Security at Mental Note AI - HIPAA Compliant Clinical Notes
Security First
Mental Note AI is built from the ground up with security as a core principle. You work with sensitive clinical information every day, and we protect it at every layer—from data transmission and storage to access controls and incident response.
We comply with HIPAA and maintain rigorous security standards. We encrypt your clinical data in transit and at rest, process it under Business Associate Agreements, and give you control over retention and deletion.
Data Protection and Encryption
Your data is encrypted and handled under strict controls. Clinical content is processed by our AI service providers under Business Associate Agreements and encrypted in transit and at rest. We minimize how long we retain data, and you can request deletion.
How It Works
- You compose your clinical note in Microsoft Word
- Mental Note AI processes your input in real time to generate or enhance your note
- The generated content appears directly in your Word document
- Your data is encrypted in transit and at rest
- You maintain complete control over your document and over when and where it is saved
We follow incident-response procedures and HIPAA breach-notification obligations, encrypt data in transit and at rest, and minimize retention to reduce risk.
Microsoft's Enterprise Infrastructure
Mental Note AI runs on Microsoft's world-class infrastructure: Azure and Office 365. Your data benefits from decades of Microsoft investment in security, compliance, and data center operations.
Microsoft Security Benefits
- Azure Security: Enterprise-grade data centers with continuous monitoring and threat detection
- Office 365 Integration: Seamless integration with Microsoft Word keeps clinical content within the Microsoft ecosystem
- Global Compliance: Microsoft's infrastructure supports compliance with healthcare regulations worldwide
- Redundancy & Backup: Automatic backup and disaster recovery systems support service availability
- Security Operations Center (SOC): 24/7 monitoring and incident response by Microsoft security experts
Your data benefits from Microsoft's enterprise security. We process it under Business Associate Agreements and minimize how long we retain it.
Encryption Standards
All data is encrypted in transit and at rest. Transport encryption protects the confidentiality and integrity of data on the wire; storage encryption protects it where it is kept.
Our Encryption Standards
- In Transit: TLS 1.2 or higher for all API communications, including the calls between Microsoft Word and Mental Note AI; older protocol versions (TLS 1.0 and 1.1, SSL) are not accepted
- At Rest: AES-256 encryption for account data and system logs
- Key Management: Cryptographic keys are managed through Microsoft's key management services rather than stored alongside the data they protect
These choices are consistent with NIST guidance (TLS 1.2 or higher per SP 800-52 Rev. 2, AES per FIPS 197) and with the HIPAA Security Rule's encryption specifications for electronic protected health information.
Authentication & Access
Only authorized users access Mental Note AI features. We enforce strict authentication and access control.
Access Security Measures
- Microsoft Account Authentication: Users authenticate through their Microsoft accounts, so multi-factor authentication applies according to the policies configured on the user's Microsoft account or organizational tenant
- Role-Based Access Control (RBAC): Different user roles have appropriate permission levels
- No Shared Credentials: All users have unique authentication credentials; credential sharing is prohibited
- Session Management: Automatic session timeout and secure session handling
- API Key Security: Any API keys or tokens are rotated regularly and stored securely
We follow the principle of least privilege: each user and service has only the minimum permissions necessary for their role.
HIPAA Compliance
Mental Note AI is designed and operated to comply with the Health Insurance Portability and Accountability Act (HIPAA), including the Privacy, Security, and Breach Notification Rules. Our encryption standards and Business Associate Agreements support HIPAA compliance requirements.
HIPAA Support
- Business Associate Agreement (BAA): Available upon request for covered entities and business associates
- Administrative Safeguards: Security management processes, assigned security responsibility, and authorization controls
- Physical Safeguards: Facility access controls and workstation security
- Technical Safeguards: Encryption, access controls, and audit logging
- Breach Notification: Notification procedures in compliance with HIPAA breach notification rules
For detailed information and to request a BAA, visit our HIPAA Compliance page.
Security Audits & Vulnerability Management
We proactively identify and address security risks through comprehensive audits and vulnerability management.
Our Audit Program
- Periodic Security Reviews: Regular internal security assessments and external audits by independent third parties
- Vulnerability Assessments: Regular scanning and testing of systems to identify potential vulnerabilities
- Penetration Testing: Annual penetration testing by qualified security professionals
- Code Review: Security-focused code review for all new features and updates
- Dependency Management: Regular updates and patching of third-party libraries and dependencies
Vulnerabilities are prioritized by severity and remediated through our patching process, with the most severe issues addressed first.
Incident Response
We maintain a robust incident response plan to handle potential security incidents quickly and effectively.
Our Incident Response Procedures
- 24/7 Monitoring: Continuous monitoring of systems for suspicious activity and potential incidents
- Rapid Response Team: Dedicated team available to respond immediately to security incidents
- Investigation & Containment: Thorough investigation of incidents and immediate containment of any threats
- HIPAA Breach Notification: Compliance with the HIPAA Breach Notification Rule where applicable, with notification without unreasonable delay and no later than 60 days after discovery of the breach; as a business associate, we notify the affected covered entity, which is responsible for notifying affected individuals
- Communication: Transparent communication with affected users about any incidents and remediation steps
- Post-Incident Review: Comprehensive review of incidents to prevent future occurrences
We minimize the data we retain and encrypt it in transit and at rest, which limits incident impact.
Employee Security
Employees are critical to security. All Mental Note AI staff follow strict security requirements and receive regular training.
Employee Security Measures
- Background Checks: Comprehensive background checks for all employees with access to sensitive systems
- Security Training: Regular mandatory security and privacy training for all employees
- HIPAA Training: Specialized HIPAA training for employees who work with healthcare data
- Least Privilege Access: Employees have access only to systems and data necessary for their role
- Confidentiality Agreements: All employees sign strict confidentiality and data protection agreements
- Access Revocation: Immediate revocation of system access when employees leave the company
We maintain a security-aware culture where all employees understand their role in protecting user data and privacy.
Found a Vulnerability?
If you discover a security issue, report it to our security team rather than disclosing it publicly.
How to Report
Send detailed information about the vulnerability to: support@mentalnote.ai
Please include:
- Description of the vulnerability
- Steps to reproduce (if applicable)
- Potential impact assessment
- Your contact information for follow-up
We'll acknowledge receipt within 48 hours and work with you on the fix. We appreciate the security community helping us stay secure.
More Security Resources
Learn more about our security and compliance practices:
- HIPAA Compliance Information – Detailed information about our HIPAA implementation
- Privacy Policy – How we handle your personal and clinical data
- Terms of Service – Our terms and conditions
- Support Center – Contact our support team with questions
- Documentation – Technical documentation and API reference
Last updated March 15, 2026