Attorney–client privilege does not survive a third party on the line.

By Fazit

For a lawyer, the risk of a cloud AI notetaker is not only whether you may record the call. It is what recording does to the privilege. Streaming a client conversation to a vendor and its subprocessors is a disclosure to third parties — which invites a waiver argument and leaves a discoverable record. On-device transcription avoids the disclosure by never sending the audio. It does not, however, remove your duty to tell your client.

This is general information for practicing attorneys, not legal advice, and it does not create an attorney–client relationship. Privilege and ethics rules vary by jurisdiction and are fact-specific; rely on your own bar’s current rules and opinions.

Three duties a notetaker touches at once

A meeting-notes tool sits directly on top of three overlapping obligations, and cloud transcription strains all three:

  • Confidentiality (Model Rule 1.6). You must make reasonable efforts to prevent unauthorized disclosure of information relating to the representation. Routing that information through a third-party pipeline is exactly the kind of choice the rule asks you to make deliberately.
  • Technological competence (Rule 1.1, comment 8). The duty of competence now includes understanding the benefits and risks of the technology you use. “I didn’t know it uploaded the audio” is not a defense the comment leaves open.
  • The privilege itself. Distinct from your ethical duties, the attorney–client privilege is an evidentiary protection that can be waived — and waiver is where the notetaker does its real damage.

The waiver problem

The general rule is stark: voluntarily disclosing a privileged communication to a third party can waive the privilege as to that communication. A cloud notetaker is, by construction, a set of third parties — the vendor, plus whatever ASR and LLM subprocessors it streams your audio to. The moment your client’s privileged words reach those servers, you have created a disclosure you then have to defend.

There is a counter-argument, and it is worth stating fairly: disclosures to agents who facilitate the representation — interpreters, e-discovery vendors, experts under Kovel — often do not waive privilege. A notetaker vendor might be characterized the same way. But notice what that costs you: you have turned a settled protection into a fact-specific argument you now have to win, one that a confidentiality agreement papers over but does not eliminate, and that says nothing about audio swept into a training set. Cloud transcription trades a clean privilege for a defensible one. On-device transcription lets you keep the clean one, because there is no third-party disclosure to characterize.

The discovery problem

Even set privilege aside. A recording or transcript on a vendor’s server is an artifact, and artifacts are discoverable. Opposing counsel can seek it. It can surface in a matter unrelated to the one it was made for. It falls within litigation holds. It can be breached. And the metadata — which client, which date, which duration — can itself be sensitive in a way that survives deletion of the content.

WHERE THE PRIVILEGED AUDIO ENDS UP        WHO CAN REACH IT
Cloud recorder + bot (Otter, Fireflies)   Vendor, subprocessors, subpoena,
                                          breach, sometimes training sets
Bot-free cloud transcription (Granola)    ASR/LLM subprocessors, then deleted
On-device transcription (Fazit)           No one — the audio never leaves
                                          the machine, no file is created

The ladder is the whole argument in three rows. Each step down removes a category of party who can reach your client’s words. The bottom row removes all of them — not by policy, but because the audio was never written or sent.

The bot problem

Bot-based tools add a second liability on top of the first. A visible “notetaker has joined” bot records everyone on the call — including opposing parties, witnesses, and third parties whose consent you do not have and whose words you may have no right to capture. In an all-party-consent jurisdiction, that bot can create exposure before anything is transcribed. The consent map is here, and the argument that a notetaker should not attend as a participant at all is in An AI Notetaker Should Not Be a Participant in Your Call.

The privilege question and the consent question are different, and both matter. Consent asks whether you were allowed to record. Privilege asks whether recording handed your client’s confidences to someone who can now be compelled to produce them. A tool can be perfectly compliant on the first and catastrophic on the second.

What on-device changes — and what it does not

Be precise about the boundary. On-device transcription does not excuse you from the consent and disclosure duties covered in the consent guide. If your jurisdiction or your client relationship requires notice, you still give it.

What it removes is the third-party disclosure and the discoverable artifact. Fazit holds call audio in a RAM ring buffer, transcribes it with an on-device model on Apple Silicon, and writes the note to your own vault as Markdown. No audio file is created, no subprocessor receives the conversation, and the note carries audio_retained: false in its frontmatter because that line describes the execution path, not a promise. There is no recording to subpoena, no vendor to compel, and no disclosure to characterize as a waiver — because the privileged audio never left your machine. The mechanism is documented in Why “Never Records” Is Not Marketing, and the architecture-level comparison in On-Device vs. Cloud AI Notetakers.

Evaluating a notetaker as a lawyer: five questions

  1. Does the client’s audio leave my device? If yes, you have a third-party disclosure to justify.
  2. Is there a subprocessor list? Every name on it is a party who receives privileged material.
  3. Is a recording or transcript stored where a subpoena can reach it? If so, it is discoverable — plan for the litigation hold now.
  4. Does a bot join and record everyone? If so, you are capturing non-clients whose consent you may lack.
  5. Can the vendor use my audio to train models? Find the answer before the call, not in the terms after.

A tool that answers no / none / no / no / no is doing on-device transcription. For a practice built on privilege, that row is not a nicety — it is the difference between a note-taking tool and a future discovery target.

General information, not legal advice — rely on your own bar’s current rules. See the call-recording consent map, how the on-device pipeline avoids creating a recording, or the full cloud-notetaker comparison. If it fits your practice, early access pricing is live. Firms and security teams: source access for independent review is available on request — hello@getfazit.com