Essential, 8 min

Security, compliance, and governance

Understand technical and legal safeguards: encryption, traceability, and Quebec compliance.

Canadian data residency · Audit logs · Law 25 / PIPEDA compliance

AuraScribe is built from the ground up with privacy-by-design to meet the obligations of Quebec Law 25 (formerly Bill 64 / PL 64), PIPEDA/LPRPDE, and the Collège des médecins du Québec regulations.

All health data is hosted exclusively in Canadian data centers (Montreal). No processing occurs on foreign servers. AI models (Deepgram, Vertex AI) are accessed through data processing agreements that guarantee Canadian data residency for clinical data.

AES-256 encryption is applied to all data at rest. Data in transit is secured with TLS 1.3 at minimum. Encryption keys are rotated monthly and managed in a FIPS 140-2 Level 3 certified Hardware Security Module (HSM).

Every action in AuraScribe generates an immutable audit log entry: who accessed what, when, and from which device. Logs are retained for 7 years and can be exported for regulatory audits. The shared responsibility model is documented in our Data Processing Addendum (DPA).

In the event of a privacy incident, AuraScribe automatically triggers the notification protocol: investigation within 24 hours, notification to the Commission d'accès à l'information du Québec (CAI) within 72 hours if the incident presents a serious risk, and notification to affected individuals if required.
