1.0 Information Security Overview

At CareScribe we take the protection of customer data extremely seriously. We employ information security policies, and there is board-level commitment to implementing and following those policies throughout the organisation.

Information Security is led by the Managing Director at CareScribe.

2.0 ISO-27001

CareScribe is committed to protecting information assets and employs information security systems, policies, procedures and controls that meet the requirements of ISO 27001. We have now implemented ISO 27001:2022 and have undergone our Stage 1 and Stage 2 audits. We’re awaiting the QA of the final report by the certification body. There were no Major or Minor NCs in the auditors’ report. We will update this section in the next few days once we have the final outcome.

3.0 Cyber Essentials

CareScribe holds Cyber Essentials certification and copies of our certificate can be provided upon request.

4.0 Customer Data

CareScribe provides two products to our users:

4.1 Caption.Ed

The Caption.Ed desktop applications (Windows and Mac) and browser extensions (Google Chrome and Microsoft Edge Chromium) allow the user to generate captions and a transcript for any live or pre-recorded media played on their computer (desktop application) or in their browser (browser extension).

Caption.Ed stores the following customer data in its cloud services:

  • Email address (if the customer is using email-based sign up).
  • Name.
  • Payment history and invoices (credit card numbers are stored at Stripe).
  • Software usage data.
  • Time and duration of when Caption.Ed has been used.
  • URL where Caption.Ed has been used (browser extensions only).
  • Transcription data and recordings (which the user can delete at any time).

All data is stored in the UK.

4.2 TalkType

TalkType provides dictation and voice-based computer control on the Mac. When enabled, TalkType will transcribe all audio spoken into the Mac’s microphone.

TalkType stores the following data in its cloud services:

  • Email address (if the customer is using email-based sign up).
  • Name.

5.0 Encryption

Data in transit is encrypted and protected through SSL/TLS certificates using SHA-256 and RSA signing.

All production databases and customer data are encrypted at rest with AES-256.

6.0 Authentication

CareScribe supports email-verification-based sign-in with strong minimum password requirements: at least six characters, including one digit, one symbol and one uppercase letter.

Two-factor authentication is available on all accounts.

SAML-based single sign-on (SSO) is available for institutional clients.

7.0 GDPR and Data Retention

Customers can delete all of their data by sending an email to [email protected]

Once a user account is deleted, all associated data (account settings, transcripts, etc.) is removed from CareScribe systems. This action is irreversible.

Caption.Ed supports the setting of specific record retention periods at an individual or organisational level. This allows Caption.Ed sessions to be automatically deleted after a defined period of time, e.g. 30 days. Please speak to a member of the team for more information.

8.0 3rd Party Sub-processors

CareScribe is a data processor and engages certain onward sub-processors. Below are the sub-processors that CareScribe currently utilises and a description of their service:

Sub-processor Entity    Description                      Website
Amazon Web Services     Cloud services provider          https://aws.amazon.com
Customer.io             Customer communications platform https://customer.io
Google Cloud            Cloud services provider          https://cloud.google.com
Hubspot                 CRM & email processing           https://hubspot.com
MailerSend              Email processing                 https://mailersend.com
Pendo                   Product analytics                https://www.pendo.io
Speechmatics            AI speech processing provider    https://www.speechmatics.com
Stripe                  Payment processing               https://stripe.com

9.0 Internal CareScribe Team Data Access

By default, only our key engineering and support leads have access to customer data. This access is granted only for production releases, debugging and fixes. All other staff do not have access to customer data unless granted permission for debugging purposes.

10.0 Infrastructure Availability

TalkType desktop applications require a continuous connection to our servers (CareScribe Cloud Services).

Caption.Ed desktop and browser applications require a continuous connection to CareScribe Cloud Services.

Our backend infrastructure, CareScribe Cloud Services, is entirely hosted in AWS and Google Cloud. It is fully automated and monitored by continuous functional tests to detect any form of downtime.

11.0 Product and Datacenter Security

The CareScribe backend is hosted on AWS and Google Cloud and leverages all the security benefits (physical security, key management, redundancy, scalability, etc.) that AWS and Google provide. The IT infrastructure is designed and managed in alignment with security best practices and a variety of IT security standards, including:

  • SOC 1 / SSAE 16 / ISAE 3402
  • SOC 2
  • SOC 3
  • FISMA, DIACAP and FedRAMP
  • DOD CSM Levels 1-5
  • PCI DSS Level 1
  • ISO 9001 / ISO 27001
  • ITAR
  • FIPS 140-2
  • MTCS Level 3

12.0 Personnel Security

All CareScribe personnel are screened to meet the UK Government Baseline Personnel Security Standard, and training is provided to all members of staff covering their responsibilities in handling personal data.

13.0 Responsible Disclosure

We consider the security of our systems and your data a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present.

If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our clients and our systems. Please do the following:

  • Email your findings to [email protected]
  • Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability.
  • Do not reveal the problem to others until it has been resolved.
  • Do not use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties.
  • Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually, the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.

We strive to resolve all problems as quickly as possible, and we would like to play an active role in the ultimate publication on the problem after it is resolved.

14.0 Contact

If you have any questions about this document please don’t hesitate to contact us at [email protected]

15.0 Information Transfer Policy

Please only use our ticketing system (through [email protected]) to submit questions and reports related to the use of the service. Sending sensitive information such as names, e-mail addresses, IP addresses or other technical details via email is considered unsafe, and CareScribe Ltd cannot take responsibility for the protection of data sent via unencrypted channels.