HIPAA and GDPR, by default
How Noeta handles encryption, retention, consent, and data subject requests — without making you read a 40-page whitepaper.
Privacy isn't a feature you bolt on at the end. It's the substrate.
Encryption everywhere
All audio, transcripts, and notes are encrypted in transit (TLS 1.2+) and at rest (AES-256). Audio is processed in-region and deleted as soon as the transcript is generated, unless you explicitly opt to retain it for QA.
Consent and retention
Patient consent is captured per visit, with a signed audit log. Retention is configurable per practice: 30, 90, or 180 days for audio; indefinite for the structured note (because that's the legal record).
Data subject rights
GDPR rights — access, export, rectification, erasure — are first-class. Patients (or you on their behalf) can request a full export or deletion from the Account → Your Data portal. Requests complete within 30 days, usually within minutes.
What we don't sell
Your data is never sold. It is never used to train third-party models. It is never shared with anyone outside the processors listed in our DPA.