Security
The page to send to your IT department.
Last updated 4 June 2026
The short version
Parakeety is a Mac menu-bar dictation app. The speech model runs on your Mac's Neural Engine, so transcription happens on the device. Audio and transcripts are never transmitted anywhere and never written to disk. The app makes exactly two kinds of network call: license checks against my license server, and a one-time speech-model download.
This page exists for whoever has to sign off on that claim: an IT team, an information-governance reviewer, a compliance officer, or you. The privacy policy covers the same ground as policy; this page covers it as architecture.
Data flow at transcription time
While you hold the push-to-talk key, the microphone is captured into a memory buffer. When you release, that buffer is fed to the speech model running locally on the Neural Engine, the transcript is pasted at your cursor and copied to your clipboard, and the audio buffer is discarded. Transcripts are not written to disk.
There is no network call anywhere in that path, and no cloud transcription fallback. If the model isn't on the machine yet, Parakeety doesn't transcribe; it never sends audio out instead.
The reviewer checklist
The questions a security review usually starts with, answered in one place.
| Question | Answer |
|---|---|
| Does audio leave the device? | No. Captured to memory, transcribed locally, discarded. |
| Are transcripts stored server-side? | No. They're never transmitted, and they aren't written to local disk either. |
| Is there a cloud transcription fallback? | No. On-device is the only path. |
| Subprocessors in the transcription path? | None. The only processor anywhere is Supabase, for license checks. |
| Analytics or crash-reporting SDKs? | None. No Sentry, Firebase, PostHog, Mixpanel, Amplitude or similar. |
| Is an account required? | No. A license key activates the app; there is no sign-in. |
| What does the vendor ever receive? | License key, SHA-256 hash of the hardware ID, machine name. Nothing else. |
| Where does the speech model come from? | A one-time download from huggingface.co, cached locally after that. |
What does touch the network
Three things, and only the first is recurring.
License checks. The app activates your key, revalidates it every few hours, and tracks trial state against a small backend hosted by Supabase Inc. (US, on AWS). What's sent: your license key, a SHA-256 hash of your Mac's hardware ID, and your machine name. No audio, no transcripts, no usage data.
The speech-model download. On first launch, Parakeety fetches the model (around 600 MB) from huggingface.co and caches it. After that, transcription is fully offline.
Diagnostic reports, if you send one. The "Report an issue" button builds a report (system info plus the app log, with transcript content redacted), copies it to your clipboard and opens the contact form. Nothing is submitted unless you paste and send it yourself.
That's the complete list. If a future version ever needs another network call, it gets written on the privacy page before it ships.
Where HIPAA fits
Cloud dictation tools handle HIPAA contractually: audio leaves the device, so the vendor signs a Business Associate Agreement promising to handle it properly. Parakeety's answer is architectural: no Protected Health Information ever reaches me or any subprocessor, because audio and transcripts never leave the Mac. There is no business associate relationship to paper over, so no BAA is needed.
The distinction between those two models is unpacked in "HIPAA and dictation: architectural vs contractual privacy", and the direct question gets a direct answer in "Is Parakeety HIPAA compliant?"
Where GDPR fits
For UK and EU reviews: I'm the data controller for the little the app does send (the license checks above), with Supabase as processor. Dictated audio and transcripts are out of scope entirely, because they're never sent to anyone. The privacy policy covers your rights and how to exercise them.
What local processing doesn't solve
On-device transcription removes the network from the threat model. It doesn't remove the Mac. The perimeter is now the device itself, so the usual endpoint controls still matter: FileVault on, a screen lock that actually engages, and sensible handling of a laptop that could be lost or stolen.
And the transcript lands wherever your cursor is. If you dictate into a notes app that syncs to iCloud, the text is in iCloud; if you dictate into your EHR, your EHR's controls apply. Parakeety keeps the audio and the transcription step on the device. What you do with the text afterwards is governed by the systems you paste it into.
Verify it yourself
None of this needs to be taken on trust. Turn Wi-Fi off and dictate: it works, because the model is on the Mac. Or leave the network up and watch the app's outbound traffic with a network monitor while you dictate; you'll see the periodic license check and nothing else. A claim a reviewer can falsify in two minutes is worth more than any certificate I could buy.
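One way to script the second check, as an added example that is not part of Parakeety or of this page's original text: it parses `lsof -nP -i` output and prints every remote endpoint whose address is not on an allowlist you supply. The process name `Parakeety`, the sample lines and all addresses are constructed; build the real allowlist by resolving huggingface.co and the license server's hostname yourself.

```shell
#!/bin/sh
# Added example: flag unexpected remote endpoints in `lsof -nP -i` output.
# Assumption: the process name "Parakeety" and every address below are constructed.

# Print each distinct remote "address:port" found in lsof -i output on stdin.
# Connected sockets appear as local->remote; listening sockets have no "->".
remote_endpoints() {
    awk '{ for (i = 1; i <= NF; i++) if (split($i, side, "->") == 2) print side[2] }' |
        sort -u
}

# Print the remote endpoints whose address is not among the arguments.
# IPv6 addresses must be listed in lsof's bracketed form, e.g. [2001:db8::2].
unexpected_endpoints() {
    allowed=" $* "
    remote_endpoints | while IFS= read -r ep; do
        addr=${ep%:*}                    # drop the trailing :port
        case "$allowed" in
            *" $addr "*) ;;              # expected endpoint, stay quiet
            *) printf '%s\n' "$ep" ;;    # anything else is worth a look
        esac
    done
}

# Live use on the Mac while dictating: watch_app Parakeety <allowed addresses...>
watch_app() {
    name=$1; shift
    while :; do
        lsof -nP -i -a -c "$name" | unexpected_endpoints "$@"
        sleep 1
    done
}

# Constructed sample of lsof output, so the parser can be run offline.
SAMPLE='COMMAND   PID USER   FD  TYPE DEVICE   SIZE/OFF NODE NAME
Parakeety 812 alice  23u IPv4 0xa1b2c3 0t0      TCP  192.168.1.20:51544->203.0.113.10:443 (ESTABLISHED)
Parakeety 812 alice  24u IPv4 0xa1b2c4 0t0      TCP  192.168.1.20:51550->198.51.100.7:443 (ESTABLISHED)
Parakeety 812 alice  25u IPv4 0xa1b2c5 0t0      TCP  192.168.1.20:51561->203.0.113.10:443 (CLOSE_WAIT)'

# With 203.0.113.10 standing in for the license server, one endpoint is left over.
printf '%s\n' "$SAMPLE" | unexpected_endpoints 203.0.113.10
```

Polling once a second can miss a short-lived connection, so a packet capture or host-firewall log over the same period is the stronger record. The license check only recurs every few hours, so a short session may show no connections at all.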
FAQ
- Do I need a BAA to use Parakeety with patient information?
  No. A Business Associate Agreement exists to bind a third party that receives Protected Health Information on your behalf. Parakeety never receives audio or transcripts; transcription happens on your Mac and the result is pasted at your cursor. No PHI reaches me or any subprocessor, so no business associate relationship is created and there is nothing for a BAA to cover. The full reasoning is in the article on whether Parakeety is HIPAA compliant.
- Is Parakeety HIPAA certified?
  No software is. There is no government-issued HIPAA certification for products; HHS does not certify software, and any vendor claiming a HIPAA certificate is describing a third-party assessment, not an official status. What HIPAA actually governs is how a covered entity handles Protected Health Information. Parakeety's answer to that is architectural: audio and transcripts never leave the Mac, so there is no PHI in transit or at rest on anyone else's systems.
- Has Parakeety had a SOC 2 audit?
  No. A SOC 2 report describes the controls a vendor operates around customer data held on its systems. Parakeety holds no customer audio, transcripts or documents on any system; the license server stores a license key, a hardware-ID hash and a machine name. Rather than trusting a report about servers your data never touches, you can verify the architecture directly: turn Wi-Fi off and dictate. It works, because the model is on the Mac.
- What data does the license server hold?
  Your license key, a SHA-256 hash of your Mac's hardware ID, your machine name, and activation and expiry timestamps. It is hosted by Supabase Inc. (US, on AWS), acting as a data processor. It never holds audio, transcripts or usage data, because the app never sends any.
Questions
If your review needs something this page doesn't answer, use the contact page. It comes to me directly, and if the question is one other reviewers will have too, the answer ends up here.