Privacy compliance hosted with Vanta – the third party trust centre
Trusted Hosting with AWS
Co-Linic AI is hosted on Amazon Web Services (AWS), one of the most reliable hosting platforms worldwide. AWS uses top-notch security measures, including human and video surveillance, intrusion detection systems, and strict security protocols, to keep your data safe at all times.
End to end encryption
We use end-to-end encryption to protect all your notes and reports. By default, only you — and those with permission — can access the information. If you’re part of an organization, your company admin may have access depending on the permissions they’ve been given. No one else, including our team, can view your data unless you choose to share it.
Strong Security and Encryption
Your data is well-protected with us. Your data is backed up every day and stored securely in Australia, ensuring it is protected whether it is stored or being transmitted, only accessible through TLS/SSL encryption.
ISO27001 Compliance
ISO 27001 is the leading international standard for information security. It means we follow strict, audited processes to keep your data safe, confidential, and well-managed. To maintain this high standard, we work with Vanta, a trusted third-party platform that continuously monitors our systems for compliance and security.
As a healthcare professional, you can trust that your client data is protected with the same level of care you provide in your work.
HIPAA Compliance
HIPAA (Health Insurance Portability and Accountability Act) sets the standard for handling protected health information (PHI) in the U.S. Being HIPAA compliant means we follow strict rules to safeguard your clients’ personal and medical information — including how it’s stored, shared, and accessed.
To ensure ongoing compliance, we partner with Vanta, a trusted third-party platform that continuously monitors our systems for security and privacy risks.
Australia Privacy Act 1988 Compliance
We follow the Australian Privacy Act to protect the personal and sensitive information you manage every day. This means client data is stored securely, handled with care, and only accessed by those with proper permission.
How We Handle De-Identification and What Information Is Removed
In compliance with HIPAA, we follow the Safe Harbor method for de-identification. This means we remove specific types of identifiers from data to ensure individuals cannot be identified. According to HIPAA §164.514(b)(2)(i), the following identifiers of the individual, their relatives, employers, or household members must be removed:
2. All geographic subdivisions smaller than a state, including:
• Street address
• City
• County
• Precinct
• ZIP code and equivalent geocodes
• The first three digits of a ZIP code may be retained only if the combined area has more than 20,000 people (based on current public Census data).
• If the combined area has 20,000 or fewer people, the first three digits must be replaced with “000”.
• Birth date
• Admission and discharge dates
• Date of death
• Ages over 89 must be aggregated into a category of “90 or older”.
• Telephone numbers
• Fax numbers
• Email addresses
• Social Security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers (e.g., license plate numbers)
• Device identifiers and serial numbers
• Web URLs
• IP addresses
• Biometric identifiers (e.g., fingerprints, voiceprints)
• Full-face photographs and similar images
• Any other unique identifying number, characteristic, or code (unless specifically allowed under HIPAA §164.514(c))
6. The covered entity must not have actual knowledge that the information could still be used (alone or with other data) to identify the individual.
We are fully HIPAA-compliant. This means we have already applied the above de-identification standards to your clients’ data, ensuring their privacy and protecting sensitive information.
How we use or store your data in each step
| Step in the process | How we use your data | How we store your data |
|---|---|---|
| Step 1 – Create / Select a Client Profile | The information you provide through the 5 quick questions is used to build the client’s profile, allowing our system to select the appropriate diagnosis and retrieve relevant insights from our AI database to get better analysis and elaboration for report generation. All personally identifiable health information (PHI) is automatically de-identified before being used in any further processing. | We store client information in a secure system provided by Amazon Web Services (AWS), which meets strict healthcare privacy standards like HIPAA. All data is safely encrypted both when it’s saved and when it’s being shared, so it stays protected at all times. Only authorized team members can access any personal details. Simply put, your data is kept as safe as your money in a bank. |
| Step 2 – Upload Files (short notes, speech reports, sample reports, scans, docx) | Uploaded documents are parsed so the AI can mirror your layout and writing style and pull any relevant clinical facts. Before parsing, each file is run through our de-identification pipeline to scrub names, IDs, dates of birth, and other PHI. | The raw originals are encrypted at rest in an S3 bucket with bucket-level versioning and Object-Lock (WORM) for auditability. De-identified working copies sit in a short-lived processing store that auto-purges after 30 days or when you delete the case. All storage inherits AWS HIPAA / ISO27001 controls. Which means your documents are stored in a way that ensures privacy, traceability, and automatic cleanup—like having a locked filing cabinet that clears itself after 30 days unless you tell it otherwise, all within a system designed to meet strict medical data protection standards. |
| Step 3 – AI Processing (“Let the Magic Happen”) | The de-identified data is sent to a secure system that analyses it to generate a draft report. This system uses the client’s profile and your uploaded documents to produce a report that matches your writing style and includes diagnosis-specific language. No personal health information ever leaves our secure environment. You have the option to choose how your data is used: you can tick a box to allow it to be used for training your account’s AI only, or to share de-identified data with us to help improve the overall system. If you choose to share your data with us, it will be de-identified again before being used for training our models. “Training your account’s AI only” means the system learns solely from your own data, within your individual account. Nothing is shared with the broader company system. So, even if your reports are getting better and smarter, we won’t know — it’s your own private upgrade! | Your data is securely stored on Amazon Web Services (AWS), which meets strict healthcare standards like HIPAA and ISO 27001. All information is encrypted both when stored and when transferred. Uploaded files are kept in secure, encrypted storage with automatic deletion after 30 days or when you remove the case. Any data used for training stays within your account unless you choose to share it, and all shared data is re-de-identified before being used to improve our system. |
| Step 4 – Review & Edit in Real Time | While you edit the AI-generated report, the system logs your changes and optional chat messages with Coli so it can refine suggestions. At here we use Claude to support you with refine Draft + edits remain linked to the client profile. | Edits are stored in real-time in an encrypted document store with version history. Access is limited to the logged-in clinician and authorised collaborators. Idle sessions time-out after 30 minutes; unsaved drafts are still retained in the same encrypted store. |
| Step 5 – Finalise & Export | When you click Export, the final report is merged with any re-identified client details (if you choose), then rendered to Word/PDF or emailed / saved back to the client record. Transient export files are discarded after delivery. | The signed-off report is stored in the client’s secure folder (AWS S3 + AES-256). Audit logs record who exported, when, and where it was sent. If you email directly, messages are sent via our HIPAA-compliant relay with forced TLS. You may delete or archive the report at any time through the dashboard. |
Key safeguards applied across every step
• End-to-end encryption (TLS 1.2+ in transit, AES-256 at rest)
• Automatic de-identification before any processing
• HIPAA-eligible AWS services with SOC 2 & ISO 27001 compliance
• Role-based access controls & audit logs for every data access
• Configurable retention policies, so you keep only what you need, for as long as you need
How to we dispose your data
We are committed to ensuring your data is handled securely throughout its entire lifecycle — including when it’s no longer needed. Our data disposal practices comply with HIPAA, ISO 27001, and the Australian Privacy Act 1988 to protect your privacy at all times.
Here’s how we manage and dispose of your data:
• Deleted File Retention (30-Day Grace Period):
When you delete a participant profile or any uploaded file, it is first moved to a Deleted Files box where it is retained for 30 days. During this period, you can recover or permanently delete the data at any time.
• Automatic Deletion After 30 Days:
If no action is taken, the deleted data is automatically and permanently erased from our systems after 30 days.
• Manual Permanent Deletion:
You can choose to immediately and permanently delete any file or profile from the Deleted Files box. Once manually deleted, the data is unrecoverable.
Online Editor – How We Process
We use Aspose (https://metrics.aspose.com/) as our secure online document editor to enable smooth and convenient editing of your reports.
Aspose functions purely as a viewing and editing interface — it does not store or retain any information you enter. Think of it like a tap: it allows content to flow for editing purposes, but it does not keep or store the content itself.
All written content is securely saved directly to our AWS servers , which are fully encrypted and compliant with healthcare data protection standards such as HIPAA and ISO 27001. Your data is never stored in Aspose and is only processed through it temporarily for editing within your session.
how can I control who can see my reports
For Individual Clinician Accounts
• Template Sharing (Optional): If you create templates, you can decide whether to keep them private or upload them to the shared community library for other clinicians to view and use. This is entirely optional and controlled by you.
For Company Manager Accounts
• Control Access Across the Team:
As a company manager, you can define what each clinician in your organization can access. This includes client profiles, reports, templates, and writing styles.
• Upload and Manage Templates for the Team:
Managers can upload shared templates and custom writing styles to be used across the team, ensuring consistency and saving time.
• View Clinician Activity:
Company managers have visibility into which reports have been completed and what content individual clinicians have written. This helps with oversight, quality assurance, and team coordination.
• Pre-Upload Participant Information:
Managers can upload participant data and documentation ahead of time, so clinicians have what they need when they begin writing. This streamlines workflows and reduces admin time for clinicians.