Security

Last reviewed: May 2026
Owner: Fadi Abbas, Privacy & Security Officer

This page summarises the technical, administrative, and physical controls Medwork uses to protect customer data and Protected Health Information (PHI). For procurement questions or security disclosures, contact fadi@maivenx.com.

Medwork is an AI medical scribe operated by mAIvenX. We follow the HIPAA Security Rule's administrative, physical, and technical safeguards, and align with PIPEDA (Canada), Law 25 (Quebec), and Patientdatalagen (Sweden). The controls below are implemented today; planned or aspirational items are noted explicitly.

Encryption

  • In transit: TLS 1.2+ for all client and service-to-service traffic. HTTPS-only on medwork.life with HSTS.
  • At rest: AES-256 for application databases (AWS RDS), object storage (S3), and backups. Encryption keys managed in AWS KMS.
  • Field-level: Sensitive identifiers are encrypted at the column level where supported.

Access Controls & Authentication

  • MFA: Multi-factor authentication available to all users; required for administrative accounts.
  • Password policy: Strong-password requirements with secure hashing (bcrypt/argon2).
  • Session management: Short-lived JWTs with rotation, secure HTTP-only cookies, and idle-timeout auto-logout.
  • Least privilege: Role-based access control; internal access to production data restricted to named personnel under a documented access-review process.
  • Email verification: Required at sign-up; password reset flow uses single-use, time-bound tokens.

AI Model Handling of PHI

  • BAA-covered providers only: PHI is transmitted to AI services exclusively through providers with which we hold a Business Associate Agreement (AWS Bedrock for large-language-model inference).
  • No training on customer data: Our AI providers do not use customer inputs or outputs to train their models.
  • De-identification: Where the workflow permits, data is de-identified (HIPAA Safe Harbor: all 18 identifiers removed) before AI processing.
  • Routing controls: Application-layer gates prevent PHI from being routed to any non-BAA AI provider.
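The routing gate and audit-logging behaviour described above, as an added illustration that is not Medwork's own code: the allowlist contents, the `Deidentified` marker type and the function names are assumptions; the gate fails closed, treating any plain string as PHI and allowing it only to a BAA-covered provider, while logging identity, timestamp, resource and action for every decision.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed allowlist: the page names AWS Bedrock as the BAA-covered
# LLM provider. Any provider not listed here is treated as non-BAA.
BAA_COVERED_PROVIDERS = frozenset({"aws-bedrock"})


class RoutingDenied(Exception):
    """Raised when a request would send PHI to a non-BAA provider."""


@dataclass(frozen=True)
class Deidentified:
    """Marker wrapper produced only by the de-identification step
    (the Safe Harbor scrubbing itself is outside this example)."""
    text: str


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, user_id: str, resource: str, action: str, outcome: str) -> None:
        # Identity, timestamp, resource and action, as listed under
        # "Audit Logging"; outcome is added so denials are visible too.
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user_id, "resource": resource,
            "action": action, "outcome": outcome,
        })


def gate_ai_request(user_id: str, resource: str, provider: str,
                    payload, audit: AuditLog) -> str:
    """Fail-closed routing gate: a plain str is assumed to be PHI and may
    only go to a BAA-covered provider; a Deidentified payload may go to
    any configured provider. Returns the provider to call."""
    is_phi = not isinstance(payload, Deidentified)
    allowed = (not is_phi) or (provider in BAA_COVERED_PROVIDERS)
    audit.record(user_id, resource, f"ai.route:{provider}",
                 "allow" if allowed else "deny")
    if not allowed:
        raise RoutingDenied(f"PHI to non-BAA provider {provider!r} blocked")
    return provider
```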

Audit Logging

  • All access to PHI is logged with user identity, timestamp, resource, and action.
  • Authentication events (login, logout, MFA challenges, password resets) are recorded.
  • Audit logs are retained for at least 6 years to meet HIPAA retention expectations.
  • Logs are write-protected and stored separately from application data.

Infrastructure & Hosting

  • Hosted on Amazon Web Services (AWS) under a signed Business Associate Agreement.
  • PHI workloads run in HIPAA-eligible AWS services (RDS, S3, Lambda, Bedrock).
  • Network isolation via private VPC subnets; security groups enforce least-privileged ingress/egress.
  • Production secrets stored in AWS Secrets Manager / SSM Parameter Store — never in source control.
  • Automated backups with point-in-time recovery for the primary database.

Data Retention & Deletion

  • Audio recordings: Deleted automatically once transcription completes.
  • Transcripts & notes: Default retention 24–48 hours unless the user archives them; configurable in user settings.
  • Account data: Retained while the account is active; deleted on request.
  • Audit logs: Retained for 6 years per HIPAA.
  • Users can export or request deletion of their data — see the Privacy Policy for the full rights matrix.

Incident Response & Breach Notification

  • We maintain a written incident-response plan covering detection, containment, eradication, recovery, and post-incident review.
  • In the event of a breach of unsecured PHI, affected individuals and covered entities will be notified without unreasonable delay and no later than 60 calendar days after discovery, per the HIPAA Breach Notification Rule.
  • Security reports and disclosures: fadi@maivenx.com.

Sub-processors & Business Associate Agreements

We sign a Business Associate Agreement (BAA) with every sub-processor that handles PHI. Current PHI-handling sub-processors:

  • Amazon Web Services (AWS): Compute, storage, database, and AI inference (Bedrock).
  • Soniox: Speech-to-text transcription. US data residency. Real-time API processes audio in GPU memory with TLS in transit; no audio or transcripts are stored on Soniox infrastructure.
  • Stripe: Payment processing (no PHI; billing data only, PCI-DSS).

A current sub-processor list is available on request at fadi@maivenx.com.

Administrative Safeguards

  • Designated Privacy Officer and Security Officer (Fadi Abbas).
  • Annual HIPAA Security Risk Assessment using the HHS SRA tool, with documented remediation tracking.
  • Written policies for access management, incident response, data retention, and acceptable use — reviewed annually.
  • Workforce security training prior to PHI access; refresher training annually.
  • Vendor due-diligence review and signed BAAs before any sub-processor handles PHI.

Compliance Posture

HIPAA (United States)

Administrative, physical, and technical safeguards per the Security Rule; Breach Notification Rule observed.

PIPEDA & Law 25 (Canada / Quebec)

Consent-based collection, access & correction rights, breach notification as soon as feasible.

Patientdatalagen (Sweden)

Aligned controls for processing of patient data in Swedish healthcare contexts.

SOC 2 (planned)

Not currently SOC 2 attested. We initiate a Type I audit when a customer contract requires it.

Contact

Fadi Abbas
Privacy Officer & Security Officer
Medwork — A mAIvenX.com Company

Email: fadi@maivenx.com

For security disclosures, please include reproduction steps and avoid testing against real patient data. We acknowledge reports within 5 business days.