Trust Centre

OnScribe is designed with privacy and security as the foundational priorities, ensuring compliance with Australian healthcare regulations and the Australian Privacy Act 1988. All sensitive information is processed and retained within Australian borders, never transferred offshore.

Encryption Architecture

Dual-Layer Security Model

OnScribe employs a dual-layer encryption strategy with AES-256-GCM authenticated encryption for master key protection and AES-256-CBC encryption for patient data.

Local Device Protection

  • Database-level AES-256-CBC encryption for all patient data

  • Passphrase (OnKey)-derived master key is the root of security

  • The master key is encrypted using AES-GCM and stored in Azure Key Vault, with a local cache on device

  • Local cache is hardware keystore protected (Android Keystore/iOS Keychain) and expires every 30 days

  • Authenticated encryption automatically detects tampering - if data is modified, decryption fails

  • If cache is invalidated (expiry, corruption, biometric change, or tampering detected), the OnKey passphrase must be re-entered to decrypt local data
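The dual-layer model described above (a passphrase-derived key wrapping a random master key with AES-256-GCM, patient records encrypted under that master key with AES-256-CBC, and tampering detected because authenticated decryption fails) as an added worked example in Go's standard library. This is illustration code written for this page, not OnScribe's own implementation. It assumes PBKDF2-HMAC-SHA256 as the passphrase KDF, a fresh random IV with PKCS#7 padding for the CBC layer, and uses constructed sample values; the Azure Key Vault and hardware keystore storage steps are outside the snippet.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// DeriveKEK: PBKDF2-HMAC-SHA256 (RFC 8018; 32 bytes need only block 1) of the OnKey
// passphrase, giving the 256-bit key-encryption key. The KDF choice is an assumption.
func DeriveKEK(passphrase, salt []byte, iterations int) []byte {
	m := hmac.New(sha256.New, passphrase)
	m.Write(append(append([]byte{}, salt...), 0, 0, 0, 1)) // U1 = PRF(salt || INT(1))
	u := m.Sum(nil)
	t := append([]byte{}, u...)
	for i := 1; i < iterations; i++ {
		m.Reset()
		m.Write(u)
		u = m.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapMasterKey seals the random master key under the KEK: nonce || ciphertext || tag.
func WrapMasterKey(kek, masterKey []byte) ([]byte, error) {
	gcm, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, masterKey, nil), nil
}

// UnwrapMasterKey returns an error, never a key, if any byte of the blob was
// modified or the KEK came from the wrong passphrase (GCM's tag check).
func UnwrapMasterKey(kek, blob []byte) ([]byte, error) {
	gcm, err := newGCM(kek)
	if err != nil || len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("bad KEK or wrapped blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// EncryptRecord: one patient record under AES-256-CBC with a fresh random IV and
// PKCS#7 padding, laid out as iv || ciphertext. CBC alone carries no integrity tag.
func EncryptRecord(masterKey, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize // always 1..16
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(iv, ct...), nil
}

// DecryptRecord reverses EncryptRecord and validates the PKCS#7 padding.
func DecryptRecord(masterKey, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(masterKey)
	if err != nil || len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("bad key or record length")
	}
	pt := make([]byte, len(blob)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, blob[:aes.BlockSize]).CryptBlocks(pt, blob[aes.BlockSize:])
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("invalid padding")
	}
	return pt[:len(pt)-pad], nil
}

func main() {
	kek := DeriveKEK([]byte("constructed passphrase"), []byte("constructed salt"), 100000)
	master := make([]byte, 32)
	rand.Read(master)
	wrapped, _ := WrapMasterKey(kek, master)
	wrapped[len(wrapped)-1] ^= 1 // one flipped byte in the cached blob
	_, err := UnwrapMasterKey(kek, wrapped)
	fmt.Println("tampered master-key cache rejected:", err != nil)
}
```

Flipping a single byte of the wrapped blob, as main does, makes UnwrapMasterKey return an error rather than a key, which is the property the page describes for the authenticated layer; the same happens when the KEK is derived from the wrong passphrase, so re-entering the OnKey is the only way back in once the cache is rejected. The CBC layer itself has no tag, so integrity of individual records must come from a separate mechanism (the page lists SHA-256 integrity checks for transmission).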

Transmission Security

  • End-to-end encryption before leaving device

  • Random IVs and session keys ensure perfect forward secrecy

  • SHA-256 integrity checks for tamper prevention

Keys Management

  • Azure Key Vault manages encryption keys securely

  • Monthly transmission key rotation ensures forward secrecy

  • Zero-knowledge architecture: neither OnScribe nor cloud providers can decrypt patient data

Data Sovereignty & Processing

  • 100% Australian Processing – all data stored and processed exclusively in Australia

  • Primary Processing: Microsoft Azure (Sydney)

  • Storage Infrastructure: Google Cloud Platform (Australia regions)

  • Traffic Routing: No international transfers

Real-Time Audio (and Smart PDF) Processing

  • Audio transcribed in real-time on Azure Sydney servers

  • Audio files hard-deleted immediately after processing

  • Only encrypted transcription results retained

  • Zero persistent audio storage

A similar mechanism applies to Smart PDF Import, where referral letters are processed securely in-memory and deleted immediately after extraction.

Access Controls & Security

Zero-Trust Architecture

  • Principle of Least Privilege enforced

  • Multi-factor authentication for all admin access

  • Time-limited access tokens

  • Audit trails for all access and modifications

Secondary Recipient (Admin) Access to Web Portal

  • Admin access only when explicitly authorised by a healthcare professional

  • OnKey Passphrase sharing required for admin access

  • Audit logging for all admin access

Vendor Security

  • OnScribe leverages Microsoft Azure and Google Cloud Platform in Australia

  • Both providers maintain compliance with leading security standards:

    • Azure: SOC 2, ISO 27001, HITRUST

    • Google Cloud: SOC 2, ISO 27001, IRAP

  • Providers cannot access or decrypt PHI

AI Processing & Privacy

  • Microsoft Azure (Sydney) Cognitive Services used for transcription

  • Microsoft Azure (Sydney) LLM processing for document enhancement

  • No offshore processing

  • No training data use – user data is never used to train AI models

  • Zero-knowledge architecture ensures OnScribe cannot view patient content

  • AI Limitations and Intended Use

    • OnScribe’s AI systems assist with transcription, document enhancement, and summarisation.

    • They may occasionally generate additional or imprecise wording (“hallucinations”), which can sound interpretive or therapeutic.

    • Such output is unintended and does not represent diagnostic, prognostic, or treatment advice.

    • AI models are trained to avoid therapeutic recommendations, and clinicians must not rely on AI-generated or summarised text for clinical decision-making.

Compliance & Legal Assurance

  • Patient consent must be obtained by the healthcare professional before recording

  • OnScribe provides consent reminders in-app

  • Therapeutic Goods Administration (TGA) exempt: OnScribe is a documentation tool, not a diagnostic or therapeutic device

  • Australian Privacy Principles compliance maintained

  • Regular internal compliance reviews conducted

  • Free trial users (Pro/Platinum) are subject to the same security, encryption, and retention policies as paid users.

Platform Security

Mobile App Security:

  • Hardware keystore protection (Android Keystore/iOS Keychain)

  • Biometric authentication with 30-day sessions

  • Passphrase-derived encryption keys with Azure Key Vault backup

  • Database-level AES-256-GCM encryption for all patient data

  • Automatic tamper detection and integrity verification

  • App sandboxing enforced

Web Portal (Platinum only):

  • Encrypted session tokens

  • HTTPS with certificate pinning

  • Content Security Policy applied

Temporary Files:

During PDF/DOCX generation or image processing, the app may create temporary files within the device’s secure sandbox. These files are automatically cleared on app restart and are not transmitted or stored in the cloud. On standard devices this process is fully secure. On rooted or jailbroken devices, however, system-level access may expose such temporary files. OnScribe does not support the use of rooted or jailbroken devices for this reason.

Data Lifecycle Management

Retention & Deletion Policies

  • Plus users: Data stored locally only; users control retention or deletion.

  • Pro & Platinum users:

    • Local recordings auto-deleted after 14 days

    • Cloud recordings auto-deleted after 21 days (Pro) / 28 days (Platinum) unless user deletes earlier

    • Transcriptions remain in cloud until user deletes

  • Account data: Retained for service provision/legal requirements

  • Audit logs: Retained per compliance needs

Deletion

  • Users can delete data anytime

  • Secure deletion protocols applied

Exported files (PDF/DOCX):

Once shared, documents are no longer encrypted within OnScribe. Clinicians must ensure secure handling of these files under their professional and legal obligations.

Incident Response & Monitoring

  • 24/7 monitoring for system security events

  • Immediate isolation of affected systems if incident detected

  • Regulator notification within mandated timeframes

  • User notification if their data is impacted

  • Post-incident review and security improvement

Security Contact & Support

Liability Cap

  • Security: security@docworks.com.au

  • Privacy Officer: privacy@docworks.com.au

  • Support: support@docworks.com.au

Compliance & Certifications

Australian Privacy Act 1988 – full compliance

TGA exempt (documentation tool, not a medical device)

Hosted on Azure & Google Cloud – both certified to SOC 2, ISO 27001, and more

Internal compliance reviews and security monitoring in place

External audits planned as OnScribe scales

OnScribe Trust Centre – Security and privacy for Australian healthcare professionals.

Last updated: 17/08/2025
Next review: 17/02/2026


© 2025 Docworks Pty Ltd. All rights reserved.

Medical transcription, redefined.

Copyright © 2025 OnScribe. All Rights Reserved.

A Product of Docworks Pty Ltd - Built in Shepparton VIC
