FAQ

Security & compliance

Common questions on privacy, clinical liability, integrations, support, data ownership, commercial terms, and product demos.

Data Privacy, Security & Compliance

Who is the Data Fiduciary and who is the Data Processor?
The hospital or clinic is the Data Fiduciary (decides purpose and means). MITTAI (CareScribe) acts as the Data Processor, operating only on the Fiduciary’s documented instructions. We apply strict safeguards, support data-principal rights, and ensure breach notification without undue delay.
Where is data hosted and how is it protected?
Hosted exclusively in India cloud data centers for sovereignty and performance. Encryption in transit (TLS 1.2+) and at rest (AES-256). HIPAA and SOC 2 Type II compliant controls with RBAC, least-privilege access, continuous monitoring, and comprehensive audit logs.
How is patient consent managed under the DPDP Act (2023)?
The Data Fiduciary (hospital) obtains valid consent. CareScribe provides configurable multilingual templates and an auditable withdrawal flow meeting the “ease of withdrawal” principle.
What is the data retention and erasure policy?
3 years for in-patient records (as per NMC 2002 regulations). 72 hours to fulfil record-copy requests. Upon expiry or verified erasure request, data is permanently deleted and a Certificate of Data Destruction is issued.
What happens in the event of a data breach?
We follow a documented Incident-Response plan (Detect → Contain → Eradicate → Recover → Notify). The Fiduciary is informed immediately, and any statutory notification to the Data Protection Board or CERT-In is supported within 6 hours for notifiable incidents.

Clinical Liability & Safety

Who is liable for errors or inaccuracies in notes?
The clinician remains responsible for the final record. CareScribe is assistive, not a replacement for clinical judgment.
How is accuracy and accountability ensured?
Workflow: Review → Edit → Approve. The clinician must review the draft and sign off electronically. Each approval is timestamped and stored in the audit log.
Does CareScribe meet NMC/IMC record-keeping requirements?
Yes – legible, timestamped, retrievable records complying with 72-hour copy release and 3-year retention requirements.

Integration & Interoperability

How does CareScribe integrate with existing HIMS/EMR systems?
API-first design using HL7 FHIR/REST (ABDM-aligned) standards; HL7 v2 or secure file exchange supported if required.
Can hospitals export or migrate data?
Yes – standards-based FHIR exports for portability and offboarding.
Where is CareScribe hosted?
Cloud-only deployment in India data centers with redundancy, backups, and controlled access.
How is identity and access managed?
Through SSO (OIDC/SAML), role-based access control, and comprehensive audit trails for every access and edit event.
What are your disaster-recovery and continuity measures?
Multi-zone architecture, automated backups, and regular restore testing with defined RTO/RPO objectives.

SLAs & Support

What service-level assurances are provided?
Uptime: 99.9 % monthly. Support: 24 × 7 for critical issues. Response and resolution targets by priority:
P1 Critical – 1 h response / 4 h resolution
P2 High – 4 h response / 1 business day resolution
P3 Normal – 1 business day response / 3 days resolution
P4 Low – 2 business days response / scheduled fix
How long does implementation take?
Typical go-live within 4–6 weeks (integration, UAT, training). Clinician enablement via 1–2 hour sessions and quick-start guides.
Which devices and microphones are supported?
Web and mobile interfaces with support for clinical-grade USB or Bluetooth microphones. Offline buffering is available for temporary connectivity loss.

Data Ownership & Offboarding

Who owns the data?
The hospital and patient retain full ownership. MITTAI acts solely as a Data Processor.
Does CareScribe use customer data for AI training?
No identifiable data is ever used. Optional learning from aggregated, anonymized signals is permitted within DPDP bounds and may be opted out of at any time.
What happens when a hospital offboards?
We provide complete FHIR-standard exports, securely erase all data, and issue a Certificate of Destruction within 30–90 days.

Partnership & Commercial Terms

Is CareScribe exclusive to specific partners?
No – partnerships are non-exclusive and without any Right of First Refusal.
What pricing models are available?
Subscription-based: per clinician/year or enterprise/site license with volume and multi-year discounts.
How are liabilities handled under DPDP?
Mutual indemnities apply: MITTAI covers processor non-compliance; hospitals remain responsible for their own systems and clinical actions. Caps and terms defined in the MSA/DPA.
Do you use third-party software with restrictive licenses?
No. All open-source components use MIT or Apache-2.0 licenses; no GPL/copyleft dependencies.
Is a DPA and security evidence available?
Yes. Our DPDP-compliant DPA, SOC 2 Type II report, and HIPAA attestation can be shared under NDA along with the sub-processor list and change-notification policy.
What is the standard contract term?
12-month initial term with automatic 12-month renewal and a 60-day non-renewal notice window. Multi-year pricing available.

Product Scope & Value

Is CareScribe a medical device?
No – it is a clinical documentation and AI decision-support assistant, not diagnostic or prescriptive.
Which languages and specialties are supported?
All major Indian languages + English (others on request). Includes specialty templates for OPD, Dental, Gynae, Oncology, and General Medicine.
What results have partner sites seen?
60–70 % reduction in documentation time
< 30 s draft generation for OPD notes
Higher clinician satisfaction and audit readiness

Demo Guidelines & Performance

Why did CareScribe suggest a medication during a demo when none was mentioned?
If an existing patient profile is reused, the system may reference previous context. Always create and use a fresh patient record for every demo session to ensure clean, session-specific responses.
Can we conduct a demo without historical data interference?
Yes – the platform already supports a fresh-patient demo workflow that runs in real time without pulling any stored history. This is the recommended method for product demonstrations.
How is demo data secured?
Demo data follows the same HIPAA and SOC 2 Type II security standards as production data and is automatically purged after each session.
Why might long conversations occasionally lag?
Lengthy sessions can increase latency. Continuous optimizations are in place for real-time streaming and faster turnaround during extended dictations.

Documents Available on Request

Master Service Agreement (MSA) + Data Processing Addendum (DPA)
HIPAA Business Associate Agreement (if required)
SLA and Support Policy
SOC 2 Type II Audit Report (NDA required)
Sub-Processor List and Change-Policy
Data Retention and Deletion Policy
Implementation & Integration Guide (FHIR/HL7)
Incident Response & Breach Playbook