
Security

Privacy & Security Policy

HIPAA-aligned security built on Microsoft Azure.

How We Protect Your Data

TryCaSIE uses a defense-in-depth strategy across our Microsoft Azure infrastructure: multiple security layers protect Protected Health Information from the network up to the application.

Defense in Depth

Multiple security layers from network isolation to application-level controls protect against threats at every level.

Data Isolation

All data services are network-isolated with no public access. Traffic flows exclusively through private, encrypted channels.

Immutable Audit Logs

Every access and modification is recorded in tamper-proof logs.

Encryption & Network Security

All data is encrypted at rest and in transit using industry-standard encryption. Our infrastructure is network-isolated: no database or storage service is publicly accessible.

  • Encryption at rest for all stored data including notes and recordings
  • TLS encryption for all data in transit
  • Network-isolated architecture with no public access to data services
  • Strict firewall rules restricting traffic to authorized sources only

HIPAA Compliance

TryCaSIE is built on HIPAA-aligned Microsoft Azure services. Our infrastructure satisfies all Technical Safeguards required for handling Protected Health Information.

  • All data services are HIPAA-eligible Azure managed services
  • Network-isolated database and session storage with no public exposure
  • Secrets and credentials managed through Azure's dedicated vault service
  • Credential-free authentication between services using managed identities
  • AI processing through enterprise Azure services with no data retention

Substance Use Disorder Records (42 CFR Part 2)

TryCaSIE acts as a business associate of customers who may be subject to 42 CFR Part 2, the federal regulation governing the confidentiality of substance use disorder treatment records. The Part 2 final rule (April 2024, compliance February 2026) extended HIPAA-aligned protections to these records. Our Business Associate Agreement (v2.3) explicitly covers Part 2 obligations, including the qualified service organization acknowledgments required by 42 CFR § 2.11.

  • Part 2 records and any testimony relaying their contents will not be used or disclosed in any civil, criminal, administrative, or legislative proceeding against the patient absent specific patient consent or a Part 2-compliant court order under 42 CFR §§ 2.61–2.67
  • Subpoenas or compelled-process demands for Part 2 records are referred to the customer; TryCaSIE does not respond on its own authority
  • Breach notification follows the HIPAA Breach Notification Rule by reference under 42 CFR § 2.16
  • Infrastructure subcontractors that process Part 2 records are HIPAA business associates and therefore qualify as qualified service organizations under 42 CFR § 2.11 as amended in 2024; TryCaSIE uses commercially reasonable efforts to obtain express Part 2 contractual coverage where it is not already in place
  • Patient notices under 42 CFR § 2.22 and patient consent under 42 CFR § 2.31 remain the customer's responsibility; TryCaSIE has no direct relationship with patients

AI Data Usage & Privacy

Your client data is NEVER used to train AI models. We use enterprise-grade AI services with data processing agreements that explicitly prohibit training on your data.

  • Enterprise Azure AI services for intelligent note generation
  • HIPAA-compliant third-party transcription for voice-to-text
  • Business Associate Agreements in place with all AI providers
  • Patient data is never retained or used for model training
  • Enterprise data processing terms, not consumer API terms

Infrastructure & Data Residency

Your data resides on HIPAA-aligned Microsoft Azure infrastructure located in the United States. All services are fully managed with enterprise-grade security and reliability.

  • US-based data residency with no cross-border transfers
  • Fully managed Azure services for database, caching, and secrets
  • Encrypted backups retained for disaster recovery only
  • Soft-delete policies to prevent accidental data loss

Your Rights

You have full control over your data.

  • Access: Request a copy of all your data at any time
  • Correction: Update or correct any inaccurate information
  • Deletion: Request permanent deletion of your data
  • Portability: Export your notes in standard formats
  • Restriction: Limit how your data is processed

Security Incident Response

In the unlikely event of a security incident:

  • Notification within 72 hours of discovery as required by HIPAA
  • Detailed incident report including scope and nature of the breach
  • Remediation steps and timeline for resolution
  • Guidance on protective measures you can take

Contact Us

If you have questions about our security practices or privacy policy, please reach out:

Security Issues: hello@trycasie.com

Last updated: May 2026