Security & compliance
Built for healthcare. Designed with HIPAA-aligned controls from the ground up.
Clinical data is the most sensitive data. Notevyx treats every design decision — infrastructure, data flows, access controls, deletion policies — as a security decision.
Four pillars. Zero shortcuts.
HIPAA-Aligned Controls
All technical and administrative safeguards are designed with HIPAA Security Rule requirements in mind. BAA executed with every customer.
AES-256 Encryption
All data encrypted at rest using AES-256. All data in transit protected by TLS 1.3. No PHI travels unencrypted at any point in the data pipeline.
Zero PHI Retention
Audio recordings are permanently deleted immediately after note generation. Notevyx retains no PHI beyond note delivery — patient data lives only in your EHR.
No Model Training on PHI
Your patient data is never used to train or fine-tune Notevyx models. The AI that generates your notes does not learn from your patients' data.
How data flows — and where it stops.
Every PHI element follows a defined path with defined deletion. Nothing persists in Notevyx infrastructure beyond what's needed for note generation.
For healthcare IT and security teams.
Infrastructure
- Hosted in an AWS GovCloud-adjacent environment
- US-only data residency — no data leaves US jurisdiction
- VPC isolation with no public access to data stores
- AES-256 encryption at rest across all storage tiers
- TLS 1.3 for all data in transit
- Daily encrypted backups with 30-day retention
Access Controls
- Role-based access control for all internal systems
- MFA required for all Notevyx staff accounts
- Least-privilege access principle enforced
- Audit logging for all access to PHI-adjacent systems
- Background checks for all employees with data access
- Annual security training for all staff
Data Handling
- Audio deleted immediately after note generation — no exceptions
- No PHI retained in Notevyx systems post-note-delivery
- No patient data used for AI model training or improvement
- De-identified aggregate metrics only for product analytics
- Data Processing Agreement available for EU-adjacent customers
Compliance & Agreements
- BAA signed with every Notevyx customer
- Designed with HIPAA Security and Privacy Rule requirements
- Breach notification procedures in place per HITECH
- Security questionnaire responses provided to enterprise accounts
- Pen testing cadence and results shared with enterprise IT on request
Questions about our security architecture?
We provide detailed security documentation, questionnaire responses, and IT review calls for enterprise and health system accounts.