Information Security Overview
At CareScribe we take the protection of customer data extremely seriously. We employ information security policies and there is a board-level commitment to implement and follow the policies throughout the organisation.
Information Security is led by the Chief Technology Officer at CareScribe.
CareScribe is committed to protecting information assets and employs information security systems, policies, procedures and controls that meet the requirements of ISO 27001:2017. We are currently undergoing an audit to achieve certification during 2022.
CareScribe holds Cyber Essentials certification and copies of our certificate can be provided upon request.
CareScribe provides two products to our users:
Caption.Ed is available as desktop applications (Windows and Mac) and as browser extensions (Google Chrome and Microsoft Edge Chromium). It allows the user to generate captions and a transcript for any live or pre-recorded media played on their computer (desktop applications) or through their browser (browser extensions).
Caption.Ed stores the following customer data in its cloud services:
- Email address (if the customer is using email-based sign up).
- Payment history and invoices (credit card numbers are stored at Stripe)
- Software usage data:
  - Time and duration of when Caption.Ed has been used.
  - URL where Caption.Ed has been used (browser extensions only).
- Transcription data and recordings (which the user can delete at any time).
All data is stored in the UK.
TalkType provides Mac-based dictation and dictation-driven computer control. When enabled, TalkType will transcribe all audio spoken into the Mac’s microphone.
TalkType stores the following data in its cloud services:
- Emails (if the customer is using email-based sign up).
Data in transit is encrypted and protected through SSL certificates using SHA-256 and RSA signing.
All production databases and customer data are encrypted at rest with AES-256.
CareScribe supports email verification-based sign-in with strong minimum password requirements: at least six characters, including one digit, one symbol and one uppercase letter.
Two-factor authentication is available on all accounts.
SAML-based Single-Sign-On is available for institutional clients.
GDPR and Data Retention
Customers can delete all their data by sending an email to [email protected]
Once a user account is deleted, all associated data (account settings, transcripts, etc.) is removed from CareScribe systems. This action is irreversible.
3rd Party Sub-processors
CareScribe is a data processor and engages certain onward sub-processors. Below are the sub-processors that CareScribe currently utilises and a description of their service:

| Sub-processor | Service | Website |
| --- | --- | --- |
| Amazon Web Services | Cloud services provider | https://aws.amazon.com |
| Google Cloud | Cloud services provider | https://cloud.google.com |
| Hubspot | CRM and Email Processing | https://hubspot.com |
Last updated 14th July 2022
Internal CareScribe Team Data Access
By default, only our key engineering and support leads have access to customer data. This access is granted only for production releases, debugging and fixes. All other staff do not have access to customer data unless granted permission for debugging purposes.
TalkType desktop applications require a continuous connection to our servers (CareScribe Cloud Services).
Caption.Ed desktop and browser applications require a continuous connection to CareScribe Cloud Services.
Our backend infrastructure, CareScribe Cloud Services, is entirely hosted in AWS and Google Cloud. It is fully automated and monitored by continuous functional tests to detect any sort of downtime.
Product and Datacenter Security
The CareScribe backend is hosted on AWS and Google Cloud and leverages all the security benefits (physical security, key management, redundancy, scalability, etc.) that AWS and Google provide. The IT infrastructure is designed and managed in alignment with security best practices and a variety of IT security standards, including SOC 1/SSAE 16/ISAE 3402, SOC 2, SOC 3, FISMA, DIACAP and FedRAMP, DOD CSM Levels 1-5, PCI DSS Level 1, ISO 9001 / ISO 27001, ITAR, FIPS 140-2 and MTCS Level 3.
All CareScribe personnel are screened to meet the UK Government Baseline Security Standard, and training is provided to all members of staff covering their responsibilities in handling personal data.
We consider the security of our systems and your data a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present.
If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our clients and our systems. We ask that you please do the following:
- Email your findings to [email protected]
- Don’t take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability.
- Do not reveal the problem to others until it has been resolved.
- Do not use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties.
- Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually, the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.
We strive to resolve all problems as quickly as possible, and we would like to play an active role in the ultimate publication about the problem after it is resolved.
If you have any questions about this document please don’t hesitate to contact us at [email protected]