Security
Patient data is the most sensitive data class we touch. Here's how we protect it.
Encryption
All audio files and patient data are encrypted at rest (AES-256). All connections use TLS 1.3. Database backups are encrypted automatically.
Data residency
Malaysian and Singaporean customer data is hosted in Singapore (ap-southeast-1 region). Australian data will be hosted in Sydney (ap-southeast-2) when we expand to that market.
Access control
Row-level security enforced at the database. A doctor can only see their own consultations. Multi-factor authentication available (mandatory for clinic admins). No internal Annota staff has access to your audio or notes without an explicit support ticket from you.
Audit logging
Every action that touches patient data — login, recording, edit, sign, export, delete — is logged in an append-only audit trail. Audit logs cannot be modified or deleted, even by Annota staff.
No model training on patient data
Patient data is never used to train AI models. Ever. No exceptions. We use frontier models from OpenAI trained on broad public data; we do not fine-tune on patient content.
Compliance
PDPA Malaysia compliant. HSA Singapore aligned (formal compliance assessment in progress). AHPRA Australia aligned for future market entry.
Security questions or vulnerability reports: security@annota.my