Comprehensive security measures and HIPAA compliance framework designed to protect patient data and dental practices.
Data Retention Schedule
(Draft — Compliance / Security)
SideScribe is committed to the privacy and security of clinical providers and their patients. This schedule describes how audio used for transcription is handled and how clinical text produced by the app is stored in the standalone (local) desktop product. It does not replace your office's HIPAA policies or your legal counsel's advice.
| Data type | Retention period | Action |
|---|---|---|
| Raw vocal audio | Ephemeral (seconds) | Processed only on the local workstation. Audio exists in device memory while recording and encoding, and briefly as a temporary file on that device so local transcription can run. It is not saved to the encrypted clinical database and not retained for playback after transcription. The temporary file is removed when transcription completes (or when the operation ends). |
| Temporary cache | Until transcription completes | Temporary audio used for local speech-to-text is deleted after that step; it is not kept as a separate "cache" for later use. |
| Biometric identifiers (voiceprints) | None | SideScribe does not create or store voiceprints, speaker profiles, or other voice "fingerprints." |
| Final clinical note (e.g. transcript / summary / SOAP fields) | User / practice controlled | Stored in the office's local encrypted SQLite database on the machine where SideScribe runs, until removed using the application or the practice's own procedures (e.g. uninstall, device wipe, backups). Not stored on SideScribe's servers for this standalone product. |
Temporary audio data is removed from the local workstation after transcription: the temporary file is deleted, and in-memory buffers are released by the application. Because processing is local and not sent to SideScribe's cloud for transcription in this standalone build, there is no central copy of raw audio on our servers to destroy.
The app performs no multi-pass overwrite of the deleted file's blocks or of free disk space; it relies on ordinary OS deletion, so fragments of a temporary audio file can remain on disk until the space is reused. Practices that need stronger assurance should run SideScribe on a workstation with full-disk encryption enabled and apply their device-wipe procedure when the machine is retired.
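The lifecycle described above (temporary file written for local speech-to-text, removed when the step completes or fails, no scrubbing of the freed blocks) is shown below as an added example. It is not SideScribe's code; the transcriber callback, file prefix, and sample bytes are assumptions constructed for illustration.

```python
"""Ephemeral temp-audio handling for a local transcription step.

Added example, not SideScribe's implementation. It writes audio to a
private temporary file, runs a (hypothetical) transcriber on that path,
and deletes the file in ``finally`` so a crash in the transcriber does
not leave audio behind. ``os.unlink`` only removes the directory entry:
the blocks stay on disk until reused, which is why full-disk encryption
on the workstation matters.
"""
import os
import tempfile
from typing import Callable, Dict

# Hypothetical signature: path to an audio file -> clinical text.
Transcriber = Callable[[str], str]


def transcribe_ephemeral(audio_bytes: bytes, transcribe: Transcriber) -> str:
    """Write audio to a 0600 temp file, transcribe it, and always delete it."""
    # mkstemp creates the file with mode 0600 on POSIX, so other local
    # accounts on a shared workstation cannot read the audio.
    fd, path = tempfile.mkstemp(prefix="sidescribe-", suffix=".wav")
    try:
        with os.fdopen(fd, "wb") as f:   # closes fd when the block exits
            f.write(audio_bytes)
        return transcribe(path)
    finally:
        try:
            os.unlink(path)              # runs on success and on exception
        except FileNotFoundError:
            pass                         # transcriber may already have removed it


def run_demo() -> Dict[str, object]:
    """Constructed sample run: one transcriber succeeds, one crashes."""
    seen: Dict[str, object] = {}

    def fake_transcriber(path: str) -> str:
        seen["path"] = path
        seen["existed_during"] = os.path.exists(path)
        # Constructed clinical text, not real patient data.
        return "Tooth #14: MOD composite, no complications."

    def failing_transcriber(path: str) -> str:
        seen["fail_path"] = path
        raise RuntimeError("speech-to-text engine crashed")  # simulated failure

    # Constructed bytes shaped like a WAV header; not real speech.
    sample_audio = b"RIFF\x00\x00\x00\x00WAVEfmt " + b"\x00" * 32

    text = transcribe_ephemeral(sample_audio, fake_transcriber)
    result: Dict[str, object] = {
        "text": text,
        "existed_during": seen["existed_during"],
        "exists_after_success": os.path.exists(str(seen["path"])),
    }
    try:
        transcribe_ephemeral(sample_audio, failing_transcriber)
    except RuntimeError:
        result["exists_after_failure"] = os.path.exists(str(seen["fail_path"]))
    return result


if __name__ == "__main__":
    print(run_demo())
```

The check worth keeping from this is the failure path: the temporary file must be gone after the transcriber raises, not only after it returns.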
Retention of transcripts and notes is governed by medical record, state, and federal requirements, and by your practice's policies. SideScribe's local database holds clinical text until you delete it or remove the data according to your workflow.
Illinois BIPA / biometric framing (if your practice adopts it): Laws such as the Illinois Biometric Information Privacy Act (BIPA) may apply depending on facts and jurisdiction. Whether voice audio or derived data qualifies as a "biometric identifier" under BIPA is a legal question. If your organization adopts a policy that any data treated as biometric under applicable law must be destroyed when the original purpose (here, generating the clinical text) is satisfied, or within three (3) years of the individual's last interaction with the software, whichever comes first, document that policy separately and have counsel review it. The standalone app may not automatically enforce that 3-year rule; if your policy requires it, implement it as a feature or as an operational process.
This schedule is provided to describe product behavior at a high level and may change as the product changes. It is not legal advice.
Local model only — available today. Cloud-based service coming soon.
SideScribe implements a comprehensive security program aligned with HIPAA Security Rule requirements, combining administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of protected health information.
Policies and procedures that govern workforce operations and data handling.
Code-level protections and access controls for data security.
Procedures for handling, processing, and destruction of patient data.
Internal policies that govern how the workforce operates.
Annual audit process for Azure/OpenAI infrastructure, including vulnerability assessments, penetration testing, and security control effectiveness reviews.
Disciplinary guidelines for HIPAA violations, including progressive discipline procedures, mandatory reporting requirements, and corrective action plans.
Record of founder's HIPAA certification and annual security awareness training, including completion dates, training topics, and assessment results.
Schedule for weekly audit log checks, including automated monitoring alerts, manual review procedures, and escalation protocols for suspicious activities.
Descriptions of the code-level protections built into the system.
Unique User IDs with role-based access controls, automatic log-off after 15 minutes of inactivity, and forced multi-factor authentication for all user sessions.
Description of immutable audit logs capturing who, what, when, and where for all system activities, kept in append-only, tamper-evident storage with automated retention policies.
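One way to make an audit log tamper-evident is to hash-chain its entries, so that altering, deleting, or reordering a past record breaks every later link. The block below is an added example, not SideScribe's implementation; the entry fields, the user IDs, timestamps, and addresses are constructed for illustration. A chain only gives evidence of tampering; preventing it still requires storage the application cannot rewrite (for example a separate log host or a write-once bucket) plus an out-of-band checkpoint of the latest digest.

```python
"""Hash-chained (tamper-evident) audit log. Added example, not SideScribe's code."""
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import Dict, List, Optional

GENESIS = "0" * 64  # prev_hash of the first entry


@dataclass(frozen=True)
class AuditEntry:
    who: str        # user id
    what: str       # action performed
    when: str       # ISO-8601 timestamp
    where: str      # source host / address
    prev_hash: str  # digest of the previous entry, or GENESIS

    def digest(self) -> str:
        # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
        payload = json.dumps(asdict(self), sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: List[AuditEntry] = []

    def append(self, who: str, what: str, when: str, where: str) -> AuditEntry:
        prev = self.entries[-1].digest() if self.entries else GENESIS
        entry = AuditEntry(who, what, when, where, prev)
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Digest of the latest entry; store this out of band as a checkpoint."""
        return self.entries[-1].digest() if self.entries else GENESIS


def verify_chain(entries: List[AuditEntry], expected_head: Optional[str] = None) -> Optional[int]:
    """Return None if intact, else the index of the first entry that fails.

    Without ``expected_head`` a truncated tail looks valid, because the
    remaining prefix is still a consistent chain.
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.prev_hash != prev:
            return i
        prev = e.digest()
    if expected_head is not None and prev != expected_head:
        return len(entries)  # chain is shorter than the checkpoint says
    return None


def demo() -> Dict[str, Optional[int]]:
    """Constructed sample: three events, then two tampering scenarios."""
    log = AuditLog()
    log.append("dr.patel", "VIEW_NOTE:patient-1042", "2024-03-04T09:12:00Z", "10.0.0.21")
    log.append("dr.patel", "EDIT_NOTE:patient-1042", "2024-03-04T09:15:30Z", "10.0.0.21")
    log.append("frontdesk", "EXPORT_NOTE:patient-1042", "2024-03-04T09:40:02Z", "10.0.0.33")
    checkpoint = log.head()

    # Tamper: rewrite entry 1 to disguise the edit as a read. Entry 2's
    # prev_hash still points at the original entry 1, so the break shows at index 2.
    tampered = list(log.entries)
    e = tampered[1]
    tampered[1] = AuditEntry(e.who, "VIEW_NOTE:patient-1042", e.when, e.where, e.prev_hash)

    # Truncate: drop the export record entirely.
    truncated = log.entries[:2]

    return {
        "intact": verify_chain(log.entries, checkpoint),
        "tampered_at": verify_chain(tampered, checkpoint),
        "truncated_at": verify_chain(truncated, checkpoint),
        "truncated_without_checkpoint": verify_chain(truncated),
    }


if __name__ == "__main__":
    print(demo())
```

The last key in the demo result is the point of the checkpoint: the truncated log verifies cleanly when nothing outside the log records where its head should be.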
API rate-limiting and payload validation procedures to prevent data corruption, including input sanitization, schema validation, and checksum verification.
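The mechanisms named above (a per-client request limit, schema checks, sanitization of identifiers and free text, and a checksum over the payload) are shown together in the added example below. It is not SideScribe's code: the note schema, field names, limits, and sample payloads are assumptions constructed for illustration.

```python
"""Token-bucket rate limiting and strict payload validation for a note-submission API.

Added example, not SideScribe's implementation. The schema and limits are
assumed; the point is the order of checks: shape, types and lengths,
identifier character set, control characters in free text, then a
checksum over the canonical body compared in constant time.
"""
import hashlib
import hmac
import json
import re
import time
from typing import Any, Callable, Dict, Tuple


class TokenBucket:
    """``capacity`` tokens, refilled at ``rate`` tokens per second; one token per request."""

    def __init__(self, capacity: int, rate: float, now: Callable[[], float] = time.monotonic):
        self.capacity = capacity
        self.rate = rate
        self.tokens = float(capacity)
        self.now = now
        self.last = now()

    def allow(self) -> bool:
        t = self.now()
        self.tokens = min(self.capacity, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


# Assumed schema: field -> (type, max length). Every field is required; no extras.
NOTE_SCHEMA = {"patient_id": (str, 32), "provider_id": (str, 32), "note_text": (str, 8000)}
ID_RE = re.compile(r"^[A-Za-z0-9-]{1,32}$")                  # identifiers: letters, digits, hyphen
CONTROL_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")  # everything except \t \n \r


def canonical(body: Dict[str, Any]) -> bytes:
    """Stable encoding so the checksum does not depend on key order or whitespace."""
    return json.dumps(body, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def checksum(body: Dict[str, Any]) -> str:
    return hashlib.sha256(canonical(body)).hexdigest()


def validate_note(body: Dict[str, Any], declared_checksum: str) -> Tuple[bool, str]:
    if set(body) != set(NOTE_SCHEMA):
        return False, "unexpected or missing fields"
    for field, (typ, maxlen) in NOTE_SCHEMA.items():
        if not isinstance(body[field], typ) or len(body[field]) > maxlen:
            return False, f"{field}: bad type or length"
    if not ID_RE.match(body["patient_id"]) or not ID_RE.match(body["provider_id"]):
        return False, "identifier contains disallowed characters"
    if CONTROL_RE.search(body["note_text"]):
        return False, "note_text contains control characters"
    if not hmac.compare_digest(checksum(body), declared_checksum):
        return False, "checksum mismatch"
    return True, "ok"


def demo() -> Dict[str, Any]:
    """Constructed payloads: one valid, one corrupted in transit, one malformed, one over-posted."""
    good = {"patient_id": "P-1042", "provider_id": "DR-7",
            "note_text": "Tooth #14: MOD composite.\nNo complications."}
    corrupted = dict(good, note_text=good["note_text"] + " ")    # body changed, checksum not
    malformed = dict(good, patient_id="P-1042 OR 1=1")           # constructed bad identifier
    extra = dict(good, is_admin=True)                            # field not in the schema

    clock = [0.0]                                                # fake clock for a deterministic run
    bucket = TokenBucket(capacity=5, rate=1.0, now=lambda: clock[0])
    burst = [bucket.allow() for _ in range(7)]                   # 5 allowed, then 2 rejected
    clock[0] += 2.0                                              # two seconds later: 2 tokens back
    after_wait = [bucket.allow() for _ in range(3)]

    return {
        "good": validate_note(good, checksum(good)),
        "corrupted": validate_note(corrupted, checksum(good)),
        "malformed": validate_note(malformed, checksum(malformed)),
        "extra_field": validate_note(extra, checksum(extra)),
        "burst": burst,
        "after_wait": after_wait,
    }


if __name__ == "__main__":
    print(demo())
```

Rejecting unknown fields (rather than ignoring them) is deliberate: it stops a client from smuggling attributes the schema never intended to accept.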
TLS 1.3 for all data in transit (every TLS 1.3 key exchange is ephemeral, so forward secrecy is built in), certificate pinning, and automated certificate renewal procedures. Pinning and automated renewal have to be reconciled: pin to a stable public key or issuing CA rather than to a short-lived leaf certificate, or each renewal will break pinned clients.
Procedures for the handling and destruction of patient data.
Formal declaration of immediate data purging after clinical note generation, ensuring no audio recordings or raw data persist beyond the active session.
Scripted deletion of metadata after 7 days, with automated cleanup procedures and manual verification processes to ensure complete data removal.
Procedures for secure wiping of local devices if retired, including cryptographic erasure methods and certificate of destruction documentation.
Contracts with patients, partners, and vendors.
Signed agreements with Microsoft (Azure) and OpenAI, establishing their obligations as business associates under HIPAA and ensuring chain of trust compliance.
The standard BAA template provided to all dental practices, outlining mutual responsibilities and liability for protected health information.
Robust consent form for Illinois dental offices, explaining recording procedures, data handling practices, and patient rights under HIPAA.
Public-facing website documentation outlining data practices, user rights, and service terms for all customers and users.
What happens when things go wrong.
5-step checklist for breach containment: (1) Detection and Assessment, (2) Containment, (3) Eradication, (4) Recovery, and (5) Post-Incident Review.
Procedures for service restoration via Azure geo-redundant backups, including recovery time objectives, backup verification, and failover testing.
Pre-written notification letter for alerting affected dental practices of security events, including required HIPAA elements and communication timelines.
Our security measures are designed to protect both patient data and your practice. For specific security inquiries, please contact our compliance team.