How Meeting Notes Pro Handles Your Data
This page shows you exactly what happens to your data when you use Meeting Notes Pro. The architecture, the claims I can make, and the claims I cannot.
The Six-Step Process
Client-identifying information is removed on your device before any data is transmitted. This is the core of how Meeting Notes Pro works.
The diagram below shows what happens at each step. The left side represents your device. The right side represents AWS infrastructure. The data flow moves through six stages, with a critical control point at Step 3 where you review exactly what will be sent.
Your Device
1. Recording Input
Your meeting recording enters the system on your device. At this point, it contains all client information exactly as spoken.
2. Local PII Removal
The desktop application identifies and removes personally identifiable information. Client names, account numbers, phone numbers, addresses, and other identifying details are stripped from the transcript. This happens entirely on your machine.
3. Advisor Review (Control Point)
Before anything leaves your device, you see exactly what will be transmitted. The de-identified content appears on screen. If something looks wrong, you can adjust it. Nothing proceeds without your approval.
AWS Infrastructure
4. AWS Processing
Only de-identified content travels to AWS Bedrock in the Montreal region (ca-central-1). The AI processes this content to generate your meeting notes. This is inference-only processing with zero data at rest. The de-identified content is processed and immediately discarded.
Back on Your Device
5. Local PII Replacement
The AI-generated output returns to your device. Your desktop application reinserts the client information that was removed in Step 2, matching names and details back to their original positions.
6. Complete Output
Your finished meeting notes, complete with all client information, exist only on your device. The original recording never left. The complete output never left. What travelled externally contained no personally identifiable information.
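An added sketch of the de-identify, review and re-identify round trip described in Steps 2, 3 and 5; it is not Meeting Notes Pro's own code. The regex patterns, the known-names list, the `[KIND_n]` placeholder format and the function names are all assumptions, since the page does not say how the application detects PII.

```python
import re

# Constructed patterns for illustration; real detection needs far wider coverage.
PATTERNS = {
    "PHONE": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "ACCOUNT": re.compile(r"\b\d{8,12}\b"),
}
TOKEN = re.compile(r"\[(?:NAME|PHONE|ACCOUNT)_\d+\]")

def deidentify(text, known_names):
    """Step 2: swap PII for placeholders. The mapping never leaves the device."""
    mapping, seen = {}, {}

    def swap(kind, value):
        if value not in seen:  # same value -> same placeholder
            n = sum(t.startswith(f"[{kind}_") for t in mapping) + 1
            seen[value] = f"[{kind}_{n}]"
            mapping[seen[value]] = value
        return seen[value]

    for name in sorted(known_names, key=len, reverse=True):  # longest first
        text = re.sub(rf"\b{re.escape(name)}\b", lambda m: swap("NAME", m.group(0)), text)
    for kind, pattern in PATTERNS.items():
        text = pattern.sub(lambda m, k=kind: swap(k, m.group(0)), text)
    return text, mapping

def release(payload, mapping, approved):
    """Step 3: only an approved payload with no residual PII may be sent."""
    residual = [v for v in mapping.values() if v.lower() in payload.lower()]
    if residual:  # report a count only, never the values themselves
        raise ValueError(f"{len(residual)} removed value(s) still in payload")
    if not approved:
        raise PermissionError("advisor has not approved transmission")
    return payload

def reidentify(output, mapping):
    """Step 5: restore values; report placeholders the mapping cannot resolve."""
    unknown = []

    def restore(m):
        if m.group(0) not in mapping:
            unknown.append(m.group(0))
        return mapping.get(m.group(0), m.group(0))

    return TOKEN.sub(restore, output), unknown

# Constructed sample transcript, not real client data.
SAMPLE = "Spoke with Jane Okafor about account 40018822. Call Jane Okafor at 514-555-0142."
```

The residual check in `release` catches values the detector already knows but missed in another spelling or case. PII the detector never recognised still depends on the human review in Step 3.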
What I Can and Cannot Claim
Evaluating security claims requires knowing what's accurate and what isn't. Most vendors only tell you what they can do. Below is both: what I can claim with confidence, and what would be inaccurate to claim.
What I Can Claim
- PII is removed locally on your device before any data is transmitted: Step 2 happens entirely on your machine.
- You review exactly what will be sent before it leaves your device: Step 3 gives you visibility and control.
- Original recordings never leave your device: Raw audio stays local throughout the process.
- No client data is stored on external servers: Step 4 is inference-only with zero data at rest.
- Data at rest remains in Canada (AWS ca-central-1): Any stored data uses the Montreal region.
- What crosses borders for AI processing contains no personally identifiable information: PII is removed before transmission.
What I Cannot Claim
- AI processing happens entirely in Canada: I use AWS Bedrock in Montreal as the infrastructure layer. The API endpoint is Canadian. However, I chose Claude Opus for its superior output quality, and that model’s processing may be routed through US regions. A less capable model could run entirely in Canada, but the notes wouldn’t be as good.
- Your data never leaves Canadian borders: De-identified content may cross borders during the AI processing step. What crosses those borders contains no personally identifiable information.
- SOC 2 certified or ISO 27001 certified: These certifications belong to AWS infrastructure, not to Meeting Notes Pro.
The distinction matters. The infrastructure endpoint is Canadian. The cross-border element is limited to the AI processing step, and it exists because I chose the model that produces the best notes for your practice. What sounds concerning (cross-border data flow) and what is actually concerning (client PII leaving your control) are different things. Your clients' identifying information never leaves your device.
Canadian Regulatory Awareness
Meeting Notes Pro is designed with Canadian financial services regulations in mind.
PIPEDA
The architecture aligns with PIPEDA principles by keeping personally identifiable information under your control. PII removal happens locally, and you approve what leaves your device before it goes.
CIRO
Documentation requirements for client interactions are supported through complete, consistent meeting notes. The process has been reviewed during an actual CIRO compliance audit (see Validation section below).
Quebec Law 25
For advisors operating in Quebec, the architecture aligns with Law 25's enhanced privacy requirements:
- Data minimisation: Only de-identified content leaves the device; original recordings and complete notes remain local
- Explicit consent: Advisors control exactly what is transmitted through the Step 3 review process
- Local control: PII removal happens on the advisor's device, not on external servers
- Breach notification scope: Since PII never leaves the device, cloud infrastructure incidents would not trigger Law 25 breach notification obligations for client data
Quebec Law 25 has broader reach than any US state omnibus privacy law. The local PII removal architecture was designed with these requirements in mind.
Infrastructure
Meeting Notes Pro is built on AWS infrastructure. AWS maintains ISO 27001, SOC 2, and CCCS (Canadian Centre for Cyber Security) assessments for their services. These are AWS certifications; Meeting Notes Pro builds on their infrastructure.
For detailed documentation requirements and compliance procedures, the CIRO Compliance Documentation Guide provides comprehensive coverage.
Third-Party Validation
One of our early users went through a CIRO compliance audit while using Meeting Notes Pro. The auditor reviewed the documentation process and the security architecture.
“This is fantastic. This is a great process.”
This wasn't a theoretical review. It was an actual regulatory audit of an advisor's practice, including their use of Meeting Notes Pro for client meeting documentation.
Documentation for Your Review
If you need materials for your compliance officer or for your own reference, the Data Handling Guide provides detailed documentation of the security architecture.
The guide covers:
- Complete data flow with technical specifications
- Privacy and security controls
- Regulatory alignment documentation
- Infrastructure details and certifications (properly attributed)
I'll email the guide to you directly.
For materials specifically designed for compliance officers and institutional review, see For Compliance Officers.
Ready to Try It?
If you've reviewed the security architecture and feel confident in the approach, Meeting Notes Pro is open to Canadian financial advisors. No cost, no commitment, and no time limit.
If you're not ready to try it but want to continue evaluating, the Data Handling Guide above provides documentation you can review on your own timeline. There's no pressure to decide now.