Security & Compliance

Your patients' data, protected.

ChiroScribe is built from the ground up with HIPAA compliance, field-level encryption, and comprehensive audit logging.

HIPAA Compliant: Full compliance
AES-256 Encryption: Field-level
PHI Audit Logging: Full access history
BAA Available: Enterprise ready

Encryption at Rest

Field-level PHI encryption

Every piece of Protected Health Information is individually encrypted using AES-256 before it reaches our database. Patient names, dates of birth, contact information, SOAP notes, transcriptions, and clinical assessments are all encrypted at the field level — not just at the disk level.

Encrypted PHI Fields (sample stored values, truncated)
Patient Name: aGVsbG8gd29ybGQ...
Date of Birth: ZW5jcnlwdGVk...
SOAP Note: Y2xpbmljYWwgbm90ZQ...
Transcription: dHJhbnNjcmlwdA...

Encryption in Transit

TLS 1.3 everywhere

All data transmitted between your devices and ChiroScribe is encrypted using TLS 1.3. This includes voice recordings uploaded from your iPhone or Apple Watch, API requests from the web dashboard, and all data synchronization between devices.

Protected Connections
iPhone / Watch -> ChiroScribe API: TLS 1.3
Web Browser -> ChiroScribe API: TLS 1.3
ChiroScribe -> Database: TLS 1.3
ChiroScribe -> AI Processing: TLS 1.3

Access Controls

Audit logging & multi-tenancy

Every access to patient data is logged in our PHI audit system with timestamps, user identity, and action type. Multi-tenant architecture ensures practices can never access another practice's data — all queries are scoped by practice ID at the database level.

  • PHI access logging with user, timestamp, and action
  • Practice-scoped data isolation (multi-tenancy)
  • Role-based access control (provider, admin, staff)
  • Session management with secure JWT tokens

Sample Audit Log
2026-02-17 09:14:22 VIEW patient:p_8x2k Dr. Smith
2026-02-17 09:14:25 VIEW visit:v_3m9n Dr. Smith
2026-02-17 09:15:01 EDIT visit:v_3m9n Dr. Smith
2026-02-17 09:22:18 EXPORT patient:p_8x2k Dr. Smith

Audio Processing

Secure voice pipeline

Voice recordings are uploaded via encrypted presigned URLs directly to secure storage. Audio is processed through our transcription pipeline and the original recording can be deleted after processing. Only the encrypted transcription text is retained long-term.

Audio Pipeline
1. Record: Audio captured on device
2. Upload: Encrypted presigned URL
3. Transcribe: OpenAI Whisper processing
4. Generate: AI creates SOAP note
5. Encrypt: PHI fields encrypted at rest

Infrastructure

Enterprise-grade infrastructure

ChiroScribe runs on industry-leading cloud infrastructure with built-in redundancy, monitoring, and security controls.

Vercel Edge Network

Global CDN with automatic DDoS protection and SSL termination.

Neon PostgreSQL

SOC 2 compliant managed database with encryption at rest and point-in-time recovery.

Cloudflare R2

Server-side encrypted object storage for audio files and document exports.

Need a BAA?

Business Associate Agreements are included with Enterprise plans and available upon request for all plans. Contact our team to get your BAA set up.

Contact Sales

Related compliance resources

Review the adjacent policy pages and enterprise contact path if you need formal procurement, policy review, or a signed BAA before rollout.

FAQ

Security & compliance questions

Is ChiroScribe HIPAA compliant?
Yes. ChiroScribe is designed with HIPAA compliance at its core. All Protected Health Information (PHI) is encrypted at rest using AES-256 field-level encryption, encrypted in transit via TLS 1.3, and all access is logged in our PHI audit system. We offer Business Associate Agreements (BAA) for all Enterprise customers.
Do you offer a Business Associate Agreement (BAA)?
Yes. BAAs are included with all Enterprise plans. If you need a BAA on a Solo or Practice plan, contact our sales team and we can accommodate your compliance requirements.
How is my patient data encrypted?
We use AES-256 field-level encryption for all PHI fields including patient names, dates of birth, contact information, SOAP notes, transcriptions, and clinical assessments. Each field is individually encrypted before being stored in our database. Data is also encrypted in transit using TLS 1.3.
What happens to audio recordings after processing?
Audio files are processed in a secure pipeline using OpenAI Whisper for transcription. The audio is streamed directly to the transcription service and is not stored on our servers. Only the resulting text transcription is retained (encrypted) for note generation.
Where is my data stored?
All data is stored in SOC 2 compliant data centers in the United States. Our database is hosted on Neon (PostgreSQL) with encryption at rest, and file storage uses Cloudflare R2 with server-side encryption.
Can I export or delete my patient data?
Yes. You can export all patient data and SOAP notes at any time via the Word document export feature or through our API. For data deletion requests, contact support and we will permanently remove all associated data within 30 days per our data retention policy.

Secure documentation you can trust

Start your free trial with confidence. Your patients' data is protected from day one.

Start Your 21-Day Free Trial

No credit card required