Built to protect clinical data.

In Private Session, dictated audio and transcripts are processed in memory and are not written to persistent storage.

Every byte that leaves your device is encrypted with TLS 1.2 or higher. The same applies to traffic between our servers and the AI providers we use. No plain-HTTP fallback exists anywhere in the stack.

• Authentication is handled by a dedicated identity provider with multi-factor support.
• Administrative endpoints are gated by an explicit allowlist — the default state is deny. When the list is empty, no one is admin.
• Production access to backing services follows least-privilege and is reviewed on a regular cadence.

RadReason does not store dictated audio or transcripts in Private Session. Case data is only stored if the user explicitly chooses to save a case.

The in-app session — the conversation you see on screen — is held in your browser and cleared when you log out, leave the page, or start a new case.

Operational metadata we do keep — model name, latency, success/failure, token counts — is non-identifiable and sits alongside the model usage record. Access is restricted to a small set of operators under least-privilege.

All transcript content is redacted from application logs. Logs contain only non-identifiable operational data.

We use a small set of trusted providers for authentication, transcription, and reasoning. Each is contractually configured to protect your data and to refrain from training on your inputs. Vendor security posture is reviewed before integration and re-reviewed on changes.

If you believe you've found a security issue, please email support@radreason.com with steps to reproduce. We acknowledge reports within 24 hours and won't pursue legal action against good-faith researchers acting under reasonable disclosure.