Last updated 11/08/2023
At CareScribe we take the protection of customer data extremely seriously. We employ information security policies, and there is board-level commitment to implementing and following these policies throughout the organisation.
Information Security is led by the Chief Technology Officer at CareScribe.
CareScribe is committed to protecting information assets and employs information security systems, policies, procedures and controls that meet the requirements of ISO 27001. We are currently in the process of implementing ISO 27001:2022 and are working with Vanta to achieve this during 2023.
CareScribe holds Cyber Essentials certification and copies of our certificate can be provided upon request.
CareScribe provides two products to our users:
The Caption.Ed desktop applications (Windows and Mac) and browser extensions (Google Chrome and Microsoft Edge Chromium) allow the user to generate captions and a transcript for any live or pre-recorded media played on their computer (in the case of the desktop applications) or through their browser (in the case of the browser extensions).
Caption.Ed stores the following customer data in its cloud services:
All data is stored in the UK.
TalkType provides Mac-based dictation and computer control dictation. When enabled, TalkType will transcribe all audio spoken into the Mac’s microphone.
TalkType stores the following data in its cloud services:
Data in transit is encrypted and protected through SSL certificates using SHA-256 and RSA signing.
All production databases and customer data are encrypted at rest with AES-256.
CareScribe supports email verification-based sign-in with strong minimum password requirements: at least six characters, including one digit, one symbol and one uppercase letter.
Two-factor authentication is available on all accounts.
SAML-based Single-Sign-On is available for institutional clients.
Customers can delete all their data by sending an email to [email protected]
Once a user account is deleted, all associated data (account settings, transcripts, etc.) is removed from CareScribe systems. This action is irreversible.
Caption.Ed supports the setting of specific record retention periods on an individual or organisational level. This allows Caption.Ed sessions to be automatically deleted after a defined period of time, e.g. 30 days. Please speak to a member of the team for more information.
CareScribe is a data processor and engages certain onward sub-processors. Below are the sub-processors that CareScribe currently utilises and a description of their service:
| Sub-processor Entity | Description | Website |
| --- | --- | --- |
| Amazon Web Services | Cloud services provider | https://aws.amazon.com |
| Google Cloud | Cloud services provider | https://cloud.google.com |
| Stripe | Payment processing | https://stripe.com |
| MailerSend | Email processing | https://mailersend.com |
| HubSpot | CRM & email processing | https://hubspot.com |
| Pendo | Product analytics | https://www.pendo.io/ |
By default, only our key engineering and support leads have access to customer data. This access is granted only for production releases, debugging and fixes. All other staff do not have access to customer data unless granted permission for debugging purposes.
TalkType desktop applications require a continuous connection to our servers (CareScribe Cloud Services).
Caption.Ed desktop and browser applications require a continuous connection to CareScribe Cloud Services.
Our backend infrastructure, CareScribe Cloud Services, is entirely hosted in AWS and Google Cloud. It is fully automated and monitored by continuous functional tests to detect any sort of downtime.
The CareScribe backend is hosted on AWS and Google Cloud and leverages all the security benefits (physical security, key management, redundancy, scalability, etc.) that AWS and Google provide. The IT infrastructure is designed and managed in alignment with security best practices and a variety of IT security standards, including SOC 1/SSAE 16/ISAE 3402 • SOC 2 • SOC 3 • FISMA, DIACAP, and FedRAMP • DOD CSM Levels 1-5 • PCI DSS Level 1 • ISO 9001 / ISO 27001 • ITAR • FIPS 140-2 • MTCS Level 3.
All CareScribe personnel are screened to meet the UK Government Baseline Security Standard and training is provided to all members of staff covering their responsibilities in handling personal data.
We consider the security of our systems and your data a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present.
If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our clients and our systems. We ask that you please do the following:
We strive to resolve all problems as quickly as possible, and we would like to play an active role in the ultimate publication of the problem after it is resolved.
If you have any questions about this document, please don’t hesitate to contact us at [email protected]