Mavio maintains rigorous compliance with industry standards and regulations to give you confidence that your meeting data is handled responsibly.

Compliance certifications

SOC 2 Type II

Independently audited controls for security, availability, processing integrity, confidentiality, and privacy.

GDPR

Full compliance with the EU General Data Protection Regulation for all EU user data.

HIPAA

HIPAA-eligible plans with Business Associate Agreements for healthcare organizations.

CCPA

California Consumer Privacy Act compliance for California residents.

SOC 2 Type II

Mavio has completed a SOC 2 Type II audit conducted by an independent auditing firm. The audit verifies that Mavio’s controls are not only designed properly (Type I) but have been operating effectively over a sustained period (Type II).

What SOC 2 covers

Trust services criterion: what Mavio demonstrates
  • Security: unauthorized access to systems and data is prevented
  • Availability: services are available per SLA commitments
  • Processing integrity: data processing is complete, valid, and accurate
  • Confidentiality: confidential information is protected
  • Privacy: personal information is collected, used, and retained per policy

Requesting the SOC 2 report

Enterprise and Team plan customers can request the full SOC 2 Type II report:
  1. Contact security@mavioapp.com.
  2. Sign an NDA (standard mutual NDA provided).
  3. Receive the report within 1 business day.

GDPR

Mavio is fully compliant with the General Data Protection Regulation (GDPR) for all users in the European Economic Area (EEA), United Kingdom, and Switzerland.

Your rights under GDPR

Right: how to exercise it
  • Access: export all your data from Settings > Data > Export all data
  • Rectification: edit your profile and transcript data directly in the app
  • Erasure: delete individual recordings or your entire account
  • Portability: export data in standard formats (JSON, PDF, TXT)
  • Restriction: contact support to restrict processing of specific data
  • Objection: opt out of non-essential processing in Settings

Data Processing Agreement

A Data Processing Agreement (DPA) is available for organizations that require one:
  1. Download the standard DPA from mavioapp.com/legal/dpa.
  2. Sign it and return it to legal@mavioapp.com.
Enterprise customers can instead request a custom DPA from legal@mavioapp.com.

Data residency

By default, data is stored in the United States. Enterprise customers can choose data residency in:
  • United States (US-East, US-West)
  • European Union (EU-West, Frankfurt)
  • Asia-Pacific (Singapore, Sydney)
Data residency selection determines where your audio, transcripts, and metadata are stored and processed. Once set, data does not leave the selected region.

HIPAA

Mavio offers HIPAA-eligible plans for healthcare organizations and any entity handling Protected Health Information (PHI).

HIPAA features

  • Business Associate Agreement (BAA) — required for HIPAA compliance, available on Enterprise plans
  • PHI handling — audio, transcripts, and summaries containing PHI are encrypted and access-controlled
  • Audit logs — all access to PHI is logged and auditable
  • Privacy mode — process PHI entirely on-device for maximum protection
  • Minimum necessary access — role-based access ensures only authorized users see recordings

Getting HIPAA compliance

  1. Contact sales@mavioapp.com to discuss your requirements.
  2. Sign a Business Associate Agreement.
  3. Enable HIPAA mode on your workspace — this enforces additional security controls (mandatory 2FA, session timeouts, audit logging).
HIPAA compliance requires an Enterprise plan with a signed BAA. Using Mavio with PHI without a BAA is not compliant, regardless of security settings.

CCPA

For California residents, Mavio complies with the California Consumer Privacy Act:
  • Right to know — see what data we collect about you
  • Right to delete — request deletion of your personal information
  • Right to opt out — opt out of the sale of personal information (Mavio does not sell personal information)
  • Non-discrimination — exercising your rights does not affect your service or pricing
Submit CCPA requests through Settings > Data or by emailing privacy@mavioapp.com.

Additional security measures

Beyond certifications, Mavio implements:
  • Regular penetration testing by third-party firms
  • Automated vulnerability scanning in CI/CD
  • Annual security awareness training for all employees
  • Incident response procedures with defined SLAs
  • Vendor security assessments for all third-party services

Compliance documentation

Document: availability
  • SOC 2 Type II report: on request (NDA required)
  • Data Processing Agreement: download from mavioapp.com/legal/dpa
  • Privacy Policy: publicly available
  • Terms of Service: publicly available
  • Security whitepaper: on request
  • HIPAA BAA: Enterprise plan (contact sales)
  • Penetration test summary: on request (NDA required)

Compliance details

SOC 2 Type II

A SOC 2 report is an auditor's attestation rather than a certification, and the Type II report is the more rigorous of the two report types because it tests whether controls operated over a period, not only whether they were designed correctly at a point in time. Key details:
  • Audit period: The Type II audit covers a continuous period (typically 6-12 months) during which controls are evaluated for operating effectiveness, not just design.
  • Trust services criteria covered: Security, Availability, Processing Integrity, Confidentiality, and Privacy, all five trust services criteria.
  • Auditor: The examination is performed by an independent CPA firm under AICPA attestation standards.
  • Scope: All production systems, infrastructure, personnel processes, and vendor management practices that handle customer data.
  • Annual audit: The examination is repeated every year so that the report stays current.
The SOC 2 report is available to Team and Enterprise plan customers under NDA; request it from security@mavioapp.com.
If your security team needs to evaluate the platform, the SOC 2 Type II report is the most comprehensive document available. When reviewing it, check the period it covers, read any exceptions the auditor noted against the tested controls, and, if the period ended some months ago, ask whether a bridge letter covering the gap since the report date is available.

GDPR

Specific measures implemented for GDPR compliance:
  • Lawful basis for processing: processing is based on contractual necessity (providing the service you signed up for) and legitimate interest. Consent is obtained where required (e.g., marketing communications).
  • Data minimization: only data necessary for service delivery is collected. Audio recordings can be deleted at any time by the user.
  • Right to erasure (right to be forgotten): deleting your account permanently removes all personal data, audio recordings, transcripts, and metadata within 30 days.
  • Data portability: export all your data in standard formats (JSON, PDF, TXT) from Settings > Data > Export all data.
  • Sub-processors: the list of sub-processors (third-party services that handle your data) is published and kept current at mavioapp.com/legal/sub-processors, and you are notified of changes.
  • Data Protection Officer: reachable at dpo@mavioapp.com for any GDPR-related inquiries.
  • Data residency: Enterprise customers can choose to store all data in the Frankfurt (EU) region, which keeps audio, transcripts, and metadata inside the European Economic Area.

HIPAA

HIPAA compliance requires specific steps beyond enabling a feature toggle:
  1. Enterprise plan: HIPAA compliance is available exclusively on Enterprise plans.
  2. Business Associate Agreement (BAA): a signed BAA is mandatory. Contact sales@mavioapp.com to initiate the process.
  3. HIPAA workspace mode: once the BAA is signed, HIPAA mode is enabled on your workspace. This enforces:
    • Mandatory two-factor authentication for all team members
    • Automatic session timeout after 15 minutes of inactivity
    • Comprehensive audit logging of all data access
    • Encryption at rest and in transit (always active, but verified under HIPAA mode)
    • Restricted sharing: recordings containing PHI cannot be shared via public links
  4. Staff training: your organization is responsible for training users on HIPAA-compliant use of the platform.
HIPAA mode enforces controls inside the Mavio workspace only; your own devices, policies, and workforce training remain your responsibility. Using the platform with Protected Health Information without a signed BAA is not HIPAA-compliant, regardless of which security settings you enable.

CCPA

For California residents, the following CCPA rights are supported:
  • Right to know: request a detailed report of what personal information is collected, the categories of sources, and the business purpose. Submit a request via Settings > Data or by emailing privacy@mavioapp.com.
  • Right to delete: request deletion of all personal information. You can delete individual recordings in the app or request full account deletion. Requests are completed within the 45-day response window the CCPA requires.
  • Right to opt out of sale: the platform does not sell personal information to third parties, so no action is needed.
  • Right to non-discrimination: exercising any CCPA right does not result in different pricing, service quality, or access levels.
  • Authorized agents: you can designate an authorized agent to submit CCPA requests on your behalf, subject to appropriate verification.
  • Verification: identity verification is required for all CCPA requests, so that a request cannot be used to obtain or delete another person's data.

Data Processing Agreement

A DPA formalizes the relationship between your organization (data controller) and the platform (data processor).

Standard DPA:
  • Available for download at mavioapp.com/legal/dpa.
  • Covers GDPR Article 28 requirements including sub-processor lists, data breach notification obligations, and data handling procedures.
  • Sign and return to legal@mavioapp.com. Countersigned copies are returned within 3 business days.
Custom DPA (Enterprise):
  • Enterprise customers can negotiate custom DPA terms to address specific organizational requirements.
  • Custom DPAs may include additional clauses for data residency, audit rights, and specialized retention policies.
  • Contact legal@mavioapp.com to begin the process.
What the DPA covers:
  • Scope of data processing activities
  • Technical and organizational security measures
  • Sub-processor management and notification
  • Data breach notification procedures (notification to you within 72 hours; under GDPR Article 33 the processor must notify the controller without undue delay, and it is the controller who then has 72 hours to notify the supervisory authority)
  • Data subject rights assistance
  • Data return and deletion procedures upon contract termination