scrypa

Security and privacy

Trust comes from clarity.

You document about people, patients, and cases that deserve protection. That is why Scrypa processes data within the EU, deletes audio data after transcription, and encrypts consistently. This page states openly what is already live and what we are still working on.

Core principles

Privacy is not a module. It is the foundation.

Four principles carry every processing step in Scrypa. They apply to every industry and every case, from the first word to the entry in the target system.

Processing within the EU

Speech, transcription, and structuring are processed and stored within the European Union. No routing through third countries without a legal basis.

Audio data is deleted

A recording is a means to an end, not an archive. After transcription the audio file is deleted. Only the entry you reviewed remains in the target system.

Encryption

Data is encrypted in transit (TLS) and at rest. Access runs exclusively over secured connections.

Data minimization

Scrypa collects what is needed for documentation and no more. Less data means less risk, for you and for the people you document about.

The journey of a recording

What happens to what you say.

Transparency starts with making the path of the data traceable. Four stages, one clear line.

01

Record.

You speak in the moment of work. Offline too, then encrypted and cached until synchronization.

02

Transfer.

The transfer into EU processing is encrypted via TLS. No detour through third countries.

03

Structure.

Scrypa transcribes and sorts what you said into the right field. The audio file is then deleted.

04

Store.

The reviewed entry lands encrypted in the target system. Access only by role and permission.

Access and roles

Only those who need it. Only for what is necessary.

The best protection for sensitive data is a tight circle. Scrypa limits access to what is necessary and makes every permission traceable.

Role-based permissions

Who sees and edits what is determined by role and responsibility within the team. Access is limited to what is necessary.

Authentication

Sign-in via personal credentials. Multi-factor authentication can be enabled for sensitive areas.

Tenant separation

Your organization's data is processed and stored logically separated from that of other customers.

Logging

Security-relevant access and changes are logged to ensure traceability.

Human in the loop

Nothing is transferred without approval.

Scrypa proposes, a person decides. Before every transfer into your target system, a responsible person reviews the structured result and approves it. There is no silent, automatic write into the patient or case record.

Approval by a person

Every entry goes through a visual review. Only approval by an authorized person triggers the transfer.

Correct before it is taken over

The result can be adjusted before the transfer. Professional responsibility stays with the people who document.

Logged and traceable

Approval and transfer are logged with timestamp and the acting person, so the process stays traceable later.

Encryption and infrastructure

Encrypted in transit, encrypted at rest.

Sensitive data deserves a protected path and a protected place. Scrypa encrypts the transfer and the storage and runs the processing within the EU.

Encryption in transit

Every connection between app, processing, and target system runs over TLS. Data only leaves the device encrypted.

Encryption at rest

Data stored at rest is encrypted. Transcripts and entries are not held in plain text.

Operated in the EU

Processing and storage take place in data centers within the European Union, without routing through third countries lacking a legal basis.

Offline capability

Recording works even without a signal. Until synchronization, recordings are cached encrypted on the device.

Data processing

Set out in a contract, not just promised.

When Scrypa processes personal data on your behalf, we enter into a data processing agreement (DPA) under Article 28 GDPR. It states in black and white what Scrypa may do, for what purpose, and with which technical and organizational measures.

Set out in the DPA

  • Subject, duration, and purpose of the processing
  • Type of data and categories of data subjects
  • Technical and organizational measures (TOM)
  • Handling of sub-processors within the EU
  • Support with data subject rights and reporting obligations
  • Deletion or return of the data after the contract ends

Sub-processors

Who else processes is stated openly.

Scrypa relies on technical service providers to operate, for example for hosting and processing. These sub-processors are named within the data processing agreement and bound to the same level of protection.

  • Sub-processors are named in the DPA and contractually bound to the GDPR
  • Selection guided by registered seat and processing within the EU
  • Information about changes to the set of sub-processors
  • The same technical and organizational measures along the entire chain

Honestly labeled

What is live and what we are working on.

Security is a journey, not a seal. We clearly separate what applies today from what is still in progress. No claim that we cannot keep.

Live
  • GDPR compliant processing and storage within the EU
  • Deletion of audio data after transcription
  • Encryption in transit and at rest
  • Role-based access and personal credentials
  • Data processing agreement (DPA) under Article 28 GDPR
In progress
  • Formal certification to ISO 27001 (orientation in place, audit intended)
  • Extended multi-factor options and single sign-on
  • Expanded self-service functions for access and export
  • Independent external security reviews as a recurring process

Note: orientation around ISO 27001 means we align our processes with this standard. Formal certification is intended but not yet complete. We do not claim a certification that is not in place.

At a glance

The cornerstones in brief.

GDPR

Processing in line with the EU General Data Protection Regulation.

EU processing

Data remains within the European Union.

DPA under Article 28

Data processing governed by contract.

ISO 27001

Orientation around the standard, certification intended.

These cards describe the framework of our processing and do not represent test seals or external certificates.

Your rights

You stay in control of your data.

The GDPR gives data subjects clear rights. As the data controller, Scrypa supports you in fulfilling these rights and provides the necessary functions.

Clarify privacy questions

Access

Which data is processed can be traced and made available.

Rectification

Entries can be corrected before and after they reach the target system.

Erasure

Data is deleted on request and after the retention period ends.

Portability

Data can be exported in a common format.

Privacy that fits your industry?

We discuss the DPA, technical and organizational measures, and the concrete data flow in your organization with you.

Book a security consultation