u/Superblygreat656

Stumbled on this earlier via a share sub. Long read, but the framing got me. Argues that the foundations of our industry are actually solid even with AI doom: the people who solved real problems and the open source detection ecosystem mean most of us are still solving problems someone already solved and published.

What I liked: the burnout number gets thrown around, but this is the first piece I have read that actually connects burnout to architecture and leadership challenges. The argument is that telling tired SOC teams to do mindfulness webinars is a category error. The real fix is building infrastructure that needs less grit to operate.

Not everyone will like the optimistic framing right now. But I needed it… this dude has clearly had some 0300 house is burning calls and a long career in the weeds.

https://open.substack.com/pub/dtnadvisory/p/if-you-are-having-a-bad-day-read

Thoughts?

u/Superblygreat656 — 10 days ago

Copy Fail Tuesday properly did me in. Patched until stupid o’clock, slept four hours, did it again Wednesday. By Friday I was staring at the SIEM like it owed me money.

Found a long read this weekend that pulled me out of the spiral a bit. Will not link it in the post because rules, but happy to drop it in comments if anyone wants it.

The bit that landed for me was the argument that we have got the burnout conversation backwards. The wellness app and meditation breaks framing treats fatigue as a personal failing. It is not. It is what happens when the operating model assumes infinite human elasticity and the threat volume keeps compounding. AI vuln research is going to make that worse, not better. Patch queues are going to get longer.

The fix the writer pushes is structural. Build environments where persistence is hard by design. Segment properly so a breach does not become a mess. Lean on the open source detection ecosystem instead of having every team rewrite the same content. Boring stuff. Unsexy stuff. The stuff that actually reduces the number of 3am calls.

Honest question. What have you read recently that did not make you want to walk into the sea? My reading list is currently 90 percent doom and 10 percent vendor whitepapers and I need a better mix.

reddit.com
u/Superblygreat656 — 12 days ago
▲ 22 r/ChillSG

12 years in Singapore, man in his late thirties. Just moved from the East to YT. Love the area for more bang for buck as it’s genuinely cooler temperature but much quieter, but the social dislocation has been bigger than I expected.

Most of my mates here have kids now. Weekends are playgrounds and birthday parties. I don’t have kids and I’m not sure I will. The drift isn’t anyone’s fault, it’s just the maths of life stages diverging.

Tried the member club route. Nice spaces, polite people, didn’t really click. Felt like networking in a more comfortable chair.

Running clubs are everywhere but I’m a powerlifter, so my body objects to anything involving sustained cardio. Happy to squat heavy on a Tuesday. Cannot jog 8km on a Sunday morning. Tried meetup events. Tried randomly turning up to different sports events. I am in pretty good shape and did a lot of consultancy in setting up some wellness brands but… anyone can tell you that industry sometimes removes the wellness you put in. My main career is mostly in technology resilience.

I work for myself by running my own company, which I love, but it removes the default social scaffolding an office gives you. No water cooler. No after work pints with colleagues. Did big corporate for a long time, was good at it, walked away because I wanted balance. The balance is real. The isolation is the tax.

What I’d actually like is to meet genuine people outside my line of work and learn from them instead of having transactional relationships. Beers, walks, whatever. Not a formal mastermind, just humans doing similar things.

Anyone in YT or the broader West side in a similar spot? Open to suggestions on communities, low key meetups, anything. Not looking for sympathy, just genuinely trying to rebuild a social layer.

reddit.com
u/Superblygreat656 — 12 days ago
▲ 63 r/PLAUDAI+1 crossposts

Quick context. I have spent 25 years in cybersecurity, mostly in enterprise security leadership and intelligence. I bought a Plaud Pro recently. Genuinely nice bit of hardware, useful product, no complaints there. The marketing on security and privacy, though, is a tad overkill and I wondered why.

Before I started using it for anything that mattered, I did what most of us in this line of work do. I sent their support two simple questions.

1. Where do I turn on multi-factor authentication on my account?

2. Do you support bring your own key, so that I control the encryption of my own data?

Their reply pointed me at their Trust Centre, their Privacy Policy and a list of certifications. ISO 27001, ISO 27701, SOC 2 Type II, GDPR, HIPAA and EN 18031. Solid list. It did not answer either of my questions.

So I went and read their own public documentation. Here is what I found.

MFA does not appear to be a user enabled feature

Plaud’s own help article called Manage Account Security lists every action a user can take on account security. Change your password, add a login method, delete a login method. There is no 2FA toggle. No TOTP. No passkey. No WebAuthn.

Think of MFA as the second lock on your front door. The password is the latch. MFA is the deadbolt. Plaud ships you a house with no deadbolt, no option to fit one, and a note saying the neighbourhood is nice.

ISO 27001:2022 Annex A.8.5, “Secure authentication”, is the relevant control. It is risk based, not prescriptive. The implementation guidance in ISO/IEC 27002:2022 explicitly names MFA as an example of secure authentication and ties the choice to the sensitivity of the information being accessed. So an organisation processing voice recordings that may contain personal or special category data, with only single factor password auth on consumer accounts, has a control gap that an honest auditor should challenge. But ISO 27001 lets the organisation document risk acceptance and still pass audit. The standard requires a judgement, not the right judgement. That is why Plaud can hold the cert without offering MFA.

BYOK does not appear to exist at any tier

Plaud’s data protection FAQ is explicit. Application level encryption uses unique keys generated and managed by Plaud inside their AWS environment. I could not find any tier, consumer or business, where a customer can supply or manage their own encryption key.

Think of it like a hotel safe. The safe in your room is locked. Lovely. But the hotel keeps a master key behind the front desk. With BYOK you would bring your own padlock and the hotel could not open the safe at all. Without it, every Plaud employee with production access, every contractor and every upstream provider with the right credentials can technically open the safe.

Now here is the part I really want people to take away

Certifications are great. They show a vendor has built an internal control programme that an auditor signed off on. They are a baseline. They are not the same as user facing controls.

ISO 27001, SOC 2 Type II, ISO 27701 and the rest do not require a vendor to offer customer enabled MFA or customer managed keys. A vendor can hold every certification under the sun and still ship a product where the only thing between an attacker and your data is a password you also used on three other sites.

I have worked on more breaches than I care to count where the post incident review showed a wall of certifications on one side and a compromised single factor account on the other. Compliance is the floor, not the ceiling. The proof is in the pudding.

A few other things I noticed in the same pass

Audits are point in time. A SOC 2 Type II report covers a defined period in the past. Think of it as an MOT certificate from six months ago. It tells you the brakes worked then. It does not tell you they work today.

The clouds underneath also get breached. Every major cloud provider has had incidents. The vendor sits between you and the cloud. Either layer can fail. Without customer managed keys, a compromise at either layer is a compromise of your data.

Your audio does not stay inside Plaud. Recordings get sent to upstream AI providers for transcription and summarisation. Plaud’s own AI transparency policy refers to these as “LLM service providers” without naming them in the policy itself. Think of it like sending a letter to your accountant who then forwards it to a translator and a printer. You trust your accountant. You have no relationship with the other two and no agreement with them about what they do with your letter.

Listing sub processors in a Trust Centre is disclosure, not consent. Under GDPR you would normally expect a published sub processor list, advance notification of changes and a documented lawful basis for each transfer. I could not find that level of detail.

No public vulnerability disclosure programme. I could not find a security.txt file, a published vulnerability disclosure policy, a PSIRT contact or a bug bounty. A community researcher reverse engineered Plaud’s web API and posted about it on Hacker News, with no visible Plaud response. Think of a coordinated disclosure programme as a doorbell for ethical hackers. Without one, researchers either go away, sell what they find on a private market or post it publicly. None of those outcomes are good for the user.

No maximum retention period.

Plaud’s own policy says cloud data is retained continuously until the user deletes it or disables sync. Imagine a voicemail service that keeps every message anyone has ever left you, forever, until you manually delete each one. Your blast radius compounds with every recording. A breach in 2029 still exposes your 2026 voice memos.

Single AWS region. Plaud’s data sits in AWS US West. One warehouse, no backup warehouse. That is a single point of failure for availability and a data residency consideration if you are outside the US and reasonably expected your data to sit closer to home.

The Article 32 angle

GDPR Article 32 is the interesting one to read alongside all of this. It requires technical measures appropriate to the risk and explicitly references the state of the art. In 2026, user enabled MFA on consumer accounts holding personal data is state of the art baseline. Voice recordings frequently capture special category data under Article 9. In my professional view, single factor authentication on a service handling that category of data sits awkwardly next to the spirit of Article 32, regardless of how many badges sit on the Trust Centre.

Also, the term “HIPAA certified” appears in Plaud’s own blog and knowledge base. HHS does not issue HIPAA certifications.

Corporate context worth a glance

Plaud is a Delaware C corp with a San Francisco HQ. Hardware is built in Shenzhen by a contract manufacturer. Engineering and operations staff sit across SF, Seattle, Tokyo, Singapore, Shenzhen and Beijing. Their own help article on customer service contact directs users to WeChat as a primary support channel, which is unusual for a vendor positioning itself as US enterprise grade. None of this is sinister on its own. All of it is worth weighing.

I could not find a single serious independent security teardown of Plaud anywhere. Nothing from Mozilla Privacy Not Included, Common Sense Privacy, Exodus Privacy or any of the major tech press security desks. For a product with over a million users two years into the market, that absence is itself worth noticing.

Plaud was forced to issue a six-point public statement after security concerns were raised about the founder’s China connections and Shenzhen manufacturing. Plaud’s response was to clarify that hardware is built in Shenzhen by Shenzhen Jizhi Connect Technology but that customer data is stored in AWS US. Notably, Plaud responded in PR mode, not by publishing technical evidence.

My honest take from reading their public documents.

The hardware is good. The product is genuinely useful. For personal voice memos, journalling, reading aloud, single speaker note taking, I think the risk is acceptable for most people. I would not record client meetings, calls involving third parties or anything court adjacent on it without explicit consent from everyone involved and a serious think about lawful basis under whichever data protection law applies to you.

Two practical asks for the community.

If anyone has actually found a working MFA or 2FA option in the Plaud app or web interface, please screenshot and share. I will happily eat my words.

If anyone from Plaud reads this, the easiest way to make this post obsolete is to ship a 2FA toggle, publish a clear answer on customer key management, stand up a coordinated vulnerability disclosure programme and document a maximum retention period. Until then, push back when vendors answer compliance questions in response to product questions. They are different things, and conflating them is how good security teams end up with surprising findings in their post mortem reports. The Trust Centre needs to show who accessed my data and when, including internal access.

UPDATE: Returned my device after waiting a week for privacy teams to respond. No acknowledgement. Take that as you would.

reddit.com
u/Superblygreat656 — 6 days ago
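One of the checks in the Plaud post, whether a vendor has published a usable disclosure channel, can be automated rather than eyeballed. The following is an added example, not code from the post or from Plaud: it parses a security.txt file and checks it against the rules RFC 9116 sets (Contact and Expires mandatory, Contact as a URI, Expires as an ISO 8601 timestamp that is neither past nor more than a year out, single-valued fields appearing once). The two sample files and the vendor.example hostnames are constructed, and the fixed DEMO_NOW timestamp is an assumption so the run is reproducible. In practice you would fetch https://<vendor>/.well-known/security.txt and pass the body to check_security_txt.

```python
"""Checker for a vendor's /.well-known/security.txt (RFC 9116).

Added example, not code from the post or from Plaud. The two files below
are constructed samples; vendor.example is a placeholder hostname.
"""
from datetime import datetime, timezone

# RFC 9116: Contact and Expires are mandatory; Expires and
# Preferred-Languages may appear at most once.
REQUIRED = ("contact", "expires")
SINGLE_VALUED = ("expires", "preferred-languages")
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")

# Fixed "current time" (assumption) so the demo below is reproducible.
DEMO_NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)


def parse_security_txt(text):
    """Return {field-name (lower-case): [values]}.

    Comment lines and lines without a colon are ignored, as the RFC
    requires, so an unknown or malformed line never breaks parsing.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, now):
    """Return a list of findings; an empty list means the file is usable."""
    fields = parse_security_txt(text)
    findings = []
    for name in REQUIRED:
        if name not in fields:
            findings.append(f"missing required field: {name}")
    for name in SINGLE_VALUED:
        if len(fields.get(name, [])) > 1:
            findings.append(f"field must appear at most once: {name}")
    for contact in fields.get("contact", []):
        # A bare e-mail address is a common mistake; the RFC wants a URI.
        if not contact.startswith(CONTACT_SCHEMES):
            findings.append(f"Contact is not a URI: {contact}")
    for expires in fields.get("expires", []):
        try:
            when = datetime.fromisoformat(expires.replace("Z", "+00:00"))
        except ValueError:
            findings.append(f"Expires is not ISO 8601: {expires}")
            continue
        if when.tzinfo is None:
            findings.append("Expires lacks a timezone")
        elif when <= now:
            findings.append(f"file is stale, expired {expires}")
        elif (when - now).days > 365:
            findings.append("Expires is more than a year away")
    return findings


# Constructed sample: what a working disclosure channel looks like.
GOOD_FILE = """\
# Security contacts for vendor.example (constructed sample)
Contact: mailto:security@vendor.example
Contact: https://vendor.example/security/report
Expires: 2026-12-31T23:59:00Z
Policy: https://vendor.example/security/policy
Preferred-Languages: en
"""

# Constructed sample: the kind of file that does not help a researcher.
BAD_FILE = """\
Contact: security@vendor.example
Preferred-Languages: en
Preferred-Languages: zh
"""


def demo():
    """Run both samples against the fixed DEMO_NOW and return the findings."""
    return {
        "good": check_security_txt(GOOD_FILE, DEMO_NOW),
        "bad": check_security_txt(BAD_FILE, DEMO_NOW),
    }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or "ok")
```

A file that passes only tells you the vendor has a doorbell, not that anyone answers it; the post's other asks (MFA toggle, key management answer, retention cap) still need a human reading the product, not a script.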