The fastest way to get an AI tool banned at your company is to install a notetaker without asking anyone. IT teams call it shadow AI, and meeting tools are the number one offender, because a notetaker does not just process your data. It processes everyone else's. Your boss's offhand comment about the reorg. The client's pricing complaint. The candidate's salary expectation.
This guide covers one option you may already own (Microsoft Teams Copilot) and the three third-party tools your company is most likely to evaluate (Granola, Otter, Fireflies), on the criteria IT actually uses: where the audio goes, who trains on your data, what compliance paperwork exists, and what it costs.
One disclosure up front: Granola is an affiliate partner of this newsletter. The full note is at the bottom, and you will find its biggest wrinkle called out in its own section anyway. That is how we do this.
The fast answer
If you want the verdict before the evidence:
- Your company already pays for Microsoft Copilot: use it first. The compliance work is done.
- You are an individual operator who wants low-friction notes without a bot in the room: Granola, with the training toggle flipped (details below).
- You are in a regulated industry that requires a BAA (the signed agreement HIPAA demands): Fireflies Enterprise, budgeted honestly.
- You want a mature, visible-bot tool and your meeting volume fits the caps: Otter.
The rest of the guide is the evidence, because your security team will ask for it.
The four questions IT will ask
Every tool below is scored against the checklist security teams actually run. It maps to the standard paperwork IT expects: a current SOC 2 Type 2 report, a data processing agreement, a contractual answer on AI training, and a defined retention policy.
- Does a bot join the call, and do participants know they are being recorded?
- Is the audio stored, and for how long?
- Is anyone training AI models on our meetings?
- Can admins control retention, access, and provisioning centrally?
For Teams-based organizations, this is the option to exhaust before spending anything new.
- Bot
- none. Native to the platform; participants see the standard Teams transcription notice.
- Audio and transcripts
- stay in your Microsoft 365 tenant, in OneDrive and SharePoint, governed by your organization's existing Purview retention policies (the same compliance controls as your email) and subject to the same eDiscovery.
- Training
- governed by your existing Microsoft agreement. No new data processor enters the picture.
- Compliance
- inherits your M365 posture. No new vendor review at all.
- Cost
- the catch. Intelligent recap requires a Teams Premium or Microsoft 365 Copilot license, and Copilot runs about $30 per user per month.
IT friction: lowest of the four.
Our take: serviceable recaps, zero new risk, but it stops at the tenant wall. The moment you need notes from an external client call on Zoom, you are back in the market, which is how most people end up reading the rest of this guide.
For the individual operator who needs notes without a recorder visible in every client call, this is the strongest fit in the guide.
- Bot
- none. A desktop app captures your device audio; no participant joins. That is its best feature and the one to be honest about: nobody's behavior changes because nobody sees a recorder, which means consent is on you. Several US states require all-party consent for recording, and your company policy may require disclosure regardless. Announce it.
- Audio
- deleted immediately after real-time transcription. There is no recording to store, leak, subpoena, or breach. Only the transcript and notes persist, encrypted, US-hosted. SOC 2 Type 2 certified since July 2025.
- Training
- read this twice. Third parties like OpenAI and Anthropic are contractually barred from training on your data on every plan. But Granola itself trains on your anonymized data by default on Basic and Business unless you opt out in Settings. The org-wide default opt-out is an Enterprise feature. The individual toggle takes ten seconds.
- Compliance
- not HIPAA compliant, no BAAs, so healthcare stops here. No EU data residency yet.
- Cost
- free Basic with limited history, Business $14 per user per month, Enterprise $35 with SSO and the org-wide training opt-out.
IT friction: low; the no-stored-audio architecture removes the scariest item from the review entirely.
Our take: the strongest privacy architecture in the category, with one asterisk you now know about.
If you are outside a regulated environment, set it up safely in 60 seconds: download the desktop app, open Settings and turn off model training, decide your disclosure line ("heads up, an AI tool is taking notes on my end"), done.
Otter
The mature incumbent
03
For teams that want the established name and are comfortable with a visible bot, Otter is the category's known quantity, with real admin controls and the cheapest paid entry point here.
- Bot
- OtterPilot joins your Zoom, Teams, or Meet call as a visible participant. Consent optics handled by default, which IT likes. Every client seeing "Otter.ai" in the attendee list is the trade.
- Audio
- recordings and transcripts stored in Otter's cloud, with admin-configurable retention on team plans.
- Training
- Otter's privacy documentation states it trains its own models on de-identified user data, automatically. Its third-party AI providers do not train on customer data. Whether de-identified training on your meetings is acceptable is a question for your security team. Ask it explicitly.
- Compliance
- SOC 2, GDPR; SSO and HIPAA available at the Enterprise tier.
- Cost
- free tier at 300 minutes per month with a 30-minute per-conversation cap. Pro $8.33 per user per month annual. Business $19.99 annual. Enterprise custom. Know the caps before you commit: when you hit them, transcription stops until the next cycle. Transcription covers English, French, and Spanish.
IT friction: medium. Established vendor, standard certifications, but stored recordings plus the training policy means a real review, not a rubber stamp.
Our take: fine and mature; make sure your meeting volume fits the minute caps and your security team has answered the training question before you standardize on it.
For healthcare, legal, and other regulated teams where a signed BAA is non-negotiable, Fireflies is the only tool on this list that provides one.
- Bot
- the Fireflies Notetaker joins as a visible participant. Same trade as Otter.
- Audio
- recordings stored on Fireflies servers, encrypted.
- Training
- the cleanest policy of the bot-based tools. Fireflies maintains zero-day retention agreements with its AI vendors and states meeting data is never used for model training. Its own or anyone else's.
- Compliance
- SOC 2 Type 2, GDPR, and HIPAA with a signed BAA. Private storage, custom retention policies, and automated governance rules all exist. Note where they live: the BAA, private storage, custom retention, and the rules engine are Enterprise-tier features.
- Cost
- free tier limited by a credits system that is tighter than it looks. Pro $10 per user per month annual, Business $19 annual, Enterprise $39 annual, which is where the compliance features above actually sit.
IT friction: low at Enterprise, medium below it.
Our take: the compliance capabilities in the marketing are real, and they live at $39 a month, not $10. Budget for the tier that has them.
The comparison in one table
Before you install anything: the Three-Question Clearance
A One-Minute Win you can run today. Send your IT or security contact this message, with the tool name filled in:
- Existing approvals: Do we have an approved AI notetaker already, and if so which one?
- Blocking risks: If we evaluated [tool], what would block approval: stored audio, training policy, or missing paperwork?
- Consent policy: What is our policy on announcing AI notetakers on external calls?
Question 1 saves you from buying a tool your company already owns. Question 2 turns a vague "security review" into a two-line answer. Question 3 keeps you out of the consent mess entirely. If the answers come back clean, you are the person who did it right, which in corporate terms is worth more than the tool.
Some links on this page are affiliate links, including Granola. We only link to tools we would recommend anyway, and the training-toggle warning above should prove it.
Sources (Tier 1, verified July 2026)
- granola.ai/security and Granola security and compliance documentation (SOC 2 Type 2 July 2025, audio deletion, training defaults, HIPAA status, pricing)
- otter.ai/pricing and otter.ai/privacy-security (tiers, minute caps, de-identified training policy)
- fireflies.ai/security and Fireflies knowledge base (SOC 2, HIPAA BAA, zero-day vendor retention, Enterprise gating, pricing)
- learn.microsoft.com Teams intelligent recap documentation and support.microsoft.com Copilot in Teams (licensing requirements, Purview retention, tenant storage)
Stay ahead of what your company's policy might miss.
Subscribe free. One email per week. Under 60 seconds.
Subscribe Free