MinuteMaster is built for organisations that handle confidential information and expect enterprise-grade security. ISO 27001 and ISO 9001 certified, UK-hosted, and designed to withstand the scrutiny of serious procurement teams.
Data residency is among the most consequential concerns in enterprise security review. MinuteMaster is designed around a clear, defensible geographic model with no ambiguity.
Application hosting (UK): All application servers, databases, APIs and compute run in UK data centres (Azure UK South).
Customer data storage (UK): All persistent customer data — minutes, agendas, board packs, actions, metadata — stored at rest in the UK.
Encrypted backups (UK): Disaster recovery backups are encrypted and retained in the UK for 14 days.
AI / LLM processing (EU only): Azure OpenAI inference occurs within the EU data boundary — the same infrastructure used by Microsoft 365 Copilot. Never processed in the US.
US data processing (not used): No customer data is routed to, processed in, or stored in the United States.
Data protection
Meeting recordings are never stored.
MinuteMaster applies the strictest treatment to the most sensitive content — your meeting recordings. Beyond that, clients retain full control over their data lifecycle.
Recordings immediately deleted
Uploaded recordings are transcribed in real time and deleted immediately on completion. No copies exist anywhere — not in storage, backups or failover sites.
Hard deletion — no soft deletes
When you delete content in MinuteMaster, it is hard-deleted from active storage immediately. Encrypted backups expire after 14 days, after which deleted data is unrecoverable.
Client-controlled transcript lifecycle
Delete transcripts manually at any time, or configure automatic deletion on signature of minutes. You decide how long derived content is retained.
No AI training on your data
Meeting content is never used for AI model training, fine-tuning or product improvement. This is both a technical configuration and a contractual commitment.
GDPR & regulatory alignment
Processing conducted under UK GDPR. Data processing agreements, DPIA support and records of processing activities available as part of legal review.
Full export on termination
Full data export provided within 3 months of termination at no charge, in PDF, DOCX, CSV or JSON. Data is then securely disposed of.
Identity & access
Enterprise-grade access control by default.
Controlling who can access what — and under what conditions — is a fundamental determinant of real-world security. MinuteMaster applies access control as an operational discipline across every layer.
EntraID SSO & SCIM provisioning
Single sign-on via Microsoft EntraID with SCIM provisioning for automated user lifecycle management. MFA can be enforced alongside SSO.
Role-based access control (RBAC)
Least-privilege model with granular permissions. Admin roles can manage users without accessing meeting content, supporting segregation of duties.
Conditional access & IP restriction
Login can be restricted by IP range via EntraID Conditional Access. Device compliance, location restrictions and session controls supported.
No default vendor access
MinuteMaster personnel do not access customer meeting content under normal operations. Support access requires documented justification, is limited and fully logged.
Sub-processors
Third-party supply chain transparency.
All sub-processors are appointed under written agreements with materially equivalent data protection and security obligations. Clients are notified of material changes.
Sub-processor: telemetry / error-monitoring service (name not captured on this page)
Data shared: sanitised logs only — zero-PII policy, no meeting content
Location: EU (Frankfurt) or disabled
Certifications: SOC 2 Type II

Sub-processor: Okta (optional)
Purpose: SSO identity provider
Data shared: auth tokens, user IDs
Location: per-client Okta tenant
Certifications: ISO 27001, SOC 2 Type II
Shared responsibility
Clear boundaries. Strong outcomes.
Strong security comes from a partnership between supplier controls and client-side governance. Clear delineation helps both parties manage risk effectively and avoid ambiguity.
The following materials can be shared as part of the due diligence process, subject to appropriate confidentiality arrangements.
ISO certificates & scope
ISO 27001 and ISO 9001 certificates with full scope details.
Statement of Applicability
SoA and document index detailing controls selected and implemented within the ISMS.
Security questionnaire responses
Aligned to your preferred format — SIG, CAIQ, bespoke or other.
Penetration test summary
Executive summary of third-party penetration test results, available under NDA.
Architecture documentation
Hosting and architecture summary documentation for technical review.
Data processing agreement
DPA, privacy documentation and sub-processor register with jurisdictions.
Common questions
Questions from real security reviews.
These questions are drawn from actual client due diligence reviews and represent the concerns most frequently raised during enterprise procurement.
Where exactly is our data stored?
All customer data is stored at rest in Azure UK South. This includes minutes, agendas, board packs, actions, user metadata and encrypted backups.
Which LLM do you use and where does it process data?
We use Azure OpenAI — Whisper for transcription, GPT-series and Reasoning-series for intelligence. Processing occurs within the EU data boundary, the same data centres used by Microsoft 365 Copilot. No data is sent to the US.
If I delete a recording, is it really gone?
Meeting recordings are processed and deleted immediately upon completion — they are never retained. Transcripts and minutes can be deleted at any time; hard deletion from active storage is immediate, with encrypted backups expiring after 14 days.
Can you guarantee no PII leaks into error logs?
We operate a zero-PII telemetry policy with aggressive log sanitisation. No meeting content or personal data is captured in error or monitoring logs. For clients requiring strict UK-only telemetry, non-UK monitoring services can be disabled.
What certifications do you hold?
ISO 27001 (Information Security Management) and ISO 9001 (Quality Management) — both certified by an accredited third-party certification body. Additional certifications are evaluated on our security roadmap.
Can we see your penetration test results?
Yes. Penetration test executive summaries can be shared under NDA as part of the due diligence process.
What happens to our data if we terminate the contract?
Full data export is provided within 3 months of written request at no additional charge, in your preferred formats — typically PDF/DOCX for minutes and CSV/JSON for actions and metadata. Data is then securely disposed of unless legal retention obligations apply.
Do your audit rights extend to our regulators?
Yes. Our terms grant audit rights to clients and their regulators, including on-site inspection and access to documentation.
Do you support DORA requirements?
Yes. We contractually support key DORA-aligned operational resilience requirements including incident notification within 24 hours of becoming aware.
Ready for a deeper review?
MinuteMaster is designed to make vendor security approval straightforward, not difficult. Every control described here is backed by certified management systems, documented policies and evidence that can be shared during your review.