SECURITY ARCHITECTURE

Built for clinical data. No shortcuts.

Encryption, zero-trust access, audit logging, and three distinct AI privacy modes so you choose where your data goes.

256-bit
AES-GCM KEYS
24h
AUDIO RETENTION
5yr
AUDIT RETENTION
MediScribe VaultENCKEY EPOCH K-2026-Q312:04
Signed Note · In SessionPLAINTEXT
CONSULT #4211 · M.G., 54FSEALED06 JUL 2026
SRecurrent morning headaches for the past three weeks. Reports inconsistent metformin adherence (2–3 missed doses/week).
OBP 148/92 mmHg · HR 76 · BMI 31.2. No focal neurological deficits.
AEssential hypertension, uncontrolled; type 2 diabetes, suboptimal control.I10E11.9
PStart losartan 50 mg once daily · reinforce adherence · home BP log · follow-up in 2 weeks.
Signed
DR. M. REYES · LIC. 8841302
At Rest · Sealed RecordAES-256-GCM
✓ SEALED IN 0.09s · ZERO PLAINTEXT AT REST
KEY FP SHA-256 7c41…d09a · RECORD SHA-256 a3f91c…8b2e
AES-256-GCMAudio auto-delete · 24hHIPAA · NOM-004

Nothing is kept longer than it must be. Audio is deleted 24 hours after the consultation. Retention for transcripts and notes follows your policy — configurable per clinic, per record type.

Audio · 24h auto-deleteTranscripts · your policyNotes · your policyAudit log · 5 yearsKeys · rotated 90dBackups · encryptedExports · signed
AI PRIVACY TIERS

Three tiers. Honest wording.

01SaaS · DPA

Cloud AI

Records on MediScribe infrastructure. AI via enterprise LLM provider under DPA (no training use). Audio auto-deleted after 24 hours.

Audio purged · 24h
02Data Sovereign

Local AI

Records on MediScribe servers. AI inference runs entirely on your device. No third-party AI ever processes your audio.

Works with the network off
03Your Infra

Self-Hosted

Entire MediScribe stack on your infrastructure. Your servers, database, AI runtime. We ship the software.

You own the stack
ENCRYPTION ARCHITECTURE

Three layers, zero plaintext.

Records are encrypted on the device, in transit, and at rest — with keys that rotate on schedule and retire on schedule.

E · 01

AES-256 Encryption

All data encrypted at rest (AES-256-GCM) and in transit (TLS 1.3). BYOK supported on enterprise tier.

E · 02

Encrypted in transit

All connections use TLS 1.3 with modern cipher suites only. There is no plaintext hop — not between the app and the API, not between internal services.

E · 03

Key lifecycle, enforced

Envelope encryption with a hardware-backed root key. Data keys rotate every 90 days; retired epochs are destroyed, not archived.

Key Lifecycle · Envelope EncryptionHSM-BACKED ROOT
AES-256-GCM Active
Rotated 04 JUL 2026 · ciphertext verified
K-2026-Q1 · destroyedK-2026-Q2 · destroyedK-2026-Q3 · active · fp 7c41…d09a
ACCESS CONTROL

Every access, on the record.

Least-privilege roles, authenticated calls, and an append-only audit log that even administrators can't rewrite.

Audit Log · Append-OnlyHASH-CHAINED
10:41:07dr.reyes@sanmiguelrecord.view#4211ALLOW
10:41:22dr.reyes@sanmiguelnote.sign#4211ALLOW
10:47:50dra.olmos@norterecord.view#4198ALLOW
10:52:36intake.deskrecord.export#4187DENY
11:03:59systemkey.rotateepochOK
11:15:02admin.ortegaaudit.readlogALLOW
✓ CHAIN VERIFIEDHEAD SHA-256 4e9d…77b1RETAINED 5 YEARS
S · 01

Zero-Trust Access

Every API call and every database query is authenticated and authorized. Role-based access control. No trust by network location.

S · 02

Multi-Factor Authentication

TOTP and hardware-key MFA for all clinical users. Biometric unlock on mobile. Configurable session timeouts.

S · 03

Audit Logging

Forensic-level logging of every interaction with a patient record. 5-year retention. Tamper-evident.

COMPLIANCE

Standards, as configuration.

The controls above map directly onto the frameworks your regulators ask about — not as an afterthought, as architecture.

C · 01US

HIPAA ready

Administrative, physical, and technical safeguards mapped to the HIPAA Security Rule. Encryption, access control, and audit are defaults, not add-ons.

BAA available on request
C · 02MX

NOM-004-SSA3-2012

Support for regional clinical-record standards like Mexico's NOM-004: required note structure, clinician identification, and signature fields are native to every generated note.

Field-mapped note schema
C · 03FIPS 197

Encryption standards

AES-256-GCM at rest, TLS 1.3 in transit, SHA-256 for integrity chains, and BYOK on the enterprise tier. Cipher suites are pinned — downgrades are refused, not negotiated.

Suite pinned · no downgrade
Aligned with ISO 27001 and ISO 42001 controls · PDPA supported (Singapore / Thailand) · control mapping available under NDA, sample doc ID MS-SEC-2026-018 (illustrative)
Security Review

Need more detail?

We produce security briefs on request, tailored to your regulator and your architecture questions.