Compliance & Security

Your data is safe with QuickChart

QuickChart is built for the privacy and security standards required in Canadian and U.S. clinical settings, so you can focus on patients, not paperwork.

Trust Center

For institutions & security teams: review our security documentation, compliance reports, and subprocessor list.


What we promise you

The short version, in plain language. The details are spelled out in our Privacy Policy.

Stored in Canada by default

Your data lives on Canadian infrastructure (AWS Canada) and is encrypted at every step.

Never used to train AI

We don't use your clinical content to train AI models, and we never use it for advertising.

Encrypted end to end

All clinical data is encrypted in transit and at rest using industry-standard protocols.

Never sold or shared

We never sell your information. We only work with vetted providers under strict contracts.

Your questions, answered

The things clinicians and institutions ask us most about privacy and security.

Where is my data stored?

By default, your data is stored in Canada on AWS Canada infrastructure and encrypted in transit and at rest. To deliver certain advanced AI features, a specific task may be carried out by an approved processor outside Canada, but your records are always returned and stored in Canada. We never use a non-Canadian provider as the permanent home for your records. If you need everything to stay in Canada, Canada Strict mode keeps both storage and processing in Canada.

Does QuickChart train AI on my data?

No. We do not use your clinical content to train AI models, and any approved AI processors we work with are contractually bound by no-training commitments. We also never use your clinical content for advertising.

Who can see my patients' information?

Access is tightly controlled. Our support team is not given routine access to your clinical content such as transcripts, notes, audio, documents, or images. Access is role-based, authenticated, and recorded in audit logs.

Is my audio recording kept?

No. Audio is used only to create your transcript and is not stored or retained after transcription is complete. It is not kept in application logs, debugging logs, or support tooling.

Do you sell or share my data?

We never sell personal information or personal health information, and we never share clinical content for advertising or marketing. We only share data with the approved providers needed to operate the platform, such as secure cloud hosting, and they are bound by confidentiality, no-training, and limited-retention commitments.

How long is my data kept?

You control retention. Options include 3 days, 30 days (the default), or no fixed deletion period, depending on your plan or institutional configuration. When data is deleted, it may remain in encrypted backups for a short period (currently up to 7 days) before routine backup expiry.

What happens before my notes are processed by AI?

Where technically feasible, we automatically apply identifier-reduction techniques to clinical text before it is sent to an approved external AI processor. This is designed to reduce direct identifiers. Because clinical notes can contain contextual detail, we don't claim the result is fully anonymized, but it meaningfully limits what is shared.

Can my clinic or institution set its own rules?

Yes. For institutional deployments, data residency, processing mode, and retention can be configured at the organization level. Institutions that require Canadian-only handling can use Canada Strict mode, which disables features or fallback pathways that would require non-Canadian processing.

Choose where your data is processed

Data residency (where your data is stored) and processing location (where it may be handled to deliver a feature) are configurable. In every mode, your data is encrypted in transit and at rest, and any external processors are bound by no-retention, no-training commitments.

Canada Preferred

Default / Recommended

Our default configuration. Core infrastructure and persistent storage stay in Canada. Canadian services are used wherever suitable; approved non-Canadian processors may be used only for selected features, fallback, or capacity overflow, never as the permanent storage location for your records.

Canada Strict

Canada-Only Storage & Processing

Storage and processing both remain in Canada for supported workflows. Features requiring non-Canadian processing are disabled or routed to Canadian alternatives. No U.S.-based AI processors are used. Built for customers with strict Canadian data requirements.

U.S. Processing Preferred

U.S.-Based AI Processing

Intended for U.S. customers who prefer U.S.-based AI processing. Eligible AI workflows, including report generation, chat, system workflows, transcription fallback, and advanced AI features, may be routed through approved U.S. processors.

Standards & safeguards

Our platform is designed to align with the key frameworks governing healthcare data, backed by layered technical safeguards.

HIPAA: U.S. Health Insurance Portability and Accountability Act
PIPEDA: Canada's Personal Information Protection and Electronic Documents Act
PHIPA: Ontario's Personal Health Information Protection Act
Encryption in transit and at rest
Role-based access controls
Authentication & audit logging
Monitoring & vulnerability management
Private, managed cloud infrastructure
Least-privilege access for staff

Privacy & legal documents

Review the policies that govern how we handle your data and how our services may be used.

Questions about compliance or security?

Our team is happy to discuss our approach to data privacy and security for your specific context.