Compliance Centre

Do your own assessment, with a running start

Practical, Canada-first resources to help you and your privacy advisor assess DirectScribe under PIPEDA and your province's health-privacy law (in Ontario, PHIPA). We do not market against US HIPAA.

How the design maps to common assessment questions

A starting point for your PIA — confirm each against your own configuration and your regulator's current guidance.
Assessment questionHow DirectScribe is designed
Who receives PHI?Only the transcription and intelligence vendors you choose. There is no DirectScribe server in the path.
Is the patient recorded?No. Only the physician's voice is recorded for dictation; it is not an ambient scribe.
Where are credentials stored?API keys are held in the macOS Keychain, protected by your login and FileVault.
How long is data kept?On your retention window (7/30/90 days) plus a session-end delete. Deletion is logged.
Can you evidence data flows?Yes — a PHI-free, tamper-evident audit log records every transmission and deletion.
Is there vendor lock-in?No. Bring your own keys; switch vendors; run note-shaping locally with LM Studio.

About the audit log, so no one over-claims

DirectScribe's audit log is a transmission-and-deletion transparency record. It is explicitly not a PHIPA s.10.1 access-audit log: that section is enacted but not yet in force, and it concerns logging who views a patient's record. The app logs sends and deletes, not PHI access — and your EMR remains the system of record for the clinical note and its access history. The log helps you evidence where data went and when it was removed; it does not, by itself, satisfy any regulatory audit obligation.