Materials for Your Compliance Review
This page provides materials for navigating the institutional approval process for Meeting Notes Pro. The compliance package includes documentation written for compliance officer review: data handling architecture, regulatory mapping, and direct answers to common questions.
PDF format, designed for compliance officer review
Key Points for Review
For compliance officers or advisors preparing materials, here are the essential points:
- Local PII Removal: Client-identifying information is removed on the advisor's device before any data is transmitted
- No Data at Rest: AWS Bedrock processes de-identified content with zero data retention
- Canadian Infrastructure: Data at rest uses AWS ca-central-1 (Montreal)
- Advisor Control: Advisors review exactly what will be transmitted before it leaves their device
- Third-Party Validation: A CIRO compliance auditor reviewed the process during an actual audit and found it "fantastic"
The compliance package expands on each of these points with technical documentation suitable for institutional review.
What's in the Compliance Package
The compliance package includes documentation mapped to what institutional review typically requires.
| Document | Addresses |
|---|---|
| Data Handling Guide | Complete data flow architecture; where data goes and doesn’t go; PII removal process; AWS infrastructure details |
| Regulatory Alignment Summary | PIPEDA principles alignment; CIRO documentation requirements; Quebec Law 25 considerations |
| Security Architecture Overview | Six-step process diagram; control points; what crosses borders (and what doesn’t) |
| FAQ for Compliance Officers | Direct answers to common institutional questions; evidence-based responses |
| AWS Infrastructure Documentation | Properly attributed certifications (ISO 27001, SOC 2, CCCS assessment); regional configuration |
Each document is written for compliance review. The language is precise, the claims are verifiable, and the limitations are disclosed.
All documents in PDF format
How Data is Handled
The core architectural feature: client-identifying information is removed on the advisor's device before any data is transmitted.
1. Recording Input: Recording captured on your device
2. Local PII Removal: PII stripped from transcript locally
3. Advisor Review (Control Point): You review and approve what is sent
4. AWS Processing: De-identified content processed by AI
5. Local PII Replacement: Client details reinserted on your device
6. Complete Output: Complete notes on your device only
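A minimal sketch of steps 2, 3 and 5 above, added here as an illustration and not Meeting Notes Pro's own code. It assumes PII is located with a hypothetical on-device client roster plus two regex patterns; every function name, the roster and the sample transcript are constructed.

```python
import re

# Constructed sample data; the roster and patterns are assumptions for illustration.
KNOWN_CLIENTS = ["Marie Tremblay", "Tremblay Holdings Inc."]
SAMPLE = "Marie Tremblay called from 514-555-0199 about Tremblay Holdings Inc. Marie wants it by Friday."
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "PHONE": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
}

def deidentify(text, clients=KNOWN_CLIENTS):
    """Step 2: replace PII with placeholders; the mapping stays on the device."""
    mapping = {}

    def token(kind, value):
        for tok, val in mapping.items():
            if val == value:
                return tok  # same value always gets the same placeholder
        n = 1 + sum(1 for t in mapping if t.startswith(f"[{kind}_"))
        mapping[f"[{kind}_{n}]"] = value
        return f"[{kind}_{n}]"

    for name in sorted(clients, key=len, reverse=True):  # longest match first
        text = re.sub(re.escape(name), lambda m, v=name: token("CLIENT", v), text, flags=re.I)
    for kind, pat in PATTERNS.items():
        text = pat.sub(lambda m, k=kind: token(k, m.group()), text)
    return text, mapping

def residual_pii(redacted, clients=KNOWN_CLIENTS):
    """Step 3 aid: flag patterns or name fragments that survived redaction."""
    hits = [kind for kind, pat in PATTERNS.items() if pat.search(redacted)]
    parts = {w.strip(".,") for c in clients for w in c.split()}
    hits += [w for w in sorted(parts) if len(w) > 3
             and re.search(rf"\b{re.escape(w)}\b", redacted, re.I)]
    return hits

def prepare_for_upload(transcript, approve):
    """Steps 2-3: no payload is released unless the checks and the advisor pass."""
    redacted, mapping = deidentify(transcript)
    leaks = residual_pii(redacted)
    payload = redacted if not leaks and approve(redacted) else None
    return payload, mapping, leaks

def reidentify(text, mapping):
    """Step 5: restore client details locally from the on-device mapping."""
    for tok, val in mapping.items():
        text = text.replace(tok, val)
    return text
```

In `SAMPLE`, the first-name-only mention "Marie" survives the roster match, so `prepare_for_upload` withholds the payload and reports the leak for the advisor to resolve before anything is sent.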
For the complete technical architecture, see the Security page.
What Crosses Borders
Meeting Notes Pro connects to AWS Bedrock in Montreal. The API endpoint is Canadian. However, I chose Claude Opus for its superior output quality, and that model's processing may be routed through US regions. What crosses those borders contains no personally identifiable information. The original recording never leaves the device. Complete meeting notes with client information never leave the device.
What I Cannot Claim
I cannot claim AI processing happens entirely in Canada. The infrastructure layer is Canadian (AWS Bedrock, Montreal region), but the AI model I selected for output quality may process in US regions. A less capable model could run entirely in Canada, but the notes would not be as good. What I can claim: what crosses borders contains no PII.
Canadian Regulatory Context
Meeting Notes Pro is designed with Canadian financial services regulations in mind. The compliance package provides detailed regulatory mapping; below is a summary of how the architecture relates to each framework.
PIPEDA
PII stays under advisor control through local removal and advisor review before transmission. The compliance package includes a detailed PIPEDA principles alignment document.
CIRO
Complete, consistent meeting notes support documentation requirements for client interactions. The process has been reviewed during an actual CIRO compliance audit.
Quebec Law 25
The architecture aligns with Law 25's enhanced privacy requirements through data minimisation (only de-identified content leaves the device), explicit consent (advisor controls what is transmitted), and local PII control. Since PII never leaves the device, cloud infrastructure incidents would not trigger Law 25 breach notification obligations for client data.
Infrastructure Credentials
Meeting Notes Pro is built on AWS infrastructure. AWS maintains ISO 27001, SOC 2, and CCCS assessments for their services. These are AWS certifications; Meeting Notes Pro builds on their infrastructure.
For the complete regulatory treatment, see the Security page.
Questions Compliance Officers Ask
These are questions compliance officers commonly ask during institutional review.
“Where does client data go?”
Client-identifying information is removed on the advisor's device before any data is transmitted. The original recording stays on the device. Complete meeting notes stay on the device. Only de-identified content travels externally for processing.
“What about cross-border data transfers?”
De-identified content may cross borders for AI processing. This content contains no personally identifiable information. PII is removed before transmission and reinserted locally after processing.
“How does this align with PIPEDA?”
PIPEDA requires appropriate safeguards for personal information. The architecture keeps personally identifiable information under advisor control through local PII removal and advisor review before transmission.
“What certifications does Meeting Notes Pro have?”
Meeting Notes Pro is built on AWS infrastructure. AWS maintains ISO 27001, SOC 2, and CCCS assessments. These are AWS certifications; Meeting Notes Pro builds on their certified infrastructure.
“Has this passed regulatory review?”
One early user went through a CIRO compliance audit while using Meeting Notes Pro. The auditor reviewed the documentation process and the security architecture and found it satisfactory.
“What happens in a data breach?”
Because client-identifying information stays on the advisor's device, a breach of cloud infrastructure would not expose PII. The de-identified content processed externally cannot be reconnected to specific clients.
“Is any data stored outside Canada?”
No. The cloud processing (AWS Bedrock) is inference-only with zero data retention. Any data at rest uses AWS ca-central-1 (Montreal). What crosses borders for AI processing contains no personally identifiable information and is not stored.
Next Steps
Request the Compliance Package
The compliance package is available by request. After contacting me, you'll receive the materials directly. There are no sales sequences or unsolicited follow-up calls.
Request Compliance Package
PDF format, suitable for compliance review
Try It Directly
If your firm doesn't require formal compliance approval, you can try Meeting Notes Pro directly. No cost, no commitment.
For additional technical details, see the Security page.