Security Practices
This document describes the security controls, infrastructure, and compliance measures that SutureNote maintains to protect patient data in accordance with HIPAA requirements.
1. HIPAA Compliance
SutureNote is built on HIPAA-eligible AWS infrastructure. All services involved in processing or storing patient data are covered by a signed Business Associate Agreement (BAA). No patient data leaves the HIPAA-compliant environment. To the best of our knowledge, all user data is stored in the United States.
2. Encryption
All protected health information is encrypted in transit and at rest.
- In transit — industry-standard encryption for all network communications
- At rest — encryption applied to all stored data, including databases, file storage, and caches
- Key management — encryption keys managed via hardware security modules with automatic rotation
3. AI & PHI Protection
SutureNote uses AI models for clinical note generation and medical transcription. Before any text is sent to an AI model, protected health information is automatically detected and replaced with opaque placeholders (tokens) that carry no patient-identifying content.
- All AI processing runs within HIPAA-compliant infrastructure covered by AWS BAA
- Protected health information is tokenized before reaching AI models — AI models process de-identified data only and do not have access to actual patient information
- Original values are encrypted and stored in a patient-scoped secure store, and are restored in real time only when the note is displayed to the treating physician
- Patient data is not used for model training or improvement under our current infrastructure agreements
4. Access Control
SutureNote follows a zero-trust model with minimal human access to production systems.
- Multi-factor authentication (MFA) required for all accounts
- Role-based access control with principle of least privilege
- Patient data is scoped to the authenticated user — no cross-user data access
- Automated deployments, with no standing manual access to production systems
- Quarterly access reviews with automatic revocation of unused permissions
5. Data Management
- Audio recordings — encrypted during processing, deleted after successful note generation
- Manual deletion — clinicians may delete any patient notes at any time
- Account deletion — users can request deletion of their personal information as described in our Privacy Policy
- Secure erasure — cryptographic deletion (destroying the keys under which the data was encrypted) renders removed data unrecoverable, including any copies in backups
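The two mechanisms described above in section 3 (PHI replaced by placeholders before the model sees the text, originals kept encrypted in a patient-scoped store and restored only for the physician) and in section 5 (cryptographic deletion) share one building block: a per-patient data key. The following is an added, illustrative example and is not SutureNote's code. It assumes a handful of simplified regex identifier patterns, a constructed sample note and constructed model output, and an HMAC-SHA256 encrypt-then-MAC cipher as a stdlib stand-in for the AEAD (for example AES-GCM under a KMS-managed key) a real deployment would use. It also adds a residual-PHI check before de-identified text is released, and shows that once the patient's key is shredded the stored mapping can no longer be restored.

```python
import hashlib
import hmac
import json
import re
import secrets

# Illustrative example, not SutureNote's implementation. Identifier patterns are
# deliberately simplified; a production de-identifier covers every HIPAA Safe
# Harbor identifier class, usually with a clinical NER model rather than regexes.
PHI_PATTERNS = {
    "NAME": re.compile(r"(?<=Patient: )[A-Z][a-z]+ [A-Z][a-z]+"),
    "DOB": re.compile(r"\b\d{2}/\d{2}/\d{4}\b"),
    "MRN": re.compile(r"\bMRN-\d{6,}\b"),
    "PHONE": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
}

class PatientKeyStore:
    """One random data key per patient (stand-in for a KMS/HSM-backed key).
    Cryptographic deletion is dropping the key: every ciphertext under it,
    wherever it was copied or backed up, becomes unrecoverable."""
    def __init__(self):
        self._keys = {}

    def create(self, patient_id):
        self._keys[patient_id] = secrets.token_bytes(32)

    def get(self, patient_id):
        return self._keys[patient_id]  # KeyError after shred(): never re-key silently

    def shred(self, patient_id):
        self._keys.pop(patient_id, None)

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key, nonce, length):
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def encrypt(key, plaintext):
    """Encrypt-then-MAC with an HMAC-SHA256 keystream: a self-contained stand-in
    for an AEAD such as AES-GCM. Use a vetted library/KMS AEAD in real systems."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

def leaks(text):
    """Residual-PHI check: anything still matching must never reach a model."""
    return [m.group(0) for p in PHI_PATTERNS.values() for m in p.finditer(text)]

class PhiVault:
    """Per-note token->value maps, each encrypted under the patient's key."""
    def __init__(self, keys):
        self._keys = keys
        self._blobs = {}  # note_id -> ciphertext; useless once the key is gone

    def tokenize(self, patient_id, note_id, text):
        """Swap each PHI value for an opaque, note-local placeholder."""
        by_value = {}

        def sub(kind, m):
            value = m.group(0)
            if value not in by_value:  # same value -> same token within a note
                by_value[value] = f"[{kind}_{len(by_value) + 1}]"
            return by_value[value]

        for kind, pattern in PHI_PATTERNS.items():
            text = pattern.sub(lambda m, k=kind: sub(k, m), text)
        if leaks(text):
            raise RuntimeError("PHI survived tokenization; refusing to release text")
        mapping = {tok: val for val, tok in by_value.items()}
        self._blobs[note_id] = encrypt(self._keys.get(patient_id), json.dumps(mapping).encode())
        return text

    def restore(self, patient_id, note_id, text):
        """Re-insert originals for the physician's view only.
        Raises KeyError once the patient's key has been shredded."""
        mapping = json.loads(decrypt(self._keys.get(patient_id), self._blobs[note_id]))
        for token, value in mapping.items():
            text = text.replace(token, value)
        return text

def demo():
    keys, pid, nid = PatientKeyStore(), "patient-42", "note-1"  # constructed ids
    vault = PhiVault(keys)
    keys.create(pid)
    note = ("Patient: Jane Doe, DOB 03/14/1975, MRN-0012345, phone 555-123-4567. "
            "Patient: Jane Doe reports 3 days of RUQ pain.")  # constructed note
    deid = vault.tokenize(pid, nid, note)
    # Constructed model output: the model only ever saw, and emits, placeholders.
    model_output = "Summary: [NAME_1] ([DOB_2], [MRN_3]) presents with RUQ pain."
    for_physician = vault.restore(pid, nid, model_output)
    keys.shred(pid)  # cryptographic deletion of everything stored for this patient
    try:
        vault.restore(pid, nid, model_output)
        shredded = False
    except KeyError:
        shredded = True
    return deid, for_physician, shredded
```

Two design points worth noting: tokens are numbered per note rather than derived from the value, so a placeholder reveals nothing even if the model's output is logged; and restoration fails closed after shredding because the key store raises rather than minting a fresh key, which would otherwise turn a deletion into a silent re-encryption under a new key.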
6. Security Operations
- Regular penetration testing by third-party security firms
- Automated vulnerability scanning and dependency monitoring across all components
- Critical security patches applied promptly upon identification
- Background checks and annual HIPAA training for all employees
- Documented incident response plan with breach notification procedures
- Ongoing compliance monitoring and regular risk assessments
7. Business Continuity
| Measure | Details |
|---|---|
| Backups | Automated backups with point-in-time recovery are maintained. Database and storage are replicated across multiple availability zones. |
| Recovery Time | Recovery procedures target restoration within hours. Failover mechanisms are in place for critical services. |
| Availability | Architected for high availability on redundant infrastructure. Continuous health monitoring enables rapid detection of and response to service disruptions. |
| Data Durability | Object storage relies on Amazon S3, which is designed for 99.999999999% (11 nines) object durability. Database replication across multiple availability zones provides resilience against zone failure. |
Security Inquiries
For questions about SutureNote's security practices, HIPAA compliance, or to report a security concern, contact our security team at security@suturenote.ai.