Security, GDPR compliance & professional confidentiality

Standards applicable to the Fast Dictate Pro plan. Last updated: 17 May 2026.

This document describes the safeguards applicable to the Fast Dictate Pro plan.

The commitments relating to the processing of professional content (audio and transcriptions handled exclusively in France on ISO 27001:2022 and HDS-certified infrastructure, zero audio retention, self-hosted AI models, signing of a DPA) apply to the Pro plan. Technical account data (email, authentication, subscription) is processed by international sub-processors that comply with GDPR through Standard Contractual Clauses, see section 1 below. The Free and Standard plans rely on GDPR-compliant partners but do not benefit from the full set of contractual guarantees described here. For high-compliance requirements (IT departments, regulated professions, sensitive data), the Pro plan is the appropriate offering.

Contents

  1. Data location, professional content and account data
  2. Data retention, deleted audio, local transcriptions
  3. No use for AI training
  4. Encryption and secure exchanges
  5. ISO 27001:2022 and HDS-certified infrastructure
  6. Authentication and access control
  7. Security incident management
  8. Your rights under GDPR
  9. Professional confidentiality
  10. DPA and security contact

1. Data location, professional content and account data

Fast Dictate distinguishes between two categories of data, subject to different location rules and providers: on the one hand, the professional content dictated by the user (audio and associated transcriptions), and on the other, the technical account data (identifiers, subscription, billing).

1.1 Professional data, the content of your dictations

The content of what you dictate never leaves French territory. Speech-to-text transcription (using the Whisper Large V3 model) and language post-processing (using the GPT-OSS-120B model) are self-hosted on French servers. The application back-end is also hosted in France. All of this hosting infrastructure is ISO 27001:2022 and HDS certified.

No third-party API call (OpenAI, Anthropic, Google, AWS, Azure or others) is made to process this data.

1.2 Technical account data, email, authentication, subscription

The data required to create and manage the user account (email address, subscription identifier, payment status) is entrusted to international sub-processors that comply with GDPR through the European Commission's Standard Contractual Clauses (SCC). These providers cover three standard SaaS functions: the user database, optional social authentication, and payment processing.

No professional content (audio, transcription) transits through these providers: they only see the email and account metadata. Users sensitive to this distinction can sign up with a dedicated email address and disable social sign-on.

The detailed list of sub-processors, their location and the categories of data processed are set out in our privacy policy and in the Data Processing Agreement (DPA) provided on request to Pro plan customers.

2. Data retention, deleted audio, local transcriptions

2.1 Audio files

Audio recordings transmitted by the Fast Dictate application for transcription are processed in memory only by our transcription provider, for the time strictly necessary to generate the text. They are then immediately deleted.

Fast Dictate applies a zero retention policy (0-day retention) for audio recordings. No audio file is kept on our servers, archived, or shared between customers.

2.2 Transcriptions

The text resulting from transcription is returned to the application installed on the user's device. It is stored locally on that device. Fast Dictate keeps no transcription on its servers.

2.3 Account data

The data required to manage the account (email address, optional name, subscription status, billing history) is retained for the duration of the subscription. Billing data is retained beyond that period in accordance with applicable accounting obligations.

2.4 Technical logs

Application logs (IP addresses, timestamps, request identifiers) are kept for thirty (30) days for security and incident resolution purposes, then deleted or anonymised.

3. No use for AI training

Audio recordings and generated transcriptions are never used to train, retrain, fine-tune or improve any artificial intelligence model, whether internal to Fast Dictate or operated by a third party.

This commitment is set out in the Pro plan's Data Processing Agreement (DPA). It is also contractually enforced on our technical transcription provider, whose terms of service explicitly state that it does not collect, read, reuse or analyse the content of inputs or outputs generated by its programming interfaces.

Your professional content is not pooled with that of other customers in shared storage: audio is processed in memory and then destroyed, and transcriptions are returned directly to the local application without persistence on the server side.

4. Encryption and secure exchanges

4.1 Encryption in transit

All communications between the Fast Dictate application, our servers and our technical sub-processors are encrypted via HTTPS/TLS. No data is transmitted in cleartext over the network.

4.2 Encryption at rest

Account data persisted in our database is protected by the at-rest encryption obligations applicable to our hosts under their ISO 27001:2022 and HDS certifications. Since audio files are never persisted, the question of encryption at rest does not apply to these recordings.

4.3 Scope

Fast Dictate does not implement end-to-end encryption, which is incompatible with the nature of the service: to be converted into text, the audio must be available in cleartext on the transcription infrastructure, so that infrastructure necessarily sits inside the trust boundary. The confidentiality guarantees therefore rely on the combination of encryption in transit, the absence of audio storage, the infrastructure certifications and the contractual commitments imposed on our sub-processors.

5. ISO 27001:2022 and HDS-certified infrastructure

The entire technical chain of the Pro plan relies on French infrastructures certified ISO/IEC 27001:2022 and HDS (Hébergeur de Données de Santé, French Healthcare Data Host). These infrastructures host both the AI inference chain (speech-to-text transcription and language post-processing) and the Fast Dictate application back-end (business API, authentication, account and subscription management). The legal identity of the hosting providers is set out in the legal notice.

These certifications cover, among other things, the physical security of data centres (access control, electrical and climate redundancy), network security (web application firewall (WAF), virtualisation isolation, Zero Trust architecture on the host side), security incident management (CSIRT teams on the provider side), and regular vulnerability and penetration testing of the infrastructure.

Fast Dictate, as a software publisher, does not currently hold its own ISO 27001 or SOC certification. By design, the service only exposes a limited attack surface: no audio or transcription is persisted on the server side, and only the data strictly necessary to manage the account is retained.

6. Authentication and access control

User authentication relies on signed, short-lived tokens. No application route handling user data is accessible without prior presentation of a valid, unexpired token.

Per-user rate limiting is applied to prevent abusive use and brute-force attempts.
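As an added illustration of the two controls just described (this is example code, not Fast Dictate's own, whose token format, signing algorithm and limits the page does not disclose): a bearer token signed with HMAC-SHA256 and carrying a short expiry, verified with a constant-time comparison before any data route is served, plus a sliding-window rate limit applied per user to authenticated requests and per source address to failed token presentations. The signing key, the 15-minute lifetime, the `payload.signature` layout and the request limits are assumptions chosen for the example.

```python
"""Signed short-lived bearer tokens plus per-user rate limiting.

Added example, not Fast Dictate's code. Token layout, key, TTL and
limits below are assumptions made for illustration only.
"""
import base64
import hashlib
import hmac
import json
import time
from collections import deque
from typing import Deque, Dict, Optional, Tuple

# Constructed key for the example; a real service loads it from a secret store.
SECRET = b"example-signing-key-not-a-real-secret"
TOKEN_TTL_SECONDS = 900  # assumed 15-minute lifetime


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64u(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id: str, now: Optional[float] = None) -> str:
    """Return '<base64url payload>.<base64url HMAC-SHA256>' with iat/exp claims."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "iat": int(now), "exp": int(now) + TOKEN_TTL_SECONDS}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return f"{_b64u(payload)}.{_b64u(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the signature is valid and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64u(payload_b64), _unb64u(sig_b64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time, no timing leak
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return None
    if claims["exp"] <= now:  # expired: reject even though the signature is good
        return None
    return claims.get("sub")


class RateLimiter:
    """Sliding-window limiter: at most `limit` events per `window` seconds per key."""

    def __init__(self, limit: int, window_seconds: float) -> None:
        self.limit, self.window = limit, window_seconds
        self._hits: Dict[str, Deque[float]] = {}

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        q = self._hits.setdefault(key, deque())
        while q and q[0] <= now - self.window:  # drop events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def handle_request(token: str, client_ip: str, user_limiter: RateLimiter,
                   ip_limiter: RateLimiter, now: Optional[float] = None) -> Tuple[int, str]:
    """Gate a hypothetical data route: 401 without a valid token, 429 when over limit."""
    now = time.time() if now is None else now
    user = verify_token(token, now)
    if user is None:
        # Failed presentations are throttled per source address to blunt brute force.
        if not ip_limiter.allow(client_ip, now):
            return 429, "too many failed attempts"
        return 401, "invalid or expired token"
    if not user_limiter.allow(user, now):
        return 429, "rate limit exceeded"
    return 200, f"transcription request accepted for {user}"


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    tok = issue_token("alice", now=t0)
    users, ips = RateLimiter(limit=3, window_seconds=60), RateLimiter(limit=5, window_seconds=60)
    print(handle_request(tok, "203.0.113.7", users, ips, now=t0 + 5))
    print(handle_request(tok, "203.0.113.7", users, ips, now=t0 + TOKEN_TTL_SECONDS + 1))
```

The expiry check rejects a token whose signature is still valid, which is what bounds the damage from a leaked token; the per-address limiter on failed presentations is what turns "signed tokens" into an actual brute-force defence, since signature verification alone would happily check an attacker's guesses at full speed.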

Within Fast Dictate, access to production systems is restricted to authorised personnel, under the principle of least privilege. Authorised personnel are bound by a confidentiality obligation.

7. Security incident management

In the event of a personal data breach within the meaning of Article 4(12) of the GDPR, Fast Dictate undertakes to notify the Pro plan customer within a maximum of twenty-four (24) hours after becoming aware of the incident.

The notification specifies the nature of the breach, the categories and approximate number of data subjects concerned, the categories and approximate number of records concerned, the likely consequences, and the measures taken or proposed to remedy the breach and mitigate its effects.

Fast Dictate provides the customer with all the assistance necessary to comply with their obligations to notify the supervisory authority (CNIL in France) and, where applicable, the data subjects concerned.

8. Your rights under GDPR

8.1 Available rights

In accordance with Articles 15 to 22 of the GDPR, you have the following rights over your personal data:

  - right of access (Article 15);
  - right to rectification (Article 16);
  - right to erasure (Article 17);
  - right to restriction of processing (Article 18);
  - right to data portability (Article 20);
  - right to object (Article 21);
  - right not to be subject to a decision based solely on automated processing (Article 22).

8.2 How to exercise these rights

Any request to exercise a right must be sent to contact@fastdictate.com, from the email address associated with the account. Proof of identity may be requested in case of reasonable doubt.

8.3 Timelines

Request                                                                              Timeline
Response to a request to exercise rights                                             1 month (3 months for complex requests)
Assistance to the Pro plan customer in responding to data subject requests           5 business days
Complete and irreversible deletion of data after account closure request             48 hours
Return of data in a structured format (at the end of the subscription, on written request)   14 days
Deletion at the end of the subscription (default)                                    30 days

8.4 Complaint to the CNIL

If you believe your rights are not being respected, you may lodge a complaint with the French Data Protection Authority (CNIL, Commission Nationale de l'Informatique et des Libertés), 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, www.cnil.fr. Users in other EU Member States may also contact their national supervisory authority.

9. Professional confidentiality

The Fast Dictate Pro plan was designed to be compatible with the requirements of professions subject to professional confidentiality within the meaning of Article 226-13 of the French Criminal Code, in particular lawyers, in-house counsel and bailiffs.

The combination of the following safeguards enables the Pro plan to fit within the scope of tools usable by these professions, subject to the diligence of each professional regarding the use of the tool and the content dictated:

  - full processing in France;
  - immediate deletion of audio recordings;
  - local storage of transcriptions;
  - ISO 27001:2022 and HDS-certified infrastructure;
  - complete absence of use of data for AI training;
  - formal contractual commitment via a DPA.

A detailed presentation of the professional confidentiality framework and how Fast Dictate Pro fits within it is available on the dedicated page: Fast Dictate Pro and lawyer-client confidentiality.

10. DPA and security contact

10.1 Data Processing Agreement

The Data Processing Agreement (DPA) applicable to the Pro plan is available on written request to contact@fastdictate.com. It specifies, in particular:

10.2 GDPR and security contact

Any question relating to data protection, compliance or service security can be sent to contact@fastdictate.com. The indicative response time for GDPR requests is five (5) business days.

10.3 Service publisher

Fast Dictate is a service published from France. Applicable law: French law and Regulation (EU) 2016/679 (GDPR). Competent jurisdiction: courts of Toulouse, France. Contact: contact@fastdictate.com. The full legal identity of the publisher is set out in the legal notice.

A compliance requirement?

The Fast Dictate Pro plan is designed for IT departments, legal teams and regulated professions. To request our DPA or ask a security question, write to us at the address below.

contact@fastdictate.com