Incident Response & Breach Notification

Wispr Flow runs a formal incident response program to detect, investigate, and resolve security incidents — and to notify affected customers promptly. This page covers how incidents are handled, breach notification timelines for HIPAA-covered customers, and how to sign a BAA.

What it is

The incident response program is a set of procedures and controls that govern how Wispr Flow identifies, investigates, contains, and resolves security incidents. It includes continuous automated monitoring, defined escalation paths, and clear notification timelines — especially for customers subject to HIPAA requirements.

How it works in Flow

Detection and reporting

• Continuous monitoring: Automated systems watch for security anomalies and threats around the clock.

• Automated alerts: High and critical security events trigger immediate alerts to the security team.

• Employee training: All employees are trained to recognize and report security incidents.

• In-app reporting: Security concerns submitted through the in-app support dialog are routed directly to the support team.

Investigation and assessment

• Preliminary investigation: Conducted promptly after detection.

• Risk assessment: Determines incident severity and impact.

• Documentation: Incident details, affected systems, and timeline are recorded.

• Evidence preservation: Forensic evidence is preserved for further investigation.

Severity classification

Incidents are classified by potential impact:

• Critical: Potentially catastrophic impact or violation of legal/regulatory requirements.

• High: Significant harm to business units or clear policy violations.

• Medium: Limited impact with potential for escalation.

Containment and resolution

• Containment: Immediate steps to prevent further damage.

• Root cause analysis: Determines how the incident occurred.

• Remediation: Plan development and execution.

• Verification: Confirms the incident is fully resolved.

Communication and notification

For high and critical incidents:

• Internal stakeholders: Notified according to escalation procedures.

• Customers: Informed when their data may be affected.

• Regulatory bodies: Notified as required by applicable laws.

Wispr Flow also proactively alerts users when a service incident is affecting their region:

• Hub banner: A colored banner appears at the top of the Hub home page — orange for degraded performance, red for an outage — with a "View status" link to the incident status page.

• Desktop notification: If a dictation is slow during an active incident, you may receive a desktop notification. This appears at most once per hour.

Testing and preparedness

• Annual review: Procedures are reviewed at least once a year for currency and effectiveness.

• Annual testing: Procedures are tested through tabletop exercises or simulations at least once a year.

• Continuous improvement: Procedures are updated based on testing results and emerging threats.

Documentation and retention

All incident-related documentation is retained for a minimum of six years, including:

• Incident reports and investigation findings

• Risk assessments and breach determinations

• Notification records and communications

• Remediation actions and lessons learned

Breach notification for HIPAA-covered customers

Signing a HIPAA BAA

You can sign a HIPAA Business Associate Agreement directly within Wispr Flow. Signing requires entering your legal name.

After signing on Mac or Windows, you can review the BAA at any time by clicking "View" in Settings → Data & Privacy.

Enterprise security controls

Enterprise customers manage BAA signing through the admin portal and can configure additional security controls at the organization level:

• Enforced Zero Data Retention: Permanently locks Privacy Mode on for all users.

• Local data deletion policy: Three levels — normal storage, deletion after 24 hours, or never storing data locally. Setting "never store" permanently locks Privacy Mode on.

• Mandatory SSO: Requires single sign-on for all users.

• Restricted model improvement data sharing: Prevents user data from being used for model improvement.

Admins can set a minimum floor for the local data deletion policy — users can only choose options at or more restrictive than the organization's policy. These controls require an Enterprise plan (Business tier or above).

Breach determination

A breach is presumed unless Wispr can demonstrate a low probability that PHI has been compromised, based on:

• Nature and extent of PHI involved

• Who accessed or could have accessed the PHI

• Whether PHI was actually acquired or viewed

• Extent to which risk was mitigated

Notification to covered entities

• Timeline: Notification is provided without unreasonable delay, no later than 60 calendar days after breach discovery, in accordance with HIPAA requirements.

• Information provided: Identities of affected individuals and details needed for covered entity notifications.

• Documentation: Written documentation of the breach and notification timing.

Delay for law enforcement

If law enforcement requests a delay due to an ongoing investigation:

• Written requests: Honored for the specified delay period.

• Oral requests: Documented, and delays are limited to 30 days unless followed by a written request.

FAQs

Limitations and notes

• HIPAA BAA signing is available on Mac, Windows, and iOS. It is not available on Android.

• Privacy Mode is available on all platforms, including Android.

• On Android, enterprise users have Privacy Mode enabled by default and cannot modify the setting.

• Enterprise security controls (Zero Data Retention, local data deletion, mandatory SSO) require an Enterprise plan (Business tier or above).

• All incident-related documentation is retained for a minimum of six years.

• In-app incident alerts (Hub banner and desktop notification) are shown on Mac and Windows only, and only to users in regions affected by an active incident. The desktop notification appears at most once per hour.