Security

All traffic runs over HTTPS, and the live transcription stream runs over a secure WebSocket. The browser reaches the transcription service using short-lived, scoped tokens minted server-side — the durable API keys never reach the client.

Transcripts and notes are stored in Postgres. Audio is never persisted. Every read is scoped by user and team, and clinical records sit behind non-enumerable identifiers so URLs cannot be guessed.

Accounts use email and password with hashed credentials and signed, cookie-based sessions. Application routes that touch clinical data are gated server-side on every request, and role-based access separates team owners from members.

We never log transcript text, note content, audio, prompts, or model completions. Operational logs carry identifiers and error codes only. The activity log records actions, not clinical content.

Service credentials are read from the server environment at runtime and are never exposed to the browser or baked into the build. Third-party clients are initialized lazily so a build never requires secrets.

Transcription (Deepgram) and note generation (via OpenRouter) receive session content. A HIPAA-compliant deployment requires Business Associate Agreements with these providers and a configuration that disables data retention and model training.

If you believe you have found a security vulnerability, please contact security@nextvisit.example rather than filing a public issue.