Legal

Security and Data Handling

Last updated: April 2025

Security is central to how we design TScribe. Clinical information is sensitive by nature, and our architecture reflects that from first principles. This page describes the technical and organisational measures we use to protect your data and your patients' privacy.

1. Encryption in transit

All communication between the TScribe application and our servers uses TLS 1.2 or higher. This applies to audio uploads, report retrieval, and all account management operations. We do not accept unencrypted connections.

2. Audio data handling

When you submit audio for transcription, the audio is transmitted over an encrypted connection to our processing service. Once the transcription is complete and the report draft is returned to your device, the audio is deleted from our systems. We do not cache, archive, or store raw audio recordings.

3. Patient data

TScribe's architecture is built so that patient-identifiable information does not persist on our servers. Reports are generated, returned to the user's device, and not stored by us. If you include patient names or identifiers in your dictation, those are present only in the transient processing pipeline and are not retained after the session completes.

4. Account data

Account details (name, email, professional role) are stored in encrypted databases hosted in secured environments. Passwords are hashed using modern one-way algorithms and never stored in plaintext. We implement rate limiting on login endpoints to prevent brute-force attacks.

5. Access controls

Access to production systems is restricted to authorised personnel on a need-to-know basis. We use multi-factor authentication for all internal system access. Audit logs are maintained for administrative operations.

6. AI model training

We do not use patient dictation content or clinical reports to train AI models. The AI pipeline processes your audio to generate a report and then discards the input. Model improvements are based on aggregated, anonymised usage signals unconnected to any patient data.

7. Incident response

We maintain an incident response plan for security events. In the event of a confirmed data breach affecting user account data, we will notify affected users within the timeframe required by applicable law, including the NDPR (72 hours for notifiable breaches where applicable).

8. Reporting vulnerabilities

If you discover a security vulnerability in TScribe, please contact us responsibly at security@tscribe.app. We will acknowledge your report within two business days and work with you to address the issue before any public disclosure.