DPA summary for customer review

Roles

The customer is the controller of participant and provider personal information. NDIScribe acts as processor and service provider for customer data submitted to the workspace.

Processing instructions

NDIScribe processes customer data only to provide and secure the service, generate exports and AI drafts that the customer requests, support the account, meet legal obligations, and protect the service from abuse. Participant data is de-identified before any AI processing, and it is encrypted in transit and at rest.

Subprocessor categories

• Application hosting: Hosting and serving the NDIScribe workspace from Australian data residency
• AI processing: Generating drafts, scores, and summaries from de-identified text only
• Billing: Subscription billing and invoices
• Transactional email: Account, security, and notification emails
• Error monitoring: Service reliability monitoring with personal information scrubbed

Data residency and data flow detail is maintained on the security page.

Security measures

Controls include authenticated sessions, role based access gates, queries scoped to each organisation, de-identification of participant data before AI processing, encryption in transit and at rest, audit events for regulated write paths, and owner only export and deletion controls.

Assistance

We assist customers with access, deletion, correction, security questionnaire, and incident response requests via mitsi@ndiscribe.com.