Enterprise-Grade Security

Your patients trust you with their health.
We take that seriously.

Medsage is built on Google Cloud's SOC 2 Type II certified infrastructure, with encryption at rest and in transit, complete audit trails, and architecture designed to align with AHPRA, GDPR, and PDPA standards.

Built on infrastructure that passes audits.

We chose Google Cloud because clinical data demands the highest standard of security available — not because it was convenient.

SOC 2 Type II Certified

Independently audited controls for security, availability, and confidentiality. Not a self-assessment — a real audit.

Encryption everywhere.

TLS 1.2+ in transit, AES-256 at rest. No patient data is ever transmitted unprotected.

Complete audit trail.

Raw audio preserved alongside the structured note for every session — a defensible, timestamped record for any regulatory review.

Six levels of access control.

Each user sees only what they're authorised to see. Interns can't access admin data. Reception can't edit clinical notes.

How AI scribing handles your data.

The AI scribing feature uses Google Gemini API. Here is exactly what happens to your consultation audio — no vague promises.

Logging Disabled

The Gemini API is configured with request logging disabled. Audio is not logged, stored, or reviewed by Google.

No Model Training

Google does not retain or use consultation audio to improve its public AI models under the API terms applicable to Medsage.

Data Processing Addendum

Google's processing is governed by their Cloud Data Processing Addendum — a formal agreement, not a checkbox.

Cross-Border Disclosure

Audio may be processed outside your jurisdiction. Standard Contractual Clauses apply where required under GDPR.

AI Data Protection Shield

Clinical safety is built into the code.

AI can never overstep into clinical decision-making. Not by configuration. Not by accident. This is how it works:

Clinician-only fields are enforced, not configurable.

Pulse, tongue, pattern differentiation, acupoints, herbal formulas, treatment principles — the AI never populates them. This is enforced at the code level. No admin can change it.

Every AI output is a draft, not a record.

The practitioner reviews, edits, and approves before anything becomes a clinical record. The AI drafts. Humans decide.

No setting can disable this. No workaround exists.

Clinical safety boundaries are in the codebase, not in a settings panel. This is a philosophy, not a feature toggle.
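One way to express the two boundaries above in code is an allow-list of AI-writable fields plus a draft-to-record state that only a named clinician can advance. The following is an added example, not Medsage's own code: the clinician-only field names come from the page's list, while the AI-writable field names, the `Note` data model and the function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Any, Dict, List, Optional, Tuple

# Clinician-only fields from the page's list. A module-level frozenset, not a
# configuration value: nothing at runtime (settings panel, admin role) can widen
# what the AI is allowed to write.
CLINICIAN_ONLY_FIELDS = frozenset({
    "pulse", "tongue", "pattern_differentiation", "acupoints",
    "herbal_formula", "treatment_principle",
})

# Fields the AI draft may populate (assumed names for this example). The guard
# is an allow-list: anything not listed here is dropped, so a new key appearing
# in model output is excluded by default rather than let through.
AI_WRITABLE_FIELDS = frozenset({"chief_complaint", "history", "subjective_notes"})

# Fail at import time if the two sets ever overlap; a bad constant should stop
# the service from starting, not silently leak AI text into a clinician field.
assert not (AI_WRITABLE_FIELDS & CLINICIAN_ONLY_FIELDS)


class NoteStatus(Enum):
    DRAFT = "draft"    # produced by AI or under clinician editing; not a record
    RECORD = "record"  # approved by a named clinician


class ClinicalBoundaryViolation(Exception):
    """Raised when a write would cross the AI/clinician boundary."""


@dataclass(frozen=True)
class Note:
    fields: Dict[str, Any]
    status: NoteStatus
    approved_by: Optional[str] = None


def ai_draft(model_output: Dict[str, Any]) -> Tuple[Note, List[str]]:
    """Turn raw model output into a DRAFT. Returns the draft and the sorted
    list of refused keys so the caller can log them: a model that keeps
    emitting clinician-only keys is something a team wants to notice."""
    accepted = {k: v for k, v in model_output.items() if k in AI_WRITABLE_FIELDS}
    refused = sorted(k for k in model_output if k not in AI_WRITABLE_FIELDS)
    return Note(fields=accepted, status=NoteStatus.DRAFT), refused


def clinician_edit(note: Note, updates: Dict[str, Any]) -> Note:
    """The only path that can set clinician-only fields. The result is still a
    DRAFT; editing does not approve."""
    if note.status is not NoteStatus.DRAFT:
        raise ClinicalBoundaryViolation("only drafts can be edited")
    return Note(fields={**note.fields, **updates}, status=NoteStatus.DRAFT)


def approve(note: Note, clinician_id: str) -> Note:
    """Promote a DRAFT to a RECORD. Requires a clinician identity; there is no
    parameter that lets an automated caller skip this step."""
    if not clinician_id:
        raise ClinicalBoundaryViolation("approval requires a clinician identity")
    if note.status is not NoteStatus.DRAFT:
        raise ClinicalBoundaryViolation("only drafts can be approved")
    return Note(fields=dict(note.fields), status=NoteStatus.RECORD,
                approved_by=clinician_id)


def run_demo() -> Note:
    """Constructed walk-through: model output that tries to fill 'pulse' and
    'acupoints', a clinician who sets pulse herself, then approval."""
    draft, refused = ai_draft({
        "chief_complaint": "headache for three days",
        "pulse": "wiry",          # refused: clinician-only
        "acupoints": "LI4, LR3",  # refused: clinician-only
        "unexpected_key": "x",    # refused: not on the allow-list
    })
    assert refused == ["acupoints", "pulse", "unexpected_key"]
    edited = clinician_edit(draft, {"pulse": "wiry"})
    return approve(edited, clinician_id="dr_example")


if __name__ == "__main__":
    print(run_demo())
```

The point of the shape is that the boundary lives in constants and function signatures rather than in data: there is no argument to `ai_draft` that widens the allow-list and no argument to `approve` that bypasses the clinician identity, so an administrator with full settings access still cannot change the behaviour without a code change and a deploy.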

Designed for global regulatory standards.

Whether you practise in Australia, the US, Europe, or Asia — Medsage's infrastructure is engineered to support your compliance obligations.

🇦🇺 Australia: Privacy Act · AHPRA
🇪🇺 European Union: GDPR
🇸🇬 Singapore: PDPA
🇨🇦 Canada: PIPEDA
🇺🇸 United States: CPRA

HIPAA Notice: Medsage is not a HIPAA-covered entity and does not currently offer HIPAA Business Associate Agreements (BAA). US-based healthcare providers subject to HIPAA should consult their legal advisor before storing regulated Protected Health Information (PHI) in Medsage.

Your responsibility: While Medsage's infrastructure is designed to support these regulatory standards, compliance with applicable laws in your jurisdiction remains your responsibility as the practitioner or clinic operator.

You own your data. Always.

What we do

Store your clinical data securely on your behalf

Process audio to generate note drafts

Provide you with data exports on request

Delete your data when you ask us to

Notify you of any security incidents

What we never do

Sell your data to third parties

Use patient records to train public AI models

Access your clinical notes without authorisation

Share data with advertisers

Use your data for purposes other than providing the Service

Questions about our security practices?

We're happy to discuss our technical controls, answer questions for procurement reviews, or provide additional documentation for your compliance team.