Compliance Certifications & Standards

Last updated: May 22, 2026

Available on: Mac, Windows, iOS. Android supports the Privacy Mode toggle only.

Wispr Flow is SOC 2 Type II, ISO 27001:2022, and HIPAA compliant. Use this guide to review our certifications, sign a Business Associate Agreement (BAA), or request compliance documentation for your security review.


What it is

Wispr Flow's compliance program covers the security certifications, privacy frameworks, and regulatory standards that protect your data. All certifications are independently audited.

Compliance settings live under Settings → Data & Privacy in the desktop app and include:

  • Privacy Mode toggle: Enables zero data retention.

  • Context awareness toggle: Controls whether Flow reads surrounding text for accuracy.

  • Local data storage: Store locally, auto-delete every 24 hours (runs daily at noon local time while the app is open), or never store.

  • Sync notes: Triggers an on-demand refresh of notes from the cloud.

  • HIPAA BAA: Sign or view your Business Associate Agreement.


How it works in Flow

Overview

Flow holds three primary certifications — SOC 2 Type II, ISO 27001:2022, and HIPAA — and aligns with additional frameworks including ISO/IEC 42001:2023, GDPR, and CCPA. Healthcare customers can sign a BAA in-app to enable HIPAA-compliant usage.

Current certifications

SOC 2 Type II

Wispr Flow has completed SOC 2 Type II attestation covering the Security trust service criteria. The report covers February 15, 2025 to May 15, 2025, and was prepared by ACCORP Partners.

The examination validates security controls across:

  • Access controls: Authentication and authorization mechanisms.

  • Data protection: Encryption at rest and in transit.

  • Incident response: Monitoring and response procedures.

  • Change management: Controlled deployment processes.

  • Vendor management: Third-party risk assessment.

  • Physical security: Environmental controls and safeguards.

SOC 2 Type II reports are available to customers and prospects under NDA. Request access through the Wispr Trust Center.

ISO 27001:2022

Wispr AI, Inc. is certified to ISO/IEC 27001:2022, the international standard for information security management systems. Certificate GCI/IS/202509008 was issued on September 8, 2025 by Gradient Certification Inc. and is valid through September 7, 2026.

The certification scope covers:

  • Platform systems: All infrastructure and personnel involved in the design, development, deployment, and maintenance of Wispr Flow.

  • ISMS: The Information Security Management System supporting the Wispr Flow service.

HIPAA compliance

Wispr Flow operates in compliance with HIPAA and maintains administrative, physical, and technical safeguards to protect Protected Health Information (PHI). Healthcare customers can sign a Business Associate Agreement (BAA) directly in the app — see the next section for steps.

Other frameworks

Flow's security program also aligns with:

  • ISO/IEC 42001:2023: AI governance.

  • GDPR: Data protection and privacy requirements for EU users.

  • CCPA: California Consumer Privacy Act requirements.

Ongoing compliance

  • Audits: Regular internal and external assessments.

  • Policy reviews: Annual updates to security policies.

  • Vulnerability assessments: Continuous security testing.

  • Training: Employee security awareness programs.


How to sign a BAA

Warning: Signing a BAA permanently locks Privacy Mode (zero data retention) to ON for your account and disables Meeting Recorder. This action cannot be undone.

Mac and Windows (individual user)

  1. Open Wispr Flow and go to Settings → Data & Privacy.

  2. Click "View and accept" next to HIPAA BAA.

  3. Enter your full legal name to sign.

  4. Click "I agree" to confirm. The button changes to "View" so you can review the signed BAA PDF anytime.

Mac and Windows (enterprise admin)

  1. Open Settings → Data & Privacy.

  2. Click "Open admin portal" next to HIPAA BAA.

  3. Sign on behalf of your organization in the admin portal.

Note: Enterprise BAA signing requires a Business Monthly or Business Yearly plan with an Active subscription. Trials and past-due subscriptions fall through to the individual signing flow.

iOS

  1. Open the Wispr Flow app and go to Settings → Data & Privacy.

  2. Tap the BAA option to start the in-app PDF signing flow.

  3. Enter your full legal name and confirm.

What changes after signing

  • Privacy Mode locks ON: Zero data retention is enforced for the account and cannot be turned off.

  • Meeting Recorder is disabled: The Meeting Recorder feature is turned off while a BAA is active.

  • Enterprise ZDR toggle locks: Once an organization-wide BAA is signed, admins can no longer disable Zero Data Retention. The tooltip reads: "Privacy mode cannot be disabled once a HIPAA BAA is signed."

Note: The ZDR toggle is only available on Enterprise-tier plans. Admins on Team or Pro plans see it disabled with a prompt to upgrade. ZDR Lock can only be modified by Wispr superadmins — contact support to request a change.


How to request compliance documentation

Visit the Wispr Trust Center to request the following under NDA:

  • SOC 2 Type II report

  • ISO 27001 certificate

  • Security and compliance questionnaire responses

  • Penetration test summaries

  • HIPAA Business Associate Agreement (also available for in-app signing)

Enterprise admins can also access compliance settings directly through the admin portal.


IT admin configuration (MDM)

IT admins can deploy an UpdateFrequency policy to control how often Flow checks for updates:

  • macOS: Deploy via MDM (Jamf, Kandji, Intune).

  • Windows: Deploy via Group Policy or Registry at HKLM\SOFTWARE\Policies\WisprAI\Flow.

  • Values: auto (default), weekly, bi-weekly, monthly.

Changes take effect after the app restarts.
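The Windows deployment path above can be scripted. The following PowerShell is an added example for this guide, not Wispr's own tooling: it writes the policy under the `HKLM\SOFTWARE\Policies\WisprAI\Flow` key the page names, restricts input to the four documented values, and includes a read-back check so an administrator can confirm what a machine actually has. Two details are assumptions not stated on the page and are marked as such in the code: that the registry value is named `UpdateFrequency` like the policy, and that it is stored as a REG_SZ string. The function names are this example's own.

```powershell
# Added example (not Wispr's own tooling): manage the Flow UpdateFrequency
# policy in the registry path the page documents. Assumptions are marked.

# Policy key named on the page.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\WisprAI\Flow'
# ASSUMPTION: the registry value carries the same name as the policy.
$ValueName = 'UpdateFrequency'
# Allowed values listed on the page; 'auto' is the documented default.
$AllowedValues = @('auto', 'weekly', 'bi-weekly', 'monthly')

function Set-FlowUpdateFrequency {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('auto', 'weekly', 'bi-weekly', 'monthly')]
        [string]$Frequency
    )

    # Writing under HKLM\SOFTWARE\Policies requires an elevated session.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (Administrator) PowerShell session.'
    }

    # Create the policy key if it does not exist yet (idempotent).
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }

    if ($PSCmdlet.ShouldProcess("$PolicyKey\$ValueName", "Set to '$Frequency'")) {
        # ASSUMPTION: the value is stored as REG_SZ (String).
        New-ItemProperty -Path $PolicyKey -Name $ValueName -Value $Frequency `
            -PropertyType String -Force | Out-Null
    }
}

function Get-FlowUpdateFrequency {
    # Returns the configured value, or 'auto' (the page's default) when no
    # policy value is present on this machine.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'auto' }
    return $item.$ValueName
}

function Test-FlowUpdateFrequencyPolicy {
    # Drift check: flag a value outside the documented set (for example a typo
    # in a GPO) instead of letting it go unnoticed.
    $current = Get-FlowUpdateFrequency
    if ($AllowedValues -notcontains $current) {
        Write-Warning "Unexpected $ValueName value '$current' at $PolicyKey; expected one of: $($AllowedValues -join ', ')"
        return $false
    }
    Write-Host "$ValueName = $current (Flow applies it after the app restarts)"
    return $true
}

# Usage (elevated): set a weekly update check, then verify it. Add -WhatIf to
# Set-FlowUpdateFrequency to preview the registry write without making it.
# Set-FlowUpdateFrequency -Frequency weekly
# Test-FlowUpdateFrequencyPolicy
```

Using the `HKLM\SOFTWARE\Policies` hive rather than a per-user key is what makes the setting an administrator-controlled policy: standard users cannot edit it, and Group Policy re-applies it on refresh if it is changed locally. Run the check function after deployment (or from your endpoint management tool) to confirm the value landed, and remember that, per the page, Flow only picks up the change after the app restarts.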


FAQs

How do I request a SOC 2 report?

Request access through the Wispr Trust Center under NDA.

What enterprise security controls are available?

Admins can configure the following directly:

  • ZDR enforcement

  • Local data policy (Managed individually / Auto-delete 24h / Never store)

  • Context awareness availability

  • SSO enforcement

  • SCIM provisioning

  • Auto-invite by domain

  • Disable team trial

  • Hide team leaderboard

  • IP allowlist (if visible)

The following are controlled by Wispr — contact support to change them:

  • ZDR Lock

  • Usage data export

  • IP allowlist visibility and lock

Can I undo a BAA signing?

No. Signing a BAA permanently locks Privacy Mode to ON and cannot be undone.

Is compliance available on Android?

Android supports the Privacy Mode toggle only. BAA signing and enterprise compliance settings are not available on Android.

What happens if I change local data storage?

Switching to Auto-delete or Never store deletes existing transcripts and polish history. A confirmation dialog appears before the change takes effect. Never store also prevents new records from being saved going forward.


Limitations and notes

  • BAA signing and enterprise compliance settings are available on Mac, Windows, and iOS only.

  • Android supports the Privacy Mode toggle only. Enterprise users on Android have Privacy Mode automatically enabled during setup, but it is not locked after onboarding.

  • Enterprise BAA signing requires a live Enterprise-tier subscription. Team and Pro plans cannot sign an enterprise BAA.

  • SOC 2 reports and penetration test summaries are available under NDA only.

  • Local data storage changes may be restricted by your organization's enterprise policy.

  • Privacy Mode is also locked ON when your organization enforces Zero Data Retention (ZDR), with a tooltip identifying the org-wide lock.

  • iOS Data & Privacy also includes an Auto-delete transcripts toggle and a Refresh notes from cloud action.

  • When SCIM provisioning is enabled, user management syncs with your identity provider. The Add New User button is hidden, and admin attempts to add or remove members return an error directing them to manage users in the IdP.

  • Enterprise admins can disable context awareness (screen text reading) organization-wide. When disabled, the setting is locked in users' Data & Privacy settings.