Encryption and access
All client data is encrypted at rest in our PostgreSQL database and in transit via TLS. Only authenticated users with a workspace assignment can read a given client's records.
Idle sessions automatically time out. Account-level deletion permanently removes all PHI within 30 days of request.
AI processing consent
When you generate a note, we send your session summary plus minimal client context (initials, age, diagnosis if provided) to OpenAI under a business associate agreement that prohibits training on your data.
You can revoke AI consent in Settings → Privacy at any time; you'll keep access to existing notes but won't be able to generate new ones until you re-consent.
Business Associate Agreements (BAA)
Agency customers can request a BAA by emailing support@bxscribe.com. We'll send a standard template covering BxScribe and our subprocessors.

