Protecting patient health data with confidence

At PatientNotes robust security measures create the strong immune system we know is vital to your patient's healthcare data. We know medical information is sensitive, and we’ve fortified PatientNotes with cutting-edge security measures to safeguard your clinical consults and notes.

Caring about confidentiality

Our encryption protocols ensure your data remains confidential and readable only by authorized parties. All communication between our systems is encrypted using HTTPS/TLS (TLS 1.2 or higher). All data at rest is encrypted using AES-256.

It starts with consent

The first step of every practitioner session is gathering consent. This ensures that patients have consented to be recorded. The platform is designed to proactively communicate with participants so they understand their consultation is in safe hands.

Global Compliance

Engagements with third-party vendors such as Google and Microsoft are governed by master service agreements ensuring adherence to HIPAA, Australian Privacy Standards and privacy obligations.

Trusted by health practitioners worldwide

PatientNotes combines machine transcription with AI text generation of clinical notes based on large language models trained on large bodies of text and refined on medical source material. PatientNotes uses a combination of proprietary models and certified partners for transcription and AI services.

In order to meet industry best-practice and standards (and our own even higher ones), any partner that we use has to meet stringent security, privacy and governance requirements, including a requirement that they don't store any data or use any data that we send them for the training of future models.


HTTPS/TLS (TLS 1.2 or higher): Secures all data transmissions between client devices and Firebase services, ensuring data integrity and confidentiality. Modern ciphers are used, with Cloudflare providing TLS termination and providing threat detection and analysis.

AES (Advanced Encryption Standard): Automatically encrypts data before being written to disk using AES-256 or better, safeguarding data at rest.

Currently applied to API keys, with an extension planned for all practitioner and patient data by year-end. Managed using Google Cloud’s Key Management Service (KMS).

Utilizes Google Cloud’s KMS for managing encryption keys, providing a secure and organized method for handling cryptographic materials for field-level encryption. Key material never leaves the KMS, ensuring encryption operations are performed in a secure environment. These keys are regularly rotated as per industry best practices.

Global Certification

We are fully HIPAA compliant and GDPR compliant. The team have previously built compliant platforms at scale and best practices have been incorporated from day one. This means PatientNotes meets international standards for managing and securing data.

Encryption Expertise

Our use of HTTPS/TLS and AES-256 encryption protocols means your data isn’t just locked; it’s in a vault, inaccessible to intruders. Our infrastructure is secure by design and follows principles our engineers learnt from building high-security infrastructure at CashApp and Zendesk.

Australian Storage & Beyond

We store your data in a high-security, HIPAA compliant data facility in Sydney, and we’re working on setting up similar strongholds in each country for local storage.

No Storage, No Model Training

We believe in boundaries. The partners we work with don’t store or misuse your data. It’s like lending someone a book, but they can’t keep it or make copies.

Data Retention

Our system purges older data, securely deleting all patient information after 30 days. It’s like having a shredder that automatically disposes of outdated documents. Practitioners also have the option to manually delete at any time.

No SMS 2-Factor Authentication

SMS isn’t the fortress it used to be. That’s why we have fortified the authentication process without relying on SMS.

Two-Person Rule for Key Changes

Major changes in our system require two authorized persons to approve, ensuring a higher level of scrutiny and security. It’s teamwork with a security twist.

Responsible Disclosure

We have a designated mailbox for your security concerns, helping us to continuously improve. If you spot a vulnerability, please email [email protected]

Continuous Monitoring

Access to data is logged with audit trails and cloud-based intrusion detection is in place to bolster security. Automated alerting and regular operational log reviews are carried out as part of the monitoring process. Our system is like a security guard that never sleeps, continuously monitoring, detecting, and preventing any suspicious activities.

Robust Access Control

Access to patient health information (PHI) is like VIP access at a club—access is restricted to administrators, actions are logged & cloud-based intrusion and anomaly detection is in place (Cloud SIEM). Individual access is secured by multi-factor authentication and OpenID Connect-based authentication tokens provided by Google Cloud.

We prioritise safety and security
with the same care you have for your patients.

If you have any questions or concerns, or simply want to learn more about our product, please don't hesitate to contact our team.