BYOK cloud voice notes for legal and clinical work - under a BAA you sign with the provider
For attorneys, clinicians, and other regulated professionals: when you bring your own cloud provider, jotty.pro routes audio to that AI provider under the BAA, DPA, or equivalent agreement your organization already holds with it. We're a routing layer. The agreement is between your organization and the provider you choose, not with us.
When a cloud provider is the right call
If your organization has a Business Associate Agreement (HIPAA), a Data Processing Agreement (GDPR), or the equivalent arrangement your jurisdiction requires, and that agreement is with one of the providers we support, you can route transcription and summarization to them under your key.
We're not a party to that agreement; it sits between your organization and the provider. We route requests using the key your IT or compliance team supplies. We don't provision keys, don't sign BAAs ourselves, and don't act as a Business Associate on your behalf. Transcripts land in local DuckDB on the device, and we don't store them server-side under any configuration.
We don't claim that using a cloud provider automatically satisfies HIPAA, GDPR, attorney-client privilege, or any other regulatory obligation. That call belongs to your compliance owner, who has to evaluate the provider's terms, subprocessor list, data residency, and retention policy against your obligations.
How it works
- Pick a provider whose terms include a BAA (for HIPAA-covered content), a GDPR-compliant DPA, or the equivalent for your jurisdiction.
- Your IT or compliance team provisions the API key with that provider and pastes it into the app. We don't issue or hold enterprise keys for you. Treat the key as a credential your organization owns: scope it to the services the agreement covers, rotate it on your normal schedule, and revoke it at the provider when a device is lost or decommissioned.
- Capture the note. We route the audio to that provider for transcription, and optionally summarization, under their terms.
- Review the transcript and summary inside the app before it goes into a client file, medical record, or legal document.
- The final transcript persists in local DuckDB on the device, where your team's retention and legal-hold procedures can pick it up.
How it compares
| Dimension | Generic cloud transcription, no BAA | On-device (no external calls) | jotty.pro with a BAA-covered provider key |
|---|---|---|---|
| Regulatory coverage | Usually none for HIPAA/GDPR content | Narrowest technical posture; no external calls | Depends on your agreement with the chosen provider |
| Who signs the BAA | Nobody | N/A (no external processing) | Your organization and the provider you select |
| Where the transcript lives | Vendor's servers | Local DuckDB on the device | Local DuckDB on the device; audio handled by provider under your agreement |
| Who holds the API key | Vendor | N/A | Your organization's IT issues and manages it |
Honest answers
Is this app HIPAA-compliant when I use a cloud provider?
No, and we don't claim it is. Compliance is a property of your organization's program, not of a tool. We're a routing layer: we send audio to the provider your organization picks and store the transcript locally. We don't sign BAAs, don't store transcripts server-side, and don't act as a Business Associate. HIPAA coverage depends entirely on the BAA you hold with the chosen provider and on how your organization manages the key, the device, and the local DuckDB store.
Which providers can carry a BAA?
We support nine providers for cloud calls: OpenAI, Groq, Deepgram, HuggingFace, Ollama, X.AI, Google, Mistral, and DeepSeek. BAA availability varies by provider and account tier. Your compliance or legal team should confirm with the provider directly whether a BAA is available for the account type you use and which services it covers.
Where do transcripts ultimately live for legal hold?
Locally, in DuckDB on the device, no matter which provider you use. We don't transmit or retain transcripts server-side. Your legal-hold and records-retention workflows operate on that local DuckDB store. Your IT or records management team decides how to include it in litigation hold, export, or archival.
If your organization hasn't signed a BAA with any of our supported providers, keep transcription on-device for the narrower posture. There is nothing external to evaluate, only the device and your own retention policy.