Scribeberry Docs

Security & Best Practices

Security considerations, HIPAA compliance, and production best practices for Scribeberry integrations.

Scribeberry processes sensitive healthcare data. Follow these guidelines to keep your integration secure and compliant.

API Key Security

Do

  • ✅ Store API keys in environment variables or a secrets manager
  • ✅ Use separate keys for development and production
  • ✅ Use temporary tokens (sb_rt_) for any client-side/browser code
  • ✅ Rotate keys every 90 days
  • ✅ Monitor usage in the Scribeberry Console for anomalies

Don't

  • ❌ Hardcode API keys in source code
  • ❌ Commit keys to version control (even private repos)
  • ❌ Share keys between services or team members
  • ❌ Use sk_live_ or sk_test_ keys in browser JavaScript
  • ❌ Log API keys or include them in error reports

Temporary Token Pattern

For any situation where credentials might be visible to end users (browsers, mobile apps, desktop apps), always use the temporary token pattern:

// ✅ SECURE: Server creates short-lived token
const { token } = await sb.realtime.createToken({ expiresInSeconds: 3600 });
// Pass token to client
 
// ❌ INSECURE: Sending full API key to client
res.json({ apiKey: process.env.SCRIBEBERRY_API_KEY }); // NEVER DO THIS
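The snippet above shows the two calls; what it leaves out is everything around the secure one: who is allowed to ask your server for a token, and how long that token should live. The following is an added example, not Scribeberry's own code. The only call taken from this page is sb.realtime.createToken({ expiresInSeconds }); the request shape, the session check, the 15-minute cap and the FakeScribeberryClient stand-in (so the example runs offline) are assumptions.

```javascript
// Added example, not Scribeberry's own code. Assumed (not from this page):
// the req shape, the session check, the 15-minute cap, and the
// FakeScribeberryClient stand-in so the example runs offline. The only call
// taken from the page is sb.realtime.createToken({ expiresInSeconds }).

const MAX_TOKEN_TTL_SECONDS = 15 * 60;    // upper bound a client may request (assumption; page shows 3600)
const DEFAULT_TOKEN_TTL_SECONDS = 5 * 60; // used when the client sends nothing usable

// Offline stand-in for the SDK client: holds the server key, exposes
// createToken, and never hands the key back out.
class FakeScribeberryClient {
  constructor(apiKey) {
    if (!/^sk_(live|test)_/.test(apiKey)) throw new Error('expected a server-side sk_ key');
    this.realtime = {
      createToken: async ({ expiresInSeconds }) => ({
        // Token body is made up here; only the sb_rt_ prefix comes from the page.
        token: 'sb_rt_' + Math.random().toString(36).slice(2, 14),
        expiresAt: new Date(Date.now() + expiresInSeconds * 1000).toISOString(),
      }),
    };
  }
}

// Never trust a client-supplied lifetime: coerce, then clamp.
function clampTtl(requested) {
  const n = Number(requested);
  if (!Number.isFinite(n) || n <= 0) return DEFAULT_TOKEN_TTL_SECONDS;
  return Math.min(Math.floor(n), MAX_TOKEN_TTL_SECONDS);
}

// Refuse to emit any response body that carries a server key, whatever
// upstream bug put it there.
function assertNoServerKey(body) {
  if (/sk_(live|test)_/.test(JSON.stringify(body))) {
    throw new Error('refusing to send a server API key to the client');
  }
  return body;
}

// Framework-agnostic handler. req = { session?: { userId }, body?: { expiresInSeconds? } };
// returns { status, body } for the caller to send.
async function handleCreateRealtimeToken(req, sb) {
  // Only your own authenticated users may mint tokens: an open endpoint lets
  // anyone on the internet burn your project's quota under your key.
  if (!req.session || !req.session.userId) {
    return { status: 401, body: { error: 'authentication required' } };
  }
  const expiresInSeconds = clampTtl(req.body && req.body.expiresInSeconds);
  const { token, expiresAt } = await sb.realtime.createToken({ expiresInSeconds });
  // Return only the short-lived token and its expiry, nothing else.
  return { status: 200, body: assertNoServerKey({ token, expiresAt }) };
}

// Stand-alone demo with a constructed key (not a real credential).
const sb = new FakeScribeberryClient('sk_test_' + 'example000');
handleCreateRealtimeToken({ session: { userId: 'u-42' }, body: { expiresInSeconds: 99999 } }, sb)
  .then((res) => console.log(res.status, res.body));
```

The clamp matters as much as the auth check: a client that can request expiresInSeconds of a week turns a "temporary" token into a long-lived credential that has already been seen in a URL.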

Data Privacy

What Scribeberry Processes

  • Audio streams (realtime transcription)
  • Conversation text (note generation)
  • Template configurations

What Scribeberry Does NOT Store

  • Raw audio data is not persisted after transcription
  • Conversation text is processed in-memory and not stored after note generation
  • Transcripts from realtime sessions are not retained after the WebSocket disconnects

Data in Transit

  • All API communication uses TLS 1.2+ encryption
  • WebSocket connections use WSS (encrypted WebSockets)
  • API keys are transmitted via the Authorization header (never in URLs for REST calls)

⚠️ Warning: For realtime WebSocket connections, the token is passed as a URL query parameter (?token=...). Browsers cannot set custom headers on a WebSocket handshake, so this is standard practice, but it means the token can land in server access logs, proxy logs and browser history. Use short-lived temporary tokens (sb_rt_) here, never an sk_ key, so that a logged URL stops being useful within minutes.
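The "don't log API keys" rule in the list above and the query-parameter warning just given share one fix: redact credentials before anything reaches a log line or an error report, in your own code and in whatever context you attach to errors. The following is an added example, not Scribeberry's own code. It assumes that keys and tokens are the page's prefixes (sk_live_, sk_test_, sb_rt_) followed by URL-safe characters; the real key format is not documented here.

```javascript
// Added example, not Scribeberry's own code. Assumption: keys and tokens are
// the page's prefixes (sk_live_, sk_test_, sb_rt_) followed by URL-safe
// characters; widen the character class if your keys contain other symbols.
const KEY_PATTERN = /\b(sk_live_|sk_test_|sb_rt_)[A-Za-z0-9_-]+/g;
// Realtime tokens travel as ?token=... (see the warning above); mask the value
// wherever a URL is logged, whatever its prefix.
const TOKEN_PARAM_PATTERN = /([?&]token=)[^&\s"']+/g;

function redactSecrets(text) {
  return String(text)
    .replace(KEY_PATTERN, (_m, prefix) => `${prefix}[REDACTED]`)
    .replace(TOKEN_PARAM_PATTERN, (_m, param) => `${param}[REDACTED]`);
}

// Redact every string leaf of an arbitrary value (Error, request context,
// nested config) so structured log payloads are safe as well as messages.
function redactDeep(value, seen = new WeakSet()) {
  if (typeof value === 'string') return redactSecrets(value);
  if (value instanceof Error) {
    return {
      name: value.name,
      message: redactSecrets(value.message),
      stack: redactSecrets(value.stack || ''),
    };
  }
  if (Array.isArray(value)) return value.map((v) => redactDeep(v, seen));
  if (value !== null && typeof value === 'object') {
    if (seen.has(value)) return '[Circular]';
    seen.add(value);
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = redactDeep(v, seen);
    return out;
  }
  return value;
}

// Logger wrapper: everything passes through the redactor before serialisation.
// Returns the emitted line so callers (and tests) can inspect it.
function safeLog(level, message, context = {}) {
  const line = JSON.stringify({
    level,
    message: redactSecrets(message),
    context: redactDeep(context),
  });
  console.log(line);
  return line;
}

// Constructed sample inputs (not real credentials).
const SAMPLE_API_KEY = 'sk_live_' + 'abc123DEF456xyz';
const SAMPLE_WS_URL = 'wss://example.invalid/realtime?token=sb_rt_tok123&lang=en';
safeLog('error', `upstream rejected key ${SAMPLE_API_KEY}`, {
  url: SAMPLE_WS_URL,
  err: new Error(`401 for Authorization: Bearer ${SAMPLE_API_KEY}`),
});
```

Route every log call that could see SDK errors, request headers or WebSocket URLs through a wrapper like this, and run the same redactor over the payload you hand to any crash-reporting service. The pattern is idempotent: a value that has already been masked contains no matching run after the prefix and is left alone.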

HIPAA Compliance

Scribeberry is designed for HIPAA-compliant workflows:

  • No PHI in logs — sensitive data is never logged on our servers
  • Encryption at rest — all stored data is encrypted
  • Access controls — data is isolated per project with row-level security
  • Audit trails — all API key usage is logged
  • BAA available — Business Associate Agreements available for production customers

ℹ️ Info: Contact support@scribeberry.com to execute a BAA for your organization before processing real patient data.

Rate Limiting

Each project has rate limits to ensure fair usage and prevent abuse:

Environment   Default Rate Limit
Sandbox       100 requests/minute
Production    60 requests/minute (configurable per plan)

When you hit a rate limit, the API returns HTTP 429 Too Many Requests. The SDK throws a RateLimitError. See Error Handling for retry strategies.
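Two things keep a 429 from turning into dropped notes: a client-side limiter sized to your plan so most calls never hit the server limit, and a retry that honours the server's Retry-After when one is sent and backs off with jitter when it is not. The following is an added example, not Scribeberry's own code. It assumes the thrown error exposes name === 'RateLimitError' (the class this page names) or status === 429, and optionally retryAfterSeconds; those property names are guesses, so map them from whatever your SDK version actually provides.

```javascript
// Added example, not Scribeberry's own code. Assumptions (not on this page):
// the thrown error exposes name === 'RateLimitError' or status === 429, and
// optionally retryAfterSeconds; adapt these property names to your SDK.

function isRateLimited(err) {
  return !!err && (err.name === 'RateLimitError' || err.status === 429);
}

// Delay before the next attempt: honour Retry-After when the server sent one,
// otherwise exponential backoff with jitter so many clients do not re-collide.
function backoffDelayMs(attempt, err, { baseMs = 500, maxMs = 30000, random = Math.random } = {}) {
  if (err && Number.isFinite(err.retryAfterSeconds) && err.retryAfterSeconds > 0) {
    return Math.min(err.retryAfterSeconds * 1000, maxMs);
  }
  const exp = Math.min(baseMs * 2 ** attempt, maxMs);
  return Math.floor(exp * (0.5 + random() * 0.5));
}

// Run fn, retrying only on rate-limit errors; anything else propagates at once.
// `sleep` is injectable so tests can run without waiting.
async function withRateLimitRetry(
  fn,
  { maxAttempts = 5, sleep = (ms) => new Promise((r) => setTimeout(r, ms)), ...opts } = {},
) {
  for (let attempt = 0; ; attempt += 1) {
    try {
      return await fn();
    } catch (err) {
      if (!isRateLimited(err) || attempt + 1 >= maxAttempts) throw err;
      await sleep(backoffDelayMs(attempt, err, opts));
    }
  }
}

// Client-side token bucket sized to the production default (60 requests/minute)
// so the server limit is rarely reached. `now` is injectable for tests.
class TokenBucket {
  constructor({ capacity, refillPerSecond, now = () => Date.now() }) {
    this.capacity = capacity;
    this.refillPerSecond = refillPerSecond;
    this.now = now;
    this.tokens = capacity;
    this.last = now();
  }
  refill() {
    const t = this.now();
    this.tokens = Math.min(this.capacity, this.tokens + ((t - this.last) / 1000) * this.refillPerSecond);
    this.last = t;
  }
  tryAcquire() {
    this.refill();
    if (this.tokens >= 1) {
      this.tokens -= 1;
      return true;
    }
    return false;
  }
}

// Stand-alone demo: a constructed call that is rate-limited twice, then succeeds.
const demoBucket = new TokenBucket({ capacity: 60, refillPerSecond: 1 });
let demoCalls = 0;
async function demoCall() {
  if (!demoBucket.tryAcquire()) throw Object.assign(new Error('local limiter'), { status: 429 });
  demoCalls += 1;
  if (demoCalls < 3) {
    throw Object.assign(new Error('Too Many Requests'), { name: 'RateLimitError', retryAfterSeconds: 1 });
  }
  return 'note generated';
}
withRateLimitRetry(demoCall, { sleep: async () => {} })
  .then((v) => console.log(v, 'after', demoCalls, 'calls'));
```

Keep maxAttempts small and the cap on Retry-After in place: a realtime session cannot usefully wait a minute for its next request, so past a few attempts it is better to surface the error than to queue work indefinitely.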

Production Checklist

Before going live, verify:

  • Using sk_live_ keys (not sk_test_)
  • API keys stored in environment variables / secrets manager
  • Browser-side code uses temporary tokens only
  • Error handling implemented with retries for transient errors
  • Rate limiting handled gracefully in your application
  • BAA executed with Scribeberry (if processing real PHI)
  • Usage monitoring set up in the Console dashboard
  • API key rotation schedule established
  • No PHI appears in your application logs
