Security and Compliance
Client encryption, sessions, CMEK, scope.
Client‑side PHI encryption (AES‑256 in storage)
- PHI saved in the browser is encrypted using AES‑256 with a key derived from your session, and marked with a recognizable prefix.
- If your session expires, encrypted PHI is cleared or hidden until you log back in.
Session expiry handling and recovery
On expiry, the assistant attempts to clear sensitive storage and offers encrypted session recovery for PHI fields when you re‑authenticate within a limited window.
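The storage scheme and expiry cleanup described in the two sections above, as an added example that is not the product's own code. The `enc:v1:` prefix, HKDF-SHA-256 key derivation, AES-256-GCM mode and the `Map` standing in for browser storage are all assumptions; it uses Node's `crypto` module so it runs offline.

```javascript
// Added illustration: prefix, KDF and cipher mode are assumptions, not the product's code.
const nodeCrypto = require('node:crypto');

const PREFIX = 'enc:v1:'; // hypothetical marker identifying encrypted values

// Derive a 256-bit key from a per-session secret (HKDF-SHA-256 is an assumption).
function deriveKey(sessionSecret) {
  const okm = nodeCrypto.hkdfSync('sha256', sessionSecret, Buffer.alloc(0), 'phi-storage', 32);
  return Buffer.from(okm);
}

// AES-256-GCM with a fresh 96-bit nonce per value.
// Stored form: prefix + base64(iv | tag | ciphertext).
function sealPhi(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return PREFIX + Buffer.concat([iv, c.getAuthTag(), ct]).toString('base64');
}

// Returns the plaintext, or null when the value is unprefixed, tampered with,
// or was sealed under a different session's key.
function openPhi(key, stored) {
  if (typeof stored !== 'string' || !stored.startsWith(PREFIX)) return null;
  const raw = Buffer.from(stored.slice(PREFIX.length), 'base64');
  if (raw.length < 28) return null; // 12-byte iv + 16-byte tag minimum
  try {
    const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
    d.setAuthTag(raw.subarray(12, 28));
    return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString('utf8');
  } catch {
    return null; // authentication failed: hide the field rather than show garbage
  }
}

// On session expiry: remove every prefixed entry and leave other keys alone.
// `store` is a Map used here as a stand-in for browser storage.
function clearEncrypted(store) {
  let removed = 0;
  for (const [k, v] of [...store]) {
    if (typeof v === 'string' && v.startsWith(PREFIX)) { store.delete(k); removed++; }
  }
  return removed;
}
```

A key derived in page context is reachable by any script running on that page, which is why XSS and malicious extensions appear under "Not fully protected" below.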
GCS CMEK uploads and KMS health checks
- Audio uploads use short‑lived signed URLs; buckets can be configured with CMEK for encryption at rest.
- Periodic health checks verify KMS key accessibility and bucket lifecycle policies (e.g., auto‑deletion after a set period).
What is protected vs not protected
Protected:
- PHI at rest in browser storage (encrypted)
- Audio at rest in cloud storage (Google‑managed or customer‑managed keys)
- Short‑lived signed URLs for controlled access
Not fully protected:
- Data in active memory while you use the assistant
- Malicious browser extensions or XSS on the host page
- Network traffic if not over HTTPS (your deployment should enforce HTTPS)
Always
- Use clinic‑approved browsers and devices.
- Log out or lock your workstation when leaving.
- Review generated content for accuracy and compliance before filing.