granola-security-basics

# Granola Security Basics

## Overview
Granola achieved SOC 2 Type 2 certification in July 2025. It encrypts data with AES-256 at rest and TLS 1.3 in transit. Audio is transcribed server-side and not stored after processing. This skill covers security configuration, compliance posture, and organizational controls.

## Prerequisites
- Granola Business or Enterprise plan (for admin/security controls)
- Understanding of your organization's compliance requirements
- Admin access for workspace-level settings

## Instructions

### Step 1 — Understand Granola's Data Architecture

```
Audio Capture (your device)
  │
  ├─→ Transmitted via TLS 1.3
  │
  ▼
Granola Cloud (transcription)
  │
  ├─→ Transcript generated (GPT-4o / Claude)
  ├─→ Audio DELETED after processing (not stored)
  │
  ▼
Encrypted Storage (AES-256 at rest)
  │
  ├─→ Meeting notes (your typed + AI enhanced)
  ├─→ Transcript text (stored, searchable)
  ├─→ Attendee metadata
  │
  ▼
Your Device (local cache: cache-v3.json)
```

**Key security properties:**
- No bot joins your meeting — audio is captured locally via system audio
- Raw audio is **never stored** after transcription
- Granola does **not** allow OpenAI or Anthropic to train on customer data
- Enterprise plan enforces org-wide AI training opt-out by default
- Local cache (`cache-v3.json`) contains meeting data on your device

### Step 2 — Configure Account Security

| Control | How to Enable | Plan Required |
|---------|--------------|---------------|
| Google/Microsoft SSO | Default (social login) | All |
| Enterprise SSO (Okta, Azure AD) | Settings > Security > SSO | Enterprise |
| SCIM provisioning | Settings > Security > SCIM | Enterprise |
| Session timeout | Settings > Security | Enterprise |
| IP allowlisting | Contact Granola support | Enterprise |

### Step 3 — Configure Data Controls

**Sharing defaults:**
```
Settings > Privacy:
  Default sharing: Private (recommended)
  Auto-share with attendees: Off (enable per-folder instead)
  External sharing: Disabled or Admin Approval Required
  Public links: Disabled
  Link expiration: 30 days (if external sharing enabled)
```

**Data retention:**
```
Settings > Data Retention:
  Meeting notes: Organization policy (1-2 years typical)
  Transcripts: 90 days (recommended for storage efficiency)
  Audio: Deleted after processing (Granola default, not configurable)
```

**AI training opt-out:**
```
Settings > Privacy > AI Training:
  Organization-wide opt-out: Enabled (Enterprise: enforced by default)
```
This ensures your meeting data is never used to train foundational models.

### Step 4 — Meeting Recording Consent

Granola records audio from your device. You are responsible for informing meeting participants:

**Legal requirements by jurisdiction:**
- **One-party consent** (US federal, most US states, UK): You can record if you are a participant
- **Two-party/all-party consent** (California, Illinois, EU GDPR): All participants must be informed
- **Always recommended:** Announce recording at meeting start or include notice in calendar invites

**Calendar invite consent notice:**
```
Note: This meeting will be recorded using Granola AI for note-taking
purposes. By joining, you consent to the recording and AI processing
of the discussion. Contact [your-email] to opt out.
```

### Step 5 — Compliance Posture

| Framework | Granola Status | Evidence |
|-----------|---------------|----------|
| SOC 2 Type 2 | Certified (July 2025) | Available on request |
| GDPR | Compliant | DPA available |
| CCPA | Compliant | Privacy policy updated |
| HIPAA | Not certified | Do not use for PHI without BAA |
| ISO 27001 | Not certified | Covered by SOC 2 controls |

**GDPR requirements you must implement:**
- Right of Access: Export user's data via Settings > Data > Export
- Right to Erasure: Delete user's notes and request account deletion
- Data Processing Agreement: Request DPA from Granola (required for EU data)
- Subject Access Requests: 30-day response deadline

### Step 6 — Sensitive Meeting Protocol

For confidential meetings (board discussions, HR, legal, M&A):

1. **Before:** Disable auto-recording for the meeting
2. **During:** Announce recording consent to all participants
3. **After:** Review and redact sensitive content before sharing
4. **Sharing:** Set link expiration, restrict to named recipients
5. **Retention:** Apply shorter retention (30 days) for sensitive workspaces

## Output
- Account secured with SSO and appropriate authentication
- Sharing defaults configured per organizational policy
- Data retention policies set per data type
- Compliance posture documented and gaps identified
- Sensitive meeting protocol established

## Error Handling

| Error | Cause | Fix |
|-------|-------|-----|
| SSO login fails | SAML/OIDC misconfigured | Verify Entity ID and ACS URL with IdP |
| Cannot disable external sharing | Individual override | Set workspace-level policy to override user settings |
| Data export fails | Insufficient permissions | Request export access from workspace admin |
| Consent notice ignored | Not in calendar template | Add to organization's default calendar template |

## Local Cache Security
The local cache file (`~/Library/Application Support/Granola/cache-v3.json`) contains meeting data in plaintext. For sensitive environments:
- Enable FileVault (macOS) or BitLocker (Windows) for disk encryption
- Restrict file permissions: `chmod 600 "$HOME/Library/Application Support/Granola/cache-v3.json"`
- Be aware that MCP servers and local scripts can read this file

## Resources
- [Granola Security Page](https://www.granola.ai/security)
- [Security Standards (Docs)](https://docs.granola.ai/help-center/consent-security-privacy/our-security-standards)
- [Privacy & Data FAQs](https://docs.granola.ai/help-center/consent-security-privacy/security-privacy-data-faqs)
- [Data Processing Addendum](https://help.granola.ai/article/data-processing-addendum)

## Next Steps
Proceed to `granola-prod-checklist` for production rollout preparation.