Security First
Mental Note AI is built from the ground up with security as a core principle. You work with sensitive clinical information every day, and we protect it at every layer—from data transmission and storage to access controls and incident response.
We comply with HIPAA and maintain rigorous security standards. Our zero-data-retention architecture ensures your clinical data is protected and stays under your control.
Zero Data Retention: The Core Principle
We don't store patient data. Period. Clinical content is processed in real time within Microsoft Word and deleted immediately. Your patient information never travels to our servers and is never saved in our systems.
How It Works
- You compose your clinical note in Microsoft Word
- Mental Note AI processes your input in real time to generate or enhance your note
- The generated content appears directly in your Word document
- No data is stored on Mental Note AI infrastructure
- You maintain complete control over your document and over when and where it's saved
We can't be breached for patient data because we don't store any. All clinical information remains under your control at all times.
Microsoft's Enterprise Infrastructure
Mental Note AI runs on Microsoft's world-class infrastructure: Azure and Office 365. Your data benefits from decades of Microsoft investment in security, compliance, and data center operations.
Microsoft Security Benefits
- Azure Security: Enterprise-grade data centers with continuous monitoring and threat detection
- Office 365 Integration: Seamless integration with Microsoft Word keeps clinical content within the Microsoft ecosystem
- Global Compliance: Microsoft's infrastructure supports compliance with healthcare regulations worldwide
- Redundancy & Backup: Automatic backup and disaster recovery systems ensure service availability
- Security Operations Center (SOC): 24/7 monitoring and incident response by Microsoft security experts
Your data stays within Microsoft's ecosystem with zero data retention. You get Microsoft's security benefits without additional data silos or third-party storage.
Encryption Standards
All data in transit and at rest uses industry-leading encryption. Multiple layers ensure confidentiality and integrity.
Our Encryption Standards
- In Transit: TLS 1.2 or higher for all API communications and data transmission
- At Rest: AES-256 encryption for account data and system logs
- End-to-End Encryption: API calls between Microsoft Word and Mental Note AI processing servers are encrypted end-to-end
- Key Management: Cryptographic keys are managed through Microsoft's secure key management services
These standards align with HIPAA and NIST guidelines for sensitive healthcare information.
Authentication & Access
Only authorized users access Mental Note AI features. We enforce strict authentication and access control.
Access Security Measures
- Microsoft Account Authentication: Users authenticate through Microsoft accounts, leveraging Microsoft's multi-factor authentication capabilities
- Role-Based Access Control (RBAC): Different user roles have appropriate permission levels
- No Shared Credentials: All users have unique authentication credentials; credential sharing is prohibited
- Session Management: Automatic session timeout and secure session handling
- API Key Security: Any API keys or tokens are rotated regularly and stored securely
We follow the principle of least privilege: each user and service has only the minimum permissions necessary for their role.
HIPAA Compliance
Mental Note AI is designed and operated to comply with the Health Insurance Portability and Accountability Act (HIPAA) and all associated regulations. Our zero-retention architecture and encryption standards support HIPAA compliance requirements.
HIPAA Support
- Business Associate Agreement (BAA): Available upon request for covered entities and business associates
- Administrative Safeguards: Security management processes, assigned security responsibility, and authorization controls
- Physical Safeguards: Facility access controls and workstation security
- Technical Safeguards: Encryption, access controls, and audit logging
- Breach Notification: Notification procedures in compliance with HIPAA breach notification rules
For detailed information and to request a BAA, visit our HIPAA Compliance page.
Security Audits & Vulnerability Management
We proactively identify and address security risks through comprehensive audits and vulnerability management.
Our Audit Program
- Periodic Security Reviews: Regular internal security assessments and external audits by independent third parties
- Vulnerability Assessments: Regular scanning and testing of systems to identify potential vulnerabilities
- Penetration Testing: Annual penetration testing by qualified security professionals
- Code Review: Security-focused code review for all new features and updates
- Dependency Management: Regular updates and patching of third-party libraries and dependencies
Vulnerabilities are prioritized by severity and addressed immediately through our patching process.
Incident Response
We maintain a robust incident response plan to handle potential security incidents quickly and effectively.
Our Incident Response Procedures
- 24/7 Monitoring: Continuous monitoring of systems for suspicious activity and potential incidents
- Rapid Response Team: Dedicated team available to respond immediately to security incidents
- Investigation & Containment: Thorough investigation of incidents and immediate containment of any threats
- HIPAA Breach Notification: Compliance with HIPAA breach notification rules if applicable, including notification of affected individuals within 60 days
- Communication: Transparent communication with affected users about any incidents and remediation steps
- Post-Incident Review: Comprehensive review of incidents to prevent future occurrences
Our zero-retention architecture limits incident impact: we don't maintain patient data on our systems, so there's no patient data to expose.
Employee Security
Employees are critical to security. All Mental Note AI staff follow strict security requirements and receive regular training.
Employee Security Measures
- Background Checks: Comprehensive background checks for all employees with access to sensitive systems
- Security Training: Regular mandatory security and privacy training for all employees
- HIPAA Training: Specialized HIPAA training for employees who work with healthcare data
- Least Privilege Access: Employees have access only to systems and data necessary for their role
- Confidentiality Agreements: All employees sign strict confidentiality and data protection agreements
- Access Revocation: Immediate revocation of system access when employees leave the company
We maintain a security-aware culture where all employees understand their role in protecting user data and privacy.
Found a Vulnerability?
If you discover a security issue, report it to our security team responsibly rather than publicly.
How to Report
Send detailed information about the vulnerability to: support@mentalnote.ai
Please include:
- Description of the vulnerability
- Steps to reproduce (if applicable)
- Potential impact assessment
- Your contact information for follow-up
We'll acknowledge receipt within 48 hours and work with you on the fix. We appreciate the security community helping us stay secure.
More Security Resources
Learn more about our security and compliance practices:
- HIPAA Compliance Information – Detailed information about our HIPAA implementation
- Privacy Policy – How we handle your personal and clinical data
- Terms of Service – Our terms and conditions
- Support Center – Contact our support team with questions
- Documentation – Technical documentation and API reference
Last updated March 15, 2026