Data Processing Summary
HxWriter's application server is hosted in Australia. Core transcription and AI-assisted drafting may involve sending identifiable clinical audio and text to data processing partners, and those partners may process information outside Australia.
Current Data Flow
- An approved user signs in with a one-time passcode (OTP) delivered by email.
- User starts a patient session or dictation session after consent requirements are met.
- Audio or transcript content, including patient-identifying details where dictated, may be sent to data processing partners for transcription, diarisation, normalisation, fact extraction, and drafting.
- Draft outputs are displayed to the clinician for review, correction, copying, or download.
- Temporary HxWriter clinical session artifacts are deleted within 24 hours by default and can be purged earlier by an admin.
- Usage and audit metadata are retained separately for administration, security, cost tracking, and trial governance.
Data Categories
| Category | Examples | Purpose | Current retention posture |
|---|---|---|---|
| Account data | Name, email, organisation, role, account status, plan, preferences. | Access control, user setup, settings, support, admin governance. | Retained while account exists; archived accounts retained for audit/trial history. |
| Clinical session content | Audio, transcripts, context uploads, prompt payloads, extracted facts, generated drafts, generated letters. | Transcription, drafting, review, copy/download workflow. | Temporary HxWriter copies deleted within 24 hours by default unless purged earlier. |
| Usage metadata | Session counts, model calls, token/audio estimates, costs, output counts, timing. | Admin reporting, trial limits, cost awareness, operational monitoring. | Default 365 days unless configured otherwise. |
| Audit metadata | Account requests, approvals, archives, role changes, retention purge events. | Security, governance, trial control, accountability. | Default 730 days unless configured otherwise. |
| Authentication data | OTP delivery activity, session cookie, rate-limit metadata. | Secure access and abuse prevention. | Retained only as needed for secure operation and access controls. |
| Support and incident records | Reports, screenshots, descriptions, contact details, remediation notes. | Support, incident response, safety review, compliance. | Retained as needed to manage support, safety, security, and compliance issues. |
| Internal development material | De-identified or pseudonymised transcripts, extracted facts, structured outputs, generated drafts, and coverage checklists saved by internal users. | Governance review, fit-for-purpose testing, quality improvement, regression examples, and product development. | Retained as internal development material; current workflow excludes raw audio and context-upload files. |
| Internal training case archive | Changed-name or non-identifying internal test recordings, transcripts, stage artifacts, timings, generated drafts, and clinician-edited reference outputs saved by internal users. | Replay testing, variability review, quality improvement, and product development. | Retained separately from ordinary clinical sessions and limited to internal users and admins. |
Service Provider Categories
| Provider category | Role | Data involved | Controls and notes |
|---|---|---|---|
| Australian-hosted application infrastructure | Runs the HxWriter application server and stores configured application data. | Account data, session artifacts, metadata, logs, settings. | Access controlled and retention-limited according to HxWriter configuration and admin controls. |
| AI and transcription services | Transcription, diarisation, summarisation, extraction, and draft generation. | Audio, transcript text, prompts, context excerpts, generated text, model metadata. | May process information outside Australia. Used to provide the core documentation workflow. Output remains draft-only and clinician-reviewed. |
| Email delivery services | OTP delivery and access request notifications. | Email address, OTP email content, access request notification content. | Used for approved-account sign-in and account administration. |
| Security, domain, monitoring, and support services | Service availability, security, support, and incident response. | Operational metadata, IP addresses, logs, support messages, screenshots if submitted. | Used only as needed to operate, protect, and support the service. |
Current Technical Safeguards
- Approved-account OTP authentication.
- Admin role checks and account archive lockout.
- Account activation before clinical capture.
- Once-per-login consent/draft attestation before new sessions.
- Configurable HTTPS boundary and secure-cookie settings for production.
- Same-origin write protection: state-changing requests are accepted only from the application's own origin.
- Content security and browser security headers.
- Clinical session retention cleanup and admin purge control.
- Internal development-material retention is limited to `internal` plan users and admins.
- Internal training-case archives are limited to `internal` plan users and admins, and are intended for changed-name or non-identifying test material.
- Text-generation requests are configured to avoid provider-side application-state storage where supported.
- Audit and usage ledgers are metadata-only and are intended to exclude transcript and PHI payloads.
- Runtime package excludes source folders, docs, tests, data, `.env`, and source maps.
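As an added illustration of two of the safeguards above (the 24-hour clinical session retention cleanup with admin purge, and the metadata-only audit ledger), the following Python sketch shows how such controls are commonly implemented. It is example code written for this page, not HxWriter's own code: the record shapes, field names, the allowlist of audit fields, and the list of payload fields it refuses are all assumptions.

```python
"""Retention sweep and metadata-only audit ledger (added example, not HxWriter's code).

Assumptions: session artifacts are records with a created_at timestamp; audit
events are dicts; the retention window defaults to 24 hours and can be
overridden per deployment. Field names below are illustrative only.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

DEFAULT_SESSION_RETENTION = timedelta(hours=24)

# Allowlist of metadata fields an audit/usage event may carry (assumed names).
AUDIT_ALLOWED_FIELDS = frozenset({
    "event", "actor_id", "target_id", "session_id", "role", "outcome",
    "model_calls", "audio_seconds_estimate", "token_estimate",
    "cost_estimate", "duration_ms", "timestamp",
})
# Fields that would be clinical payload; their presence is refused outright
# rather than silently dropped, so a coding mistake surfaces immediately.
PAYLOAD_FIELDS = frozenset({
    "audio", "transcript", "prompt", "draft", "letter", "facts",
    "context_upload", "patient_name",
})


@dataclass
class SessionArtifact:
    session_id: str
    created_at: datetime


@dataclass
class Ledger:
    events: list[dict] = field(default_factory=list)


def record_audit_event(ledger: Ledger, event: dict) -> dict:
    """Append a metadata-only audit event.

    Raises ValueError if any clinical payload field is present; unknown
    fields are dropped so only allowlisted metadata reaches the ledger.
    """
    leaked = PAYLOAD_FIELDS & set(event)
    if leaked:
        raise ValueError(
            f"audit event must not carry clinical payload fields: {sorted(leaked)}")
    entry = {k: v for k, v in event.items() if k in AUDIT_ALLOWED_FIELDS}
    entry.setdefault("timestamp", datetime.now(timezone.utc).isoformat())
    ledger.events.append(entry)
    return entry


def sweep_expired(artifacts, now, retention=DEFAULT_SESSION_RETENTION, ledger=None):
    """Delete artifacts at or past the retention window.

    Returns (kept_artifacts, deleted_session_ids). The purge is logged as a
    metadata-only event: counts and IDs, never content.
    """
    kept, deleted = [], []
    for a in artifacts:
        if now - a.created_at >= retention:
            deleted.append(a.session_id)
        else:
            kept.append(a)
    if ledger is not None and deleted:
        record_audit_event(ledger, {
            "event": "retention_purge", "actor_id": "system",
            "outcome": f"deleted={len(deleted)}",
        })
    return kept, deleted


def admin_purge(artifacts, session_id, admin_id, ledger):
    """Immediately remove one session (admin control) and log who did it.

    Returns (remaining_artifacts, found).
    """
    remaining = [a for a in artifacts if a.session_id != session_id]
    found = len(remaining) != len(artifacts)
    record_audit_event(ledger, {
        "event": "admin_purge", "actor_id": admin_id,
        "target_id": session_id, "outcome": "ok" if found else "not_found",
    })
    return remaining, found


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    now = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)
    artifacts = [SessionArtifact("s1", now - timedelta(hours=25)),
                 SessionArtifact("s2", now - timedelta(hours=1))]
    ledger = Ledger()
    artifacts, deleted = sweep_expired(artifacts, now, ledger=ledger)
    artifacts, found = admin_purge(artifacts, "s2", "admin-1", ledger)
    print("deleted by sweep:", deleted, "| admin purge found:", found)
    print("ledger:", ledger.events)
```

The refusal in `record_audit_event` is the important design choice: a ledger that silently filters would still let a transcript reach a log line if a new field name slipped past the allowlist, whereas raising on known payload keys turns that into a test failure. A deployment that changes the retention window passes a different `retention` rather than editing the default.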
Customer Review
- Additional security and privacy documentation can be provided during formal onboarding or customer review.
- Practices should assess residual cross-border processing risk as part of their own privacy and governance process.
- Customer-specific retention and data-processing requirements can be addressed during onboarding.
- Incident and support contacts are documented in the linked incident pathway.