recording

    data: A bot joins video calls (Zoom, Google Meet, Microsoft Teams) to capture audio, video, transcripts, chat, and metadata. Media stored on Recall servers per retention config; explicit recording consent model.

    Best when explicit recording consent is needed or for building AI meeting agents. Recordings flow through Recall infrastructure (US/AWS).

    Desktop Recording SDKOn-device meeting recording

    data: Records video conferences and in-person meetings via a desktop app, on-device, without a bot joining the call ('stealthier' capture). Data scope depends on customer integration and chosen upload/retention.

    On-device capture reduces server-side footprint vs the bot API; still subject to the same platform retention controls when media is uploaded.

    Calendar APIMeeting metadata enrichment

    data: Pulls meeting metadata including participant emails, meeting titles, and scheduling data to enrich recordings. Handles PII (attendee emails).

    Increases PII surface (participant emails); covered by the DPA and subprocessor list.

    Mobile Recording SDKMobile / in-person recording

    data: Records in-person meetings, cell phone calls, and VOIP calls from mobile devices.

    Marked 'Coming Soon' on the homepage; compliance scope not yet separately documented. Treat as roadmap.

    // What to watch

    • Legal entity is Hyperdoc Inc.; SOC 2 report is issued under that name (matches, not a discrepancy).
    • Do NOT confuse with getrecall.ai / recall.it, an unrelated personal-knowledge 'Recall' app. This assessment covers recall.ai, the meeting recording API.
    • Default data retention is now indefinite for accounts created after June 12, 2025 (was 7 days) - meeting media persists forever unless retention is explicitly configured. Worth surfacing for privacy-sensitive buyers.
    • Certification report PDFs (SOC 2, ISO 27001 cert, pentest) are gated behind 'Request access' and were not opened directly; existence and labels verified on the public Trust Center index.
    • No public bug bounty; security testing relies on third-party pentest (Oneleet).

    // At a glance

    Pricing model

    Usage-based: 5 free recording hours, then $0.50/hour with volume discounts; enterprise plans available. Quoted 99.9% SLA.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Recall.ai (Hyperdoc Inc.)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    security.recall.ai

    > Browse all vendor trust reports