> ## Documentation Index
> Fetch the complete documentation index at: https://docs.mavioapp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Compliance

> Mavio compliance certifications: SOC 2 Type II, GDPR, HIPAA, and CCPA.

Mavio maintains rigorous compliance with industry standards and regulations to give you confidence that your meeting data is handled responsibly.

## Compliance certifications

<CardGroup cols={2}>
  <Card title="SOC 2 Type II" icon="shield-check">
    Independently audited controls for security, availability, processing integrity, confidentiality, and privacy.
  </Card>

  <Card title="GDPR" icon="flag">
    Full compliance with the EU General Data Protection Regulation for all EU user data.
  </Card>

  <Card title="HIPAA" icon="hospital">
    HIPAA-eligible plans with Business Associate Agreements for healthcare organizations.
  </Card>

  <Card title="CCPA" icon="scale-balanced">
    California Consumer Privacy Act compliance for California residents.
  </Card>
</CardGroup>

## SOC 2 Type II

Mavio has completed a SOC 2 Type II audit conducted by an independent auditing firm. The audit verifies that Mavio's controls are not only designed properly (Type I) but have been operating effectively over a sustained period (Type II).

### What SOC 2 covers

| Trust principle          | What Mavio demonstrates                                          |
| ------------------------ | ---------------------------------------------------------------- |
| **Security**             | Unauthorized access to systems and data is prevented             |
| **Availability**         | Services are available per SLA commitments                       |
| **Processing integrity** | Data processing is complete, valid, and accurate                 |
| **Confidentiality**      | Confidential information is protected                            |
| **Privacy**              | Personal information is collected, used, and retained per policy |

### Requesting the SOC 2 report

Enterprise and Team plan customers can request the full SOC 2 Type II report:

1. Contact [security@mavioapp.com](mailto:security@mavioapp.com).
2. Sign an NDA (standard mutual NDA provided).
3. Receive the report within 1 business day.

## GDPR

Mavio is fully compliant with the General Data Protection Regulation (GDPR) for all users in the European Economic Area (EEA), United Kingdom, and Switzerland.

### Your rights under GDPR

| Right             | How to exercise it                                              |
| ----------------- | --------------------------------------------------------------- |
| **Access**        | Export all your data from **Settings > Data > Export all data** |
| **Rectification** | Edit your profile and transcript data directly in the app       |
| **Erasure**       | Delete individual recordings or your entire account             |
| **Portability**   | Export data in standard formats (JSON, PDF, TXT)                |
| **Restriction**   | Contact support to restrict processing of specific data         |
| **Objection**     | Opt out of non-essential processing in Settings                 |

### Data Processing Agreement

A Data Processing Agreement (DPA) is available for organizations that require one:

1. Download the standard DPA from [mavioapp.com/legal/dpa](https://mavioapp.com/legal/dpa).
2. Sign and return to [legal@mavioapp.com](mailto:legal@mavioapp.com).
3. Or request a custom DPA for Enterprise plans.

### Data residency

By default, data is stored in the United States. Enterprise customers can choose data residency in:

* **United States** (US-East, US-West)
* **European Union** (EU-West, Frankfurt)
* **Asia-Pacific** (Singapore, Sydney)

<Note>
  Data residency selection determines where your audio, transcripts, and metadata are stored and processed. Once set, data does not leave the selected region.
</Note>

## HIPAA

Mavio offers HIPAA-eligible plans for healthcare organizations and any entity handling Protected Health Information (PHI).

### HIPAA features

* **Business Associate Agreement (BAA)** — required for HIPAA compliance, available on Enterprise plans
* **PHI handling** — audio, transcripts, and summaries containing PHI are encrypted and access-controlled
* **Audit logs** — all access to PHI is logged and auditable
* **Privacy mode** — process PHI entirely on-device for maximum protection
* **Minimum necessary access** — role-based access ensures only authorized users see recordings

### Getting HIPAA compliance

1. Contact [sales@mavioapp.com](mailto:sales@mavioapp.com) to discuss your requirements.
2. Sign a Business Associate Agreement.
3. Enable HIPAA mode on your workspace — this enforces additional security controls (mandatory 2FA, session timeouts, audit logging).

<Warning>
  HIPAA compliance requires an Enterprise plan with a signed BAA. Using Mavio with PHI without a BAA is not compliant, regardless of security settings.
</Warning>

## CCPA

For California residents, Mavio complies with the California Consumer Privacy Act:

* **Right to know** — see what data we collect about you
* **Right to delete** — request deletion of your personal information
* **Right to opt out** — opt out of the sale of personal information (Mavio does not sell personal information)
* **Non-discrimination** — exercising your rights does not affect your service or pricing

Submit CCPA requests through **Settings > Data** or by emailing [privacy@mavioapp.com](mailto:privacy@mavioapp.com).

## Additional security measures

Beyond certifications, Mavio implements:

* Regular penetration testing by third-party firms
* Automated vulnerability scanning in CI/CD
* Annual security awareness training for all employees
* Incident response procedures with defined SLAs
* Vendor security assessments for all third-party services

## Compliance documentation

| Document                  | Availability                               |
| ------------------------- | ------------------------------------------ |
| SOC 2 Type II report      | On request (NDA required)                  |
| Data Processing Agreement | [Download](https://mavioapp.com/legal/dpa) |
| Privacy Policy            | [View](https://mavioapp.com/privacy)       |
| Terms of Service          | [View](https://mavioapp.com/terms)         |
| Security whitepaper       | On request                                 |
| HIPAA BAA                 | Enterprise plan (contact sales)            |
| Penetration test summary  | On request (NDA required)                  |

## Compliance certifications details

<AccordionGroup>
  <Accordion title="SOC 2 Type II details">
    The SOC 2 Type II audit is the most rigorous of the SOC 2 certifications. Key details:

    * **Audit period:** The Type II audit covers a continuous period (typically 6-12 months) during which controls are evaluated for operating effectiveness, not just design.
    * **Trust principles covered:** Security, Availability, Processing Integrity, Confidentiality, and Privacy — all five trust service criteria.
    * **Auditor:** The audit is conducted by an independent, AICPA-accredited auditing firm.
    * **Scope:** All production systems, infrastructure, personnel processes, and vendor management practices that handle customer data.
    * **Recertification:** The audit is repeated annually to ensure ongoing compliance.

    The SOC 2 report is available to Team and Enterprise plan customers under NDA. Request it from [security@mavioapp.com](mailto:security@mavioapp.com).

    <Tip>
      If your security team needs to evaluate the platform, the SOC 2 Type II report is the most comprehensive document available. It covers controls testing over time, not just point-in-time design.
    </Tip>
  </Accordion>

  <Accordion title="GDPR compliance measures">
    Specific measures implemented for GDPR compliance:

    * **Lawful basis for processing** — processing is based on contractual necessity (providing the service you signed up for) and legitimate interest. Consent is obtained where required (e.g., marketing communications).
    * **Data minimization** — only data necessary for service delivery is collected. Audio recordings can be deleted at any time by the user.
    * **Right to be forgotten** — deleting your account permanently removes all personal data, audio recordings, transcripts, and metadata within 30 days.
    * **Data portability** — export all your data in standard formats (JSON, PDF, TXT) from **Settings > Data > Export all data**.
    * **Sub-processors** — a list of sub-processors (third-party services that handle your data) is published and updated at [mavioapp.com/legal/sub-processors](https://mavioapp.com/legal/sub-processors). You are notified of changes.
    * **Data Protection Officer** — reachable at [dpo@mavioapp.com](mailto:dpo@mavioapp.com) for any GDPR-related inquiries.
    * **Data residency** — EU customers can choose to store all data in the Frankfurt (EU) region, ensuring data does not leave the European Economic Area.
  </Accordion>

  <Accordion title="HIPAA eligibility requirements">
    HIPAA compliance requires specific steps beyond enabling a feature toggle:

    1. **Enterprise plan** — HIPAA compliance is available exclusively on Enterprise plans.
    2. **Business Associate Agreement (BAA)** — a signed BAA is mandatory. Contact [sales@mavioapp.com](mailto:sales@mavioapp.com) to initiate the process.
    3. **HIPAA workspace mode** — once the BAA is signed, HIPAA mode is enabled on your workspace. This enforces:
       * Mandatory two-factor authentication for all team members
       * Automatic session timeout after 15 minutes of inactivity
       * Comprehensive audit logging of all data access
       * Encryption at rest and in transit (always active, but verified under HIPAA mode)
       * Restricted sharing — recordings containing PHI cannot be shared via public links
    4. **Staff training** — your organization is responsible for training users on HIPAA-compliant use of the platform.

    <Warning>
      Using the platform with Protected Health Information without a signed BAA is not HIPAA-compliant, regardless of which security settings you enable.
    </Warning>
  </Accordion>

  <Accordion title="CCPA compliance">
    For California residents, the following CCPA rights are supported:

    * **Right to know** — request a detailed report of what personal information is collected, the categories of sources, and the business purpose. Submit a request via **Settings > Data** or email [privacy@mavioapp.com](mailto:privacy@mavioapp.com).
    * **Right to delete** — request deletion of all personal information. You can delete individual recordings in the app or request full account deletion. Deletion is completed within 45 days per CCPA requirements.
    * **Right to opt out of sale** — the platform does not sell personal information to third parties. No action is needed.
    * **Right to non-discrimination** — exercising any CCPA right does not result in different pricing, service quality, or access levels.
    * **Authorized agents** — you can designate an authorized agent to submit CCPA requests on your behalf with appropriate verification.
    * **Verification** — identity verification is required for all CCPA requests to protect against unauthorized access to your data.
  </Accordion>

  <Accordion title="Data Processing Agreement (DPA)">
    A DPA formalizes the relationship between your organization (data controller) and the platform (data processor):

    **Standard DPA:**

    * Available for download at [mavioapp.com/legal/dpa](https://mavioapp.com/legal/dpa).
    * Covers GDPR Article 28 requirements including sub-processor lists, data breach notification obligations, and data handling procedures.
    * Sign and return to [legal@mavioapp.com](mailto:legal@mavioapp.com). Countersigned copies are returned within 3 business days.

    **Custom DPA (Enterprise):**

    * Enterprise customers can negotiate custom DPA terms to address specific organizational requirements.
    * Custom DPAs may include additional clauses for data residency, audit rights, and specialized retention policies.
    * Contact [legal@mavioapp.com](mailto:legal@mavioapp.com) to begin the process.

    **What the DPA covers:**

    * Scope of data processing activities
    * Technical and organizational security measures
    * Sub-processor management and notification
    * Data breach notification procedures (within 72 hours per GDPR)
    * Data subject rights assistance
    * Data return and deletion procedures upon contract termination
  </Accordion>
</AccordionGroup>
