Security

We take the security of your data seriously. Here is how we protect your information and your clients' privacy.

Last updated: May 2026

Data Handling

Scrippio stores the data you enter, including client records, session notes, draft reports, and uploaded documents, in a secure database linked to your account. This is what allows you to access your work across sessions.

  • Client records, session notes (text and voice transcripts), and draft report content are stored in your account database
  • All data is encrypted in transit (TLS 1.2 or higher) and encrypted at rest via our database provider
  • You can export a copy of your data or permanently delete your account and all associated records from Settings → Data
  • Client data is stored securely and is accessible only to your account

Infrastructure

Scrippio is hosted on a globally distributed cloud platform with SOC 2 Type II and ISO 27001 compliant infrastructure.

  • Edge network hosting with DDoS protection
  • SOC 2 compliant infrastructure at the platform level
  • Automatic HTTPS on all endpoints - no plaintext connections
  • Database storage encrypted at rest via our infrastructure provider

AI Processing

Report generation uses a third-party AI service. When you generate a report, your inputs are transmitted to our AI provider's API and the response is returned to you. Scrippio does not retain a copy of this exchange.

  • Input data is sent to our AI provider's API over an encrypted connection
  • Scrippio does not log or store the content of AI requests or responses
  • Our AI provider's data retention and usage policies apply to API interactions - see their privacy policy for details
  • API inputs are not used to train AI models by default (per our AI provider's standard API terms)

Authentication

User accounts and authentication are managed by a purpose-built authentication service that follows security best practices.

  • Industry-standard password hashing - we never store plaintext passwords
  • Session tokens are short-lived and stored securely in HTTP-only cookies
  • Email verification required on account creation
  • Sessions are automatically invalidated on sign-out
  • SOC 2 Type II compliant authentication infrastructure

Your Responsibilities

The biggest risk factors for any clinical software aren't usually the vendor — they are the everyday practices around consent, credentials, and devices. These four steps move the needle more than anything else.

1. Update your client consent disclosure

Add one sentence to your service agreement or intake form — something like: “Reports may be drafted with AI assistance using a secure clinical documentation tool. No information is used to train AI models. All drafts are clinically reviewed by your clinician before finalisation.” This covers APP 5 (notice of collection) and APP 6 (use and disclosure) under the Australian Privacy Act. One sentence in your paperwork does more than any de-identification effort.

2. Use a strong, unique password and MFA

The most likely breach path is not the vendor being hacked — it is a clinician account being accessed through phished or reused credentials. Use a password manager with a unique password for Scrippio, and enable multi-factor authentication (MFA) as soon as it is available.

3. Practice basic device hygiene

Lock your screen when you step away, ensure full-disk encryption is enabled (FileVault on Mac, BitLocker on Windows — both are on by default on modern devices), avoid generating reports on shared computers, and log out properly. Mundane, but this is where most real-world health data leaks happen.

4. Check your PI insurance

Send a quick email to your insurer: “I use AI-assisted documentation software for draft generation, with full clinical review before any report is finalised. Is this covered under my current policy?” Get the yes in writing and file it.

Reporting Vulnerabilities

If you discover a security vulnerability in Scrippio, please disclose it responsibly. We review all security reports and respond within 5 business days.

Contact us at scrippio.au@gmail.com with a description of the vulnerability and steps to reproduce it. Please do not disclose the issue publicly until we have had a chance to address it.