Security & Residency

How we protect your data.

vScription is built for healthcare — Canadian-resident processing, encryption at rest and in transit, role-based access, and a pipeline-level audit trail your privacy officer can verify after the fact.

01

Overview

vScription is an AI-assisted medical transcription platform built for Canadian and US healthcare teams. Security, data residency, and auditability are core design constraints — not afterthoughts — because our customers work with protected health information under HIPAA, PIPEDA, and provincial health-information legislation.

This page summarizes how we protect, segregate, and log your data. If you're running a Privacy Impact Assessment, vendor review, or procurement workflow, request our full security whitepaper using the button above — it expands each of these sections with the additional detail your privacy officer needs.

02

Canadian data residency

vScription offers two pipelines. The Canadian Pipeline is fully Canadian-resident — every byte of audio, every transcript, every summary, and every backup stays within Canadian data centers. The US Pipeline is available for organizations without strict residency requirements.

Canadian pipeline guarantees

  • Speech-to-text inference runs on dedicated Canadian cloud infrastructure — no US-hosted speech services.
  • Summarization and LLM inference run within Canadian data centers — no cross-border model calls.
  • Object storage, database, and backups are encrypted at rest and stored exclusively in Canada.
  • No cross-border processing of customer data at any stage of the pipeline.

Per-organization election

Data residency is elected per organization and can be refined per work type. A Canadian clinic can route all clinical dictations through the Canadian Pipeline, while a hybrid bureau may route some outsourced work through the Standard Pipeline for speed. The choice persists in the organization's configuration and is enforced at the work-type level.

03

Encryption

All data in vScription is encrypted in transit and at rest.

  • In transit: TLS 1.2+ for all HTTP traffic, including uploads, API calls, and inbound webhook integrations.
  • At rest: platform-level filesystem encryption for audio files, transcripts, and summaries. Database-level encryption for structured data and backups.
  • Passwords: securely hashed using industry-standard cryptography. Plain-text passwords are never stored.
  • Secrets & tokens: API tokens, integration secrets, and service-account credentials are hashed and scoped per integration. Tokens can be revoked at any time.

04

Access & auditing

vScription enforces role-based access controls throughout the platform and logs user and pipeline activity for compliance review.

Role-based access

  • Organization-scoped visibility — users only see data from organizations they're assigned to.
  • Typist groups route jobs to the right typists, with reviewer separation for review workflows.
  • Account Admins manage their own organization; Super Admins are restricted to vScription staff for platform-level support.
  • Session timeout is configurable per organization.

User audit trail

Every login, role change, job state transition, and settings update is captured with user identity, IP address, session, and severity. Audit logs are stored alongside customer data (not in a third-party logging service), retained per organization configuration, and exportable for compliance review.

Pipeline activity audit

Every stage of AI processing — upload, speech-to-text, summarization, and storage — is logged with the specific server that handled it. For Canadian Pipeline customers, this means residency is verifiable after the fact: your privacy officer can pull the audit trail for any job and confirm that every byte of processing happened on a Canadian server. This is the operational backbone of our PIPEDA story.

05

HIPAA & PIPEDA posture

vScription is designed with both US HIPAA and Canadian PIPEDA obligations in mind. We describe our posture as HIPAA-aware and PIPEDA-friendly — terminology we use deliberately:

HIPAA posture

The platform implements the technical safeguards expected under the HIPAA Security Rule: access controls, audit controls, integrity controls, transmission security, and encryption. We can discuss specific BAA requirements with customers during procurement.

PIPEDA posture

Canadian Pipeline customers benefit from full in-country processing and the pipeline activity audit described above. For provincial requirements (PHIPA in Ontario, HIA in Alberta, PHIA in Manitoba/Nova Scotia/Newfoundland), our data residency and audit posture give privacy officers the evidence they need for a Privacy Impact Assessment.

PHI-safe analytics

Our product analytics are configured to be PHI-safe — no patient data, transcript content, or audio is sent to third-party analytics services.

06

Incident response

Security incidents are rare but inevitable in any online service. We maintain an internal incident response process covering detection, triage, customer notification, containment, and post-incident review. Customer notification happens without undue delay following any incident affecting customer data. The full whitepaper covers the detailed playbook, notification timelines, and post-incident artifact commitments.

07

Data retention & portability

Customers control their data retention within the platform.

  • Organization administrators configure retention periods for audio files, transcripts, and audit logs within application settings.
  • Data export is available in standard formats (CSV, PDF) for both transcription and reporting data.
  • Account closure triggers a configurable retention period followed by secure deletion.
  • Backup data follows the same residency commitments as production data and is retained on a rolling schedule.

08

Talk to us

If your organization is running a Privacy Impact Assessment, a vendor review, or a procurement security questionnaire, our team will walk through our security and Canadian residency posture on a call — and can share our full security whitepaper tailored to your review.

Security & procurement inquiries

VTEX Voice Solutions Inc. can respond to PIA questionnaires, vendor security reviews, and HIPAA/PIPEDA documentation requests.