REAL · UNEDITED Generated by the AI research agent in under 30 minutes — sample to demonstrate output quality.
Recommendation
CONDITIONALLY APPROVED
Overall Risk
CRITICAL
ScriberAI Meet
scriberai.example
AI meeting recording, transcription, and summary capture
3 Critical · 3 High · 3 Medium · 2 Low · 6 Positive
Vendor incidents
Breaches, lawsuits, and regulatory actions detected via web search
- Lawsuit HIGH Mar 19, 2026 · Top Class Actions: Fricker v. ScriberAI Meet.AI Corp. - BIPA Class Action for Unlawful Biometric Data Collection
Class action filed March 10, 2026 in U.S. District Court for Northern District of Illinois accusing ScriberAI Meet.AI of collecting voiceprints without consent in violation of BIPA. Seeks statutory damages of $1,000 per negligent violation and $5,000 per intentional violation. Case No. 1:26-cv-02675.
- Lawsuit HIGH Dec 24, 2025 · National Law Review: Cruz v. ScriberAI Meet.AI Corp. - BIPA Class Action for Unauthorized Voiceprint Collection
Class action filed December 18, 2025 in U.S. District Court for Central District of Illinois alleging ScriberAI Meet.AI violates Illinois Biometric Information Privacy Act by collecting and storing voiceprints without written consent, notice, or published retention policies. Case No. 3:25-cv-03399.
Risk heatmap
Findings by section and severity — darker cells indicate concentration
| Section | C | H | M | L | P | Total |
|---|---|---|---|---|---|---|
| 2. Authentication & Authorization | · | 1 | 1 | · | 1 | 3 |
| 3. Data Protection & Privacy | 3 | 2 | · | · | 2 | 7 |
| 4. Endpoint Security | · | · | 2 | · | 1 | 3 |
| 5. Network Security | · | · | 1 | 1 | 1 | 3 |
| 6. Compliance & Certifications | · | 1 | 1 | · | 1 | 3 |
| 7. Operational Security | · | · | 1 | 1 | 2 | 4 |
1. Executive Summary
ScriberAI Meet.ai (https://example.com/redacted-for-demo Meet.ai/) is an AI-powered meeting recording, transcription, and summarisation platform. It joins video calls (Zoom, Google Meet, Microsoft Teams, Webex, and others) as a bot participant, captures audio and video streams, and uses third-party AI sub-processors — confirmed to include OpenAI and Anthropic — to generate transcripts, summaries, and meeting analytics. The intended deployment at VendorReviews.io is company-wide for team meetings and calls that routinely contain PII, intellectual property, and financial data.
Deployment model: SaaS; default infrastructure on AWS and GCP in the United States; EU data residency optionally available on Enterprise plan. All meeting audio, video, transcripts, summaries, and participant PII are transmitted to ScriberAI Meet cloud infrastructure and onward to third-party AI sub-processors for processing. ScriberAI Meet contractually enforces Zero Data Retention (ZDR) with sub-processors, prohibiting storage or model training after processing completes, but data does leave VendorReviews.io's control boundary during processing.
AI component: Transcription uses ASR (Automatic Speech Recognition) third-party vendors; summarisation and analysis use OpenAI and/or Anthropic APIs. Voice characteristics (voiceprints) may be extracted by sub-processors for speaker differentiation — these may constitute biometric data under applicable law. Data residency defaults to the United States; EU residency requires Enterprise plan and explicit configuration.
Overall Risk Rating
CRITICAL — audio/video recordings, meeting transcripts, participant PII, biometric voice data, and financial/IP content are transmitted to named third-party AI sub-processors (OpenAI, Anthropic, ASR vendors) outside VendorReviews.io's control boundary. Multiple critical controls (SSO, SCIM, audit logs, private storage) are gated to the Enterprise plan and are not available on lower tiers. Active BIPA class action litigation introduces regulatory risk.
Finding counts
| Critical | 3 |
| High | 3 |
| Medium | 3 |
| Low | 2 |
| Positive | 6 |
Key positive indicators
- SOC 2 Type II certified with annual audits (report available under mNDA)
- GDPR-compliant with publicly available DPA incorporating SCCs
- Zero Data Retention policy contractually enforced with all AI and ASR sub-processors
- 256-bit AES encryption at rest and TLS in transit
- SAML 2.0 SSO and SCIM 2.0 provisioning available (Enterprise plan)
- HackerOne-powered bug bounty programme and responsible disclosure policy in place
2. Authentication & Authorization
Current State
ScriberAI Meet supports the following authentication methods: email/password, OAuth via Google or Microsoft, and SAML 2.0 SSO. SAML 2.0 SSO is documented to work with Microsoft Entra ID (Azure AD), Okta, JumpCloud, and OneLogin. SCIM 2.0 provisioning is supported for automated user lifecycle management, enabling auto-provisioning and immediate de-provisioning from the IdP. RBAC is available with role-based group controls and a Super Admin role providing organisation-wide visibility and data access. Critically, all enterprise-grade controls — SAML SSO, SCIM provisioning, Super Admin, audit logs — are gated exclusively to the Enterprise pricing tier ($39+/user/month, annual billing). There is no documented evidence of enforced MFA at the application layer for non-SSO authentication paths.
SAML SSO and SCIM Provisioning Gated to Enterprise Plan — Not Available on Lower Tiers
VendorReviews.io enforces MFA via Microsoft Entra ID and uses SAML 2.0 as its SSO standard. If ScriberAI Meet is deployed on a Pro or Business tier, users will authenticate via email/password or OAuth outside the Entra ID control boundary. This bypasses VendorReviews.io's enforced MFA policy and means ScriberAI Meet accounts are not subject to Entra ID Conditional Access policies. Additionally, without SCIM provisioning, user de-provisioning on ScriberAI Meet is a manual process. Since VendorReviews.io has no documented offboarding process in its current toolchain and SCIM is not in use, there is a direct risk of orphaned ScriberAI Meet accounts retaining access to meeting recordings containing PII and IP after employee departure. CrowdStrike Falcon and Intune do not provide visibility into SaaS account state, so orphaned accounts would not be detected automatically.
→ Require Enterprise plan as a condition of deployment. Configure SAML 2.0 SSO via Microsoft Entra ID before any user accounts are provisioned. Enable SCIM 2.0 provisioning against Entra ID to enforce automated de-provisioning. Document and test the offboarding runbook — confirm that revoking the user in Entra ID immediately terminates ScriberAI Meet access via SCIM. Do not approve deployment on Pro or Business plans.
No Documented Enforced MFA for Non-SSO Authentication Paths
Research found no evidence that ScriberAI Meet supports admin-enforced MFA at the application layer for email/password or OAuth login paths. If any VendorReviews.io user authenticates to ScriberAI Meet without going through the Entra ID SAML SSO flow (e.g., directly via Google OAuth), Entra ID's MFA enforcement does not apply. Given that ScriberAI Meet accounts may store recordings and transcripts containing VendorReviews.io IP and PII, a compromised credential without MFA would grant full access to that content. This risk is mitigated if SSO is configured with forced redirect, but the forcing mechanism must be validated.
→ After configuring SAML SSO via Entra ID, verify with ScriberAI Meet that non-SSO login methods (email/password, Google OAuth) can be disabled or blocked for the VendorReviews.io workspace. Confirm this in writing with the ScriberAI Meet account team before go-live. If non-SSO paths cannot be disabled, implement an Entra ID Conditional Access policy that monitors for anomalous access patterns and document this as a residual risk.
SAML 2.0 SSO, SCIM 2.0, and RBAC Fully Documented for Enterprise Tier
ScriberAI Meet Enterprise supports SAML 2.0 SSO with confirmed compatibility with Microsoft Entra ID, enabling VendorReviews.io to enforce Entra ID Conditional Access and MFA policies. SCIM 2.0 provisioning allows the IdP to automatically provision new accounts and immediately de-provision departing users. The Super Admin role and group-based RBAC allow granular control over who can access meeting recordings across the workspace. This is a well-structured enterprise IAM story when the Enterprise plan is in place.
→ Proceed with Enterprise plan procurement. Prioritise SAML and SCIM configuration as the first deployment milestone before any meeting recording is enabled.
3. Data Protection & Privacy
Current State
ScriberAI Meet collects and processes the following data categories originating from VendorReviews.io meetings: full audio and video recordings of meetings; meeting transcripts and AI-generated summaries; participant names and email addresses; meeting titles, URLs, calendar event descriptions, and attendee lists; voice characteristics extracted for speaker differentiation (potentially constituting biometric identifiers under BIPA and analogous EU legislation); AskFred chat inputs; and integration data (calendar metadata from Microsoft Entra ID/Microsoft 365 if integrated). Data is transmitted to ScriberAI Meet cloud infrastructure (AWS/GCP, US by default), and from there to named third-party AI sub-processors including OpenAI and Anthropic for summarisation/analysis, and to undisclosed ASR (Automatic Speech Recognition) vendors for transcription. ScriberAI Meet contractually enforces Zero Data Retention (ZDR) with these sub-processors — data is not stored or used for model training after processing. A public sub-processor list is maintained at https://example.com/redacted-for-demo Meet.ai/subprocessors. A GDPR-compliant DPA incorporating SCCs is publicly available and auto-incorporated for business customers. Default data residency is the United States. EU residency via Private Storage is available on Enterprise plan only, but ScriberAI Meet notes that even with EU storage, processing occurs in the United States.
Meeting Audio, Video, Transcripts, Participant PII, and Biometric Voice Data Transmitted to OpenAI and Anthropic for AI Processing
ScriberAI Meet transmits meeting audio recordings, generated transcripts, meeting summaries, and participant PII (names, email addresses) to OpenAI and Anthropic as named sub-processors for AI summarisation and analysis. Additionally, ASR sub-processor(s) — not individually named in public documentation — process raw audio for transcription, and during this process voice characteristics (voiceprints) are extracted that may constitute biometric identifiers under GDPR (as special category biometric data) and Illinois BIPA. All of these data categories — audio/video recordings, transcripts, biometric voice data, PII, and meeting content that will routinely include VendorReviews.io's IP and financial data — leave VendorReviews.io's control boundary and are processed under OpenAI's and Anthropic's terms and data agreements, not VendorReviews.io's. ScriberAI Meet states it has BAAs/ZDR agreements with OpenAI and Anthropic prohibiting storage and model training post-processing, but these agreements are not independently verifiable from public documentation. VendorReviews.io's GDPR obligations require documented, lawful basis for all such onward transfers; the adequacy of ScriberAI Meet's SCCs and sub-processor DPAs to cover this transfer chain has not been independently verified. There is no CASB or web proxy in VendorReviews.io's environment to monitor or control this outbound data flow.
→ Before deployment: (1) Request and review ScriberAI Meet's current sub-processor list from https://example.com/redacted-for-demo Meet.ai/subprocessors — confirm OpenAI, Anthropic, and all ASR vendors are listed with their processing roles. (2) Request copies of ScriberAI Meet's BAAs/ZDR agreements with OpenAI and Anthropic to validate contractual protections — acceptable under the mNDA process. (3) Execute the ScriberAI Meet DPA and confirm SCCs are in place covering onward transfers to US sub-processors, satisfying VendorReviews.io's GDPR Article 28 and 46 obligations. (4) Ensure the DPA includes sub-processor notification obligations (30-day minimum) so VendorReviews.io can object before new AI vendors are added. (5) Conduct a Transfer Impact Assessment (TIA) for data transferred to OpenAI and Anthropic under the EU-US data flow, given GDPR requirements for VendorReviews.io's customer PII.
Biometric Voice Data (Voiceprints) Collected from Meeting Participants Without Guaranteed Consent Mechanism for Non-Account Holders
ScriberAI Meet's speaker recognition feature extracts voice characteristics from meeting audio that may constitute biometric identifiers under GDPR (Article 9 special category data) and Illinois BIPA. Critically, this data is extracted from all meeting participants — including VendorReviews.io customers, partners, and external parties who are not ScriberAI Meet account holders and who have not consented to biometric data collection. Two active BIPA class action lawsuits (Cruz v. ScriberAI Meet.AI Corp., Dec 2025; Fricker v. ScriberAI Meet.AI, Case No. 1:26-cv-02675) allege exactly this scenario: collection of voiceprints from non-account-holder participants without written consent. Under GDPR, processing biometric data as special category data requires explicit consent or another Article 9(2) basis. If VendorReviews.io's meetings include EU-based participants (customers, prospects, partners), VendorReviews.io — as the meeting host and ScriberAI Meet customer — may bear joint controller liability for this processing. The ScriberAI Meet privacy policy acknowledges voice data may be biometric and delegates responsibility to the meeting host to obtain consent, but provides no enforceable mechanism for VendorReviews.io to verify or record that consent.
→ (1) Conduct a GDPR Data Protection Impact Assessment (DPIA) for the biometric voice processing before deployment, given Article 35 requirements for large-scale special category data processing. (2) Implement a mandatory pre-meeting disclosure process: all meeting invites must include a notice that the call will be recorded and transcribed by ScriberAI Meet, with a link to ScriberAI Meet's privacy policy. (3) Consult VendorReviews.io's legal team on whether speaker identification/voiceprint features must be disabled to avoid GDPR Article 9 liability and BIPA exposure. (4) Request written confirmation from ScriberAI Meet on whether speaker recognition can be disabled at the workspace level on the Enterprise plan. (5) Do not deploy for meetings with external participants until the consent mechanism and DPIA are complete.
Third-Party MCP Connector Integrations (ChatGPT, Claude) Bypass ScriberAI Meet's ZDR Protections — Uncontrolled Data Exit
ScriberAI Meet documentation explicitly states that when users connect ScriberAI Meet through third-party MCP connectors such as ChatGPT or Claude, data exchanged through those platforms is processed under their respective terms of service, and ScriberAI Meet cannot guarantee deletion, storage duration, or non-training of data once it leaves the ScriberAI Meet environment. This means that if any VendorReviews.io employee enables these optional integrations, meeting transcripts, summaries, and any IP or PII therein are transmitted to OpenAI's ChatGPT or Anthropic's Claude infrastructure under consumer/standard API terms — not under the ZDR agreement or BAA that governs ScriberAI Meet's own sub-processor relationship. VendorReviews.io has no CASB and no web proxy, so there is no technical control to detect or block individual users enabling these integrations without IT awareness. This creates an uncontrolled data exfiltration path that bypasses all contractual protections.
→ (1) Before deployment, confirm with ScriberAI Meet whether MCP connector integrations (ChatGPT, Claude, and similar) can be disabled at the workspace/admin level on the Enterprise plan via the Rules Engine. (2) If admin-level disablement is available, configure it as part of initial deployment and document the setting. (3) If disablement is not available, this risk must be accepted in writing by VendorReviews.io's CISO and documented as a residual risk in the Data Register. (4) Publish an internal acceptable use policy explicitly prohibiting use of ScriberAI Meet MCP connectors with external AI platforms. (5) Consider deploying a CASB (e.g., Microsoft Defender for Cloud Apps, which is available within the Microsoft ecosystem VendorReviews.io already uses) to monitor and block unauthorised SaaS-to-SaaS data flows.
EU Data Residency Unavailable Below Enterprise Plan; Processing Occurs in US Even on Enterprise
By default, all VendorReviews.io meeting data is stored and processed in ScriberAI Meet's US infrastructure (AWS/GCP). ScriberAI Meet offers EU data residency via Private Storage on the Enterprise plan, but explicitly states that even with EU storage, data is processed in the United States. For VendorReviews.io's GDPR obligations — particularly meeting content containing EU data subjects' PII — this means an international data transfer to the US is unavoidable. While ScriberAI Meet is listed on the EU-US Data Privacy Framework and provides SCCs in its DPA, VendorReviews.io must verify the DPA adequately covers this transfer chain before processing EU personal data.
→ Execute the ScriberAI Meet DPA before any EU data subject's PII enters the platform. Verify that SCCs (Module 2 for VendorReviews.io as Controller) are correctly executed and cover onward transfers to US sub-processors. Enable EU Private Storage on the Enterprise plan to minimise data residency exposure even though processing remains US-based. Document the lawful transfer mechanism in VendorReviews.io's Article 30 Record of Processing Activities.
Broad Content Licence Granted to ScriberAI Meet in Terms of Service
Section 5(b) of the ScriberAI Meet Terms of Service grants ScriberAI Meet a 'nonexclusive, royalty-free, worldwide, fully paid, and sublicensable (through multiple tiers)' licence to use, reproduce, modify, adapt, publish, translate, create derivative works from, and distribute User Content 'in all media formats and channels now known or later developed without compensation.' Section 5(c) states this licence is 'perpetual and irrevocable.' While Section 5(c)(i) limits exercise of rights to 'providing the Services,' and (ii) prohibits AI model training, the breadth of the sublicensable, perpetual licence in the ToS is significantly wider than the practical limitation. For VendorReviews.io, meeting content will include trade secrets, unreleased product information, customer PII, and financial data. The ToS language, if relied upon in a dispute, could be interpreted to grant ScriberAI Meet rights to VendorReviews.io's IP that exceed what is necessary for service delivery. This is a legal risk, not a technical one, but it is material for a company whose primary asset is IP.
→ Legal team to review Section 5(b) and 5(c) of the ScriberAI Meet ToS and negotiate a Master Services Agreement (MSA) or Order Form addendum that supersedes the standard ToS licence grant with a narrower, service-delivery-only licence. Specifically: remove 'sublicensable through multiple tiers,' replace 'perpetual and irrevocable' with a licence that terminates on account closure, and explicitly exclude derivative works creation from meeting content. This should be a pre-deployment contractual condition.
Zero Data Retention Policy Contractually Enforced with All AI Sub-Processors
ScriberAI Meet contractually enforces a Zero Data Retention (ZDR) policy with all third-party sub-processors including OpenAI, Anthropic, and ASR vendors. Meeting audio, video, transcripts, and summaries are not stored by sub-processors after processing is complete, and are contractually prohibited from being used for AI model training. ScriberAI Meet also states it does not use customer data for training its own models. This significantly reduces the risk of VendorReviews.io's IP and PII being incorporated into third-party AI training datasets.
→ Request a copy of the ZDR agreement or relevant DPA clauses with OpenAI and Anthropic as part of the vendor onboarding process to independently verify contractual protections.
GDPR DPA with SCCs Publicly Available and Auto-Incorporated for Business Customers
ScriberAI Meet provides a publicly accessible DPA at ScriberAI Meet.ai/data-processing-agreement incorporating Standard Contractual Clauses for EEA, UK, and Switzerland to US transfers. The DPA is auto-incorporated by reference in the Terms of Service for business customers, providing a baseline GDPR Article 28 compliance framework. A sub-processor list is maintained at https://example.com/redacted-for-demo Meet.ai/subprocessors.
→ Execute the DPA formally (do not rely solely on auto-incorporation) and retain a signed copy for VendorReviews.io's compliance records. Review the sub-processor notification terms and ensure VendorReviews.io has adequate notice periods before new sub-processors are added.
4. Endpoint Security
Current State
ScriberAI Meet operates primarily as a SaaS platform accessed via web browser. It deploys a bot (Fred) that joins meetings server-side — this does not require software installation on endpoints for core transcription functionality. However, ScriberAI Meet offers: (1) a Chrome browser extension for enhanced in-meeting features and live transcription; (2) mobile apps for iOS and Android; (3) a desktop app (less prominently documented). The Chrome extension requests access to browser activity and meeting content. Mobile apps are available for iOS and Android, aligning with VendorReviews.io's OS mix (Windows, macOS, iOS, Android managed by Intune). Update behaviour for the Chrome extension and mobile apps is managed by the respective stores (Chrome Web Store, Apple App Store, Google Play Store). The ScriberAI Meet meeting bot joins calls server-side and does not require endpoint installation for recording.
Chrome Extension Requests Broad Browser Permissions — Not Deployed via Managed Channel
The ScriberAI Meet Chrome extension requires permissions to access browser activity and meeting content. On VendorReviews.io's Windows and macOS endpoints managed via Intune, Chrome extensions are not necessarily controlled via managed extension policy unless explicitly configured. If employees install the ScriberAI Meet Chrome extension without IT management, it operates outside CrowdStrike Falcon's application control visibility for browser-based extensions, and Intune device compliance policies do not by default block or audit Chrome extension installations. The extension's access to browser content could expose data beyond meeting transcriptions if misconfigured or if a future version increases its permission scope.
→ If the Chrome extension is required for specific use cases, deploy it as a managed extension via Intune's Chrome Enterprise management policy (or via Entra ID group policy) rather than allowing self-installation. Pin the approved version and configure automatic updates. If the core bot functionality is sufficient (server-side joining), evaluate whether the Chrome extension is necessary at all and restrict its installation via Chrome Enterprise managed policy.
Mobile App Access on Personal and BYOD Devices Not Controlled
ScriberAI Meet has iOS and Android apps. VendorReviews.io's OS mix includes iOS and Android, managed by Intune. If Intune MAM (Mobile Application Management) policies are not applied to the ScriberAI Meet mobile app, employees on personal or BYOD devices can install and use ScriberAI Meet independently of IT control, potentially uploading meeting content recorded outside of sanctioned meetings. Without a CASB and without Intune MAM enforcement on the ScriberAI Meet app, there is no control preventing an employee from recording a meeting on their personal device and uploading it to their personal ScriberAI Meet account, bypassing the company's Enterprise workspace controls entirely.
→ Add the ScriberAI Meet mobile app to Intune's managed app catalogue and apply MAM policies requiring corporate account authentication. If BYOD mobile use is not required for the ScriberAI Meet deployment, publish an acceptable use policy explicitly restricting ScriberAI Meet use to corporate-managed devices and corporate workspace accounts. Consider blocking the ScriberAI Meet app on personal device profiles via Intune App Protection Policies.
Core Recording Functionality is Server-Side Bot — No Mandatory Endpoint Software Required
ScriberAI Meet's primary recording mechanism is the Fred bot, which joins meetings as a server-side participant. This means the core transcription and recording functionality does not require installation of any software on VendorReviews.io endpoints, reducing the endpoint attack surface. CrowdStrike Falcon's endpoint telemetry is not affected by the bot's operation, and Intune device compliance policies do not need to accommodate a local agent for core functionality.
→ Default deployment should use the server-side bot only. Evaluate whether Chrome extension or desktop app is required before approving those components separately.
5. Network Security
Current State
ScriberAI Meet operates as an outbound SaaS application. The meeting bot joins calls over standard HTTPS/WSS protocols. Data transmission between ScriberAI Meet infrastructure and sub-processors (OpenAI, Anthropic, ASR vendors) occurs server-side within ScriberAI Meet's infrastructure — meeting audio is not sent directly from VendorReviews.io endpoints to sub-processors. ScriberAI Meet uses AWS and GCP as primary cloud infrastructure (US default). TLS encryption is in place for all data in transit. VendorReviews.io does not operate a web proxy or TLS inspection, and has no CASB. There are no published firewall allowlist requirements in ScriberAI Meet's public documentation.
No CASB or Web Proxy — No Visibility into ScriberAI Meet SaaS Data Flows or Unauthorised Account Usage
VendorReviews.io operates without a CASB or web proxy, meaning there is no network-layer visibility into which users are accessing ScriberAI Meet, from which devices, or whether personal (non-corporate) ScriberAI Meet accounts are in use. Shadow IT use of ScriberAI Meet on personal accounts — bypassing Enterprise workspace controls, ZDR agreements, and DPA protections — would be invisible to IT. CrowdStrike Falcon provides endpoint process telemetry but does not provide SaaS access governance. Microsoft Entra ID Sign-in logs would only cover Entra ID-federated access, not direct email/password or personal Google OAuth login to ScriberAI Meet.
→ Consider deploying Microsoft Defender for Cloud Apps (MDCA), which is included in several Microsoft 365 E3/E5 licences and integrates natively with Entra ID and Intune. MDCA can provide CASB functionality including discovery of ScriberAI Meet usage across accounts, enforcement of corporate-only account policies, and session controls for sanctioned SaaS apps. At minimum, enable Entra ID MCAS App Governance policies for ScriberAI Meet. If MDCA is not available, implement a conditional access policy that requires Entra ID SSO for all ScriberAI Meet access and document the residual shadow IT risk.
No Published Network Allowlist Requirements for ScriberAI Meet Bot Infrastructure
ScriberAI Meet does not publish a documented list of IP ranges or domain names required for the meeting bot to function. For VendorReviews.io's current network architecture this is low impact since there is no web proxy or egress firewall enforcing allowlists. However, if network controls are tightened in future, the absence of documented allowlist requirements would complicate allowlisting the ScriberAI Meet bot's outbound connections.
→ Request a list of ScriberAI Meet infrastructure domains and IP ranges from the account team at contract signing. Document these for future network security planning even if not immediately required.
TLS in Transit and AES-256 at Rest Confirmed
ScriberAI Meet documents TLS encryption for all data in transit and 256-bit AES encryption for data at rest, including meeting recordings, transcripts, and summaries. Sub-processor data transmissions (to OpenAI, Anthropic, ASR vendors) occur server-side within ScriberAI Meet's infrastructure rather than from VendorReviews.io endpoints, limiting the network attack surface on VendorReviews.io's side.
→ No action required. Note for the record during SOC 2 vendor review.
6. Compliance & Certifications
Current State
6.1 Vendor Compliance Posture
SOC 2 Type II: Confirmed, certified since December 2021, maintained with annual audits. Report available under mNDA. Source: trust.ScriberAI Meet.ai
GDPR: Confirmed. DPA with SCCs publicly available at ScriberAI Meet.ai/data-processing-agreement. Listed on EU-US Data Privacy Framework.
HIPAA/BAA: Confirmed, but exclusive to Enterprise plan. BAA available on request.
FERPA: Stated with Data Sharing Agreements available (source: trust.ScriberAI Meet.ai).
ISO 27001: Alignment claimed but formal certification status is ambiguous — documentation from 2021 suggests certification was a strategic goal for 2022; current certification status not independently confirmed in research findings.
FedRAMP: Listed as compliant in Nudge Security database — not independently verifiable from ScriberAI Meet's own documentation.
BIPA compliance: Subject of two active class action lawsuits as of late 2025/early 2026 alleging violations of Illinois Biometric Information Privacy Act.
6.2 Company-Specific Considerations for VendorReviews.io
GDPR: Directly relevant. ScriberAI Meet's DPA with SCCs satisfies Article 28 and Article 46 requirements for VendorReviews.io's EU data subject processing obligations. However, VendorReviews.io must formally execute the DPA and conduct a Transfer Impact Assessment for US sub-processor transfers.
SOC 2: Directly relevant. VendorReviews.io's own SOC 2 obligations require vendor assessment. ScriberAI Meet's SOC 2 Type II certification provides assurance over security and availability controls. Request the report under mNDA as part of vendor onboarding.
HIPAA: Not relevant to VendorReviews.io's stated use case (Technology/SaaS, no PHI).
FedRAMP: Not relevant to VendorReviews.io's industry or use case.
ISO 27001: Not independently confirmed — treat as unverified until certificate is produced.
SOC 2 Type II Certified with Annual Audits — Directly Satisfies VendorReviews.io's Vendor Assessment Requirement
ScriberAI Meet holds a current SOC 2 Type II certification maintained with annual audits, which directly supports VendorReviews.io's own SOC 2 compliance programme's vendor management controls. The report is available under mNDA, which is standard practice.
→ Initiate the mNDA process and request the most recent SOC 2 Type II report as part of vendor onboarding. Review the report for exceptions or qualified opinions, particularly in the availability and confidentiality trust service criteria.
ISO 27001 Certification Status Unconfirmed — Treat as Unverified
ScriberAI Meet's security page and trust center reference alignment with ISO 27001, but research findings identified a 2021 blog post indicating ISO 27001 certification was a strategic goal for 2022 rather than a current certification at that time. No independently verifiable certificate or accreditation body reference was found in current documentation. For VendorReviews.io's vendor risk register, this should be treated as unconfirmed.
→ Request a current ISO 27001 certificate (accreditation body name, certificate number, expiry date) from ScriberAI Meet during contract negotiation. If not available, this does not block deployment given the SOC 2 Type II certification, but it should be noted as unconfirmed in VendorReviews.io's vendor record.
Active BIPA Class Action Litigation — Regulatory and Reputational Risk to VendorReviews.io as Deploying Organisation
Two active class action lawsuits allege ScriberAI Meet collects voiceprints (biometric identifiers) from meeting participants — including non-account-holders — without proper written consent, retention schedule publication, or BIPA-compliant disclosure. If VendorReviews.io deploys ScriberAI Meet for meetings involving external participants (customers, partners, vendors), VendorReviews.io as the meeting host may face co-defendant exposure in similar actions, particularly if VendorReviews.io's meetings include Illinois-resident participants. Separately, under GDPR, biometric data is special category data requiring explicit consent under Article 9 — if VendorReviews.io hosts EU-resident participants in recorded meetings, VendorReviews.io bears controller responsibility for ensuring the legal basis for that processing exists. The current litigation signals that ScriberAI Meet's consent and disclosure mechanisms may be legally insufficient in certain jurisdictions.
→ (1) Legal team to assess VendorReviews.io's potential BIPA and GDPR Article 9 exposure for meetings with external participants before deployment. (2) Implement a mandatory pre-meeting disclosure template for all externally-facing meetings recorded via ScriberAI Meet. (3) Request from ScriberAI Meet their current written BIPA retention schedule (required under BIPA §15(a)) and assess adequacy. (4) Consider restricting initial deployment to internal-only meetings (VendorReviews.io employees only) until the consent framework is resolved. (5) Monitor litigation outcomes — an adverse ruling against ScriberAI Meet on BIPA could require rapid deployment suspension.
7. Operational Security
Current State
7.1 Incident Response & Transparency
ScriberAI Meet maintains a public status page (Powered by Freshstatus) at a dedicated URL. A Trust Center is maintained at trust.ScriberAI Meet.ai with certifications, sub-processor list, and FAQs. A HackerOne-powered bug bounty programme is in place with a responsible disclosure policy; the security contact is security@ScriberAI Meet.ai with a stated 5-business-day acknowledgement SLA. No public breach notification SLA is documented beyond what is required under GDPR (72-hour notification to supervisory authority) and as incorporated in the DPA. Known security incidents: one email/domain leak via Growthbook SDK in February/March 2024 (remediated within hours of disclosure). No formal CVEs assigned. No confirmed data breaches in 2026.
7.2 Data Retention
Personal account data retained while account is active; deleted within 30 days of account closure. Meeting content (audio, video, transcripts, summaries) subject to Zero Data Retention with all third-party sub-processors — not stored after processing. Enterprise plan offers Custom Data Retention policies and Rules Engine for admin-controlled retention governance. Deletion of individual meetings is available to users via account settings. Account closure deletion is account-holder-initiated.
7.3 Patch & Update Management
As a SaaS platform, backend patching is transparent and managed by ScriberAI Meet. OWASP alignment is stated for development, staging, and production with peer-reviewed code. Chrome extension and mobile app updates are distributed via Chrome Web Store and app stores respectively — update timing is not admin-controllable without managed deployment. No documented vulnerability management SLA or patch cadence published.
No Published Breach Notification SLA Beyond Regulatory Minimum — DPA Terms Must Be Verified
ScriberAI Meet's public documentation does not specify a contractual breach notification timeline beyond GDPR's 72-hour supervisory authority requirement. For VendorReviews.io's SOC 2 programme and GDPR compliance, the DPA should specify the timeline for notifying VendorReviews.io (as Controller) of a personal data breach affecting meeting content — this is typically 24-48 hours in enterprise DPAs to allow VendorReviews.io time to assess and meet its own 72-hour obligation to the ICO or relevant supervisory authority. Without a contractual notification SLA in the DPA, VendorReviews.io cannot guarantee it will receive timely notification to meet its own regulatory obligations.
→ During DPA review, confirm and negotiate a contractual breach notification period of no more than 48 hours from ScriberAI Meet's detection of a breach affecting VendorReviews.io's personal data. Ensure the DPA specifies minimum breach notification content (nature, categories affected, approximate number of records, contact point, remediation steps). Document this SLA in VendorReviews.io's incident response plan.
Growthbook SDK Feature Flag Leak (March 2024) — Remediated but Indicates Third-Party SDK Risk
A researcher disclosed in March 2024 that the ScriberAI Meet Chrome extension was calling Growthbook's SDK endpoint with feature flags containing customer email addresses and domain names, which were publicly accessible. The vulnerability was remediated within hours. While this specific issue is closed and no formal CVE was issued, it indicates that third-party SDKs embedded in ScriberAI Meet's extension or web application can inadvertently expose configuration data including user email addresses. Given VendorReviews.io will have 26-100 users with PII in the ScriberAI Meet workspace, any recurrence of this pattern would expose VendorReviews.io user emails.
→ Note in VendorReviews.io's vendor risk register. During annual vendor review, check for any recurrence of similar SDK-related disclosures via ScriberAI Meet's bug bounty programme or security disclosure channels. No immediate action required given prompt remediation history.
HackerOne Bug Bounty Programme and Responsible Disclosure Policy in Place
ScriberAI Meet operates a HackerOne-powered bug bounty programme with a stated 5-business-day acknowledgement SLA and a responsible disclosure policy requesting coordinated disclosure before public release. This indicates a proactive vulnerability management posture. The prompt remediation of the March 2024 Growthbook disclosure (within hours) supports this assessment.
→ No action required. Reference the bug bounty programme URL in VendorReviews.io's vendor record for ongoing monitoring.
Custom Data Retention and Rules Engine Available on Enterprise Plan
The Enterprise plan includes Custom Data Retention policies and a Rules Engine that allows admins to define recording, transcription, and retention governance across the workspace. This enables VendorReviews.io to align ScriberAI Meet's data retention with its own SOC 2 and GDPR data minimisation obligations, and to enforce policies such as auto-deletion of recordings after a defined period.
→ Configure Custom Data Retention policies during initial Enterprise deployment. Set a retention period aligned with VendorReviews.io's data retention policy (recommend 90-day maximum for meeting recordings unless a specific business need requires longer). Use the Rules Engine to enforce workspace-wide governance rather than relying on individual user settings.
8. Risk Summary & Overall Recommendation
8.1 Risk Register
Meeting Audio, Video, Transcripts, Participant PII, and Biometric Voice Data Transmitted to OpenAI and Anthropic
Context
ScriberAI Meet transmits meeting recordings, transcripts, participant names and emails, and voice characteristics to OpenAI, Anthropic, and undisclosed ASR sub-processors for AI processing. This data leaves VendorReviews.io's control boundary. The intended deployment covers company-wide meetings containing PII, IP, and financial data. ScriberAI Meet enforces ZDR with these sub-processors contractually, but the agreements are not independently verifiable from public documentation. VendorReviews.io has no CASB to monitor this outbound data flow.
Impact
If ScriberAI Meet's contractual ZDR protections with OpenAI or Anthropic are insufficient or not honoured, VendorReviews.io's IP, customer PII, and financial data could be retained in or used to train third-party AI models, constituting a GDPR Article 28 breach and potential regulatory sanction. Even with ZDR protections, the transfer itself requires documented SCCs under GDPR — absence of a formally executed DPA would make every meeting recording processed through ScriberAI Meet an unlawful international data transfer.
Mitigation
(1) Execute the ScriberAI Meet DPA incorporating SCCs before any meeting is recorded — do this before pilot. (2) Request and review sub-processor DPA/BAA terms with OpenAI and Anthropic before full rollout. (3) Conduct a Transfer Impact Assessment for US sub-processor transfers within 30 days of contract signing. (4) Subscribe to ScriberAI Meet's sub-processor change notification to receive advance notice of new AI vendors.
Biometric Voice Data (Voiceprints) Collected Without Guaranteed Consent for Non-Account Holders
Context
ScriberAI Meet's speaker recognition feature extracts voiceprints from all meeting participants including external parties who are not ScriberAI Meet account holders. Two active BIPA class action lawsuits (Dec 2025/Jan 2026) allege this practice violates BIPA. Under GDPR, biometric data is special category data. VendorReviews.io's meetings will include external participants (customers, partners) who have not consented to voiceprint collection. VendorReviews.io as meeting host bears controller responsibility for this processing under GDPR Article 9.
Impact
VendorReviews.io could face GDPR enforcement action for processing special category data without a valid Article 9(2) legal basis. Co-defendant exposure in BIPA-style litigation for meetings involving Illinois-resident external participants is possible. University institutions have already blocked ScriberAI Meet for this reason, signalling broad reputational risk in the market.
Mitigation
(1) Complete a DPIA before deployment — mandatory given large-scale biometric data processing. (2) Confirm with ScriberAI Meet whether speaker recognition can be disabled at the workspace level on Enterprise. (3) Implement mandatory pre-meeting disclosure for all externally-facing recorded meetings before full rollout. (4) Restrict initial pilot to internal-only meetings until the consent framework is validated.
Third-Party MCP Connector Integrations Bypass ZDR Protections — Uncontrolled Data Exit
Context
When users enable ScriberAI Meet MCP connectors (ChatGPT, Claude), meeting content is transmitted to those platforms under their own terms — ScriberAI Meet explicitly states it cannot guarantee deletion, storage, or non-training for data leaving via these connectors. VendorReviews.io has no CASB to detect or block this. Individual users can enable these integrations without IT awareness.
Impact
An employee enabling ChatGPT or Claude connectors would transmit meeting transcripts (potentially containing customer PII, IP, financial data) to OpenAI/Anthropic under standard API or consumer terms, with no ZDR or DPA protections. This would constitute an uncontrolled personal data breach under GDPR and a loss of IP containment.
Mitigation
(1) Confirm with ScriberAI Meet before pilot whether MCP connectors can be admin-disabled via the Enterprise Rules Engine. (2) If yes, configure this setting on day one. (3) If no, publish an explicit acceptable use policy and escalate to CISO for risk acceptance before rollout. (4) Evaluate Microsoft Defender for Cloud Apps deployment to gain SaaS-to-SaaS data flow visibility.
SAML SSO and SCIM Provisioning Gated to Enterprise Plan
Context
Core IAM controls required for VendorReviews.io's Entra ID environment — SAML SSO, SCIM provisioning, audit logs — are exclusively available on the Enterprise plan. On lower tiers, users authenticate outside Entra ID's control boundary, bypassing enforced MFA and Conditional Access. Without SCIM, user de-provisioning is manual and orphaned accounts are not detected by Intune or CrowdStrike Falcon.
Impact
Deployment on a non-Enterprise plan would mean VendorReviews.io's meeting recording data is accessible via accounts that bypass its security controls. A departing employee retaining ScriberAI Meet access could exfiltrate meeting recordings containing IP and customer PII after their Entra ID account is disabled.
Mitigation
Procurement must specify Enterprise plan as a contract requirement before any accounts are created. SSO and SCIM configuration must be completed and tested before pilot begins. No exceptions.
Active BIPA Class Action Litigation
Context
Two class action lawsuits filed in late 2025/early 2026 allege ScriberAI Meet violates BIPA by collecting voiceprints without consent, retention schedule, or disclosure. VendorReviews.io as the deploying organisation may face co-defendant exposure for meetings involving Illinois-resident external participants.
Impact
Adverse ruling could require ScriberAI Meet to disable speaker recognition or face injunctive relief, causing service disruption. VendorReviews.io's legal exposure depends on participant geography and whether adequate disclosures are made. Brand risk from association with a product under active biometric data litigation.
Mitigation
Legal team to assess BIPA exposure within 30 days. Implement pre-meeting disclosure process before any external participant meetings are recorded. Monitor litigation progress quarterly.
EU Data Residency Unavailable Below Enterprise; US Processing Unavoidable Even on Enterprise
Context
All VendorReviews.io meeting data defaults to US infrastructure. Even with EU Private Storage on Enterprise, ScriberAI Meet processes data in the US. VendorReviews.io's GDPR obligations require lawful transfer mechanism for EU personal data to the US.
Impact
Without a formally executed DPA and SCCs, every meeting recording involving EU data subjects is an unlawful international transfer. GDPR enforcement risk from the ICO or relevant supervisory authority.
Mitigation
Execute DPA before pilot. Document transfer mechanism in Article 30 register. Enable EU Private Storage on Enterprise as a partial mitigation even though processing remains US-based.
Broad Perpetual Sublicensable Content Licence in ToS
Context
ScriberAI Meet ToS Section 5(b)-(c) grants a perpetual, irrevocable, sublicensable licence to User Content. While limited to service delivery by 5(c)(i), the breadth of the language creates IP risk for VendorReviews.io.
Impact
In a contractual dispute, ScriberAI Meet could assert licence rights over VendorReviews.io's IP contained in meeting recordings. Sublicensing language could be exercised in corporate transaction scenarios.
Mitigation
Legal team to negotiate MSA addendum narrowing the licence before contract signing.
No CASB or Web Proxy — No Visibility into Shadow IT ScriberAI Meet Usage
Context
VendorReviews.io has no CASB or web proxy. Personal ScriberAI Meet account usage by employees is invisible to IT and bypasses Enterprise workspace DPA and ZDR protections.
Impact
Shadow IT use of ScriberAI Meet on personal accounts transmits VendorReviews.io meeting content without contractual data protection, potentially constituting a data breach.
Mitigation
Deploy Microsoft Defender for Cloud Apps (available in Microsoft 365 licensing VendorReviews.io likely already has) to detect and block unsanctioned ScriberAI Meet account usage within 90 days of deployment.
Chrome Extension and Mobile App Not Under Managed Deployment
Context
ScriberAI Meet Chrome extension and mobile apps are available for self-installation. Without Intune-managed deployment, these components operate outside VendorReviews.io's MDM visibility.
Impact
Unmanaged extensions/apps could retain meeting data locally or grant broader browser permissions than the sanctioned use case requires.
Mitigation
Deploy Chrome extension via Intune managed policy. Apply Intune MAM policies to ScriberAI Meet mobile app before rollout on mobile devices.
Growthbook SDK Feature Flag Leak (March 2024, Remediated)
Context
Chrome extension called a public Growthbook endpoint containing user emails/domains. Remediated within hours. No recurrence documented.
Impact
Minimal given prompt remediation and no recurrence. Indicates third-party SDK risk in Chrome extension.
Mitigation
Note in vendor risk register. Monitor for recurrence at annual review.
No Published ScriberAI Meet Bot Network Allowlist Requirements
Context
No documented IP ranges or domain allowlist for ScriberAI Meet bot infrastructure.
Impact
Low immediate impact given no current proxy/firewall controls. Future network hardening would require allowlist data retroactively.
Mitigation
Request from account team at contract signing. Document for future use.
SOC 2 Type II Certified, Annual Audits
GDPR DPA with SCCs Publicly Available
Zero Data Retention Policy Contractually Enforced with AI Sub-Processors
SAML 2.0, SCIM 2.0, RBAC, Audit Logs Available on Enterprise
AES-256 Encryption at Rest and TLS in Transit
HackerOne Bug Bounty and Responsible Disclosure Policy
Overall Recommendation
ScriberAI Meet is a technically capable, compliance-aware meeting AI platform with genuine enterprise security controls — SOC 2 Type II, GDPR DPA, ZDR with AI sub-processors, and SAML/SCIM support.
However, the combination of mandatory critical findings (biometric/PII data transmitted to named AI sub-processors without verified contractual adequacy, active BIPA litigation, and the MCP connector data exfiltration path) means deployment cannot be approved without specific preconditions being met.
All critical and high findings can be substantially mitigated through plan selection, contractual controls, and configuration — but these must be completed before any meeting is recorded.
Approved For
- ✓ Internal team meetings (VendorReviews.io employees only) once Enterprise plan is deployed, SAML/SCIM is configured, MCP connectors are admin-disabled, DPA is executed, and pre-meeting disclosure policy is in place
- ✓ Sales and customer calls only after DPIA completion, legal review of biometric consent framework, and mandatory pre-meeting disclosure is implemented and tested
- ✓ Financial discussions and IP-sensitive meetings only after EU Private Storage is enabled (Enterprise), DPA is executed with verified SCCs, and sub-processor ZDR agreements with OpenAI/Anthropic are reviewed
Mandatory Controls Before Deployment
- ⚠️ Execute ScriberAI Meet DPA (incorporating SCCs) formally before any meeting is recorded — obtain signed copy for compliance records
- ⚠️ Procure Enterprise plan — SSO, SCIM, audit logs, custom retention, and MCP connector admin controls are not available below this tier
- ✅ Configure SAML 2.0 SSO via Microsoft Entra ID and verify all VendorReviews.io users are routed through Entra ID — non-SSO login methods must be disabled or blocked at the workspace level
- ✅ Enable SCIM 2.0 provisioning via Entra ID and test automated de-provisioning before pilot go-live
- ⚠️ Confirm with ScriberAI Meet whether MCP connectors (ChatGPT, Claude) can be admin-disabled via Enterprise Rules Engine — if yes, disable before any accounts are active
- ⚠️ Request and review ScriberAI Meet's ZDR/BAA agreements with OpenAI, Anthropic, and ASR sub-processors under mNDA
- ✅ Conduct GDPR Data Protection Impact Assessment (DPIA) for biometric voice processing before recording any external participant meetings
- ✅ Implement mandatory pre-meeting disclosure template for all recorded meetings, particularly those involving external participants
- ✅ Configure Custom Data Retention policy on Enterprise plan aligned with VendorReviews.io's data retention schedule (recommend 90-day maximum for recordings)
- ⚠️ Legal team to negotiate MSA addendum narrowing the User Content licence in ToS Section 5(b)-(c) before contract signing
Not Recommended For
- ✕ Meetings involving healthcare PHI without a separately executed HIPAA BAA
  HIPAA BAA is exclusively available on the Enterprise plan and must be requested separately; without it, PHI in meeting recordings would violate HIPAA Safe Harbour requirements and create regulatory liability for VendorReviews.io
- ✕ Recording external participant meetings before DPIA completion and consent framework is implemented
  ScriberAI Meet extracts voiceprints from all participants including non-account-holders; without a documented Article 9(2) legal basis and participant disclosure, every external-participant recording is an unlawful processing of biometric special category data under GDPR, and VendorReviews.io as controller bears primary regulatory exposure
- ✕ Deployment on Pro or Business plans
  These tiers lack SAML SSO, SCIM provisioning, audit logs, and admin-controlled MCP connector disablement; without SAML/SCIM, ScriberAI Meet accounts are outside VendorReviews.io's Entra ID MFA enforcement and automated offboarding, creating persistent access risk for departed employees
9. Action Items
1. [Procurement] Specify ScriberAI Meet Enterprise plan as a hard requirement in the vendor contract. Do not allow pilot accounts to be created on Pro or Business plans. Target: Before contract signing.
2. [Legal/Compliance] Execute the ScriberAI Meet DPA (available at ScriberAI Meet.ai/data-processing-agreement) formally and retain a signed copy. Negotiate MSA addendum narrowing the User Content licence in ToS Section 5(b)-(c). Target: Before any account provisioning.
3. [IT Admin] Configure SAML 2.0 SSO integration between ScriberAI Meet Enterprise and Microsoft Entra ID. Verify that non-SSO login methods (email/password, Google OAuth) are disabled at the ScriberAI Meet workspace level. Target: Before pilot launch.
4. [IT Admin] Enable SCIM 2.0 provisioning against Entra ID. Test automated user de-provisioning by deactivating a test account in Entra ID and confirming immediate ScriberAI Meet access revocation. Document the result. Target: Before pilot launch.
5. [IT Admin] Confirm with ScriberAI Meet account team whether MCP connectors (ChatGPT, Claude) can be admin-disabled via the Enterprise Rules Engine. If yes, disable before any accounts go live. If no, escalate to CISO for risk acceptance decision. Target: Before pilot launch.
6. [Security/Legal] Request ScriberAI Meet's current sub-processor list from trust.ScriberAI Meet.ai/subprocessors and verify OpenAI, Anthropic, and all ASR vendors are listed. Request copies of ScriberAI Meet's ZDR/BAA agreements with these sub-processors under mNDA for independent review. Target: Within 30 days of contract signing.
7. [Compliance/Legal] Conduct a GDPR Data Protection Impact Assessment (DPIA) for biometric voice processing (voiceprint extraction during speaker recognition). Engage VendorReviews.io's DPO or external counsel to assess GDPR Article 9 legal basis options. Target: Before recording any meeting with external participants.
8. [Legal] Assess VendorReviews.io's BIPA and GDPR co-controller exposure for meetings involving Illinois-resident and EU-resident external participants. Determine whether speaker recognition must be disabled and document decision. Target: Within 30 days of contract signing.
9. [IT Admin/Legal] Implement a mandatory pre-meeting disclosure template: all meeting invites for ScriberAI Meet-recorded meetings must include participant notice of recording/transcription and a link to the ScriberAI Meet privacy policy. Roll out to all users before first external-participant meeting is recorded. Target: Before external-participant recordings begin.
10. [IT Admin] Configure Enterprise Custom Data Retention policy. Set meeting recording retention to a maximum of 90 days unless a documented business case requires longer. Use the Rules Engine to enforce this policy workspace-wide. Target: Within 14 days of Enterprise deployment.
11. [IT Admin] Deploy ScriberAI Meet Chrome extension as a managed extension via Intune/Chrome Enterprise policy rather than allowing self-installation. Apply Intune MAM policies to the ScriberAI Meet mobile app on iOS and Android. Target: Before broad rollout.
12. [IT/Security] Evaluate deployment of Microsoft Defender for Cloud Apps (check existing Microsoft 365 licence entitlement) to gain CASB visibility into ScriberAI Meet account usage and detect personal account shadow IT use. Target: Within 90 days of ScriberAI Meet deployment.
13. [Compliance] Update VendorReviews.io's Article 30 Record of Processing Activities to include ScriberAI Meet as a processor, documenting data categories, processing purposes, US transfer mechanism (SCCs), and sub-processors. Target: Before go-live.
14. [Security] Initiate mNDA process with ScriberAI Meet to obtain the current SOC 2 Type II report. Review for exceptions or qualified opinions before final deployment approval. Target: Within 30 days of contract signing.
10. Additional Resources
11. Document Control
Version: 1.0
Product Reviewed: ScriberAI Meet.ai — AI Meeting Recording, Transcription, and Summarisation Platform (https://example.com/redacted-for-demo Meet.ai/)
Deployment Type: Company-wide SaaS deployment, 26–100 users
Prepared by: VendorReviews.io Automated Security Review (vendorreviews.io)
Reviewed by: [Pending analyst sign-off]
Next Review Date: 2026-08-05 (90 days) — or immediately upon material change in ScriberAI Meet sub-processor list, BIPA litigation outcome, or pricing tier changes affecting security feature availability
Classification: Internal — Vendor Risk Assessment
Regulatory Context: GDPR, SOC 2
Note: This review is based on publicly available documentation and research findings as of 2026-05-07. It does not substitute for independent legal advice on GDPR, BIPA, or contractual matters. VendorReviews.io's legal and compliance teams should be engaged before contract signing.