Information Security Centre

At CareScribe we take the protection of customer data extremely seriously. We employ information security policies and there is board-level commitment to implement and following the policies throughout the organisation.

Information Security is led by the Managing Director @ CareScribe.

CareScribe is ISO 27001:2022 certified. This standard provides a framework for an Information Security Management System (ISMS) that enables the continued accessibility, confidentiality and integrity of information, as well as legal compliance. This certification demonstrates our commitment to the protection of our client’s information and shows that we meet the systems, policies, procedures, and controls that meet the expectations of both ISO and our customers. The ISO 27001:2022 certificate is available upon request.

CareScribe provides two products to our users:

Data in transit is encrypted and protected through SSL certificates using SHA-256 and RSA signing.

All production databases and customer data are encrypted at rest with AES-256.

CareScribe support email verification-based sign-in with strong minimum password requirements of a minimum of six characters including one digit, one symbol and one uppercase letter.

Two-factor authentication is available on all accounts.

SAML-based Single-Sign-On is available for institutional clients.

Customer can delete all their data by sending an email to [email protected]

Once a user account is deleted, all associated data (account settings, transcripts etc) are removed from CareScribe systems. This action is irreversible.

Caption.Ed supports the setting of specific record retention periods on an individual or organisational level. This allows Caption.Ed sessions to be automatically deleted after a defined period of time eg. 30 days. Please speak to a member of the team for more information.

CareScribe is a data processor and engaged certain onward sub-processors. Below are the sub-processors that CareScribe currently utilises and a description of their service:

CareScribe’s products use AI in 2 ways

1. Speech to text recognition
   • For Caption.Ed to create live captions and transcripts
   • For TalkType to convert your user voice to text
2. Generative AI to create summarised or reformatted content

AI generated content is handled in the same way as other confidential user data.

• All AI tools are hosted in the EU/UK
• Data is managed securely
• Data is not stored or accessible by other organisations
• Data is not used to train generative AI models

As an organisation, you have the option to turn off any generative AI-driven features for your users.

By default, only our key engineering and support leads have access to customer data. This access is granted only for production releases, debugging and fixes. All other staff do not have access to customer data unless granted permission for debugging purposes.

TalkType desktop applications require a continuous connection to our servers (CareScribe Cloud Services).

Caption.Ed desktop and browser applications require a continuous connection to CareScribe Cloud Services.

Our backend infrastructure, CareScribe Cloud Services, is entirely hosted in AWS and Google Cloud, it’s fully automated and monitored by continuous functional tests to detect and sort of downtime.

CareScribe backend is hosted on AWS and Google Cloud and leverages all the security benefits (physical security, key management, redundancy, scalability, etc) that AWS and Google provide. The IT infrastructure is designed and managed in alignment with security best practices and a variety of IT security standards, including SOC 1/SSAE 16/ISAE 3402 • SOC 2 • SOC 3 • FISMA, DIACAP, and FedRAMP • DOD CSM Levels 1-5 • PCI DSS Level 1 • ISO 9001 / ISO 27001 • ITAR • FIPS 140-2 • MTCS Level 3.

All CareScribe personnel are screened to meet the UK Govenment Baseline Security Standard and training is provided to all members of staff covering their responsibilities in handling personal data.

We consider the security of our systems and your data a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present.

If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our clients and our systems. We ask that you please do the following:

• Email your findings to [email protected]
• Don’t take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability
• Do not reveal the problem to others until it has been resolved,
• Do not use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties, and
• Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually, the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.
  We strive to resolve all problems as quickly as possible, and we would like to play an active role in the ultimate publication on the problem after it is resolved.

We strive to resolve all problems as quickly as possible, and we would like to play an active role in the ultimate publication on the problem after it is resolved.

If you have any questions about this document please don’t hesitate to contact us at [email protected]

Please only use our ticketing system (through [email protected]) to submit questions and reports related to the use of service. Sending sensitive information such as names, e-mail addresses, IP address or other technical details via email is considered unsafe and CareScribe Ltd can not take responsibility for the protection of data sent via unencrypted channels.