r/PLAUDAI

PLAUD remotely blocked my Note Pro and I lost access to my recordings

Today my PLAUD Note Pro suddenly disappeared from my account.

When I tried reconnecting it, the app said the device was blocked. I contacted support and received a “final decision” response saying they cannot restore access or re-enable the device, but they refuse to explain WHY.

Important details:

  • the hardware is still alive;
  • Apple Find My still works;
  • the device pairs successfully for ~10 seconds;
  • then PLAUD servers remotely revoke/block it again.

I paid for this device legally and used it for normal business/personal recordings.

The worst part:
I had an extremely important recording today and currently cannot access my own data.

Has this happened to anyone else?
Did anyone manage to recover recordings or get unblocked?

reddit.com
u/nlklta236 — 15 hours ago
▲ 42 r/PLAUDAI

🧩 The Plaud MCP & CLI is now live!

You can now access Plaud recordings, transcripts, notes, and summaries directly inside your favorite AI tools, including Claude, ChatGPT, Codex, Cursor, and other AI agents.

See how to get started in the documentation.

Alongside the launch, we’re also opening the Plaud Builders Community, a dedicated space for developers and builders exploring what’s possible with MCP.

This is a soft launch, meaning you’re among the first group helping shape the ecosystem from the ground up.

The Builders Community is separate from the broader Plaud user community so conversations can stay focused on workflows, experimentation, technical discussions, and building with the platform.

Inside, you’ll find:

  • Direct access to the Plaud product and engineering teams
  • Early visibility into MCP, CLI, API, and SDK updates
  • Workflow examples, demos, bugs, and feature discussions
  • A space to connect with other builders and share what you’re working on

⚠️ Please note:

This is still an early version of both MCP and the community experience, so things may evolve quickly as we iterate together.

👉 Join the Plaud Builders Community: https://discord.gg/VNvcGvKZEY

We’re excited to build this alongside you.

— The Plaud Community Team

u/PLAUD_AI — 1 day ago
▲ 63 r/PLAUDAI (+1 crosspost)

Quick context. I have spent 25 years in cybersecurity, mostly in enterprise security leadership and intelligence. I bought a Plaud Pro recently. Genuinely nice bit of hardware, useful product, no complaints there. Marketing though on security and privacy is a tad overkill and I wondered why.

Before I started using it for anything that mattered, I did what most of us in this line of work do. I sent their support two simple questions.

1. Where do I turn on multi-factor authentication on my account?

2. Do you support bring your own key, so that I control the encryption of my own data?

Their reply pointed me at their Trust Centre, their Privacy Policy and a list of certifications. ISO 27001, ISO 27701, SOC 2 Type II, GDPR, HIPAA and EN 18031. Solid list. It did not answer either of my questions.

So I went and read their own public documentation. Here is what I found.

MFA does not appear to be a user enabled feature

Plaud’s own help article called Manage Account Security lists every action a user can take on account security. Change your password, add a login method, delete a login method. There is no 2FA toggle. No TOTP. No passkey. No WebAuthn.

Think of MFA as the second lock on your front door. The password is the latch. MFA is the deadbolt. Plaud ships you a house with no deadbolt, no option to fit one, and a note saying the neighbourhood is nice.

ISO 27001:2022. Annex A.8.5 “Secure authentication” is the relevant control. It is risk based, not prescriptive. The implementation guidance in ISO/IEC 27002:2022 explicitly names MFA as an example of secure authentication and ties the choice to the sensitivity of the information being accessed. So an organisation processing voice recordings that may contain personal or special category data, with only single factor password auth on consumer accounts, has a control gap that an honest auditor should challenge. But ISO 27001 lets the organisation document risk acceptance and still pass audit. The standard requires a judgement, not the right judgement. That is why Plaud can hold the cert without offering MFA.

BYOK does not appear to exist at any tier

Plaud’s data protection FAQ is explicit. Application level encryption uses unique keys generated and managed by Plaud inside their AWS environment. I could not find any tier, consumer or business, where a customer can supply or manage their own encryption key.

Think of it like a hotel safe. The safe in your room is locked. Lovely. But the hotel keeps a master key behind the front desk. With BYOK you would bring your own padlock and the hotel could not open the safe at all. Without it, every Plaud employee with production access, every contractor and every upstream provider with the right credentials can technically open the safe.

Now here is the part I really want people to take away

Certifications are great. They show a vendor has built an internal control programme that an auditor signed off on. They are a baseline. They are not the same as user facing controls.

ISO 27001, SOC 2 Type II, ISO 27701 and the rest do not require a vendor to offer customer enabled MFA or customer managed keys. A vendor can hold every certification under the sun and still ship a product where the only thing between an attacker and your data is a password you also used on three other sites.

I have worked on more breaches than I care to count where the post incident review showed a wall of certifications on one side and a compromised single factor account on the other. Compliance is the floor, not the ceiling. The proof is in the pudding.

A few other things I noticed in the same pass

Audits are point in time. A SOC 2 Type II report covers a defined period in the past. Think of it as an MOT certificate from six months ago. It tells you the brakes worked then. It does not tell you they work today.

The clouds underneath also get breached. Every major cloud provider has had incidents. The vendor sits between you and the cloud. Either layer can fail. Without customer managed keys, a compromise at either layer is a compromise of your data.

Your audio does not stay inside Plaud. Recordings get sent to upstream AI providers for transcription and summarisation. Plaud’s own AI transparency policy refers to these as “LLM service providers” without naming them in the policy itself. Think of it like sending a letter to your accountant who then forwards it to a translator and a printer. You trust your accountant. You have no relationship with the other two and no agreement with them about what they do with your letter.

Listing sub processors in a Trust Centre is disclosure, not consent. Under GDPR you would normally expect a published sub processor list, advance notification of changes and a documented lawful basis for each transfer. I could not find that level of detail.

No public vulnerability disclosure programme. I could not find a security.txt file, a published vulnerability disclosure policy, a PSIRT contact or a bug bounty. A community researcher reverse engineered Plaud’s web API and posted about it on Hacker News, with no visible Plaud response. Think of a coordinated disclosure programme as a doorbell for ethical hackers. Without one, researchers either go away, sell what they find on a private market or post it publicly. None of those outcomes are good for the user.

No maximum retention period.

Plaud’s own policy says cloud data is retained continuously until the user deletes it or disables sync. Imagine a voicemail service that keeps every message anyone has ever left you, forever, until you manually delete each one. Your blast radius compounds with every recording. A breach in 2029 still exposes your 2026 voice memos.

Single AWS region. Plaud’s data sits in AWS US West. One warehouse, no backup warehouse. That is a single point of failure for availability and a data residency consideration if you are outside the US and reasonably expected your data to sit closer to home.

The Article 32 angle

GDPR Article 32 is the interesting one to read alongside all of this. It requires technical measures appropriate to the risk and explicitly references the state of the art. In 2026, user enabled MFA on consumer accounts holding personal data is state of the art baseline. Voice recordings frequently capture special category data under Article 9. In my professional view, single factor authentication on a service handling that category of data sits awkwardly next to the spirit of Article 32, regardless of how many badges sit on the Trust Centre.

Also the term HIPAA certified appears in Plaud’s own blog and knowledge base. HHS does not issue HIPAA certifications.

Corporate context worth a glance

Plaud is a Delaware C corp with a San Francisco HQ. Hardware is built in Shenzhen by a contract manufacturer. Engineering and operations staff sit across SF, Seattle, Tokyo, Singapore, Shenzhen and Beijing. Their own help article on customer service contact directs users to WeChat as a primary support channel, which is unusual for a vendor positioning itself as US enterprise grade. None of this is sinister on its own. All of it is worth weighing.

I could not find a single serious independent security teardown of Plaud anywhere. Nothing from Mozilla Privacy Not Included, Common Sense Privacy, Exodus Privacy or any of the major tech press security desks. For a product with over a million users two years into the market, that absence is itself worth noticing.

Plaud was forced to issue a 6 point public statement after security concerns were raised about the founder’s China connections and Shenzhen manufacturing. Plaud’s response was to clarify that hardware is built in Shenzhen by Shenzhen Jizhi Connect Technology but that customer data is stored in AWS US. Notably, Plaud responded in PR mode, not by publishing technical evidence.

My honest take from reading their public documents.

The hardware is good. The product is genuinely useful. For personal voice memos, journalling, reading aloud, single speaker note taking, I think the risk is acceptable for most people. I would not record client meetings, calls involving third parties or anything court adjacent on it without explicit consent from everyone involved and a serious think about lawful basis under whichever data protection law applies to you.

Two practical asks for the community.

If anyone has actually found a working MFA or 2FA option in the Plaud app or web interface, please screenshot and share. I will happily eat my words.

If anyone from Plaud reads this, the easiest way to make this post obsolete is to ship a 2FA toggle, publish a clear answer on customer key management, stand up a coordinated vulnerability disclosure programme and document a maximum retention period. Until then, push back when vendors answer compliance questions in response to product questions. They are different things, and conflating them is how good security teams end up with surprising findings in their post mortem reports. Trust centre needs to show who accessed my data and when. Including internal.

UPDATE: Returned my device after waiting a week for privacy teams to respond. No acknowledgement. Take that as you would.

u/Superblygreat656 — 6 days ago
▲ 15 r/PLAUDAI
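The post above says the author looked for a security.txt file and found none. For readers who want to run that same check against any vendor, here is an added example (not part of the original post, and not Plaud's code) that validates the RFC 9116 security.txt format: the required Contact and Expires fields, the at-most-once rule for Expires and Preferred-Languages, the https-only rule for web URIs, and whether the file has already expired. It runs offline over two constructed sample files; the hostnames, addresses and timestamps in them are made up. Fetching a real file from https://<host>/.well-known/security.txt is left to the reader.

```python
"""Checker for RFC 9116 security.txt files (added example with constructed samples)."""
import re
from datetime import datetime, timedelta, timezone

# Fields RFC 9116 says must not appear more than once.
SINGLE_USE = ("expires", "preferred-languages")
# Fields whose web URIs must be https://; Encryption may also use dns: or openpgp4fpr:.
HTTPS_ONLY = ("acknowledgments", "canonical", "encryption", "hiring", "policy")


def parse_security_txt(text):
    """Return {lowercased field name: [values...]} for a security.txt body.

    Blank lines, '#' comments and lines without a ':' are skipped, so a
    PGP-signed file's armour lines are ignored as well.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes every check."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []

    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing Contact (required)")
    for c in contacts:
        if not re.match(r"^(mailto:|tel:|https://)", c, re.IGNORECASE):
            problems.append(f"Contact is not a mailto:/tel:/https: URI: {c}")

    for name in SINGLE_USE:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} appears more than once")

    expires = fields.get("expires", [])
    if not expires:
        problems.append("missing Expires (required)")
    else:
        stamp = expires[0]
        try:
            # fromisoformat() on older Pythons does not accept a trailing 'Z'.
            exp = datetime.fromisoformat(re.sub(r"[zZ]$", "+00:00", stamp))
            if exp.tzinfo is None:
                problems.append(f"Expires has no UTC offset: {stamp}")
            elif exp <= now:
                problems.append(f"file expired on {stamp}")
            elif exp - now > timedelta(days=366):
                problems.append("Expires is more than a year out (RFC 9116 recommends under a year)")
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {stamp}")

    for name in HTTPS_ONLY:
        for v in fields.get(name, []):
            ok = v.lower().startswith("https://")
            if name == "encryption":  # RFC 9116 2.5.3 also allows dns: and openpgp4fpr:
                ok = ok or v.lower().startswith(("dns:", "openpgp4fpr:"))
            if not ok:
                problems.append(f"{name} value is not an acceptable URI: {v}")
    return problems


# Constructed sample: a well-formed file for a hypothetical example.com.
GOOD_FILE = """\
# constructed sample, not a real vendor's file
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-12-31T23:59:59Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
"""

# Constructed sample: no Contact, already expired, plain-http Policy link.
BAD_FILE = """\
# constructed sample with three defects
Policy: http://example.com/disclosure-policy
Expires: 2024-01-01T00:00:00Z
"""

# Fixed clock so the expiry checks are reproducible (assumed date).
FIXED_NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, body in (("good", GOOD_FILE), ("bad", BAD_FILE)):
        print(label, check_security_txt(body, now=FIXED_NOW) or ["ok"])
```

A file that passes these checks only proves a vendor published a contact point; whether anyone answers it is the part the post is really about.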

Plaud Team is officially live! 🎉

We built Plaud to help people capture, remember, and utilize what matters most. And over time, we kept hearing the same thing: we need this for our whole team. So we built it.

Plaud Team brings everything you already love into a shared workspace with centralized admin and billing, easy on and off-boarding, and one place where your team's most important conversations live 💚

Learn more here → https://www.plaud.ai/pages/plaud-team

If you'd like to chat with fellow Plaud Team users or our team about the product, come join us on Discord → https://discord.gg/getSfrvDgd

u/PLAUD_AI — 2 days ago

Note Pro 'Design Flaw in Call Recording'

I've just got the Note Pro and I'm a bit confused. While doing the voice recognition it had me read a short paragraph. Then it responded by showing me a paragraph about 'Design Flaw' in Note Pro call recording feature renders it unusable? I must be misunderstanding something. Or did it seriously just tell me that the main feature I bought it for, call recording, would not work?

u/SufficientPen6309 — 4 days ago

Have had my Plaud for a couple of months, and so far it’s been flawless. But today I recorded an important meeting for which I could have used points from the summary right after. Yet it is stuck and not generating any summaries.
I first tried it on my phone, as I usually do. Then desktop. And it’s just stuck “generating” but never putting out a summary.

The transcript is there.

Anyone know what may be going on?

u/Hour_Papaya_5583 — 14 days ago

Currently I have a Plaud Pin, which I like very much, but I'm thinking of upgrading to a Plaud Note Pro. Is it possible to run the 2 devices off 1 account - i.e. use them interchangeably? I think I can see a use for having both devices

u/ElGuapo932353 — 8 days ago

We were discussing this in our Discord healthcare channel and it raised an interesting question:

For doctor visits, a full transcript doesn’t actually seem that useful. No one wants to carry a wall of text into their next appointment.

What would be useful is something more focused, like a summary that captures:

- what changed

- what needs follow-up

- what to ask next time

- anything another doctor would need to quickly get context

For those of you who’ve used Plaud around appointments or healthcare notes, what would make a summary like this genuinely helpful?

And just as important: what would make it completely useless?

u/hgognav1008 — 10 days ago

Hi everyone, absolutely loving my Plaud Note Pro, I have many meetings every day so keeping track of actions etc. is tricky. Now I feel like I want to experiment with custom templates. Are there any resources out there that show how templates work with examples. I created this first test below and it actually works quite well but I would love to see how simple or complex these prompts can get and of course get some ideas on how to build my perfect one.

Prompt :

"This is a business meeting. Create a list of attendees. Briefly summarise the discussion highlighting all key and important points. Produce a bulleted action list at the end. List any further follow up required."

Keep Plauding,

Mark

u/markh34 — 13 days ago