Security & Compliance Overview
What security certifications does Granola have?
What security certifications does Granola have?
Granola holds SOC 2 Type II certification. You can access our full SOC 2 report and other compliance documentation through our Trust Center. For more on our security practices, visit granola.ai/security.
Where can I find Granola's security documentation for my company's vendor review?
Where can I find Granola's security documentation for my company's vendor review?
Our Trust Center has everything your security team needs — SOC 2 Type II report, data handling practices, and compliance certifications. Click “Request Access” in the top right to get started. For enterprise-specific questions, reach out to sales@granola.so.
Does Granola have ISO 27001 certification?
Does Granola have ISO 27001 certification?
We currently hold SOC 2 Type II. ISO 27001 is not yet available. Visit our Trust Center for all current certifications.
My company's IT security team flagged or blocked Granola. What can I share with them?
My company's IT security team flagged or blocked Granola. What can I share with them?
Data Storage & Residency
Where is my data stored?
Where is my data stored?
All data is stored on Amazon Web Services (AWS) servers located in the United States. Data is encrypted both at rest and in transit. Your meeting notes are also cached locally on your device so you can open and edit them quickly, including offline.
Can I store my data in the EU, UK, Canada, or Australia?
Can I store my data in the EU, UK, Canada, or Australia?
Currently, all data is stored on AWS in the US. We do not offer EU, UK, or other regional data residency at this time. We recognise this is important for many customers and will share updates if this changes. For more details, visit granola.ai/security.
Is Granola GDPR compliant?
Is Granola GDPR compliant?
Yes. We comply with GDPR and UK GDPR. We have a UK entity (Granola Labs Ltd, St Albans). We offer a Data Processing Addendum (DPA) incorporating EU and UK Standard Contractual Clauses. You act as the data controller; Granola acts as the data processor. See our DPA and Trust Center for full details.
Healthcare & HIPAA
Is Granola HIPAA compliant? Can you sign a BAA?
Is Granola HIPAA compliant? Can you sign a BAA?
Granola is not currently HIPAA compliant and cannot sign Business Associate Agreements (BAAs). Granola should not be used to store or process Protected Health Information (PHI). We are evaluating supporting HIPAA in the future — check granola.ai/security for the latest status.
Can I use Granola for NHS or healthcare settings?
Can I use Granola for NHS or healthcare settings?
We are not currently designed for processing patient-sensitive or clinically confidential information. We do not hold HIPAA or NHS DSP Toolkit accreditation. For non-clinical administrative use, please review our Trust Center to see if our current security posture meets your requirements.
Recording, Consent & Audio
How does Granola record meetings? Does a bot join?
How does Granola record meetings? Does a bot join?
Granola runs locally on your device and captures audio directly from your microphone and system audio. No bot joins your meeting — other participants will not see any additional attendee. This is a core part of our privacy-first design.
How do I get consent from meeting participants?
How do I get consent from meeting participants?
You are responsible for obtaining consent from participants before using Granola. To help: on macOS, go to Settings → Labs and enable “Let others know you’re using Granola” to automatically send a customisable consent message when meetings start. We strongly recommend always informing participants that you’re taking AI-enhanced notes. For more, see Getting consent, Automatic consent messaging, and our Trust Center.
Does Granola store audio recordings?
Does Granola store audio recordings?
No. Audio is temporarily cached during the meeting for transcription only. Once transcription is complete, the audio is deleted from our systems and any third-party services. We do not retain audio recordings.
Can Granola accidentally record a conversation I didn't intend to capture?
Can Granola accidentally record a conversation I didn't intend to capture?
Granola requires you to click to start recording — it does not start completely automatically. However, if a meeting runs longer than expected or you don’t end the session, it may continue transcribing. Always click End when your meeting finishes to ensure clean separation between sessions.
Note Privacy & Sharing
Who can see my meeting notes?
Who can see my meeting notes?
Your notes are private by default. No one in your workspace can see your notes unless you explicitly share them. You control sharing with three levels: Private (only you), Only your company (people signed in with your company email), or Anyone with link (public). This applies across all plans, including the free tier. See Sharing controls for details.
Can my admin or teammates see my private notes?
Can my admin or teammates see my private notes?
No — admins cannot see your individual notes. Notes remain private to you unless you choose to share them to a shared folder or directly with specific colleagues. Enterprise admins can set maximum sharing permissions (e.g. restrict public links), but they cannot view your private notes. See Sharing controls for more.
If I use the MCP integration with Claude or Cursor, can my colleagues see my notes?
If I use the MCP integration with Claude or Cursor, can my colleagues see my notes?
The MCP integration uses your personal API token and only accesses notes you have permission to view. Colleagues using the same Claude or Cursor instance would not gain access to your Granola notes through the integration.
Will my private notes stay private if I transfer them to a new workspace?
Will my private notes stay private if I transfer them to a new workspace?
Yes — transferred notes remain private by default. Your teammates won’t have access unless you choose to share them.
AI & Model Training
Does Granola use my data to train AI models?
Does Granola use my data to train AI models?
By default on Free and Business plans, anonymised data may be used for Granola’s own model improvements. You can opt out at any time: go to Settings → General → Data & sharing and turn off “Use my data to improve models for everyone.” Third parties like OpenAI and Anthropic are never allowed to train on your data — we have enterprise agreements preventing this.
Can my workspace admin opt everyone out of model training?
Can my workspace admin opt everyone out of model training?
On the Enterprise plan, admins can configure org-wide opt-out via Settings → Security & Access. On the Business plan, each user needs to opt out individually. For more details, visit granola.ai/security.
I opted out — was my historical data already used for training?
I opted out — was my historical data already used for training?
We cannot guarantee that anonymised data wasn’t used before you changed the setting. However, once you opt out, none of your data will be used for any future model training.
Data Retention & Deletion
How long does Granola keep my transcripts and notes?
How long does Granola keep my transcripts and notes?
Notes and transcripts are retained indefinitely unless you or your admin configures a retention policy. Enterprise plans offer configurable auto-deletion retention periods for transcripts. Contact hey@granola.so if you’d like to adjust your workspace’s retention settings.
How do I delete my account and all my data?
How do I delete my account and all my data?
Go to Settings → Profile → Delete Account in the app. If you no longer have access to the app, email hey@granola.so and we’ll process your account deletion and remove all associated data. See Deleting your account for more.
Can I export all my data (GDPR data portability)?
Can I export all my data (GDPR data portability)?
Yes — under GDPR Article 20, you can request a copy of all your personal data in a structured, machine-readable format. Contact hey@granola.so to initiate a data subject access request. For a CSV export of your historical notes from the app, see Exporting historical notes.
Legal & Procurement
Where can I find Granola's Data Processing Addendum (DPA)?
Where can I find Granola's Data Processing Addendum (DPA)?
Our DPA is available at granola.ai/dpa. It incorporates EU and UK Standard Contractual Clauses.
Who are Granola's subprocessors?
Who are Granola's subprocessors?
A list of subprocessors is available in our Trust Center.
Does Granola have a vulnerability disclosure or bug bounty programme?
Does Granola have a vulnerability disclosure or bug bounty programme?
We don’t have a formal bug bounty programme, but we do offer monetary rewards for legitimate security vulnerability reports based on severity and impact. Read our Vulnerability Disclosure Policy.
Authentication & Enterprise Controls
Does Granola support SSO (Single Sign-On)?
Does Granola support SSO (Single Sign-On)?
Yes — SSO is available on Enterprise plans for organisations with 50+ seats. We support Google OAuth and Microsoft authentication on all plans. Contact sales@granola.so for SSO configuration.
What admin security controls are available on Enterprise?
What admin security controls are available on Enterprise?
Enterprise admins get: org-wide sharing restrictions, org-wide model training opt-out, transcript retention policies, SSO enforcement, usage analytics, and priority support. Visit granola.ai/security or contact sales@granola.so to learn more.
Can’t find what you’re looking for? Chat with our docs or email hey@granola.so. For enterprise security inquiries, contact sales@granola.so.