Information Security Overview

At CareScribe we take the protection of customer data extremely seriously. We employ information security policies and there is a board-level commitment to implement and follow the policies throughout the organisation.

Information Security is led by the Chief Technology Officer at CareScribe.

ISO-27001

CareScribe is committed to protecting information assets and employs information security systems, policies, procedures and controls that meet the requirements of ISO 27001:2017. We are currently undergoing audit to achieve certification during H1 2021.

Customer Data

CareScribe provides two products to our users:

Caption.Ed

The Caption.Ed desktop applications (Windows and Mac) and browser extensions (Google Chrome and Microsoft Edge Chromium) allow the user to generate captions and a transcript for any live or pre-recorded media played on their computer (in the case of the desktop application) or through their browser (in the case of the browser extension).

Caption.Ed stores the following customer data in its cloud services:

  • Email address (if the customer is using email-based sign-up).
  • Name.
  • Payment history and invoices (credit card numbers are stored at Stripe).
  • Software usage data:
    • Time and duration of when Caption.Ed has been used.
    • URL where Caption.Ed has been used.

TalkType Dictation

TalkType provides Mac-based dictation and computer control by dictation. When enabled, TalkType will transcribe all audio spoken into the Mac’s microphone.

TalkType stores the following data in its cloud services:

  • Email address (if the customer is using email-based sign-up).
  • Name.

Encryption

Data in transit is encrypted and protected through SSL certificates using SHA-256 and RSA signing.

All production databases and customer data are encrypted at rest with AES-256.

Authentication

CareScribe supports email-verification-based sign-in with a strong minimum password requirement: at least six characters, including one digit, one symbol and one uppercase letter.

SAML-based SSO is available for institutional clients.

GDPR and Data Retention

Customers can delete all their data by sending an email to [email protected]

Customers can request a copy of all their data by sending an email to [email protected]

Once a user account is deleted, all associated data (account settings, transcripts, etc.) is removed from CareScribe systems. This action is irreversible.

3rd Party Sub-processors

CareScribe is a data processor and engages certain onward sub-processors. Below are the sub-processors that CareScribe currently utilises and a description of their service:

Sub-processor Entity    Description                      Website
Amazon Web Services     Cloud services provider          https://aws.amazon.com
Google                  Cloud services provider          https://cloud.google.com
Stripe                  Payment processing               https://stripe.com
Intercom                Onboarding and customer support  https://www.intercom.com
Postmark                Email processing                 https://postmarkapp.com

Last updated 18th January 2021

Internal CareScribe Team Data Access

By default, only our key engineering leads have access to customer data. This access is granted only for production releases, debugging and fixes. All other engineers do not have access to customer data unless granted permission for debugging purposes.

Infrastructure Availability

TalkType operates locally on the user’s machine and most of the time does not need to connect to its backend (within CareScribe Cloud Services). A regular connection is required for updates and validation of software licence permissions.

Caption.Ed desktop and browser applications require a continuous connection to CareScribe Cloud Services.

Our backend infrastructure, CareScribe Cloud Services, is entirely hosted in AWS. It is fully automated and monitored by continuous functional tests to detect any sort of downtime.

Product and Datacenter Security

The CareScribe backend is hosted on AWS and leverages all the security benefits (physical security, key management, redundancy, scalability, etc.) that AWS provides. The IT infrastructure that AWS provides to its customers is designed and managed in alignment with security best practices and a variety of IT security standards, including SOC 1/SSAE 16/ISAE 3402, SOC 2, SOC 3, FISMA, DIACAP and FedRAMP, DOD CSM Levels 1-5, PCI DSS Level 1, ISO 9001 / ISO 27001, ITAR, FIPS 140-2 and MTCS Level 3.

Responsible Disclosure

We consider the security of our systems and your data a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present.

If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our clients and our systems. We ask that you please do the following:

  • Email your findings to [email protected]
  • Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability.
  • Do not reveal the problem to others until it has been resolved.
  • Do not use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties.
  • Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually, the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.

We strive to resolve all problems as quickly as possible, and we would like to play an active role in any eventual publication about the problem after it is resolved.

Contact

If you have any questions about this document please don’t hesitate to contact us at [email protected]