Security and privacy
Trust comes from clarity.
You document people, patients, and cases that deserve protection. That is why Scrypa processes data within the EU, deletes audio data after transcription, and encrypts consistently. This page states openly what is already live and what we are still working on.
Core principles
Privacy is not a module. It is the foundation.
Four principles carry every processing step in Scrypa. They apply to every industry and every case, from the first word to the entry in the target system.
Processing within the EU
Speech, transcription, and structuring are processed and stored within the European Union. No routing through third countries without a legal basis.
Audio data is deleted
A recording is a means to an end, not an archive. After transcription the audio file is deleted. Only the entry you reviewed remains in the target system.
Encryption
Data is encrypted in transit (TLS) and at rest. Access runs exclusively over secured connections.
Data minimization
Scrypa collects what is needed for documentation and no more. Less data means less risk, for you and for the people you document.
The journey of a recording
What happens to what you say.
Transparency starts with making the path of the data traceable. Four stages, one clear line.
Record.
You speak in the moment of work. Offline too: the recording is then encrypted and cached until synchronization.
Transfer.
The transfer into EU processing is encrypted via TLS. No detour through third countries.
Structure.
Scrypa transcribes and sorts what you said into the right field. The audio file is then deleted.
Store.
The reviewed entry lands encrypted in the target system. Access only by role and permission.
Access and roles
Only those who need it. Only for what is necessary.
The best protection for sensitive data is a tight circle. Scrypa limits access to what is necessary and makes every permission traceable.
Role-based permissions
Who sees and edits what is determined by role and responsibility within the team. Access is limited to what is necessary.
Authentication
Sign-in via personal credentials. Multi-factor authentication can be enabled for sensitive areas.
Tenant separation
Your organization's data is processed and stored logically separated from that of other customers.
Logging
Security-relevant access and changes are logged to ensure traceability.
Data processing
Set out in a contract, not just promised.
When Scrypa processes personal data on your behalf, we enter into a data processing agreement (DPA) under Article 28 GDPR. It states in black and white what Scrypa may do, for what purpose, and with which technical and organizational measures.
Set out in the DPA
- Subject, duration, and purpose of the processing
- Type of data and categories of data subjects
- Technical and organizational measures (TOM)
- Handling of sub-processors within the EU
- Support with data subject rights and reporting obligations
- Deletion or return of the data after the contract ends
Honestly labeled
What is live and what we are working on.
Security is a journey, not a seal. We clearly separate what applies today from what is still in progress. No claim that we cannot keep.
Applies today
- GDPR-compliant processing and storage within the EU
- Deletion of audio data after transcription
- Encryption in transit and at rest
- Role-based access and personal credentials
- Data processing agreement (DPA) under Article 28 GDPR
Still in progress
- Formal certification to ISO 27001 (orientation in place, audit intended)
- Extended multi-factor options and single sign-on
- Expanded self-service functions for access and export
- Independent external security reviews as a recurring process
Note: orientation around ISO 27001 means we align our processes with this standard. Formal certification is intended but not yet complete. We do not claim a certification that is not in place.
At a glance
The cornerstones in brief.
GDPR
Processing in line with the EU General Data Protection Regulation.
EU processing
Data remains within the European Union.
DPA under Article 28
Data processing governed by contract.
ISO 27001
Orientation around the standard, certification intended.
These cards describe the framework of our processing and do not represent test seals or external certificates.
Your rights
You stay in control of your data.
The GDPR gives data subjects clear rights. Scrypa supports you, as the data controller, in fulfilling these rights and provides the necessary functions.
Access
Which data is processed can be traced and made available.
Rectification
Entries can be corrected before and after they reach the target system.
Erasure
Data is deleted on request and after the retention period ends.
Portability
Data can be exported in a common format.
Privacy that fits your industry?
We discuss the DPA, technical and organizational measures, and the concrete data flow in your organization with you.