Capturing audio from a government employee’s workday touches five distinct legal frameworks at once: biometric privacy, public-records law, public-sector labor law, federal health privacy, and a 50-state patchwork of wiretap rules. Each one is its own legal universe. This brief is the plain-English version of how Tenure handles every one — before your counsel asks.
Most of the legal work in front of a government agency comes from one question: who’s holding the audio? We answered that once, in the architecture, and it solves the hardest parts of SHIELD, FOIL, and Taylor Law in a single decision. Audio stays with us. You get what comes out the other side.
Raw biometric data lives in one place under one team’s control. Limits exposure, simplifies the audit story, and keeps it out of your FOIL queue.
Everything you receive is human-reviewed, derivative content. No raw audio, no verbatim transcripts, no biometric data sits inside any of it.
Eight steps. Every one is documented, audit-logged, and bounded by a written retention schedule. The maximum lifespan of any raw audio file in our system is 14 days from the end of the engagement.
The retiring employee signs a consent form their union has had five business days to review. They can withdraw consent any time during the week. No reason needed, no penalty.
Side Letter · Consent FormA small wearable lapel mic, encrypted at the device level, handled only by the Tenure specialist. Signage at every department entrance during the engagement. Off in restrooms, locker rooms, HR rooms — without exception.
Tascam DR-10L Pro · Device encryption · Tally lightEnd of day, the audio uploads over TLS 1.3 to a private storage bucket in AWS us-east-1 or us-west-2. Never crosses an international border. Never lands in a public URL.
TLS 1.3 · AWS US region · Private bucketFiles are reachable only by short-lived signed URLs that expire in 15 minutes. Every access is logged with user ID, timestamp, IP and action. Audit retention is three years.
AES-256 · 15-min signed URLs · Audit logBefore any model sees the audio, segments in which the consented employee isn’t an active conversational participant are excluded from processing. Non-consenting colleagues, visitors and constituents get filtered out automatically.
Speaker diarization · Active-participant gatingNames, SSNs, phone numbers, addresses, dates of birth are automatically redacted from transcripts before any analysis runs. Raw audio is transcribed by a single US-region subprocessor. No raw audio ever leaves our pipeline for an LLM.
Automated PII redaction · US-region transcriptionNothing publishes to your wiki unreviewed. Human-in-the-loop is the product promise, not a compliance checkbox. The Tenure specialist edits, approves, and signs off on each SOP and knowledge node before the agency administrator ever sees it.
Human review · Specialist sign-offRaw audio and raw transcripts are permanently and irreversibly deleted within 14 days of engagement end. The redacted derivative is gone by day 30. A signed Certificate of Destruction goes to your administrator and your union representative.
Secure deletion · Certificate of DestructionA competitor adding voice capture to their product roadmap is signing up for at least a year of legal work on each one of these — separately. We did that year before our first engagement. Your counsel gets the finished work, not the discovery process.
New York treats a recording of your voice the same way it treats a Social Security number — top-tier private information that the people storing it have to actively defend with administrative, technical and physical safeguards.
New York’s public-records law says anything an agency holds is requestable by anyone. Without the right architecture, that includes the raw audio of an employee’s entire workday — which would be a privacy disaster.
New York’s public-employee labor law. Among other things, it says you can’t introduce workplace monitoring without negotiating with the union first — and if you do it wrong, it’s an Improper Practice Charge at PERB.
If the retiring employee’s job touches anyone’s health information — Health Department staff, Social Services, benefits coordinators — federal health-privacy rules apply to anything our microphone picks up near them.
Some states need just the consenting employee’s permission to record (“one-party”). A dozen states need every voice in the conversation to consent (“all-party”) — and getting it wrong is a felony. A few states are ambiguous enough that we don’t deploy there until counsel reviews. Our platform tells the specialist what to do every time, state by state, before they even press record. The map below shows where we stand.
This is the part most vendors haven’t finished. We’ve mapped every state to one of four recording modes, with verbal-disclosure scripts and pre-record checklists baked into the platform. Counsel-reviewed; refreshed annually.
Every one of these was written before our first engagement, reviewed by counsel, and is available to your legal team before procurement closes. They’re live links in the platform, not slide-deck promises.
The points your IT director, agency counsel and procurement officer ask first. The full controls live in the DPA — this is the version that fits in one column of a board memo.
Four. That’s it. Every one bound by a data processing agreement equivalent to ours. Every one operating exclusively in US regions. You get 30 days written notice before this list changes, and the right to object before any new subprocessor is added.
Tenure has a designated Security Officer. Not a ticket queue, not a security@ alias. If your agency counsel needs a Data Processing Agreement reviewed, a subprocessor question answered, or a breach posture confirmed, they email Jason and get a written reply within one business day.