// Trust & Security Report
Recall.ai (Hyperdoc Inc.)
Meeting recording infrastructure API (bots, on-device SDKs, calendar data, transcripts)
Certifications held
6
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on security.recall.ai“Trust Center Resources list 'Hyperdoc Inc. SOC 2 Type 2 Report 2025.pdf' labelled 'SOC 2 Type 2 Report (2025)' (access on request), and the Compliance section displays 'SOC 2'.”
Verify on security.recall.ai“Compliance section lists 'ISO 27001:2022' and Resources include an 'ISO 27001 ISMS Certificate' available for request.”
Verify on recall.ai“"Recall.ai is HIPAA compliant, which means that companies can now use Recall to securely capture conversations that contain protected health information (PHI)." BAA available on request. Trust Center also lists 'HIPAA'.”
Verify on security.recall.ai“Trust Center Compliance section lists 'GDPR'; a Data Processing Agreement with SCC-based US transfer language is published.”
Verify on security.recall.ai“Trust Center Compliance section displays 'CCPA' with a 'COMPLIANT' badge.”
Verify on security.recall.ai“Trust Center Resources list 'Recall_Oneleet_PenetrationTest_2025.pdf' labelled 'Penetration Test 2025' (available on request).”
> Show 1 unconfirmed / not-held certifications
source: security.recall.aiNo public bug bounty program found on HackerOne, Bugcrowd, or the vendor's own security pages. Security testing is handled via third-party penetration testing (Oneleet) rather than a crowdsourced bounty.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Primary processing in the United States (AWS). Subprocessor list shows AWS hosting in US, EU, JP; Datadog logging US/EU; Svix webhooks EU. Privacy policy: personal information is stored and processed in the United States.
Vendor explicitly states it does not train on customer data: "Recall.ai does not use Customer Data for the purpose of training or fine-tuning machine learning or artificial intelligence models." (docs.recall.ai). DPA distinguishes Company Usage Data, which may be processed to 'optimize and maintain performance of the Services', from customer personal data.
// Security controls
Encryption at rest
Data encrypted at rest on AWS infrastructure ('Data encryption utilized' control listed; DPA confirms encryption at rest via AWS).
security.recall.aiEncryption in transit
'Data transmission encrypted' listed under Product security controls.
security.recall.aiPenetration testing
Third-party penetration test by Oneleet, 2025 report available on request.
security.recall.aiAccess controls
Encryption key access restricted, unique account authentication enforced, production application access restricted (Infrastructure security controls).
security.recall.aiResilience
Business Continuity and Disaster Recovery plans established and tested; cybersecurity insurance maintained; documented Incident Response Plan.
security.recall.aiData retention controls
Configurable retention via API, including zero data retention (recording_config.retention = null). Default retention is indefinite for accounts created after June 12, 2025; 7 days for older accounts.
docs.recall.ai// Products & data scope
data: A bot joins video calls (Zoom, Google Meet, Microsoft Teams) to capture audio, video, transcripts, chat, and metadata. Media stored on Recall servers per retention config; explicit recording consent model.
Best when explicit recording consent is needed or for building AI meeting agents. Recordings flow through Recall infrastructure (US/AWS).
data: Records video conferences and in-person meetings via a desktop app, on-device, without a bot joining the call ('stealthier' capture). Data scope depends on customer integration and chosen upload/retention.
On-device capture reduces server-side footprint vs the bot API; still subject to the same platform retention controls when media is uploaded.
data: Pulls meeting metadata including participant emails, meeting titles, and scheduling data to enrich recordings. Handles PII (attendee emails).
Increases PII surface (participant emails); covered by the DPA and subprocessor list.
data: Records in-person meetings, cell phone calls, and VOIP calls from mobile devices.
Marked 'Coming Soon' on the homepage; compliance scope not yet separately documented. Treat as roadmap.
// What to watch
- Legal entity is Hyperdoc Inc.; SOC 2 report is issued under that name (matches, not a discrepancy).
- Do NOT confuse with getrecall.ai / recall.it, an unrelated personal-knowledge 'Recall' app. This assessment covers recall.ai, the meeting recording API.
- Default data retention is now indefinite for accounts created after June 12, 2025 (was 7 days) - meeting media persists forever unless retention is explicitly configured. Worth surfacing for privacy-sensitive buyers.
- Certification report PDFs (SOC 2, ISO 27001 cert, pentest) are gated behind 'Request access' and were not opened directly; existence and labels verified on the public Trust Center index.
- No public bug bounty; security testing relies on third-party pentest (Oneleet).
// At a glance
Pricing model
Usage-based: 5 free recording hours, then $0.50/hour with volume discounts; enterprise plans available. Quoted 99.9% SLA.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Recall.ai (Hyperdoc Inc.)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
security.recall.ai