🇨🇦 New: Offering Data Hosting in Canada! 🇨🇦

Register now

scribeMD Security Overview

At scribeMD, safeguarding clinical and patient data is our top priority. Our comprehensive security program combines best-in-class technology, rigorous processes, and regular independent assessments to ensure confidentiality, integrity, and availability.

SOC 2 Certified HIPAA Compliant TX-RAMP Certified

1. Infrastructure & Network Security

  • Deployed across AWS in multiple Availability Zones and regions for resilience and fault tolerance.
  • All services run within private VPCs; strict Security Groups and Network ACLs limit access to only required endpoints.
  • End-to-end TLS 1.2+ encryption ensures secure communication for all inbound and outbound traffic.

2. Data Protection & Deletion

  • Encryption at Rest: All databases, object storage (S3), and backups are encrypted using AWS KMS-managed keys.
  • Encryption in Transit: HTTPS/TLS encrypts every client-to-server and service-to-service connection.
  • Automatic Data Deletion: We enforce retention policies that automatically purge all stored data (including PHI and recordings) once it's no longer needed, minimizing exposure risk.

3. Identity & Access Control

  • Centralized authentication via Devise with optional Google SSO; single sign-on reduces credential sprawl.
  • Fine-grained IAM roles and least-privilege policies ensure each microservice and user account has only the permissions necessary to perform its function.
  • Regular reviews of access rights and automated compliance checks detect and revoke overly broad permissions.

4. Monitoring, Logging & Auditing

  • Real-time error and anomaly alerts via BetterStack; all application logs are retained for forensic analysis.
  • AWS CloudTrail captures every API call; VPC Flow Logs record network traffic patterns.
  • Immutable audit trails with configurable retention ensure we can reconstruct events for compliance or investigation.

5. Compliance & Governance

  • Annual Security Review: Each year we conduct a full security program audit—covering architecture, policies, and controls—engaging independent auditors to validate our posture.
  • Regular Penetration Testing: We commission frequent third-party penetration tests to identify and remediate vulnerabilities before they can be exploited.
  • Business Associate Agreements (BAAs) in place for HIPAA; we also adhere to PIPEDA/PHIPA in Canada and POPIA in South Africa.

6. Device & Edge Security (Jarvis)

  • On-device encryption ensures recordings are protected at rest; keys are managed so that only back-end services can decrypt.
  • Hardened OS images and minimal service footprints reduce attack surface; offline functionality retains security even without connectivity.