---
title: "How safe is that, actually"
description: "A vendor I vouched for got challenged twice in one week. I couldn't answer with more than trust, so I built a method to climb past it."
url: "https://hoeijmakers.net/how-safe-is-that-actually/"
date: 2026-06-29
author: "Rob Hoeijmakers"
site: "hoeijmakers.net"
language: "en"
tags: ["AI Governance"]
---

# How safe is that, actually

A vendor I had vouched for was challenged twice in one week. My answer was thinner than I liked, so I built a way to climb past habit into evidence.

Someone I work with asked how safe [Fireflies](https://hoeijmakers.net/fireflies-ai-transcriptions/) actually is. It did not land as a question. It landed as a sneer.

A few days later, in a privacy meeting, someone else started poking at the same tool. I had vouched for it both times. And both times, my answer amounted to: it’s fine, I use it, I trust it.

That is not an answer. It is a habit.

## The five layers

Most vendor trust sits on a ladder nobody climbs unless pushed.

At the bottom is marketing language: badges, reassurances, and the claims a company puts on its own homepage. One step up are named frameworks, stated but not shown: “SOC 2 compliant”, “GDPR ready”, “enterprise grade”. A step further are public artefacts you can actually read yourself: a dated data processing agreement, a subprocessors list, a public trust page.

Above that is evidence gated behind an NDA: the actual audit report, available only inside a formal relationship. And at the top is what you find by probing: a pointed question to support, an independent scan, a breach history search, or anything else the vendor does not fully control.

Most of us, including people who care about security, stop too low on that ladder. Not because the higher layers are impossible to reach, but because checking feels disproportionate in an ordinary vendor relationship. Until it suddenly does not.

## What was actually there

So I went and looked.

Fireflies has [a public trust page](https://trust.fireflies.ai), a dated data processing agreement, and a subprocessors list. Those documents sit in the open, readable without asking anyone’s permission. The actual SOC 2 report sits behind a mutual NDA, which tells you something interesting in itself: the strongest evidence is the one thing you do not get to inspect directly.

You get confirmation that evidence exists. You do not automatically get the evidence itself.

That is not a complaint. It is how most credentialing works, for vendors and for people. A diploma works the same way. You do not see the exam. You see the institution’s claim that the exam was passed, and you trust the institution because checking universities one by one is not something most of us do either.

The interesting question was never whether Fireflies has flaws. Every vendor has flaws. The question is whether the certifications attached to it are doing the work people assume they are doing, or whether they are simply standing in for that work.

## A scale, not a snapshot

The instinct, once you start checking, is to treat the result as a one-time pass or fail. That is the wrong model.

A **SOC 2 Type II report** already points toward a better model. It does not certify a single state on a single afternoon. It looks at behaviour over a period: months of controls, processes, and consistency. The honest version of trust looks more like a scale that needs rechecking than a stamp that lasts.

There is a Dutch saying that captures the asymmetry better than any framework: "*vertrouwen komt te voet en gaat te paard*". Trust arrives on foot and leaves on horseback.

It builds slowly, through small consistent acts. And it can disappear in one bad afternoon. That asymmetry is the real argument for climbing the ladder before something forces you to, not after.

I have seen the same dynamic from the inside, [setting up a verified sender badge](https://hoeijmakers.net/brand-indicators-for-message-identification-bimi/) years ago. The badge was not really the achievement. The waiting list, certificate, DNS validation, and process behind it were. The badge was just the part anyone else could see.

## What the sting was worth

What changed was not my opinion of Fireflies. I still use it.

What changed is that I now have an actual answer when someone pokes at it: an answer built from documents, dates, and evidence layers rather than from how the product has felt to use.

[Disclosure of this kind](https://hoeijmakers.net/model-cards-system-cards/) is its own small genre. A company says: here is what we built, here is what you should know, here is what we are willing to show. The reader then has to decide whether that is enough.

The sting was not the challenge. It was realising how thin my own answer had been until someone made me defend it.

SOC 2 Type II audits behaviour over a period, typically 3 to 12 months, rather than a single point in time. That distinction is doing more work than the badge usually gets credit for.

### Further reading

- [Exploring ISO 42001 and AI governance](https://hoeijmakers.net/iso-42001-ai-governance/)