Security & Compliance

How Case Scribe protects your data and your participants' information

🇦🇺

Australian data

Stored in Sydney

🔒

Encrypted

In transit & at rest

👤

Row-level security

Your data, only you

🤖

No AI training

On your data

Data Storage

All participant data, case notes, and account information is stored in Supabase PostgreSQL, hosted in the Sydney, Australia region. Your data remains on Australian soil and is subject to Australian data protection laws.

Case Scribe does not store data in the United States or any other jurisdiction, except when temporarily processed by the Anthropic API to generate AI outputs.

Access Controls

Row Level Security (RLS)

Case Scribe enforces Row Level Security at the database level. Each Employment Mentor can only access their own participants and notes. Team Leaders can only access their assigned team. No user can access another organisation's data.

Authentication

Authentication via Supabase Auth with JWT tokens
Passwords are never stored in plain text
Email confirmation required for all new accounts
Sessions expire automatically after inactivity

Encryption

In transit: TLS 1.2+ (HTTPS) for all communication
At rest: AES-256 encryption via Supabase
API keys: Stored as environment variables, never exposed client-side

AI Processing — Anthropic API

Case Scribe uses the Anthropic API (Claude) to generate case notes, coaching plans, CV content, policy answers, and participant summaries.

Anthropic does not use data submitted via their API to train AI models. Data is processed solely to generate the requested output. See Anthropic's Privacy Policy.

Background context documents

ESAt summaries, resumes, and uploaded documents are processed to generate a participant summary and then immediately discarded. Raw documents are not stored in Case Scribe's database.

Voice Transcription — OpenAI Whisper

Audio recordings are sent to OpenAI Whisper for transcription only. Audio is not retained by OpenAI or Case Scribe after transcription. See OpenAI's Privacy Policy.

Infrastructure

Component	Provider	Location	Purpose
Application server	Railway	United States	Node.js/Express API hosting
Database	Supabase	Sydney, Australia	All participant and user data
AI generation	Anthropic API	United States	Note generation, coaching, policy
Voice transcription	OpenAI Whisper	United States	Audio transcription only
Payments	Stripe	United States	Subscription billing

IEA Compliance Responsibilities

WAOP remains the system of record. Case Scribe does not replace any mandatory recording obligations under the IEA Deed.
Users are responsible for accuracy. AI-generated notes are drafts — review before saving.
Policy guidance is a reference tool. Always verify critical compliance decisions with your account manager.
Participant consent. Organisations should inform participants about AI-assisted note preparation consistent with their privacy notices.

Incident Response

Affected users notified within 72 hours of a notifiable data breach
OAIC notified as required under the Notifiable Data Breaches scheme
Full incident disclosure including data affected and containment steps

Report a security concern: security@casescribe.com.au

Security questions or concerns?

Security: security@casescribe.com.au

Privacy: privacy@casescribe.com.au

We respond to all security enquiries within 2 business days.