Security and privacy by default.
Corscribe is built for cardiology practices, so we treat PHI as something to minimize, not collect. Audio never lands on disk. Transcripts are scrubbed before they hit a model. Every encounter row is double-scoped to a clinician and an organization at the database layer.
We are in invite-only beta. The controls below are live in production today. Where a formal certification is still under audit, we say so plainly — we don't claim badges we haven't earned.
0 bytes of PHI on disk
Audio is in-memory only and dropped the moment a recording WebSocket closes.
Dual-scoped at the database
RLS in Postgres pins every row to a clinician and an organization — not the app.
No training on customer PHI
Contractual Zero Data Retention (ZDR) with our LLM providers, plus explicit no-store headers on every call.
Where we stand on the frameworks that matter.
An honest read of which frameworks are live in production today, which are available on request, and which we are actively pursuing.
HIPAA Security & Privacy Rules
Status: In place
Architected to the HIPAA Security and Privacy Rules: PHI is segregated by clinician and organization, access is logged, and administrative, physical, and technical safeguards are documented in our internal policy set.
Business Associate Agreement (BAA)
Status: Available
We sign a BAA with every organization that uses Corscribe with PHI, and we operate under signed BAAs with every subprocessor that can touch PHI (Clerk, Supabase, Deepgram, Microsoft Azure / AWS).
SOC 2 Type II
Status: In progress
Type I readiness assessment underway with a Q4 2026 audit window. We are happy to share our security questionnaire (CAIQ-Lite + bespoke healthcare addendum) under NDA in the meantime.
HITRUST
Status: In progress
Mapped against HITRUST CSF v11 controls as part of the SOC 2 program. Formal certification is on the post-GA roadmap.
GDPR & UK GDPR
Status: Available
Corscribe currently serves US-based practices and stores all data in US regions. EU/UK clinical data is not in scope today; SCC-based DPAs are available for non-PHI corporate use such as marketing or sales contacts.
Encryption, residency, and the lifecycle of your data.
What happens to data from the moment it leaves a clinician's browser to the moment it ages out of our systems.
Encryption in transit
TLS 1.2+ on every public endpoint with HSTS preload eligibility, modern cipher suites only, and certificate rotation automated through our hosting providers.
Encryption at rest
AES-256 at rest for the primary Postgres database, object storage, and provider-managed backups. Keys are managed by the cloud provider's KMS — Corscribe operators never see raw key material.
Secret management
All API keys and signing secrets live in the hosting provider's encrypted secret store. No secret is ever committed to source control; rotation is supported by the platform without redeploys.
US data residency
All production workloads run in US regions (Vercel default US edge, Fly.io iad / Northern Virginia, Supabase US-East). Data does not leave the United States in the normal course of operation.
Backups & recovery
Continuous WAL-based backups of the primary database with point-in-time recovery. Backup integrity is exercised on a recurring cadence and restore runbooks live in our internal ops handbook.
Retention & deletion
Audio is never persisted — it is held only in memory while a recording WebSocket is open. Transcripts and SOAP notes are retained for the life of the customer relationship and are deleted within 30 days of a written customer request.
Authorization the database can enforce.
Authentication is the obvious half. The interesting half is making sure that even a buggy server route can't read another organization's encounters.
Identity via Clerk
Authentication is handled by Clerk with support for passwords + email verification, magic links, and SSO on enterprise plans. MFA is available to every user and required for Corscribe operators.
Organization-scoped data
Every encounter, transcript, audit row, and SOAP note carries an org_id. Switching active organizations in Clerk swaps the JWT claim and re-scopes the entire app — there is no app-level filtering to bypass.
Row-Level Security in Postgres
RLS policies in Supabase enforce a dual predicate on every PHI table: clinician_user_id = auth.jwt() ->> 'sub' AND org_id = coalesce(auth.jwt() ->> 'org_id', '__personal__'). The database, not the app, is the authorization boundary.
Audit logging
A separate audit_log table records every PHI-relevant action — access, edit, finalize, export — with a strict deny-list that prevents PHI from leaking into log metadata.
Least privilege internally
Production data access is restricted to a small on-call group, gated by SSO + MFA, and produces an audit trail. Engineers develop against synthetic data and ephemeral Supabase branches, not production.
Defense in depth at the edge
An optimistic Clerk session gate runs at the proxy layer, but every Server Component and route handler re-verifies the session before reading or writing data — the proxy is never the only check.
Managed cloud, narrow blast radius.
A small surface area: a Next.js front-end on Vercel, a stateless FastAPI bridge on Fly.io in Northern Virginia, and a Supabase Postgres database with RLS — all in US regions.
Managed cloud foundation
We deliberately stand on top of HIPAA-eligible managed providers (Vercel, Fly.io, Supabase, Cloudflare DNS) so we inherit their physical security, hardware lifecycle, and 24/7 NOC posture rather than reinventing them.
Isolated environments
Production, staging, and preview environments are separate Supabase projects with separate Clerk instances and separate secrets. No production credential is reachable from a preview deployment.
Stateless audio bridge
The FastAPI audio bridge holds frames in memory only for the life of a recording WebSocket and proxies them straight to Deepgram Medical with Zero Data Retention headers. No PHI hits the bridge's disk.
Logging without PHI
Structured logs run through a redaction processor that hard-blocks transcript / audio / note / prompt keys. The primary completion event records only encounter_id, model id, latency, and redaction counts.
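The redaction processor described above and the deny-list that keeps PHI out of audit_log metadata (under Audit logging) rest on the same mechanism: a key-based deny-list applied to every event before it reaches a sink, with an allow-list on top for the primary completion event. The block below is an added example of that pattern, not Corscribe's own code. The deny-list tokens, the structlog-style processor signature, the allow-list contents, the sample event and the model id are all assumptions made for illustration.

```python
"""Key-based PHI redaction for structured log events (added example, not Corscribe code)."""
import re
from typing import Any, Dict, List, Tuple

# Assumed deny-list: any key whose tokens include one of these is hard-blocked,
# at any nesting depth, and its entire subtree is replaced, never inspected.
DENY_TOKENS = frozenset({"transcript", "audio", "pcm", "note", "notes", "prompt", "completion", "messages"})
REDACTED = "[REDACTED]"

# Assumed allow-list for the primary completion event: only these keys may appear.
COMPLETION_ALLOWED = frozenset({"event", "encounter_id", "model", "latency_ms", "redaction_counts"})


def _key_tokens(key: Any) -> List[str]:
    """Split snake_case and camelCase keys into lowercase tokens, e.g. rawTranscript -> [raw, transcript]."""
    spaced = re.sub(r"([a-z0-9])([A-Z])", r"\1 \2", str(key))
    return re.findall(r"[a-z0-9]+", spaced.lower())


def _is_denied(key: Any) -> bool:
    return any(tok in DENY_TOKENS for tok in _key_tokens(key))


def _redact(value: Any, counter: List[int]) -> Any:
    """Return a redacted copy; the input is never mutated."""
    if isinstance(value, dict):
        out: Dict[str, Any] = {}
        for k, v in value.items():
            if _is_denied(k):
                out[k] = REDACTED          # drop the whole subtree, do not recurse into it
                counter[0] += 1
            else:
                out[k] = _redact(v, counter)
        return out
    if isinstance(value, (list, tuple)):
        return [_redact(v, counter) for v in value]
    return value


def phi_redaction_processor(_logger: Any, _method_name: str, event_dict: Dict[str, Any]) -> Dict[str, Any]:
    """structlog-style processor (logger, method_name, event_dict) -> event_dict.

    Plug into a processor chain ahead of the renderer so nothing downstream sees raw keys.
    """
    counter = [0]
    cleaned = _redact(event_dict, counter)
    if counter[0]:
        cleaned["redacted_keys"] = counter[0]   # how many keys were blocked, never what they held
    return cleaned


def validate_completion_event(event: Dict[str, Any]) -> List[str]:
    """Keys on a completion event that the allow-list does not permit (empty list means OK)."""
    return sorted(k for k in event if k not in COMPLETION_ALLOWED)


def log_completion(fields: Dict[str, Any]) -> Dict[str, Any]:
    """Allow-list the completion event, then run the deny-list processor as a second check."""
    offending = validate_completion_event(fields)
    if offending:
        raise ValueError(f"completion event carries disallowed keys: {offending}")
    return phi_redaction_processor(None, "info", fields)


# Constructed sample event, as a buggy route might emit it before redaction.
SAMPLE_EVENT: Dict[str, Any] = {
    "event": "soap.generated",
    "encounter_id": "enc_0001",
    "model": "example-model",
    "latency_ms": 812,
    "transcript": "Dr. Patel: Good morning, how have you been feeling?",
    "llm": {
        "prompt": "Summarize the following cardiology visit as a SOAP note.",
        "messages": [{"role": "user", "content": "Dr. Patel: Good morning"}],
        "usage": {"input_tokens": 812, "output_tokens": 240},   # token counts survive: no denied token
    },
    "request_path": "/v1/encounters/enc_0001/finalize",
}

if __name__ == "__main__":
    print(phi_redaction_processor(None, "info", SAMPLE_EVENT))
    print(log_completion({"event": "soap.completed", "encounter_id": "enc_0001",
                          "model": "example-model", "latency_ms": 812,
                          "redaction_counts": {"name": 2, "dob": 1}}))
```

Matching is by key name, so the deny-list is only as good as the naming discipline around it: a counter stored under `prompt_tokens` is blocked along with the prompt itself, which is why the sample keeps usage under `input_tokens`. The allow-list on the completion event closes that gap from the other side, rejecting the event outright when a forbidden key is present rather than trusting the deny-list alone.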
The boring controls, taken seriously.
No process protects you from a careless commit. We compensate with required review, automated checks, and small, reviewable diffs.
Code review on every change
All changes flow through pull requests with required review. The Next.js codebase is type-checked and linted (TypeScript + Biome) on every commit; the FastAPI service is type-checked, linted, and unit-tested with coverage gates.
Dependency hygiene
Dependencies are tracked via lockfiles (pnpm + uv) with automated scanning for known CVEs through GitHub's native security advisories. Critical advisories trigger an out-of-band patch.
Secret scanning
Push protection and secret scanning are enabled on the repository. Local pre-commit hooks block accidental commits of .env files and known credential shapes.
Continuous integration as a gate
Tests, type checks, lints, and the backend pytest suite all run on every PR. A red CI cannot merge — there is no override button for production branches.
The least PHI we can possibly handle.
A scribe has to hear the visit. It does not have to remember it.
PHI minimization end-to-end
Audio frames live in memory for seconds and are dropped on disconnect. Transcripts are PHI-scrubbed (names following honorifics, MRNs, SSNs, phone numbers, emails redacted; DOBs reduced to year) before they leave the bridge process.
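The transcript scrub described above is a pass over text, not over keys, so it needs its own rules. The block below is an added example of that scrubbing pass, not Corscribe's own scrubber. The patterns (which honorifics are recognised, the MRN format, the date formats reduced to a year) and the sample transcript are assumptions; it also returns per-category counts, the kind of metadata the page says is safe to log.

```python
"""Regex PHI scrub of a transcript before it leaves the bridge process (added example, not Corscribe code)."""
import re
from typing import Dict, List, Tuple

# Assumed rules, applied in this order. Each is (label, pattern, replacement).
# The email and SSN rules run before the phone rule so a longer match is never
# partially consumed by a looser pattern.
_RULES: List[Tuple[str, "re.Pattern[str]", str]] = [
    ("email", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    ("phone", re.compile(r"(?:\+1[\s.-]?)?\(?\b\d{3}\)?[\s.-]\d{3}[\s.-]\d{4}\b"), "[PHONE]"),
    # Assumed MRN shape: the literal "MRN" followed by 5 to 10 digits.
    ("mrn", re.compile(r"\b(MRN|medical record number)\s*[:#]?\s*\d{5,10}\b", re.I), r"\1 [MRN]"),
    # Names are only caught when they follow an honorific; case-sensitive on purpose so "MRN" is not "Mr".
    ("name", re.compile(r"\b(Mrs|Miss|Ms|Mr|Mx|Dr)(\.?)\s+[A-Z][a-z'\-]+(?:\s+[A-Z][a-z'\-]+)?"), r"\1\2 [NAME]"),
    # Dates of birth are reduced to the year rather than removed.
    ("dob", re.compile(r"\b(DOB|date of birth|born(?: on)?)(\s*:?\s*)(\d{1,2})[/-](\d{1,2})[/-](\d{4})\b", re.I), r"\1\2\5"),
]


def scrub_transcript(text: str) -> Tuple[str, Dict[str, int]]:
    """Return the scrubbed text and a count of replacements per category.

    The counts contain no PHI and are what a completion event can safely carry.
    """
    counts: Dict[str, int] = {}
    for label, pattern, replacement in _RULES:
        text, n = pattern.subn(replacement, text)
        if n:
            counts[label] = n
    return text, counts


# Constructed sample; no real patient data.
SAMPLE_TRANSCRIPT = (
    "Dr. Patel: Good morning Mrs. Okafor, I have your MRN 00418273 here. "
    "You were born on 03/14/1958, correct? Your callback number is (617) 555-0142 "
    "and your email is okafor.a@example.com. The SSN on file is 123-45-6789."
)

if __name__ == "__main__":
    scrubbed, counts = scrub_transcript(SAMPLE_TRANSCRIPT)
    print(scrubbed)
    print(counts)
```

The honorific rule is the weak link and the page is candid about that: a patient referred to by first name alone, or a surname without a preceding title, passes through untouched. Treat regex scrubbing as a floor, and keep the LLM calls under Zero Data Retention terms on top of it, as the page describes.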
No training on customer PHI
We do not use customer PHI, transcripts, or SOAP notes to train, fine-tune, or improve any AI model — ours or our subprocessors'. Every LLM call ships with explicit Zero Data Retention headers as defense-in-depth on top of contractual ZDR with Microsoft and AWS.
Structured outputs only
The model is constrained to a typed cardiology SOAP schema. Free-form prose paths that could echo PHI back into logs or analytics are not exposed.
Patient rights & access
Customers control PHI created by their clinicians. We honor authenticated patient-rights requests — access, amendment, accounting of disclosures — that customers route to us under their BAA.
Every vendor that can touch customer data.
We keep this list short on purpose. Material additions are announced to customers under their BAA before going live in production.
| Vendor | Purpose | Data | Region | BAA / DPA |
|---|---|---|---|---|
| Clerk | User authentication, organizations, session management | Account identifiers, email, sign-in metadata | United States | Yes |
| Supabase | Postgres database, row-level security, audit storage | Encounter metadata, redacted transcripts, SOAP notes, audit logs | United States (US-East) | Yes |
| Deepgram | Real-time medical speech-to-text (Nova Medical) | In-flight audio frames during a live encounter | United States | Yes |
| Microsoft Azure (OpenAI) | LLM inference for SOAP note generation (when configured) | PHI-scrubbed transcript prompts under Zero Data Retention | United States | Yes |
| Amazon Web Services (Bedrock) | LLM inference via Anthropic models (when configured) | PHI-scrubbed transcript prompts under enterprise ZDR terms | United States | Yes |
| Vercel | Frontend / BFF hosting and edge delivery | Authenticated request metadata; no PHI in route or log payloads | United States | Yes (DPA) |
| Fly.io | Backend FastAPI service hosting (iad / Northern Virginia) | In-flight transcript and SOAP request payloads (not persisted) | United States (iad) | Yes |
| Cloudflare | DNS, network protection | Network-layer metadata only | Global edge, US apex | Yes (DPA) |
| GitHub | Source code management, CI/CD | Source code; no production PHI | United States | Yes (DPA) |
Last updated June 2026. Subprocessor changes are announced to customers via their primary contact before they go live.
Incident response
We follow a written incident response runbook with named on-call roles, defined severity levels, and a customer-notification clock that starts the moment we confirm a security incident affecting customer data, well within our HIPAA Breach Notification Rule obligations.
- Named security on-call with paging integration, 24/7.
- Customer notification within the timelines required by the Breach Notification Rule and our BAA.
- Public post-incident reports for material outages affecting the platform.
Responsible disclosure
If you believe you have found a vulnerability in Corscribe, please report it privately. We commit to acknowledge within one business day, work with you on a coordinated disclosure timeline, and credit you publicly when a fix ships (unless you prefer to remain anonymous).
- Contact: security@corscribe.app
- Acknowledgement: within 1 business day
- Triage: within 5 business days
- Scope: corscribe.app and *.corscribe.app
Please do not perform testing that could degrade service for other customers, and do not access, modify, or exfiltrate data that is not your own. Good-faith research under these guidelines will not be the subject of legal action by Corscribe.
Need to dig deeper?
Compliance teams, IT reviewers, and security questionnaires are welcome — we'll send our security packet, recent penetration-test summary, and a draft BAA on request.