SutureNote Security Practices

This document describes the security controls, infrastructure, and compliance measures that SutureNote maintains to protect patient data in accordance with HIPAA requirements.

Last Updated: February 2026

1. Cloud Infrastructure

SutureNote operates within Amazon Web Services (AWS). The following services are used in the processing and storage of data.

Core AWS Services

Service	Purpose & Security Features
Amazon S3	Storage for voice recordings, transcriptions, and clinical documents. Server-side encryption (SSE-KMS) with automatic key rotation.
AWS Transcribe Medical	HIPAA-eligible medical transcription service. Data is encrypted in transit and at rest. No data is retained after processing.
AWS Bedrock	AI-powered clinical documentation using Claude Sonnet 4.5. Processing is ephemeral with zero data retention.
AWS KMS	Centralized key management backed by hardware security modules (HSM). All key usage is audit-logged.
AWS Secrets Manager	Credential storage with AES-256 encryption. Automatic rotation policies are enforced.
AWS CloudTrail	API logging for security analysis and compliance auditing. Logs are immutable.

2. Data Encryption & Protection

The following encryption protocols are applied to protect protected health information (PHI) at every stage of the documentation process.

🔒

Data in Transit

TLS 1.3 with perfect forward secrecy is used for all network communications. Certificates are managed through AWS Certificate Manager with automatic renewal.

🛡️

Data at Rest

AES-256 encryption is applied to all stored data. S3 server-side encryption (SSE-KMS) is applied to all objects. Database encryption uses AWS-managed keys.

🔑

Key Management

AWS KMS manages all encryption keys using hardware security modules. Keys are rotated annually with a complete audit trail.

3. Security Testing & Vulnerability Management

SutureNote conducts ongoing security testing and monitoring to identify and remediate vulnerabilities.

Penetration testing: Quarterly tests are conducted by certified third-party security firms using the OWASP Top 10 framework.
Automated vulnerability scanning: AWS Inspector and third-party tools scan continuously across all components.
Dependency monitoring: Snyk and Dependabot are used to track all code dependencies for known vulnerabilities.
Patch management: Critical security patches are applied within 24–48 hours of identification.
Security audits: Quarterly reviews of access controls, encryption configurations, and compliance measures are performed.

4. Access Control & Production Security

SutureNote follows a zero-trust security model with access controls designed to minimize human interaction with production systems and protected health information.

🤖

Automated Operations

Approximately 99% of operations are automated through CI/CD pipelines and Infrastructure as Code. Human access to production systems is limited to documented emergency procedures.

🔐

Multi-Factor Authentication

MFA is required for all accounts. SSO integration is supported via SAML 2.0. Credentials are time-limited and expire automatically.

👥

Role-Based Access Control

The principle of least privilege is applied with minimum necessary permissions. Access reviews are conducted quarterly, and unused access is revoked.

5. Artificial Intelligence & Medical Processing

SutureNote uses AI models through AWS Bedrock for clinical document generation. The following safeguards are in place to protect patient privacy.

HIPAA-compliant AI processing: All AI operations run within HIPAA-compliant AWS infrastructure covered by signed Business Associate Agreements (BAAs).
Zero data retention: AI models do not retain patient data after processing. All information is ephemeral.
No training on PHI: Protected health information is not used for model training or improvement.
AWS Transcribe Medical: A purpose-built service for healthcare transcription with specialized medical vocabulary and HIPAA eligibility.
Claude Sonnet 4.5: Used for clinical documentation generation within a privacy-preserving architecture.

6. Patient Data Management

The following controls govern patient information throughout the documentation lifecycle.

Temporary audio storage: Voice recordings are encrypted in S3 during transcription and document generation.
Automatic deletion: Audio files are deleted after successful document generation and quality verification.
Manual deletion: Clinicians may delete any patient notes at any time through the application interface.
Configurable retention: Optional automatic deletion policies are available at 30, 60, or 90 day intervals.
Secure erasure: Cryptographic deletion is used to ensure data is unrecoverable after removal.

7. Organizational Safeguards

The following organizational policies and procedures support ongoing HIPAA compliance.

📚

Personnel Security

Background checks are conducted for all employees. Annual HIPAA training is mandatory, covering the Privacy Rule, Security Rule, and breach notification procedures.

📊

Compliance Monitoring

A dedicated security team monitors compliance on an ongoing basis. Daily log reviews are conducted to identify anomalous activity. Regular risk assessments are performed.

⚡

Incident Response

A 24/7 on-call security team is maintained. Breach notification procedures are documented and tested. Post-incident analysis and remediation are conducted following any security event.

8. Business Continuity & Disaster Recovery

The following measures are in place to maintain availability of the platform during service disruptions.

💾

Backups

Continuous automated backups with point-in-time recovery are maintained. Multi-region replication provides geographic redundancy.

⏱️

Recovery Objectives

The recovery time objective (RTO) is 4 hours for full system recovery. Automatic failover to a secondary region is configured.

📈

Availability

A 99.9% uptime target is maintained for all production services. Continuous health monitoring with automated failover is in place.

Questions About Our Security?

For questions regarding SutureNote's security practices, HIPAA compliance, or data protection measures, contact our security team.

security@suturenote.ai