Enterprise-Grade Security

Trust & Security

Your patients trust you with their health. You can trust us with their data. HIPAA-compliant infrastructure, end-to-end encryption, and continuous monitoring.

  • Zero data breaches
  • Q1 2026: last security audit
  • AES-256 encryption (military-grade)
  • 99.9% uptime SLA, guaranteed
  • 24/7 real-time monitoring
  • BAA included at no extra cost
HIPAA: Compliant

Health Insurance Portability and Accountability Act compliant with signed BAAs

SOC 2: In Progress

SOC 2 audit in progress. All data hosted on SOC 2 Type II certified infrastructure (GCP)

GDPR: Compliant

General Data Protection Regulation compliant for EU data subjects

CCPA: Compliant

California Consumer Privacy Act compliant

Security Features

Multi-Layered Protection

Enterprise security protecting your practice and patients at every level

End-to-End Encryption

All patient data is encrypted using AES-256 encryption at rest and TLS 1.3 in transit. Client-side encryption ensures only you can decrypt sensitive PHI.

AES-256 at rest · TLS 1.3 in transit · Client-side key generation

HIPAA Compliance

Full compliance with HIPAA Security Rule and Privacy Rule. We sign Business Associate Agreements (BAA) and maintain comprehensive audit trails.

Security Rule compliant · Privacy Rule compliant · BAA included

Secure Infrastructure

Data stored in HIPAA-compliant data centers in the United States, hosted on SOC 2 Type II certified infrastructure (GCP), with automatic backups and disaster recovery.

US-based data centers · SOC 2 certified provider · Automatic backups

Zero-Knowledge Architecture

We can't access your unencrypted patient data. Decryption keys are generated on your device and never transmitted to our servers.

No plaintext access · Device-only decryption · Privacy by design

Audit Trails

Complete audit logging of all data access and modifications. Immutable logs stored securely for compliance and forensic analysis.

Immutable logging · Access tracking · Forensic-ready

Regular Security Audits

Annual penetration testing, quarterly vulnerability assessments, and continuous security monitoring by third-party experts.

Annual pen testing · Quarterly assessments · 24/7 monitoring

Data Handling

How We Protect Your Data

Transparent data practices with patient privacy at the core

Data Storage

  • All data stored exclusively in US-based data centers
  • Google Cloud Platform (GCP) with SOC 2 Type II certification
  • Encrypted at rest using AES-256 encryption
  • Automatic daily backups with 30-day retention

Access Controls

  • Role-based access control (RBAC) for all team members
  • Multi-factor authentication (MFA) required
  • Principle of least privilege enforced
  • Session timeouts and automatic logout

Data Processing

  • Audio processed in real-time, never stored raw
  • Transcriptions encrypted immediately after generation
  • No third-party access to patient data
  • Data deletion upon request within 30 days

Security FAQ

Common Questions

Answers to frequently asked security and compliance questions

Yes. Scribeable is fully HIPAA compliant. We implement all required administrative, physical, and technical safeguards. We sign Business Associate Agreements (BAA) with all covered entities at no additional cost.

All data is stored in the United States on Google Cloud Platform (GCP) infrastructure, which is SOC 2 Type II certified. All data is encrypted at rest and in transit.

No. We use zero-knowledge architecture. Decryption keys are generated on your device and never transmitted to our servers. Even our employees cannot access your unencrypted patient data.

We have comprehensive incident response procedures including immediate containment, forensic analysis, and affected party notification within 24 hours as required by HIPAA. To date, we have had zero data breaches.

Absolutely not. Your patient data is never used to train AI models. Our AI models are pre-trained and your data is processed only for generating your clinical notes.

You control your data retention. Notes and recordings can be deleted at any time from your account. Upon account deletion, all data is permanently removed within 30 days.

Security Incident Response

In the unlikely event of a security incident, we have a comprehensive incident response plan that includes immediate containment, forensic analysis, affected party notification (as required by law), and corrective measures. Our security team is available 24/7.

Ready to Secure Your Practice?

Start your free trial with confidence. Enterprise-grade security included at every plan level.