At scribeMD, safeguarding clinical and patient data is our top priority. Our comprehensive security program combines best-in-class technology, rigorous processes, and regular independent assessments to ensure confidentiality, integrity, and availability.
1. Infrastructure & Network Security
Deployed across AWS in multiple Availability Zones and regions for resilience and fault tolerance.
All services run within private VPCs; strict Security Groups and Network ACLs limit access to only required endpoints.
End-to-end TLS 1.2+ encryption ensures secure communication for all inbound and outbound traffic.
2. Data Protection & Deletion
Encryption at Rest: All databases, object storage (S3), and backups are encrypted using AWS KMS-managed keys.
Encryption in Transit: HTTPS/TLS encrypts every client-to-server and service-to-service connection.
Automatic Data Deletion: We enforce retention policies that automatically purge all stored data (including PHI and recordings) once it's no longer needed, minimizing exposure risk.
3. Identity & Access Control
Centralized authentication via Devise with optional Google SSO; single sign-on reduces credential sprawl.
Fine-grained IAM roles and least-privilege policies ensure each microservice and user account has only the permissions necessary to perform its function.
Regular reviews of access rights and automated compliance checks detect and revoke overly broad permissions.
4. Monitoring, Logging & Auditing
Real-time error and anomaly alerts via BetterStack; all application logs are retained for forensic analysis.
AWS CloudTrail captures every API call; VPC Flow Logs record network traffic patterns.
Immutable audit trails with configurable retention ensure we can reconstruct events for compliance or investigation.
5. Compliance & Governance
Annual Security Review: Each year we conduct a full security program audit—covering architecture, policies, and controls—engaging independent auditors to validate our posture.
Regular Penetration Testing: We commission frequent third-party penetration tests to identify and remediate vulnerabilities before they can be exploited.
Business Associate Agreements (BAAs) in place for HIPAA; we also adhere to PIPEDA/PHIPA in Canada and POPIA in South Africa.
6. Device & Edge Security (Jarvis)
On-device encryption ensures recordings are protected at rest; keys are managed so that only back-end services can decrypt.
Hardened OS images and minimal service footprints reduce attack surface; offline functionality retains security even without connectivity.