Security & Privacy

Your data, your jurisdiction.

Hosted in the EEA. Encrypted at rest and in transit. Authenticated through national eIDs where they exist. Never used to train models you have not opted into. The patient owns the record, always.

Built to clinical-grade standards
GDPR-compliant · CE-marked · EEA-hosted · ISO 27001-aligned
Four principles

How we hold the data, plainly stated.

Principle 01

Sovereignty.

Patient data lives in the European Economic Area. Recordings and notes are stored on infrastructure subject to EU law — not transferred outside without explicit, lawful basis.
Principle 02

Encryption.

Encryption in transit (TLS 1.3) and at rest (AES-256). Engineers don't have access to raw clinical material — clinical data is isolated from product development.
Principle 03

Identity.

Sign-in uses a one-time email passcode by default, with national electronic ID — BankID and Buypass — available to clinicians in Norway. Session tokens are hashed and salted in the database, and revocable on demand.
Principle 04

No model training.

Your consultations never become someone else's training data. We do not train large models on clinical recordings, transcripts or notes. Opt-in research collaborations are governed by a separate data-processing agreement.
The practices

The specifics, kept short on purpose.

Things your security or privacy team will want to know before the questionnaire begins.

Audio retention

No audio is ever stored. Stenoly transcribes consultations in five-second chunks; each chunk is destroyed the moment it is transcribed. No full recording of any consultation exists, anywhere.

Note retention

Notes are kept for 24 hours by default — long enough to review, edit, and send to your EHR — then permanently deleted. A delete-now button is available at any moment.

Access control

Each clinician sees only their own consultations. Notes do not leave the user that authored them, except when explicitly sent to the EHR.

Sub-processors

Microsoft Azure (compute, models, speech), Anthropic and Mistral (models), Speechmatics (speech), Vercel (hosting), and Neon (database). EEA-hosted where available; sub-processors that handle clinical data are under signed DPAs.

Security testing

Internal pentesting and red-team work is run by the engineering team. Vulnerability disclosure to security@stenoly.ai is acknowledged within one business day.

Have a security questionnaire? security@stenoly.ai — our privacy lead replies personally, often within a business day.
From clinicians using Stenoly

In their own words.

Stenoly has made my workday so much easier. When my last patient leaves now, all my clinical notes are already complete. I get efficient and structured notes in real-time.

A major advantage is also the impressive interpretation of English conversations into precise local language. The tool works seamlessly for both physical consultations and e-consultations.

The result is that I save 1–2 hours daily — without affecting my salary. A game changer in a busy clinical day.

Amalie Moger
Resident Physician
Try it free for fourteen days

Get your evenings back.

Free for fourteen days, no card required.
