Fireflies.ai cares deeply about the security of your information and uses commercially reasonable physical, technical and organizational measures designed to preserve the integrity and security of all information we collect and that we share with our service providers.
SOC 2 Compliance
Fireflies.ai is SOC 2 Type 2 compliant and we maintain our compliance annually.
SOC 2 is a voluntary compliance standard developed by the American Institute of CPAs (AICPA) which specifies how organizations should manage customer data. Being SOC 2 compliant means our organization has the infrastructure, tools, and processes to protect customer data from unauthorized access both from within and outside the firm.
For details on the report, please send an email to security@fireflies.ai.
Fireflies.ai Architecture
Fireflies.ai is built on top of infrastructure and services that use industry-grade security standards. You can see high-level technical documentation that details the system architecture here.
Internal Fireflies.ai Team Data Access
Fireflies employees do not have access to production customer data by default. If greater access is needed, for example during a support request, permission must be granted by the user and employees must provide documentation for why they are requesting access. Access is granted only when absolutely required.
We apply the principle of least privilege in our access control mechanisms for sensitive data. Access to sensitive data is granted on a need-to-know basis and is strictly monitored and audited.
Vulnerability Management Program
Fireflies.ai is regularly scanned with industry-standard scanning tools for monitoring and detecting vulnerabilities. In addition, we host an ongoing bug bounty program with HackerOne to continuously detect vulnerabilities.
However, no security system is impenetrable and we cannot 100% guarantee the security of our systems. In the event that any information under our control is compromised because of a breach of security, we will take reasonable steps to investigate the situation and when appropriate, notify those individuals whose information may have been compromised and take other steps, in accordance with any applicable laws and regulations.