# vScription — Security & Privacy Whitepaper

**Document Version:** 1.1
**Last Updated:** April 2026
**Classification:** Client-Facing
**Contact:** security@vscription.cloud

---

## Executive Summary

vScription is a cloud-based medical transcription and clinical documentation platform built for healthcare organizations that handle sensitive patient information. This document provides an overview of the security architecture, data protection practices, and privacy commitments that underpin the vScription platform.

We understand that our clients entrust us with Protected Health Information (PHI) and Personal Health Information (the term used by Canadian legislation such as Manitoba's PHIA). Security and privacy are foundational to how vScription is designed, built, and operated — not afterthoughts. This whitepaper is intended to help prospective clients, privacy officers, and compliance teams evaluate the platform against their own requirements, and to document the controls currently in place.

---

## 1. Data Protection

### 1.1 Encryption in Transit

All data transmitted to and from the vScription platform is protected using industry-standard encryption:

- **TLS 1.2 / 1.3** enforced on all web traffic (HTTPS only)
- **API communications** secured via TLS with token-based authentication
- **Audio file uploads** encrypted during transfer from all clients (web portal, desktop uploader, mobile app)
- **Telephone dictation** — audio captured on Canadian infrastructure and never transits unencrypted public networks
- **Internal service communication** between application components uses encrypted channels
- **Third-party integrations** (e.g., Philips SpeechLive) authenticate using per-organization secrets over TLS

### 1.2 Encryption at Rest

All data stored within the vScription platform is encrypted at rest:

- **Database storage** on encrypted volumes (AES-256)
- **Audio files** stored on encrypted cloud storage
- **Backups** encrypted to the same standard as primary storage
- **User credentials** protected using bcrypt one-way hashing — passwords are never stored in plaintext
- **Integration secrets** (API keys, webhook secrets) encrypted in the application configuration store

### 1.3 Data Residency — Canada

For Canadian healthcare organizations, vScription provides a fully Canadian data residency option:

- **Speech-to-text processing:** Performed on dedicated infrastructure in AWS Canada (ca-central-1, Montreal)
- **AI summarization:** Processed via AWS Bedrock in the ca-central-1 region — data does not leave Canada
- **Application hosting:** Canadian cloud infrastructure
- **Telephone dictation recording:** Audio captured and stored directly on the Canadian vScription server; third-party voice providers are used only as signaling transit and do not retain the recording
- **Audio format conversion** (e.g., Philips DS2 → MP3) is performed on platform-operated infrastructure, not third-party conversion services
- **No cross-border data transfer:** When the Canadian pipeline is selected, all audio, transcripts, and AI-generated content remain within Canadian borders throughout the entire processing lifecycle
- **No cross-region AI inference profiles** — the platform enforces that Canadian-region models are used exclusively; routing that could send PHI to US or global regions is blocked

This is particularly relevant for organizations subject to **PIPEDA**, **PHIA (Manitoba)**, and other provincial health privacy legislation that may restrict cross-border transfer of personal health information.
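As an added example (not code from the vScription platform, which the whitepaper does not publish), the Python guard below implements the residency rule stated in the last bullet above: a summarization request is allowed only when the Bedrock endpoint region and the model identifier both resolve to ca-central-1, cross-region inference profiles (whose ids carry a geographic prefix such as `us.` or `global.`) are rejected, and any model id not on an explicit allowlist fails closed. The allowlisted model ids are placeholders chosen for the example.

```python
from dataclasses import dataclass

# Region the Canadian pipeline is pinned to (stated in the whitepaper).
ALLOWED_REGION = "ca-central-1"

# Constructed allowlist of model ids approved for the Canadian pipeline.
# These are placeholder names; the real approved models are a deployment decision.
APPROVED_MODEL_IDS = frozenset({
    "example-vendor.clinical-standard-v1",   # stands in for the "Standard" tier
    "example-vendor.clinical-advanced-v1",   # stands in for the "Advanced" tier
})

# Bedrock cross-region inference profile ids carry a geographic prefix; a request
# through such a profile may be served from any region in that geography, so the
# guard rejects them outright rather than trusting the endpoint region alone.
CROSS_REGION_PREFIXES = ("us.", "eu.", "apac.", "global.")


@dataclass(frozen=True)
class ModelDecision:
    allowed: bool
    reason: str
    model_id: str = ""


def _parse_arn(arn: str):
    """Split a Bedrock ARN into (region, resource), or None if it is malformed."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "bedrock":
        return None
    return parts[3], parts[5]


def check_model_identifier(identifier: str) -> ModelDecision:
    """Decide whether a bare model id or a Bedrock ARN may receive PHI on the Canadian pipeline."""
    model_id = identifier
    if identifier.startswith("arn:"):
        parsed = _parse_arn(identifier)
        if parsed is None:
            return ModelDecision(False, "malformed ARN")
        region, resource = parsed
        if region != ALLOWED_REGION:
            return ModelDecision(False, f"region {region} is outside {ALLOWED_REGION}")
        # Resource is "foundation-model/<id>" or "inference-profile/<id>".
        kind, _, model_id = resource.partition("/")
        if kind not in ("foundation-model", "inference-profile") or not model_id:
            return ModelDecision(False, f"unsupported resource type {kind!r}")
    if model_id.startswith(CROSS_REGION_PREFIXES):
        return ModelDecision(False, "cross-region inference profile", model_id)
    if model_id not in APPROVED_MODEL_IDS:      # allowlist, so unknown ids fail closed
        return ModelDecision(False, "model not on Canadian allowlist", model_id)
    return ModelDecision(True, "ok", model_id)


def check_invocation(client_region: str, identifier: str) -> ModelDecision:
    """Both the endpoint the SDK client talks to and the model itself must be Canadian."""
    if client_region != ALLOWED_REGION:
        return ModelDecision(False, f"client region {client_region} is outside {ALLOWED_REGION}")
    return check_model_identifier(identifier)
```

Calling `check_invocation` before every summarization request, and refusing to send the transcript when `allowed` is false, is the enforcement point; the `reason` string is what should land in the audit log.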

---

## 2. Access Control & Authentication

### 2.1 User Authentication

- **Secure login** using a username or email address (matched case-insensitively)
- **Password security:** bcrypt hashing with configurable complexity requirements
- **Email verification** required for public self-signup before an account becomes active
- **Session management:** Secure, server-side sessions with configurable automatic timeout
- **CSRF protection:** All forms and state-changing requests protected against cross-site request forgery
- **Rate limiting:** Login attempts are rate-limited to mitigate brute-force attacks
- **Password reset:** Tokenized, single-use, time-limited email flow
- **Emergency access:** Dedicated emergency logout endpoint for administrative session recovery

### 2.2 Role-Based Access Control (RBAC)

vScription implements granular role-based access control. Organizational roles are enforced at the application layer through policy-based authorization — users can only access data and perform actions permitted by their assigned role.

| Role | Access Level |
|------|-------------|
| **Account Administrator** | Full organizational management — users, billing, configuration, all jobs |
| **Typist Administrator** | Queue management, job assignment, transcription, and team oversight |
| **Typist** | Transcription and editing of assigned and available jobs |
| **Reviewer** | Quality assurance review and approval of completed transcriptions |
| **Author** | Audio upload, dictation monitoring, and prompt management |
| **Service Account** | Automated upload only (desktop uploader integration) — no interactive access |

A separate **System Administrator** role is reserved for vScription platform staff and is used only for platform operations, client support (with client authorization), and incident response. All System Administrator actions are recorded in the audit log.

### 2.3 Organization Isolation

- Each organization's data is **logically isolated** at the database level
- Users can only access jobs, reports, and configuration within their own organization
- **Typist Groups** provide additional intra-organization isolation, routing specific job types to designated teams on a need-to-know basis
- **Multi-organization assignments** — when a transcription-services provider works across multiple client organizations, each engagement is explicitly authorized and tracked; the provider only sees data from organizations they have been assigned to
- Cross-organization data access is not possible through the user interface or API

### 2.4 API Security

- **Token-based authentication** via Laravel Sanctum for service account integrations
- **Scoped permissions** — API tokens are limited to upload and read operations
- **Device registration** — each desktop uploader workstation is registered and tracked
- **Token expiry** — refresh tokens expire after 90 days of inactivity
- **Webhook security** — inbound integration webhooks (e.g., SpeechLive) are validated against per-organization shared secrets
- **Server-to-server APIs** (e.g., the FreeSWITCH telephone-dictation gateway) authenticate using shared secrets transmitted over TLS

---

## 3. AI Pipeline Security

### 3.1 Speech-to-Text (STT)

vScription offers two STT pipeline options to accommodate different data residency requirements:

| Pipeline | Processing Location | Data Residency |
|----------|-------------------|---------------|
| **WXDC (Canadian)** | AWS Canada (ca-central-1) — dedicated EC2 instance | Canada only |
| **AACGPT (US)** | AssemblyAI cloud infrastructure | United States |

Organizations select their pipeline based on data residency requirements. The **WXDC pipeline is recommended for Canadian healthcare organizations**.

Key safeguards:

- STT processing instances are **dedicated** (not shared multi-tenant infrastructure)
- Audio data is processed in memory and **not retained** after transcription is complete
- Processing instances shut down automatically after an idle period, reducing both the exposed attack surface and the time any processing state remains resident on running compute
- No audio or transcript data is used to train AI models

### 3.2 AI Summarization

- Summarization is performed via **AWS Bedrock** (managed AI service)
- When using the WXDC pipeline, summarization runs in **ca-central-1** — data stays in Canada
- **No customer data is used to train AI models** — AWS Bedrock does not use customer inputs for model improvement
- Summarization output is clearly labeled as AI-generated and requires human review before finalization

### 3.3 Model Tiers

vScription offers multiple summarization model tiers to match the complexity of the case:

| Tier | Engine | Typical Use Case |
|------|--------|-----------------|
| **vScription Standard** | Optimized for speed and efficiency | Routine clinical notes, follow-ups |
| **vScription Advanced** | Enhanced clinical reasoning | Complex multi-system cases, specialist dictations |

Both tiers process data within the same security boundary. The choice of tier does not affect data residency or security controls.

### 3.4 AI-Generated Content Disclaimer

All AI-generated transcriptions and summaries are provided as **drafts for human review**. vScription does not warrant the accuracy or completeness of AI-generated content. Organizations are responsible for verifying AI output before incorporating it into clinical records.

---

## 4. Audit & Monitoring

### 4.1 Audit Trail

Every significant action within vScription is recorded in a centralized audit log:

- **Authentication events** — login, logout, failed attempts (with IP address and device information)
- **Job lifecycle events** — upload, assignment, status changes, completion, deletion, discard/restore
- **Administrative actions** — user creation/modification, role changes, configuration updates, organization switches by platform staff
- **Data access events** — transcript views, downloads, and exports
- **Integration events** — inbound webhook acceptance/rejection, external-source imports

Audit logs capture the user, timestamp, action performed, and relevant metadata. Logs are retained and available for compliance review upon request.

### 4.2 Operational Monitoring

- **Queue monitoring** — background job failures are detected automatically; failed jobs are surfaced to platform operators for investigation
- **Infrastructure monitoring** — system health, resource utilization, and error rates are monitored continuously
- **Integration health checks** — external service availability (STT, summarization, telephony, conversion microservices) is monitored and alerted on

### 4.3 Analytics

vScription uses a **privacy-safe analytics system** configured to exclude Protected Health Information from all telemetry: the analytics layer runs in PHI-safe mode, so no audio content, transcript content, or patient identifiers are captured in usage telemetry. Analytics data is used solely for platform performance monitoring and product improvement.

---

## 5. Application Security

### 5.1 Secure Development Practices

vScription is built on the Laravel framework, which provides robust built-in security protections:

- **SQL injection prevention** — all database queries use parameterized queries via the Eloquent ORM
- **Cross-Site Scripting (XSS) prevention** — output encoding applied by default in all templates
- **Cross-Site Request Forgery (CSRF)** — token-based protection on all form submissions and state-changing requests
- **Input validation** — all user input is validated and sanitized before processing
- **Mass assignment protection** — database models use explicit allowlists for modifiable fields
- **Dependency review** — third-party packages are tracked and reviewed for known vulnerabilities

### 5.2 Infrastructure Security

- **Cloud hosting** on AWS with enterprise-grade physical and network security
- **Ubuntu Linux** operating system with regular security patching
- **Firewall rules** restrict inbound access to essential services only (HTTPS, SSH, and designated voice-service ports where telephone dictation is in use)
- **SSL/TLS certificates** managed and auto-renewed
- **Automated database backups** are taken on a schedule designed to minimize data loss in the event of a catastrophic failure and are retained on encrypted storage; longer-term retention is available on request
- **Separate environments** — production, development, and test environments are isolated, and production data is never copied into lower environments without anonymization

### 5.3 File Handling

- Uploaded audio files are stored with **randomized UUIDs** — original filenames are recorded but not used for storage paths
- **Direct file access is prevented** — all file serving goes through authenticated application endpoints
- Supported file formats are **strictly validated** before acceptance
- File size limits are enforced to prevent abuse
- Platform-distributed desktop and mobile applications are served from authenticated download endpoints

### 5.4 Integration & Interoperability Security

vScription integrates with a number of external systems to support client workflows. Each integration follows a consistent security model:

- **Per-organization secrets** — each client organization provisions its own credentials for third-party integrations; secrets are never shared across organizations
- **Bearer / header-based authentication** — outbound calls to integrated services (e.g., Philips SpeechLive) use the service's native token model
- **Inbound webhook validation** — webhook payloads are authenticated using shared secrets before any data is accepted into the system
- **Microservice isolation** — specialized processing components (e.g., audio format conversion for Philips DS2) run as standalone services with their own authentication tokens, accessible only to the vScription application
- **Duplicate-submission protection** — inbound integration payloads are de-duplicated to prevent replay or accidental re-import
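As an added illustration (not vScription's own code, and written in Python rather than the platform's Laravel stack), the sketch below shows the inbound-webhook checks that sections 2.4 and 5.4 describe together: the signature is verified against the secret provisioned for the sending organization only, compared in constant time, and the delivery id is remembered so a re-sent payload is rejected before it is imported. The HMAC-SHA256 signature format, the header names and the secrets are assumptions made for this example.

```python
import hashlib
import hmac

# Constructed per-organization secrets (placeholders, not real values from the platform).
ORG_SECRETS = {
    "org-clinic-a": b"clinic-a-secret-PLACEHOLDER",
    "org-clinic-b": b"clinic-b-secret-PLACEHOLDER",
}

# Header names and the signature format are assumptions for this example.
ORG_HEADER = "X-Org-Id"
SIG_HEADER = "X-Webhook-Signature"   # "t=<unix timestamp>,v1=<hex HMAC-SHA256>"
DELIVERY_HEADER = "X-Delivery-Id"
MAX_SKEW_SECONDS = 300               # reject signatures more than 5 minutes old or ahead


def compute_signature(secret: bytes, timestamp: int, raw_body: bytes) -> str:
    # The timestamp is folded into the signed message so it cannot be changed independently.
    return hmac.new(secret, f"{timestamp}.".encode() + raw_body, hashlib.sha256).hexdigest()


class ReplayGuard:
    """Remembers (organization, delivery id) pairs so a re-sent payload is ignored."""

    def __init__(self) -> None:
        self._seen: set = set()

    def first_delivery(self, org_id: str, delivery_id: str) -> bool:
        key = (org_id, delivery_id)
        if key in self._seen:
            return False
        self._seen.add(key)
        return True


def verify_webhook(headers: dict, raw_body: bytes, guard: ReplayGuard, now: int) -> tuple:
    """Return (accepted, reason); every rejection happens before the body is parsed."""
    org_id = headers.get(ORG_HEADER, "")
    secret = ORG_SECRETS.get(org_id)          # only this organization's secret is consulted
    if secret is None:
        return False, "unknown organization"
    fields = dict(p.split("=", 1) for p in headers.get(SIG_HEADER, "").split(",") if "=" in p)
    if not fields.get("t", "").isdigit() or "v1" not in fields:
        return False, "malformed signature header"
    timestamp = int(fields["t"])
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "timestamp outside tolerance"
    expected = compute_signature(secret, timestamp, raw_body)
    if not hmac.compare_digest(expected.encode(), fields["v1"].encode()):   # constant-time
        return False, "signature mismatch"
    delivery_id = headers.get(DELIVERY_HEADER, "")
    if not delivery_id:
        return False, "missing delivery id"
    if not guard.first_delivery(org_id, delivery_id):
        return False, "duplicate delivery"
    return True, "accepted"


def sign_request(org_id: str, delivery_id: str, raw_body: bytes, now: int) -> dict:
    """Build the headers a legitimate integration would send; used to exercise the verifier."""
    signature = compute_signature(ORG_SECRETS[org_id], now, raw_body)
    return {ORG_HEADER: org_id, DELIVERY_HEADER: delivery_id, SIG_HEADER: f"t={now},v1={signature}"}
```

In production the seen-delivery set would live in the database or cache with an expiry at least as long as the timestamp tolerance, and each rejection reason belongs in the integration audit events of section 4.1.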

### 5.5 Security Testing

- Regular security assessments are conducted using internal tools
- Vulnerability scanning performed on a recurring basis
- Third-party dependencies are reviewed for known vulnerabilities
- Third-party penetration testing planned for 2026

---

## 6. Privacy

### 6.1 Privacy Principles

vScription is designed around the following core privacy principles:

| Principle | Implementation |
|-----------|---------------|
| **Purpose Limitation** | Health information is processed solely for transcription and clinical documentation |
| **Data Minimization** | Only information necessary for the service is collected and processed |
| **Access Control** | Role-based access ensures users only see information relevant to their function |
| **Accountability** | Comprehensive audit logging provides a complete record of all data access |
| **Safeguards** | Technical, administrative, and physical safeguards protect information at all stages |
| **Retention** | Organizations control their own data retention; completed jobs are managed per organizational policy |
| **Transparency** | Privacy Policy and this document describe how information is handled |

### 6.2 What We Collect

- **Account information** — name, email, phone, username, organization details
- **Audio files** — recordings uploaded or captured for transcription
- **Transcription content** — transcripts, summaries, and related documents
- **Usage data** — pages visited, features used, actions taken (no PHI in analytics)
- **Device and log data** — device type, browser, IP address, access times

### 6.3 What We Do NOT Do

- We do **not** sell, rent, or share personal information or health data with third parties for marketing purposes
- We do **not** use audio, transcripts, or any client data to train AI models
- We do **not** access client transcription content except as required for technical support (with client authorization) or as required by law
- We do **not** retain audio data beyond the period necessary to complete processing, unless the client's retention settings specify otherwise
- We do **not** route PHI through AI inference regions outside of the client's selected data residency

### 6.4 Data Retention & Deletion

- Organizations control their own data retention policies within the platform
- Upon termination of service, clients may request a data export within thirty (30) days
- After the export period, all client data is permanently deleted
- Backup data follows the same deletion schedule, subject to the rolling backup retention window

### 6.5 Client Data Control

- Clients own their data — vScription acts as a processor / service provider, not a data owner
- Clients can export transcripts, summaries, and reports at any time
- Clients can disable, restrict, or delete user accounts within their organization
- Clients can configure which AI features are available to which roles within their organization

---

## 7. Compliance

### 7.1 Current Status

| Framework | Status |
|-----------|--------|
| **PIPEDA** (Federal, Canada) | Platform designed with PIPEDA principles — purpose limitation, consent, data minimization, Canadian data residency option |
| **PHIA** (Manitoba) | Canadian data residency pipeline ensures PHI remains within Canada; access controls and audit logging support PHIA trustee requirements |
| **SOC 2** | On compliance roadmap (2026–2027) |
| **HIPAA** (US) | Platform incorporates HIPAA-aligned technical safeguards; formal Business Associate Agreement (BAA) process in development |

### 7.2 PHIA (Manitoba) Alignment

For Manitoba-based healthcare organizations, vScription supports PHIA compliance through:

- **Canadian data residency** — PHI processed and stored within Canada (ca-central-1)
- **Access controls** — role-based access ensures only authorized individuals can access PHI
- **Audit trail** — comprehensive logging of all access to and use of PHI
- **Need-to-know access** — Typist Groups enable routing of patient records to only the authorized care team
- **Breach notification readiness** — audit logs and monitoring support incident investigation and notification obligations

### 7.3 Compliance Roadmap

- **SOC 2 Type II** — planned for 2026–2027
- **HIPAA Business Associate Agreements** — in development
- **Third-party penetration testing** — planned for 2026
- **Privacy Impact Assessment (PIA)** — available upon request for Manitoba PHIA requirements

---

## 8. Incident Response

### 8.1 Response Process

vScription maintains an incident response process covering identification, containment, eradication, recovery, and post-incident review. All suspected security incidents are logged, investigated, and tracked to resolution.

### 8.2 Breach Notification

In the event of a security incident involving personal information or PHI:

- Affected organizations will be **notified promptly** in accordance with applicable privacy legislation
- Manitoba **PHIA** requires notification within **72 hours** where applicable
- **PIPEDA** breach-of-security-safeguards reporting obligations will be met where applicable
- Audit logs provide forensic evidence for investigation and reporting
- A post-incident report will be made available to affected clients summarizing root cause, impact, and remediation
- Contact: **security@vscription.cloud**

---

## 9. Business Continuity

- **Automated database backups** run on a schedule designed to minimize data loss in the event of a catastrophic failure, with encrypted retention
- **Infrastructure as Code** — environment can be reproduced and restored
- **Queue-based processing** — job processing is resilient to temporary service interruptions; jobs are automatically retried on failure
- **Graceful degradation** — if AI services are unavailable, jobs queue for manual transcription without data loss; if telephony or integration services are unavailable, other upload paths (web portal, desktop uploader, mobile app) remain available
- **Monitoring and alerting** — operational issues are detected and surfaced to platform operators in real time

---

## 10. Client Responsibilities

Security is a shared responsibility. We recommend that clients:

- Use strong, unique passwords for all user accounts
- Promptly disable accounts for departed staff
- Review user access and roles on a regular basis
- Report any suspected security issues to **security@vscription.cloud**
- Ensure workstations meet minimum security standards (current OS, up-to-date antivirus, screen lock enabled)
- Implement appropriate physical safeguards for workstations where PHI may be displayed or audio may be played
- Configure per-role AI feature availability in alignment with the organization's risk posture
- Safeguard organization-level integration secrets (API keys, webhook secrets) and rotate them if compromise is suspected

---

## 11. Contact

For security inquiries, compliance documentation requests, or to report a security concern:

| | |
|---|---|
| **Security** | security@vscription.cloud |
| **Privacy** | privacy@vscription.cloud |
| **Support** | support@vscription.cloud |
| **Website** | www.vscription.cloud |

---

*This document is provided for informational purposes and represents vScription's security and privacy practices as of the date indicated. Security measures are continuously reviewed and improved. This document does not constitute a warranty or contractual commitment. Organizations with specific compliance requirements should contact us to discuss their needs and, where appropriate, enter into a supplementary agreement.*
