How a fast-growth company that delivers hardened security for data exchange evaluated AI notetakers for its employees.
Kiteworks is the control plane for secure data exchange, used by enterprises and government agencies to govern sensitive data across email, file sharing, managed file transfer, SFTP, data forms, APIs, and AI data access. The company’s customers in finance, healthcare, defense, and government trust them because they hold themselves to the same standards they sell.
The stakes
Meeting notes are some of the most sensitive data a company generates
Customer conversations, product roadmaps, financial discussions, legal reviews, it all ends up in a transcript. When employees across Kiteworks started requesting an AI notetaking tool, IT took it seriously. This wasn't a tool they could leave to chance or let employees adopt individually.
Rather than let employees find their own solutions, and end up with a different tool in every team, Kiteworks ran a formal evaluation to find one solution IT could trust and have full governance over. The same way they'd assess any system that touches sensitive company data.
Kumud Kokal, Kiteworks’ CIO, put it simply:
"What I needed was something that works, and is secure and flexible enough that our employees will actually use it."
Kumud Kokal, CIO, Kiteworks
That meant finding one tool IT could actually stand behind.
The solution
What IT needed before saying yes
As a company that maintains FedRAMP, SOC 2 Type II, ISO 27001, 27017, 27018, BSI C5, among other security validations, Kiteworks applied the same governance discipline to its AI tool selection that it recommends to its customers. Kiteworks’ criteria were simple: the tool had to be easy enough that employees would actually use it, and the admin controls had to be strong enough that IT could enforce policy without constant hand-holding.
Almost every tool passed the first test. Very few passed the second.
The evaluation
Why Fellow cleared the security review
For Kiteworks, approving an AI meeting tool meant treating it like any other system that touches sensitive company data. The evaluation focused on three areas: how data is processed, who controls access, and how information is governed once it exists.
Data is processed without third-party retention
A major concern with AI meeting tools is where meeting data ends up after it is processed. Many vendors rely on third-party AI services that store or retain data as part of their model operations.
Fellow’s architecture addressed that concern directly. When AI models are used to generate transcripts or summaries, the processing happens without the data being retained or used to train models. However, the AI providers used by Fellow are contractually required to process data ephemerally, meaning meeting content is handled only for the duration of the request and is not stored afterward.
For a company with internal meetings that regularly involve customer data, product strategy, and security discussions, ensuring that transcripts and recordings were not leaving the control of the organization or becoming training data for external models was a baseline requirement.
IT maintains centralized administrative control
Security approval also depended on whether IT could enforce policies at scale rather than relying on individual user behavior.
Fellow provides centralized administrative controls that allow IT teams to manage how the tool is used across the organization. Administrators can provision users directly, disable self-signup, and enforce authentication through existing identity providers such as Microsoft.
Recording policies can be defined at the workspace level, including restricting which meetings can be recorded, excluding certain users, and controlling how recordings and transcripts are stored. Retention rules can also be applied so that recordings and transcripts are automatically deleted after a defined period.
These capabilities gave Kiteworks the ability to implement clear governance policies without requiring manual enforcement for each team or meeting.
Meeting content stays within the organization by default
Another requirement was ensuring that meeting summaries and transcripts did not unintentionally expose information outside the company.
Fellow’s recap sharing model limits access by default to internal participants on the calendar invite. External attendees can be prevented from accessing recap links entirely, eliminating the risk of meeting summaries being forwarded outside the organization without oversight.
For security teams, this default behavior reduces the likelihood of sensitive information being shared unintentionally.
Independent security review
Before moving forward commercially, Kiteworks conducted its own internal security assessment of the platform. The review focused on data processing, access controls, and governance capabilities.
The assessment did not surface any concerns, and a Data Processing Agreement was executed to cover the handling of data associated with European employees and customer meetings under GDPR.
For Kiteworks, Fellow was the only vendor in the evaluation that satisfied both the usability requirements employees needed and the governance requirements IT had to enforce.
The IT team provisioned accounts directly; no self-signup, no way for employees to spin up their own workspaces. Microsoft authentication handled login, which meant no new identity layer to manage and no friction for end users.
Fellow's professional services team worked through each department, spending time with directors and above to configure settings, improve transcription accuracy for Kiteworks-specific vocabulary, and make sure recap emails worked the way teams expected.
What Changed
Not just adoption. A proof point.
IT Finally Had Control
IT had visibility and control over a category that, for most organizations, has been a blind spot. One tool. One set of policies. One place to manage who had access, what was being recorded, and how long data was kept.
Meeting Context Moved Across the Org
For the first time, information from meetings wasn't stuck with whoever attended. Product, CS, and Marketing could tap into customer call intelligence without anyone needing to forward a note. Teams that were never in the room could see what was discussed.
No Shadow IT Risk
But the bigger win wasn't adoption. It was what Fellow represented for a company that sells data security and governance to some of the most compliance-focused organizations in the world.
Four weeks into deployment, Kumud's team gathered feedback from across the organization. The read was clear: people liked it.