Where are the files saved: To Microsoft Azure's blob storage, a cloud-hosted secure storage service.
For Meetings: all files are securely encrypted at rest and only available for download by meeting attendees. Initiating the download authenticates the user and, if they have permission, begins the decryption process. Encryption keys are randomly generated on a per-file basis using AES-256 encryption (very strong encryption). The files are completely inaccessible otherwise (they have no public URL).
For Connect: files are not encrypted at rest, but are only available for download by users who have permission to view the conversation. Initiating the download requests a unique download URL from the API (the API first validates the user has permission). If the user is authorized, the returned URL contains a "shared access signature" that is valid for only a few minutes and then permanently expires. The shared access signature contains an encrypted token which prevents any part of the URL from being tampered with. The files are completely inaccessible otherwise (they have no public URL).