Data Handling & Security

Patient conversation data stays protected.

Charthalo is designed with data minimization, encryption at rest and in transit, and access controls appropriate for ambient clinical conversation data. This is a tool that sits in the exam room. We designed it accordingly.

Security Design

How Charthalo handles patient conversation data

Four design principles govern every decision about how ambient audio, transcripts, and clinical note drafts are processed and stored.

Encrypted in transit and at rest

All data transmitted between your browser and our servers uses TLS 1.3. Stored data — including note drafts and account information — is encrypted at rest using AES-256. Encryption is not optional or configurable; it is on by default for all users.

Audio processed transiently

Charthalo processes audio in real time and does not store raw audio past the active session. Once the session ends and the transcript is generated, the audio stream is discarded. We do not build a corpus of patient voice recordings.

BAA available for covered entities

Charthalo will execute a Business Associate Agreement with covered entities upon request. Our data handling is designed with HIPAA technical and organizational safeguards in mind. A BAA is available at no additional cost on every plan. Contact [email protected] to initiate.

No raw audio stored past the session

The only data Charthalo retains after session end is the structured note text and your account information. Raw audio is discarded once the transcript is generated. Intermediate transcripts older than 90 days are purged automatically. You can request immediate deletion of your account data at any time.

Technical Details

Technical and organizational controls

Technical Controls

  • TLS 1.3 for all data in transit
  • AES-256 encryption at rest for stored notes and account data
  • Least-privilege access control model for internal systems
  • Session-scoped API tokens; no long-lived credentials in client
  • Input validation and rate limiting on all endpoints
  • Audit logging designed for access and modification events

Organizational Controls

  • Access to production systems limited to named engineers
  • No Charthalo employee can access your note content without explicit support request from you
  • Data processing agreements in place with all sub-processors
  • Patient data not used for AI model training without explicit opt-in
  • Incident response process designed for clinical data incidents
  • Annual internal security review

BAA Availability

Business Associate Agreement

Charthalo will execute a Business Associate Agreement with covered entities upon request. To initiate a BAA, contact [email protected]. A signed BAA is included in Practice plans and available at no additional cost on Solo Clinician plans.