How Secure Are Your AI Note-Takers and Meeting Apps?

A Deep Dive

Sep 19, 2025

TL;DR:

The Reality Check: Most meeting platforms don't encrypt group conversations end-to-end. Only Zoom does. Your strategy sessions are flowing through corporate servers in plain text.

The Vulnerability Gap: Microsoft Teams had 1,360 reported vulnerabilities in 2024 vs. Zoom's proactive $10M bug bounty program finding issues before bad actors do.

AI Training Wild West: Some platforms (Fireflies, Rev.ai, Zoom) never touch your data. Others (Otter.ai facing class-action lawsuit) train on "de-identified" conversations. Many unclear.

Zoom's Technical Edge: Federated AI approach achieves enterprise-grade results at 6% traditional costs by intelligently routing between OpenAI, Anthropic, Meta models. Includes AI free vs. competitors' $30/month.

Recent Incidents: Webex data breach, Microsoft nation-state compromise, Granola API exposure. Even mature platforms face ongoing security challenges.

Bottom Line: Pick tools based on security requirements, not just features. Encryption capabilities, AI training policies, and proactive vs. reactive security management should drive decisions.

Personal Use: Granola for impromptu/non-web meetings (no bots, local processing). Fireflies.ai when you need API access for workflow integration.

The Answer: Most people have no idea what's happening behind the scenes with their meeting tools. The convenience comes with real trade-offs you should understand.

David Goodman asked me a question that stuck with me: "Do you actually know what's happening with all these meeting bots and transcription tools?"

I don’t. He's right. We use them constantly. They probably outnumber us in most meetings now—Fireflies joining from the left, Otter.ai from the right, that mysterious "Notebook" participant that nobody remembers inviting. Recording everything. Processing everything. Storing everything.

But what's actually happening behind the scenes?

Thanks to David's prodding, I spent three weeks diving into the security posture of every major meeting platform and AI transcription service. What I found ranges from impressive to concerning, with most platforms landing somewhere in the messy middle.

Key Takeaway: The Security Reality Check

The impressive: Zoom leads with end-to-end encryption for up to 1,000 participants and a $10 million bug bounty program. Fireflies.ai never uses your data for training and offers bring-your-own-storage.

The concerning: Microsoft Teams had 1,360 reported vulnerabilities in 2024. Otter.ai faces a class-action lawsuit for recording without consent and trains models on "de-identified" customer data.

The reality: Only Zoom offers group meeting encryption. Everyone else? Your conversations flow through their servers in plain text. Google Meet—no group encryption. Teams—one-on-one calls only.

Pick your tools carefully. The convenience comes with real trade-offs.

The Encryption Reality Gap

Here's what caught me off guard: Most platforms don't encrypt your group meetings end-to-end.

I assumed this was table stakes in 2025. Wrong.

Zoom: E2EE for up to 1,000 participants
Webex: Optional E2EE (if you know where to find it)
Microsoft Teams: One-on-one only
Google Meet: No group E2EE at all

Think about this. Your product strategy session, client calls, board meetings—they're all flowing through corporate servers where employees can theoretically access them.

Most platforms promise they don't look. But the technical capability exists.

Only Krisp processes audio locally among AI tools. Everything else? Cloud processing with varying security standards.

The AI Training Data Problem

The AI transcription space gets messy when it comes to data usage. Fast.

Never touch your data:

Fireflies.ai: Explicit zero data retention with AI providers
Rev.ai: Uses 72,000+ human transcribers with NDAs
Zoom: Customer content never used for training

Gets complicated:

Otter.ai: Uses "de-identified" data for model training (facing litigation over this)
Gong: Trains on aggregate sales conversations (potential competitive intelligence issues)

Unclear or concerning:

Many smaller platforms: Vague privacy policies
Some tools: Data retention unclear or excessive

The class-action lawsuit against Otter.ai centers on their bot joining meetings without explicit consent from all participants. If you have an Otter account and invite their bot, other meeting participants didn't consent to being recorded.

Legal experts see this spreading to other platforms.

Microsoft's Vulnerability Mountain

Microsoft Teams commands 53% market share. But struggles with security management.

1,360 reported vulnerabilities in 2024. That's not a typo.

The recent ones hurt:

CVE-2025-53783: Remote code execution
Midnight Blizzard compromise: Nation-state actors accessed Microsoft's own corporate network

Compare that to Zoom's bug bounty program. 90% improvement in time-to-resolution from February 2024 to January 2025. They're paying researchers over $10 million since 2019 to find problems before bad actors do.

Different approaches to security. Microsoft patches reactively. Zoom pays for proactive discovery.

Zoom's Federated AI Architecture (Let's Get Technical)

Zoom's AI approach surprised me. Instead of betting on one model, they built what they call a "federated approach." Dynamically combining proprietary models with third-party providers.

According to Zoom's internal benchmarking, their federated approach achieves quality matching single high-end models while reducing infrastructure costs by up to 94%.

Their Z-Scorer system processes 7 petabytes daily and routes tasks based on requirements:

OpenAI's GPT-4 for complex reasoning
Anthropic's Claude for advanced analysis
Meta's Llama for routine summaries
Perplexity for web search
ElevenLabs for voice synthesis

Three deployment options address different security needs:

Standard: Full federation for maximum capability
Zoom-hosted Models Only: Data sovereignty for regulated industries
ZM+: Adds Anthropic via Bedrock for enhanced features

This matters because competitors charge $30/month for AI features. Zoom includes theirs free with paid plans.

57% of Fortune 500 companies use AI Companion. In Zoom's own comparative testing, they report 36% fewer transcription errors than Microsoft Copilot with 15% fewer summary errors—though these metrics come from Zoom's internal evaluation, not independent benchmarking.

**Key Insight:** Compliance isn't binary—different platforms excel in different regulatory frameworks

The Enterprise Compliance Divide

Government and healthcare requirements reveal which platforms take security seriously.

FedRAMP Moderate authorization (the gold standard for federal use):

Zoom: Achieved 2024 for AI Companion
Webex: Covers meetings, messaging, calling, contact center
Teams: Working on it
Everyone else: Not even trying

Healthcare compliance (HIPAA with Business Associate Agreements):

Most major platforms: Available
Fireflies.ai: Full SOC 2 Type II across all five trust principles
Otter.ai: HIPAA compliant as of July 2024 (despite the lawsuit)

Financial services (PCI-DSS compliance):

Gong: Full compliance with automatic payment data redaction
RingCentral: Comprehensive coverage with data residency controls

Recent Security Incidents That Should Worry You

May 2024: Webex Frankfurt data center breach. Unauthorized access to meeting metadata.

June 2024: Microsoft Midnight Blizzard. Nation-state actors compromised Microsoft's corporate network.

May 2025: Granola API key exposure. Critical vulnerability affected 333 beta users. Small scale, but shows how quickly things can go wrong.

Late 2024: Google Meet social engineering attacks through fake meeting pages.

The pattern? Even mature platforms face ongoing security challenges.

The question isn't whether your platform will have vulnerabilities—it's how quickly they find and fix them.

What This Means for Your Organization

Healthcare and Legal: Security First

Meetings: Zoom Enterprise with E2EE and FedRAMP
Transcription: Fireflies.ai Enterprise with private storage or Rev.ai human transcription
Why: Maximum compliance with data sovereignty options

Financial Services: Compliance Matters

Meetings: RingCentral or Zoom with advanced encryption
Transcription: Gong for PCI-DSS or Rev.ai for privilege protection
Key feature: Automatic PII/PCI redaction

General Enterprise: Balance Cost and Features

Meetings: Zoom with free AI Companion or Teams for Microsoft environments
Transcription: Fathom for accuracy or Fireflies.ai for security
Consider: Total cost including AI capabilities

Privacy-Conscious: Maximum Control

Meetings: Zoom with Zero Data Retention
Transcription: Krisp (local processing) or Fireflies.ai with bring-your-own-storage
Avoid: Any platform training on customer data

Startups: Practical Choices

Meetings: Google Meet or Teams (bundled with productivity suites)
Transcription: Supernormal or Otter.ai (despite privacy concerns)
Trade-off: Functionality and cost over maximum security

Where We Stand Now

We've gradually shifted into a world where AI assistants attend more meetings than humans. They're processing our most sensitive conversations, learning from our strategies, storing our competitive insights.

Based on architecture and public disclosures, some platforms appear to take trust more seriously. Zoom's technical leadership, Fireflies.ai's privacy commitments, Rev.ai's human-first approach show deliberate security choices. Others... less so.

The convenience is real. But so are the risks.

Three takeaways:

First: Encryption isn't universal. Only Zoom encrypts group meetings end-to-end. Everyone else can technically access your content.

Second: AI training varies wildly. Some platforms never touch your data. Others use it to improve their models. Read the fine print.

Third: Security incidents happen. Pick platforms that find problems proactively (bug bounties) rather than reactively (after breaches).

Thanks to David Goodman for pushing me down this rabbit hole. Short answer? Most folks have no idea what's happening behind the scenes with their meeting tools.

Now you do.