Security as a Core Principle: ISO/IEC 27001:2022 Certification

Jun 08, 2026
Tiro achieved ISO/IEC 27001:2022 certification on June 4, 2026.

Tiro handles important work data, including meetings, customer conversations, and internal discussions. From the beginning, protecting customer data has been one of the most important principles in how we build and operate the product.

This certification is an independent validation that Tiro’s security principles and information security management system meet an internationally recognized standard.

Our principles for handling important data

Recording a meeting is not just about converting speech into text. Meetings often contain business decisions, customer conversations, internal discussions, future plans, and context that teams rely on every day.

That is why Tiro has always treated information security as a priority that goes beyond fast and accurate meeting notes.

From the early stages of the product, we have built security into how Tiro operates, including access control, data encryption, audio data deletion, system access management, and continuous monitoring.

What ISO/IEC 27001:2022 means

ISO/IEC 27001:2022 is an international standard for information security management systems, also known as ISMS. It defines requirements for how an organization establishes, operates, maintains, and improves its approach to managing information security risks.

The audit behind this certification does not only check that security policies and documents exist. It also reviews how security practices operate in real environments: how services are developed and maintained, how system access is managed, how team members handle devices and information, and how security risks are identified and remediated over time.

Tiro’s information security management system has been independently assessed and verified against the requirements of ISO/IEC 27001:2022.

How Tiro protects customer data

Tiro’s security principles are designed around the full lifecycle of customer data, from creation and processing to storage, access, monitoring, and deletion.

Below are the key principles we apply to protect customer data.

1. Minimal audio retention

Tiro processes meeting audio only to the extent necessary to convert speech into text. By default, we do not store raw audio.

For real-time meeting notes, audio exists only in memory and in the streaming pipeline while speech-to-text processing runs, and it is discarded as soon as the transcript has been produced. Uploaded audio and video files are likewise deleted automatically once processing is complete. Raw audio is retained only when a user explicitly enables that option.

When a user deletes a note, related data is permanently removed according to our deletion procedures, so unnecessary data does not remain in our systems.

2. Never used for AI model training

Tiro does not use customer conversations, transcripts, or summaries to train or fine-tune AI models.

This principle applies consistently across free, paid, and enterprise customers. Our agreements with LLM and speech-to-text (STT) partners also bind them to explicit restrictions on training on customer data and on how long they may retain it.

Customer data is used to provide Tiro’s meeting notes, summaries, and related product experiences. It is not used to train AI models.

3. Full data encryption

Tiro applies encryption to protect customer data both when it is stored and when it is transmitted.

Transcripts, summaries, and related service data are encrypted at rest using AES-256. Data transmitted between user devices and Tiro servers is protected using TLS 1.3.

Encryption keys are managed in a key management system that is kept separate from the data stores they protect, so that customer data remains protected throughout its lifecycle.
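The pattern that the two statements above describe (AES-256 at rest, keys held in a separate key management system) is usually implemented as envelope encryption, and the same structure is what makes the permanent deletion promised in principle 1 enforceable. The following Go program is an added illustration of that pattern and is not Tiro’s code; the page does not say how Tiro’s key management is built. It assumes an in-process stand-in for the KMS (a real deployment would call a managed KMS or HSM), a per-note data key wrapped under a master key, AES-256-GCM for both layers with the note ID bound as associated data, and a constructed sample transcript.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// EnvelopeRecord is what an application database would store for one note: the transcript
// encrypted under a per-record data encryption key (DEK), plus that DEK wrapped under a key
// encryption key (KEK) that only the KMS holds. Both blobs are AES-256-GCM nonce||ciphertext.
type EnvelopeRecord struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// KMS is an in-process stand-in for a separate key management service (assumed here so the
// example runs offline). It exposes only wrap/unwrap and never hands out the KEK.
type KMS struct{ kek []byte }

func NewKMS() (*KMS, error) {
	kek := make([]byte, 32) // 32 bytes = AES-256
	_, err := rand.Read(kek)
	return &KMS{kek: kek}, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with a fresh random nonce and returns nonce||ciphertext. The record ID
// is passed as associated data, so a blob cannot be transplanted into another record.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to nonce, ciphertext, or associated data fails authentication.
func open(key, blob, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("missing or truncated key material")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

func (k *KMS) WrapDEK(dek []byte, id string) ([]byte, error)       { return seal(k.kek, dek, []byte(id)) }
func (k *KMS) UnwrapDEK(wrapped []byte, id string) ([]byte, error) { return open(k.kek, wrapped, []byte(id)) }

// EncryptTranscript: fresh DEK per record, transcript sealed under it, DEK wrapped by the KMS.
// The plaintext DEK is never persisted.
func EncryptTranscript(kms *KMS, id string, transcript []byte) (*EnvelopeRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, transcript, []byte(id))
	if err != nil {
		return nil, err
	}
	wrapped, err := kms.WrapDEK(dek, id)
	if err != nil {
		return nil, err
	}
	return &EnvelopeRecord{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptTranscript must go through the KMS to recover the DEK; the database row alone is useless.
func DecryptTranscript(kms *KMS, id string, rec *EnvelopeRecord) ([]byte, error) {
	dek, err := kms.UnwrapDEK(rec.WrappedDEK, id)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, rec.Ciphertext, []byte(id))
}

// Shred is crypto-shredding for note deletion: once the wrapped DEK is dropped, the ciphertext
// is unrecoverable even if a copy lingers in a backup.
func (r *EnvelopeRecord) Shred() { r.WrappedDEK = nil }

func main() {
	kms, _ := NewKMS()
	rec, _ := EncryptTranscript(kms, "note-42", []byte("Decision: ship v2 in Q3")) // constructed sample
	pt, err := DecryptTranscript(kms, "note-42", rec)
	fmt.Println(string(pt), err)
}
```

The points a reviewer would check are that the KEK never leaves the KMS type, that each note has its own DEK so one leaked key exposes one note, that the note ID is authenticated so a wrapped key cannot be re-used for a different note, and that deleting a note only requires discarding its wrapped DEK rather than hunting down every copy of the ciphertext.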

4. Strict access control

Access to customer data and critical systems is limited to what is necessary for each role.

Tiro manages permissions based on the principle of least privilege. Access to major systems and data is logged so that activity can be reviewed and audited when needed.

Customer data is accessible only to the customer and the people they choose to share it with. Internal operational access is strictly limited and goes through controlled, auditable processes.

5. Communication and network security

Tiro operates communication and network security controls to protect the service environment.

Firewall and network security configurations help block malicious traffic, DDoS attacks, and abnormal access attempts. Core systems are managed in isolated network environments to reduce the risk of unauthorized access.

We continuously review and improve these controls so that customer data can be processed in a secure service environment.

6. Audit logs and real-time monitoring

Security is not something we set up once and leave unchanged.

Tiro continuously monitors the security posture of its service environment to detect unusual activity, vulnerabilities, and potential risks.

System access, changes, and query activity are logged in an auditable format. We also operate monitoring processes for threat detection, vulnerability scanning, web attack protection, and suspicious activity detection. This helps us identify potential risks early and respond quickly when action is needed.

Custom security for enterprise customers

For enterprise customers, Tiro supports additional security configurations to align with each company’s security policies and operating environment.

This includes SAML 2.0-based SSO, multi-factor authentication, role-based access control, SCIM-based user provisioning, IP access restrictions, and dedicated support for security and compliance requests.

Tiro works with enterprise customers to support more detailed access control, account security, and operational security requirements.

Certification is part of continuous improvement

The security landscape continues to change. As AI technology advances, security threats are also becoming more sophisticated. Tiro continues to review and improve its service infrastructure, internal processes, and security controls to keep pace with these changes.

Starting in June 2026, Tiro is conducting penetration testing to proactively identify and address potential security risks.

ISO/IEC 27001:2022 certification is an important milestone in Tiro’s security journey. At the same time, we do not see certification as the finish line. We see it as part of an ongoing process to build a more secure and trustworthy meeting notes experience.

We will continue to monitor, assess, and improve our security practices so that customers can use Tiro with confidence.

Certification information

Standard: ISO/IEC 27001:2022
Certification date: June 4, 2026
Certification body: Sensiba LLP
Certified subject: Tiro Information Security Management System

This certification was issued following an independent assessment by Sensiba LLP, an ANAB-accredited certification body authorized to perform ISO/IEC 27001 certification audits.

You can learn more about Tiro’s security practices and certification information in the Tiro Trust Center.

For certificate verification, security review materials, DPA requests, or other security-related inquiries, please contact partners@theplato.io.
