Security best practices for Granola meeting data.
Use when implementing security controls, reviewing data handling,
or ensuring compliance with security policies.
Trigger with phrases like "granola security", "granola privacy",
"granola data protection", "secure granola", "granola compliance".
Granola achieved SOC 2 Type 2 certification in July 2025. It encrypts data with AES-256 at rest and TLS 1.3 in transit. Audio is transcribed server-side and not stored after processing. This skill covers security configuration, compliance posture, and organizational controls.
Prerequisites
Granola Business or Enterprise plan (for admin/security controls)
Understanding of your organization's compliance requirements
Admin access for workspace-level settings
Instructions
Step 1 — Understand Granola's Data Architecture
Audio Capture (your device)
│
├─→ Transmitted via TLS 1.3
│
▼
Granola Cloud (transcription)
│
├─→ Transcript generated (GPT-4o / Claude)
├─→ Audio DELETED after processing (not stored)
│
▼
Encrypted Storage (AES-256 at rest)
│
├─→ Meeting notes (your typed + AI enhanced)
├─→ Transcript text (stored, searchable)
├─→ Attendee metadata
│
▼
Your Device (local cache: cache-v3.json)
Key security properties:
No bot joins your meeting — audio is captured locally via system audio
Raw audio is never stored after transcription
Granola does not allow OpenAI or Anthropic to train on customer data
Enterprise plan enforces org-wide AI training opt-out by default
Local cache (cache-v3.json) contains meeting data on your device
Step 2 — Configure Account Security
Control
How to Enable
Plan Required
Google/Microsoft SSO
Default (social login)
All
Enterprise SSO (Okta, Azure AD)
Settings > Security > SSO
Enterprise
SCIM provisioning
Settings > Security > SCIM
Enterprise
Session timeout
Settings > Security
Enterprise
IP allowlisting
Contact Granola support
Enterprise
Step 3 — Configure Data Controls
Sharing defaults:
Settings > Privacy:
Default sharing: Private (recommended)
Auto-share with attendees: Off (enable per-folder instead)
External sharing: Disabled or Admin Approval Required
Public links: Disabled
Link expiration: 30 days (if external sharing enabled)
Data retention:
Settings > Data Retention:
Meeting notes: Organization policy (1-2 years typical)
Transcripts: 90 days (recommended for storage efficiency)
Audio: Deleted after processing (Granola default, not configurable)
AI training opt-out:
Settings > Privacy > AI Training:
Organization-wide opt-out: Enabled (Enterprise: enforced by default)
This ensures your meeting data is never used to train foundational models.
Step 4 — Meeting Recording Consent
Granola records audio from your device. You are responsible for informing meeting participants:
Legal requirements by jurisdiction:
One-party consent (US federal, most US states, UK): You can record if you are a participant
Two-party/all-party consent (California, Illinois, EU GDPR): All participants must be informed
Always recommended: Announce recording at meeting start or include notice in calendar invites
Calendar invite consent notice:
Note: This meeting will be recorded using Granola AI for note-taking
purposes. By joining, you consent to the recording and AI processing
of the discussion. Contact [your-email] to opt out.
Step 5 — Compliance Posture
Framework
Granola Status
Evidence
SOC 2 Type 2
Certified (July 2025)
Available on request
GDPR
Compliant
DPA available
CCPA
Compliant
Privacy policy updated
HIPAA
Not certified
Do not use for PHI without BAA
ISO 27001
Not certified
Covered by SOC 2 controls
GDPR requirements you must implement:
Right of Access: Export user's data via Settings > Data > Export
Right to Erasure: Delete user's notes and request account deletion
Data Processing Agreement: Request DPA from Granola (required for EU data)
Subject Access Requests: 30-day response deadline
Step 6 — Sensitive Meeting Protocol
For confidential meetings (board discussions, HR, legal, M&A):
Before: Disable auto-recording for the meeting
During: Announce recording consent to all participants
After: Review and redact sensitive content before sharing
Sharing: Set link expiration, restrict to named recipients
Retention: Apply shorter retention (30 days) for sensitive workspaces
Output
Account secured with SSO and appropriate authentication
Sharing defaults configured per organizational policy
Data retention policies set per data type
Compliance posture documented and gaps identified
Sensitive meeting protocol established
Error Handling
Error
Cause
Fix
SSO login fails
SAML/OIDC misconfigured
Verify Entity ID and ACS URL with IdP
Cannot disable external sharing
Individual override
Set workspace-level policy to override user settings
Data export fails
Insufficient permissions
Request export access from workspace admin
Consent notice ignored
Not in calendar template
Add to organization's default calendar template
Local Cache Security
The local cache file (~/Library/Application Support/Granola/cache-v3.json) contains meeting data in plaintext. For sensitive environments:
Enable FileVault (macOS) or BitLocker (Windows) for disk encryption