Security
Enterprise-grade security, zero compromises
HIPAA & PIPEDA compliant. SOC 2 Type 2 certified. Compliant across all Canadian provinces. Your patient data encrypted, protected, and never used for AI training.
Where is data stored?
Scribeberry does not see any stored PHI. We utilize Microsoft Azure and Google Cloud as our cloud providers. We have signed data protection agreements/BAAs with Microsoft Azure, Google Cloud, OpenAI, Anthropic, and any other utilized third-party vendors to safeguard any PHI transmitted through the application. This PHI is transmitted from the user and back securely via end-to-end encryption. The data is only temporarily stored on Scribeberry in an encrypted fashion. The only purpose of this storage is to synchronize notes across user devices. Once the notes are deleted by the user, no encrypted data is stored.
Azure/GCP servers are region-specific. When a Canadian user logs in, that data stays in Canada. When a user from the USA logs in, data can be routed to USA-based servers.
How do you use data?
Scribeberry does not permanently store PHI. We cannot see the PHI, nor do we train any AI systems on any PHI. Data inputs remain private and confidential.
When text is created, the text is submitted through an encrypted channel and back to the user device. We can never see this data.
Is data encrypted?
Yes – we utilize state-of-the-art encryption methods to ensure secure transit of sensitive data to and from the AI service.
Are there stored audio recordings?
We neither create nor store audio recordings of any kind. Transcription occurs in real time using our own self-hosted encrypted transcription service. The transcribed text is then utilized to generate notes across various use cases. No distinct audio files are created or stored. This ensures compliance and removal of any identifying characteristics (accents, language, etc.).
Are you compliant across Canada (i.e., provincially)?
Yes, Scribeberry is compliant across all Canadian provinces. We have submitted a PIA (Privacy Impact Assessment) and have completed an audit on our security risk and data management policies.
We also make public a third-party live continuous monitoring platform so you can see the security of our platform in real time: https://app.getdelve.com/scribeberry
Who are your third-party providers?
We utilize a number of third parties. We utilize Microsoft, Anthropic, and Google as main infrastructure providers. We have a healthcare data agreement with all three providers.
Can we access further documentation?
Documentation is provided on the left-hand side. For any other documentation, please email hello@scribeberry.com.
You can also request documentation through https://app.getdelve.com/scribeberry – some documents will require signing of an NDA, as some of our agreements with third-party providers necessitate this for disclosure.
Compliance
- HIPAA Compliance (Federal USA)
- PIPEDA Compliance (Federal Canadian)
- HIA/PIPA (Alberta), PIPA (BC), PHIPA (Ontario), PHIA (Manitoba), HIPA (SK), PHIA (NS), PHIPAA (NB), PHIA (NL)
- We are compliant with Quebec's modernized privacy framework as per Law 25
- SOC 2 Type 2 Compliant – Request access by emailing hello@scribeberry.com
Access our continuous real-time privacy monitoring dashboard:
Security at every layer
- AES-256 encryption at rest
- TLS 1.3 encryption in transit
- Canadian data residency for Canadian customers
- No patient data used for model training
- Automatic data deletion policies
- Role-based access controls
- Audit logging for all data access
- Regular third-party penetration testing
- 99.9% uptime SLA
- Dedicated security team monitoring 24/7
Our data practices
Zero-Retention Audio
Audio recordings are processed in real-time and immediately discarded. We never store raw audio data.
Regional Data Storage
Canadian patient data stays in Canada. US data stays in the US. Choose your data residency region.
No AI Training on Your Data
Your clinical data is never used to train AI models. Your patients' information remains private, always.
Configurable Retention
Set your own data retention policies. Auto-delete transcripts after 24 hours, 30 days, or keep them as long as you need.
Audited Document List
- Anthropic BAA
- Azure Canada Privacy Laws
- Azure Foundational PIA
- Microsoft Data Processing
- HIPAA Questionnaire – Dashboard Summary
- Azure Compliance Offerings
- Azure BAA
- Privacy Policy Scribeberry
- Scribeberry Notice of Privacy Policies
- Comprehensive Scribeberry Guide (PIA)
- Scribeberry PIA Amendment
- Scribeberry Contingency Plan
- Scribeberry HIPAA Sanctions Plan
- HIPAA Compliance Program for Scribeberry
- Terms and Conditions for Scribeberry
Some documents will require signing of an NDA, as some of our agreements with third-party providers necessitate this for disclosure. For access, please email hello@scribeberry.com or request through https://app.getdelve.com/scribeberry.
About the Auditor
The audit was conducted by Ingrid Ruys, a seasoned professional with extensive experience spanning multiple decades in the privacy and regulatory sector. Ingrid Ruys is renowned for her proficiency in conducting a multitude of privacy impact assessments. Her notable expertise is drawn from her distinguished work in privacy-related roles at esteemed organizations such as the Alberta Medical Association, Brightsquid, and the City of Edmonton, among others.