Compliance Certifications & Standards
Last updated: April 28, 2026
Available on: Mac, Windows, iOS. Android supports the Privacy Mode toggle only — no BAA signing or enterprise compliance settings.
Wispr Flow is SOC 2 Type II, ISO 27001:2022, and HIPAA compliant. Use this guide to review what we're certified for, sign a Business Associate Agreement (BAA), or request compliance documentation for your security review.
What it is
Wispr Flow's compliance program covers the security certifications, privacy frameworks, and regulatory standards that protect your data. All certifications are independently audited.
Compliance settings live under Settings → Data & Privacy in the desktop app and include:
Privacy Mode toggle: Enables zero data retention.
Context awareness toggle: Controls whether Flow reads surrounding text for accuracy.
Local data storage: Choose to store locally, auto-delete every 24 hours, or never store.
Sync notes: Forces a cloud sync.
HIPAA BAA: Sign or view your Business Associate Agreement.
How it works in Flow
Overview
Flow holds three primary certifications — SOC 2 Type II, ISO 27001:2022, and HIPAA — and aligns with additional frameworks including ISO/IEC 42001:2023, GDPR, and CCPA. Healthcare customers can sign a BAA in-app to enable HIPAA-compliant usage.
Current certifications
SOC 2 Type II
Wispr Flow has completed SOC 2 Type II attestation covering the Security category of the AICPA Trust Services Criteria. The report covers February 15, 2025 to May 15, 2025, and was prepared by ACCORP Partners.
The examination validates security controls across:
Access controls: Authentication and authorization mechanisms.
Data protection: Encryption at rest and in transit.
Incident response: Monitoring and response procedures.
Change management: Controlled deployment processes.
Vendor management: Third-party risk assessment.
Physical security: Environmental controls and safeguards.
SOC 2 Type II reports are available to customers and prospects under NDA. Contact your account representative to request a copy.
ISO 27001:2022
Wispr AI, Inc. is certified to ISO/IEC 27001:2022, the international standard for information security management systems. Certificate GCI/IS/202509008 was issued on September 8, 2025 by Gradient Certification Inc. and is valid through September 7, 2026.
The certification scope covers:
Platform systems: All infrastructure and personnel involved in the design, development, deployment, and maintenance of Wispr Flow.
ISMS: The Information Security Management System supporting the Wispr Flow service.
HIPAA compliance
Wispr Flow operates in compliance with HIPAA and maintains administrative, physical, and technical safeguards to protect Protected Health Information (PHI). Healthcare customers can sign a Business Associate Agreement (BAA) directly in the app — see How to sign a BAA below for steps.
Other frameworks
Flow's security program also aligns with:
ISO/IEC 42001:2023: AI governance.
GDPR: Data protection and privacy requirements for EU users.
CCPA: California Consumer Privacy Act requirements.
Ongoing compliance
Audits: Regular internal and external assessments.
Policy reviews: Annual updates to security policies.
Vulnerability assessments: Continuous security testing.
Training: Employee security awareness programs.
How to sign a BAA
Warning: Signing a BAA permanently locks Privacy Mode (zero data retention) to ON for your account. This action cannot be undone.
Mac and Windows (individual user)
Open Wispr Flow and go to Settings → Data & Privacy.
Click "View and accept" next to HIPAA BAA.
Enter your full legal name to sign.
Confirm. The button changes to "View" so you can review the signed BAA PDF anytime.
Mac and Windows (enterprise admin)
Open Settings → Data & Privacy.
Click "Open admin portal" next to HIPAA BAA.
Sign on behalf of your organization in the admin portal.
Note: Enterprise BAA signing requires a live Enterprise-tier subscription. Team and Pro plans cannot sign an enterprise BAA.
iOS
Open the Wispr Flow app and go to Settings → Data & Privacy.
Tap the BAA option to start the in-app PDF signing flow.
Enter your full legal name and confirm.
What changes after signing
Privacy Mode locks ON: Zero data retention is enforced for the account and cannot be turned off.
Notes are stored locally only: The Notes page (Scratchpad) stays visible in the sidebar, but notes are saved only on your device and will not sync across devices. The manual sync and refresh buttons are hidden, and a notice on the Notes page explains this behavior.
Enterprise ZDR toggle locks: Once an organization-wide BAA is signed, admins can no longer disable Zero Data Retention.
Note: The ZDR toggle is only available on Enterprise-tier plans. Admins on Team or Pro plans see it disabled with a prompt to upgrade. If Wispr support has enabled ZDR Lock for your organization, contact support to modify the setting.
How to request compliance documentation
Enterprise customers can request the following under NDA:
SOC 2 Type II report
ISO 27001 certificate
Security and compliance questionnaire responses
Penetration test summaries
HIPAA Business Associate Agreement (also available for in-app signing)
Contact your account representative or the security team to request documentation. Enterprise admins can also access compliance settings directly through the admin portal.
FAQs
How do I request a SOC 2 report?
Contact your account representative to request a copy under NDA.
What enterprise security controls are available?
Zero Data Retention enforcement, SSO enforcement, SCIM provisioning for directory sync, domain-based auto-invite, per-member usage monitoring, usage data export, and minimum local data retention policies.
Can I undo a BAA signing?
No. Signing a BAA permanently locks Privacy Mode to ON and cannot be undone.
Is compliance available on Android?
Android supports the Privacy Mode toggle only. BAA signing and enterprise compliance settings are not available on Android.
Can I use Notes after signing a BAA?
Yes. The Notes page stays visible in the sidebar, but notes are stored only on your device and will not sync across devices. The sync and refresh buttons are hidden while a BAA is active.
Limitations and notes
BAA signing and enterprise compliance settings are available on Mac, Windows, and iOS only.
Android supports the Privacy Mode toggle only. Enterprise users on Android have Privacy Mode automatically enabled during setup, but the Settings screen does not enforce this lock after onboarding.
Enterprise BAA signing requires a live Enterprise-tier subscription. Team and Pro plans cannot sign an enterprise BAA.
SOC 2 reports and penetration test summaries are available under NDA only.
Changing local data storage to auto-delete or never store deletes existing transcripts and polish history. A confirmation dialog appears before the change takes effect. This setting may be restricted by your organization's enterprise policy.
When SCIM provisioning is enabled, user management syncs with your identity provider. Users added or removed in your IdP are automatically reflected in Wispr.
Enterprise admins can disable context awareness (screen text reading) organization-wide. When disabled, the setting is locked in users' Data & Privacy settings.