> ## Documentation Index
> Fetch the complete documentation index at: https://docs.granola.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Security, Privacy & Data FAQs

> Answers to common questions about Granola's security practices, data storage, privacy controls, GDPR compliance, and enterprise features.

Granola takes security and privacy seriously. This page answers our most common security and privacy questions. For our full SOC 2 report, data handling practices, and compliance documentation, use our [Trust Center](https://trust.granola.ai) (click "Request Access" in the top right). For our technical security overview, see [granola.ai/security](https://www.granola.ai/security).

# Security & Compliance Overview

<AccordionGroup>
  <Accordion title="What security certifications does Granola have?">
    Granola holds **SOC 2 Type II** certification. You can access our full SOC 2 report and other compliance documentation through our [Trust Center](https://trust.granola.ai). For more on our security practices, visit [granola.ai/security](https://www.granola.ai/security).
  </Accordion>

  <Accordion title="Where can I find Granola's security documentation for my company's vendor review?">
    Our [Trust Center](https://trust.granola.ai) has everything your security team needs — SOC 2 Type II report, data handling practices, and compliance certifications. Click "Request Access" in the top right to get started. For enterprise-specific questions, reach out to [sales@granola.so](mailto:sales@granola.so).
  </Accordion>

  <Accordion title="Does Granola have ISO 27001 certification?">
    We currently hold **SOC 2 Type II**. ISO 27001 is not yet available. Visit our [Trust Center](https://trust.granola.ai) for all current certifications.
  </Accordion>

  <Accordion title="My company's IT security team flagged or blocked Granola. What can I share with them?">
    Point your IT team to [granola.ai/security](https://www.granola.ai/security), our [Trust Center](https://trust.granola.ai), and our [Network troubleshooting and allowlist guide](/help-center/troubleshooting/network-troubleshooting). Granola runs locally on your device (no meeting bots), uses encrypted connections, and holds SOC 2 Type II certification. The troubleshooting guide includes the domains that may need to be allowlisted in tools like Zscaler, plus common symptoms when requests are blocked or redirected.
  </Accordion>
</AccordionGroup>

# Data Storage & Residency

<AccordionGroup>
  <Accordion title="Where is my data stored?">
    All data is stored on **Amazon Web Services (AWS)** servers located in the **United States**. Data is encrypted both at rest and in transit. Your meeting notes are also cached locally on your device so you can open and edit them quickly, including offline.
  </Accordion>

  <Accordion title="Can I store my data in the EU, UK, Canada, or Australia?">
    Currently, all data is stored on AWS in the US. We do not offer EU, UK, or other regional data residency at this time. We recognise this is important for many customers and will share updates if this changes. For more details, visit [granola.ai/security](https://www.granola.ai/security).
  </Accordion>

  <Accordion title="Is Granola GDPR compliant?">
    Yes. We comply with GDPR and UK GDPR. We have a UK entity (Granola Labs Ltd, St Albans). We offer a Data Processing Addendum (DPA) incorporating EU and UK Standard Contractual Clauses. You act as the data controller; Granola acts as the data processor. See our [DPA](https://go.granola.so/dpa) and [Trust Center](https://trust.granola.ai) for full details.
  </Accordion>
</AccordionGroup>

# Healthcare & HIPAA

<AccordionGroup>
  <Accordion title="Is Granola HIPAA compliant? Can you sign a BAA?">
    Granola is **not currently HIPAA compliant** and cannot sign Business Associate Agreements (BAAs). Granola should not be used to store or process Protected Health Information (PHI). We are evaluating supporting HIPAA in the future — check [granola.ai/security](https://www.granola.ai/security) for the latest status.
  </Accordion>

  <Accordion title="Can I use Granola for NHS or healthcare settings?">
    We are not currently designed for processing patient-sensitive or clinically confidential information. We do not hold HIPAA or NHS DSP Toolkit accreditation. For non-clinical administrative use, please review our [Trust Center](https://trust.granola.ai) to see if our current security posture meets your requirements.
  </Accordion>
</AccordionGroup>

# Education & FERPA

<AccordionGroup>
  <Accordion title="Is Granola FERPA compliant?">
    Granola is **not currently FERPA compliant**. If your institution requires FERPA compliance, Granola may not be suitable for use with student education records at this time.
  </Accordion>
</AccordionGroup>

# Recording, Consent & Audio

<AccordionGroup>
  <Accordion title="How does Granola record meetings? Does a bot join?">
    Granola runs **locally on your device** and captures audio directly from your microphone and system audio. **No bot joins your meeting** — other participants will not see any additional attendee. This is a core part of our privacy-first design.
  </Accordion>

  <Accordion title="How do I get consent from meeting participants?">
    You are responsible for obtaining consent from participants before using Granola. To help: on macOS, go to **Settings → Labs** and enable **"Let others know you're using Granola"** to automatically send a customisable consent message when meetings start. We strongly recommend always informing participants that you're taking AI-enhanced notes. For more, see [Getting consent](/help-center/consent-security-privacy/getting-consent), [Automatic consent messaging](/help-center/managing-your-account/automatic-consent-messaging), and our [Trust Center](https://trust.granola.ai).
  </Accordion>

  <Accordion title="Does Granola store audio recordings?">
    No. Audio is temporarily cached during the meeting for transcription only. Once transcription is complete, the audio is deleted from our systems and any third-party services. We do not retain audio recordings.
  </Accordion>

  <Accordion title="Can Granola accidentally record a conversation I didn't intend to capture?">
    Granola requires you to **click to start** recording — it does not start completely automatically. However, if a meeting runs longer than expected or you don't end the session, it may continue transcribing. Always click **End** when your meeting finishes to ensure clean separation between sessions.
  </Accordion>
</AccordionGroup>

# Note Privacy & Sharing

<AccordionGroup>
  <Accordion title="Who can see my meeting notes?">
    Your notes are **private by default**. No one in your workspace can see your notes unless you explicitly share them. You control sharing with three levels: **Private** (only you), **Only your company** (people signed in with your company email), or **Anyone with link** (public). This applies across all plans, including the free tier. See [Sharing controls](/help-center/consent-security-privacy/sharing-controls) for details.
  </Accordion>

  <Accordion title="Can my admin or teammates see my private notes?">
    No — admins cannot see your individual notes. Notes remain private to you unless you choose to add them to a folder in your team space or share them directly with specific colleagues. Enterprise admins can set maximum sharing permissions (e.g. restrict public links), but they cannot view your private notes. See [Sharing controls](/help-center/consent-security-privacy/sharing-controls) for more.
  </Accordion>

  <Accordion title="If I use the MCP integration with Claude or Cursor, can my colleagues see my notes?">
    The MCP integration uses your personal API token and only accesses notes you have permission to view. Colleagues using the same Claude or Cursor instance would not gain access to your Granola notes through the integration.
  </Accordion>

  <Accordion title="Will my private notes stay private if I transfer them to a new workspace?">
    Yes — transferred notes remain private by default. Your teammates won't have access unless you choose to share them.
  </Accordion>
</AccordionGroup>

# AI & Model Training

<AccordionGroup>
  <Accordion title="Does Granola use my data to train AI models?">
    By default on Free and Business plans, anonymised data may be used for Granola's own model improvements. You can **opt out at any time**: go to **Settings → Preferences → Data & sharing** and turn off **"Use my data to improve models for everyone."** Third parties like OpenAI and Anthropic are **never** allowed to train on your data — we have enterprise agreements preventing this.
  </Accordion>

  <Accordion title="Can my workspace admin opt everyone out of model training?">
    On the **Enterprise** plan, admins can configure org-wide opt-out via **Settings → Security & Access**. On the **Business** plan, each user needs to opt out individually. For more details, visit [granola.ai/security](https://www.granola.ai/security).
  </Accordion>

  <Accordion title="I opted out — was my historical data already used for training?">
    We cannot guarantee that anonymised data wasn't used before you changed the setting. However, once you opt out, **none of your data** will be used for any future model training.
  </Accordion>
</AccordionGroup>

# Data Retention & Deletion

<AccordionGroup>
  <Accordion title="How long does Granola keep my transcripts and notes?">
    Notes and transcripts are retained **indefinitely** unless you or your admin configures a retention policy. Enterprise plans offer configurable auto-deletion retention periods for transcripts. Contact [hey@granola.so](mailto:hey@granola.so) if you'd like to adjust your workspace's retention settings.
  </Accordion>

  <Accordion title="How do I delete my account and all my data?">
    Go to **Settings → Profile → Delete Account** in the app. If you no longer have access to the app, email [hey@granola.so](mailto:hey@granola.so) and we'll process your account deletion and remove all associated data. See [Deleting your account](/help-center/deleting-your-account) for more.
  </Accordion>

  <Accordion title="Can I export all my data (GDPR data portability)?">
    Yes — under GDPR Article 20, you have the right to a copy of all your personal data in a structured, machine-readable format, which you can request by emailing [hey@granola.so](mailto:hey@granola.so). For a CSV export of your historical notes from the app, see [Exporting historical notes](/help-center/sharing/exporting-notes).
  </Accordion>
</AccordionGroup>

# Legal & Procurement

<AccordionGroup>
  <Accordion title="Where can I find Granola's Data Processing Addendum (DPA)?">
    Our standard DPA is available at [go.granola.so/dpa](https://go.granola.so/dpa). It incorporates EU and UK Standard Contractual Clauses. Custom DPAs are not available.
  </Accordion>

  <Accordion title="Who are Granola's subprocessors?">
    A list of subprocessors is available in our [Trust Center](https://trust.granola.ai).
  </Accordion>

  <Accordion title="Does Granola have a vulnerability disclosure or bug bounty programme?">
    We don't have a formal bug bounty programme, but we do offer **monetary rewards** for legitimate security vulnerability reports based on severity and impact. Read our [Vulnerability Disclosure Policy](/help-center/policies/terms-of-service/vulnerability-disclosure-policy).
  </Accordion>
</AccordionGroup>

# Authentication & Enterprise Controls

<AccordionGroup>
  <Accordion title="Does Granola support SSO (Single Sign-On)?">
    Yes — SSO is available on **Enterprise** plans for organisations with 50+ seats. We support Google OAuth and Microsoft authentication on all plans. Contact [sales@granola.so](mailto:sales@granola.so) for SSO configuration.
  </Accordion>

  <Accordion title="Does Granola support two-factor authentication (2FA/MFA)?">
    Granola does not have a built-in 2FA or MFA feature. All authentication is delegated to your identity provider — Google, Microsoft, or your organization's SSO provider. To protect your Granola account with multi-factor authentication, enable it on your identity provider. See [Signing in and connecting your calendar](/help-center/signing-in-and-connecting-your-calendar) for more on how authentication works.
  </Accordion>

  <Accordion title="Does Granola enforce a password policy?">
    Granola does not manage passwords directly. All authentication is delegated to your identity provider — Google, Microsoft, or your organization's SSO provider. Whatever password policies your identity provider enforces (complexity requirements, expiration, etc.) apply to your Granola sign-in.
  </Accordion>

  <Accordion title="What admin security controls are available on Enterprise?">
    Enterprise admins get: org-wide sharing restrictions, org-wide model training opt-out, transcript retention policies, SSO enforcement, usage analytics, and priority support. Visit [granola.ai/security](https://www.granola.ai/security) or contact [sales@granola.so](mailto:sales@granola.so) to learn more.
  </Accordion>
</AccordionGroup>

***

Can't find what you're looking for? [Chat with our docs](https://help.granola.ai) or email [hey@granola.so](mailto:hey@granola.so). For enterprise security inquiries, contact [sales@granola.so](mailto:sales@granola.so).