Encryption
Data is encrypted in transit with TLS 1.2 or higher, and sensitive data including PHI is encrypted at rest using strong encryption with secure key management.
Wavo Security Center
Security built for clinical documentation
Wavo protects patient information across the note workflow, from secure authentication and encryption to private AI handling and clinician-controlled retention.
HIPAA
Administrative, physical, and technical safeguards for PHI.
PIPEDA
Privacy practices designed for Canadian healthcare workflows.
TLS 1.2+
Encrypted web and API communications in transit.
AES-256 / AES-GCM
Strong encryption for sensitive data at rest.
Data protection
Safeguards across the clinical note lifecycle
The controls below cover how data is accessed, encrypted, monitored, processed by AI, retained, and deleted.
Scoped access
Access is scoped by user and organization, following the minimum necessary principle so users can only reach the data they are authorized to use.
Audit logging
Audit logs record access to and use of sensitive data, including document views and exports, to support monitoring and compliance reviews.
Authentication
Wavo uses a trusted identity provider for unique user identification, strong passwords, session management, and MFA or SSO where supported.
Secure hosting
The platform runs in secure, cloud-hosted environments with providers that maintain strong physical and logical security controls.
No AI training on PHI
Wavo's AI does not train on Protected Health Information, helping keep clinical data private.
No audio retention by default
Wavo processes the recording, generates the clinical note, and then automatically deletes the audio.
Clinician-controlled retention
Users and organizations can adjust retention preferences, delete notes and recordings from account settings, or enable 30-day auto-deletion.
Data ownership
You retain ownership of the data you create in Wavo. Wavo does not sell personal information or PHI.
Compliance
Built for healthcare privacy obligations
Wavo's privacy and security program is designed around HIPAA requirements for protecting PHI and PIPEDA privacy principles for Canadian healthcare workflows.
Business Associate Agreements with vendors that create, receive, maintain, or transmit PHI on Wavo's behalf.
Periodic risk assessments to identify PHI risks and reduce them to an acceptable level.
Security and HIPAA awareness training for the workforce, refreshed at least annually.
Incident response procedures for identifying, assessing, and notifying affected parties where required by law.
Policies on request
Breach Notification, Vendor Management, Information Security, Data Protection, subprocessor information, and additional policy summaries are available on request.