Security & trust

Trust is theclinical buying gate.

Scribara handles PHI under a BAA, keeps an immutable audit of every action, and can run entirely inside your boundary. Security is designed in, not bolted on.

HIPAA · SOC 2 roadmap · on-prem · per-tenant isolation

Epic FHIRathenahealthNVIDIA InceptionHL7SOC 2HIPAA
Trust

Enterprise-grade from day one

Healthcare buys on trust. Scribara is built to clear procurement, security review, and compliance.

HIPAA / BAA

PHI handled under a Business Associate Agreement.

SOC 2 Type II

[ASPIRATIONAL] — roadmap to Type II within 12 months.

On-prem NIM

Run owned models inside your datacenter via NVIDIA AI Enterprise. [ASPIRATIONAL]

Immutable audit

Every agent action logged, reversible, tied to the clinician's signature.

Data residency

US, EU, UK regions; per-tenant keys (BYOK option). [ASPIRATIONAL]

ISO 42001

AI management-system conformity on the roadmap. [ASPIRATIONAL]

Ingress redactionon
Tenant isolationper-key
On-premPHI-resident
Auditimmutable
Data handling

PHI stays where it belongs

PHI is redacted at ingress, isolated per tenant, and — in on-prem mode — never leaves your datacenter. Owned models mean no third-party API sees patient data in production.

  • PHI redaction at ingress (Presidio + custom)
  • Per-tenant KMS / BYOK option [ASPIRATIONAL]
  • On-prem NIM on NVIDIA AI Enterprise [ASPIRATIONAL]
  • No third-party API sees PHI in production
Governance

How every action is controlled

Agentic autonomy with the controls regulated buyers require.

  1. 1

    Abstain

    Low-confidence outputs abstain rather than guess.

  2. 2

    Escalate

    Ambiguous cases route to a human with context.

  3. 3

    Approve

    Consequential actions need clinician sign-off.

  4. 4

    Audit

    Every step is logged, reversible, and signed.

Controls

Security controls

Defense in depth across compute, data, and model layers.

Encryption

In transit and at rest; per-customer keys (BYOK). [ASPIRATIONAL]

Access control

SSO/SAML/SCIM via WorkOS; per-action RBAC.

Audit log

Immutable, append-only, exportable to your SIEM.

Prompt-injection defense

Input sanitization, tool allowlists, output validators.

Residency

US/EU/UK regions. [ASPIRATIONAL]

Testing

Annual pen-test; bug bounty. [ASPIRATIONAL]

Assurance

Security posture

0
Actions audited
0
Raw PHI to third-party APIs
0
Isolation layers (compute/data/model)
0
BAA per customer
Transparency

We publish what we can prove

Healthcare AI lives or dies on trust, so Scribara favors verifiable claims over adjectives. Accuracy and uptime targets are marked [ASPIRATIONAL] until measured in production, and compliance milestones are dated on the roadmap, not implied.

If you're evaluating Scribara through security review, we provide a documentation pack covering data flows, sub-processors, model governance, and incident response. Contact the team to begin.

Answers

Frequently asked

No — production runs on owned models served on NVIDIA compute. Frontier APIs are a non-PHI bootstrap/fallback only.

Yes — Scribara handles PHI under a Business Associate Agreement.

Every action is logged in an immutable, reversible trail tied to the clinician's signature.

Start your security review.

We'll share data-flow diagrams, sub-processors, and our compliance roadmap.