Where is In Parallel data stored?

EU by default. Helsinki-hosted infrastructure. US data residency available per workspace on request.

Does In Parallel train AI models on my data?

No. Your meetings, decisions, plans, and commitments are used to provide the service and are never used to train models. This is a contractual commitment, audited.

How does AI access work?

AI access is permissioned: an AI sees what its user can see, nothing more. Every read by an AI is logged in a full audit trail.

What about SSO and SCIM?

Okta, Azure AD, Google Workspace SSO are supported. SCIM provisioning is available. SSO/SAML is enforced at Enterprise.

Security

The trust review, decided in advance.

We don’t leave the security review until the last meeting of the deal. The trust layer is wrapped around the whole product — built so your security team can say yes the first time, and your CISO doesn’t kill it in the last meeting. Seven commitments, in plain language.

EU-hosted
No model training
ISO 42001certified
SOC 2in flight
SSO + SCIM
Full audit log

Seven commitments

What we promise. Not what we hope.

EU data residency by default

Helsinki-hosted infrastructure. Your data never leaves European borders unless you ask it to. US residency available on request.

No model training on your data

Ever. Contractually. Audited. Your meetings, decisions, and plans are used to provide the service — and nothing else.

Permissioned by design

A project’s context is visible to a project’s people. AIs see what their user can see — permissions are a property of context, not a feature of chat.

Full audit log

Every read, every write, every tool call by an AI — logged, exportable, reviewable. Your trust review knows what your AI accessed.

SSO, SCIM, MFA

Okta, Azure AD, Google Workspace. SCIM provisioning. SSO/SAML enforced at Enterprise. MFA available on every tier.

Sub-processors, listed

A clear, current list of every third party that touches your data, and what they do with it. Updated when it changes — not when you ask.

Incident response, in writing

Notification SLAs, escalation paths, and the post-incident report you’ll get. Decided in advance, not in the hour.

Data flow

Where your meeting data lives, end to end.

Four stages, all inside the EU by default. Encrypted at rest and in transit. Retention windows you control.

01

Join

Notes joins the call as a participant. The host sees it in the participant list. The host can remove it at any time.

Your meeting platform · Zoom / Teams / Meet
02

Capture

Audio is transcribed in real time. Nine signal types extracted. Stored encrypted at rest (AES-256) and in transit (TLS 1.3).

EU servers · Helsinki, Finland
03

Surface

Decisions, actions, and signals routed to the relevant Living Plan. Permissioned to your workspace policy. Visible to the people who should see them.

Your workspace · permission-scoped
04

Retain

You set retention windows per workspace (default: 12 months for transcripts, indefinite for decisions). Deletion is a hard delete — not a soft-flag.

Configurable · 30 days to forever

AI access model

The most-asked question, answered first.

AI agents acting on In Parallel context are bound by the same permissions as the user they represent. Four rules, enforced at the storage layer.

An AI sees what its user can see.

Permissions are a property of the context, not a feature of the chat surface. If a user cannot read a meeting, an AI acting on their behalf cannot read it either.

Every AI read is logged.

Every read, every tool call, every search — captured in an audit log scoped to the user, the AI agent, the resource, and the timestamp. Exportable as JSON or CSV for your trust review.

No cross-workspace bleed.

An AI authenticated to one workspace cannot reach data in another workspace, even if the same user is in both. Workspace isolation is enforced at the storage layer, not the prompt.

Prompt injection is treated as input, not instruction.

Content extracted from a meeting cannot escalate the AI agent’s permissions. The agent operates on a fixed grant from its user, regardless of what a transcript contains.

Incident response

Targets, written down before they’re needed.

Detection, notification, containment, and the post-incident report you’ll receive. The full incident response policy is on the trust portal.

Detection

< 15 min

24/7 monitoring on availability, integrity, and access anomalies.
Initial notification

< 4 hours

Direct email to your nominated security contact. No PR-managed silence.
Containment

< 24 hours

Targeted access revocation, key rotation, or service pause as scoped.
Post-incident report

< 5 business days

Root cause, scope of impact, remediation, prevention. PDF.

Want a sample post-incident report? Ask — we’ll send one redacted to a previous (resolved) event.

Certifications & standards

Audited, attested, current.

SOC 2 Type II

In flight. Letter of attestation available on request.

ISO 27001

Information security management. Certified.

ISO 42001

AI management system. Certified.

GDPR-ready

DPA out of the box. DPIA documentation on request.

Sub-processors

The third parties that touch your data.

A representative selection. Updated when it changes, not when you ask. The full, current list lives on the trust portal.

Cloudflare

CDN, DDoS protection, bot management

EU edge
Hosting provider

Compute and storage (Helsinki region)

EU only
Transcription / LLM provider

Speech-to-text and signal extraction

EU enclaves where available
Email delivery

Transactional email (DPA in place)

EU
Observability

Logs and metrics for service uptime

EU

See the full sub-processor list on the trust portal

Talk to security.

We’ll send the SOC 2 letter, the DPA, the sub-processor list, and walk your team through any concern they have.

Trust portal Talk to us