Data Processing & Security

clients trust autoscriber with their data so that they can focus on the work that matters most within healthcare that’s why we are focused not only on creating automation, but also on implementing robust safeguards to keep our customers’ data safe this article is focussed on giving an overview of the processes and standards that autoscriber has in place to ensure the utmost security and our customers data is safe summary autoscriber is fully gdpr compliant and our processes have been checked by our legal counsel accordingly, all data is stored in eu data centres, patients and other stakeholders can access our privacy statement and data processing addendum at docid 7aeudbwnwt4ufxdbap iy that clearly explains how their data are being used, data are stored only as long as needed or removed (within the integrated version), data retention policy is applicable, where data is deleted within 48 hours after a data deletion request is made, autoscriber has docid 1s0ujm mf0xblzezfpdl6 and docid\ vbew9upws6sm08pz0o ll security measures taken by autoscriber access control the access to the personal data is restricted to the authorised employees on a need to know basis employee verification every employee (even interns) are required to present a vog (or police clearance) certificate and identification card encryption personal data is always encrypted at rest and in transit (ssl connections are used) multi factor authentication the access to the personal data is secured with two factor authentication (2fa) pentesting our system's security is being tested by an external auditor at least once a year non disclosure non disclosure agreements (nda’s) are concluded in the event that confidential information is exchanged our security certificates & standards autoscriber currently holds the following security certificates iso 27001, with an external audit conducted by kiwa netherlands the certificate can be found here docid 1s0ujm mf0xblzezfpdl6 nen 7510, with an external audit conducted by kiwa netherlands the certificate can be found here docid\ vbew9upws6sm08pz0o ll gdpr compliance, based on our privacy policy, found in this document here docid\ pcwhugb4bkdsofjv7n9ki eu ai act, based on our compliance, found in this document here docid\ qtum3jeqiqr7kkm5zf8gm c5, our cloud providers are c5 approved and have c5 attestations more info found here docid\ dtyap0o1lxy2qajpasg m how we protect our customers’ data the following describes the measures autoscriber takes to ensure our customers’ data is protected we adhere to strict data minimisation policies e g audio is not stored we employ end to end encryption for data at rest and in transit we conduct regular penetration testing and vulnerability assessments we use secure cloud infrastructure through our partnerships with microsoft azure and google cloud our staff undergoes rigorous training in data processing sub processors we do not share data with any third parties and data is processed by sub processors only insofar as it is necessary for us to provide you with the service we offer we strive towards total transparency regarding your data, who processes your data and for what ends furthermore, we conduct regular supplier checks to ensure that our suppliers meet the minimum conditions according to iso and other standard requirements please see our docid\ kccvpfgtywwqgpxjfezkd for a detailed overview of our sub processors and their purpose training our models for autoscriber to improve on services delivered, the training of models is necessary we will, however, never use customer data without explicit consent in case you would like us to use your data to finetune our models to your use case, we will conclude a separate data processing agreement outside of our standard contract in short, unless you request otherwise, your data is never used to train our models and is never stored longer than you wish cloud security and compliance autoscriber makes use of a combination of azure and gcp, which each have their relevant security standards, which are described below microsoft azure security and compliance azure's compliance portfolio azure has one of the largest portfolios of compliance certifications, including key data privacy and security certifications such as iso/iec 27001, iso/iec 27018, csa star, and most importantly, general data protection regulation (gdpr) compliance this provides legal assurance that the data protection principles set forth in the gdpr are being followed data encryption and protection azure encrypts data both at rest and in transit using industry standard encryption techniques (aes 256 for data at rest and tls for data in transit) this ensures that even if data is not pseudonymised, it remains secure through layers of encryption and protected from unauthorised access azure security controls the platform includes azure security center, which provides advanced threat detection, security monitoring, and automated remediation capabilities these tools help continuously monitor and secure data processing environments, ensuring protection against emerging threats google cloud platform (gcp) security and compliance gcp's compliance standards gcp is also certified against key international standards such as iso/iec 27001, iso/iec 27018, soc 1/2/3 and is fully gdpr compliant gcp offers tools and services such as cloud data loss prevention (dlp) to ensure sensitive data is handled securely encryption as standard like azure, gcp encrypts data in transit and at rest with robust encryption technologies data stored on google cloud is protected by industry leading encryption algorithms (aes 256), and all communications between google services and between data centers are encrypted with transport layer security (tls) data sovereignty and privacy control gcp provides granular control over where data is stored geographically (within the eu or other regions), ensuring compliance with gdpr data storage requirements google also maintains advanced logging and audit trails, allowing companies to monitor access and activity on their data how we ensure secure data processing even without pseudonymisation strong data encryption encryption is a core part of our security strategy and provides a strong level of protection with encryption at rest and in transit, sensitive data remains unreadable to unauthorised parties, even in the event of a data breach this provides a significant layer of protection for personal data data at rest both azure and gcp encrypt all data at rest by default this means that even if a storage medium is compromised, the data remains unreadable without the associated decryption keys, which are strictly managed with access controls data in transit data transferred between autoscriber systems and external systems or between cloud services is encrypted using strong cryptographic protocols (tls 1 2 or later), which protects against man in the middle attacks access control and monitoring both azure and gcp implement role based access control (rbac), which ensures that only authorised individuals can access specific data based on the principle of least privilege access logs and auditing mechanisms provide a comprehensive view of who has accessed or modified data, ensuring traceability and accountability identity and access management (iam) we use iam features across both platforms to tightly control who has access to sensitive data access is limited to those who need it for their role, and access requests are continuously logged and audited monitoring and threat detection both platforms offer advanced monitoring tools such as azure monitor and google cloud security command center these systems use machine learning to detect anomalies or potential threats in real time, enabling proactive defense against security incidents data residency and local data storage for companies operating in europe or needing to comply with the gdpr, where data is stored plays an important role both azure and gcp offer the ability to store data within specific geographic regions or countries, ensuring strict compliance with data localization requirements under the gdpr (such as the requirement to keep eu citizen data within the eu) why these guarantees are sufficient although in certain cases data is not pseudonymised, the combination of encryption, access control, monitoring and compliance certifications provides a high level of assurance that personal data is processed securely and in accordance with the gdpr data protection by design and default both cloud providers implement data protection by design and default, as required by gdpr article 25 this means that azure and gcp integrate data protection principles into their core infrastructure, ensuring that security is not an afterthought, but a primary consideration in all data processing activities limiting data leaks in the unlikely event of a data breach, both azure and gcp have robust incident response processes and tools to quickly detect, analyze, and contain breaches with encryption and access controls, even in the event of a breach, exposure of personal data is minimised, significantly reducing the risk to data subjects legal guarantees and processing agreements both microsoft and google offer legally binding data processing agreements (dpas) that meet gdpr requirements these agreements define the roles of data controllers and processors, which ensures that data is handled in accordance with gdpr standards in addition, these companies ensure that data subject rights, such as the right to access, rectify or delete personal data, are respected