Security | 5 Feb 2026

Security and Privacy FAQ

Common questions about how Medilee protects your data and maintains compliance.

Medilee is designed for medico-legal work, where privacy, security, and trust are critical. The answers below address common questions from specialists, clinics, and technical, IT, and compliance teams.

What type of data does Medilee handle?

Medilee processes medico-legal information, including referral documents and supporting records, interview audio recordings and transcripts, and AI-generated summaries and draft reports.

This information may include personal, sensitive, and health information, which is why Medilee is built with security and compliance as a core design principle.

Who owns the data uploaded to Medilee?

You do.

All data uploaded to or generated within Medilee remains the property of your practice or organisation. Medilee does not claim ownership of your data and does not use customer content to train public or shared AI models.

Is Medilee compliant with Australian privacy requirements?

Yes.

Medilee is designed to align with the Australian Privacy Principles and relevant state-based health records legislation. Privacy requirements are embedded into how data is collected, processed, stored, accessed, and retained.

Review Medilee's Privacy Policy

Where is data stored?

Medilee uses secure, enterprise-grade cloud infrastructure with strong regional controls.

Data is stored in approved cloud environments with encryption at rest and in transit. Access to production systems is tightly restricted and continuously monitored.

If your organisation has specific data residency requirements, these can be discussed during onboarding.

How is my data protected?

Medilee applies multiple layers of security, including encryption of data at rest and in transit, role-based access controls so users only see what they are permitted to, secure authentication and identity management, and continuous logging and monitoring of system activity.

More detail on Medilee's security approach

Who can access my data?

Access is strictly limited.

Only authorised users within your organisation can access your cases. Access is controlled by defined user roles and permissions, and all access is logged and auditable. Medilee staff do not access customer data unless explicitly authorised for support or troubleshooting purposes.

Is AI used safely and responsibly?

Yes.

Medilee uses AI to assist with transcription, summarisation, and drafting, but AI outputs are always reviewable and editable by the specialist. AI does not make clinical or medico-legal decisions.

Customer data is not used to train public or shared AI models. AI is used as an assistive tool, not a replacement for professional judgement.

Do you use our data for quality assurance or product improvement?

Yes, in a privacy-protective way.

To ensure Medilee's transcription, summarisation, and drafting features remain accurate and clinically relevant over time, Medilee may use de-identified data for quality assurance and model evaluation.

Before any data is used for this purpose, identifying information is removed or masked so it cannot be linked back to a specific individual, organisation, or case.

Medilee follows best-practice medical de-identification approaches aligned with the Stanford clinical text de-identification standard. This includes the removal or transformation of direct and indirect identifiers commonly found in clinical content, such as names, contact details, addresses, dates, identifiers, and other information that could reasonably identify a person or organisation.

De-identified data is used only to assess quality and relevance of outputs. It is handled under strict access controls and governance processes.

Can de-identified data be traced back to my organisation or cases?

No.

De-identified data used for quality assurance does not contain identifiers that can reasonably be used to re-identify a person, organisation, or specific matter. Medilee does not use de-identified data to build customer profiles or benchmark individual organisations.

Are interviews and recordings stored securely?

Yes.

Audio recordings and transcripts are treated as sensitive data and protected with the same security controls as other medico-legal documents. Access is restricted to authorised users associated with the relevant case.

Does Medilee support single sign-on?

Medilee supports modern authentication approaches, including integration with enterprise identity providers where required. This allows organisations to apply their own identity, access, and password policies consistently across systems.

Is Medilee audited or independently assessed?

Medilee is built to support recognised security and compliance frameworks, including ISO 27001 and SOC-aligned controls.

Independent penetration testing, control validation, and ongoing assurance activities form part of Medilee's security program to ensure controls are operating effectively, not just documented.

Additional security and assurance information is available through the Medilee Trust Centre.

Visit the Trust Centre

How does Medilee handle security incidents?

Medilee maintains a formal incident response process that includes monitoring and detection of security events, defined escalation and response procedures, and customer notification where required by law.

The focus is on rapid containment, transparency, and continuous improvement.

Can organisations review Medilee's security posture in more detail?

Yes.

Medilee provides security documentation, policy summaries, and responses to due-diligence questionnaires as part of procurement, onboarding, or vendor risk assessments.

Further information is available via the Trust Centre.


What if I have specific security or privacy requirements?

We encourage you to reach out.

Medilee regularly works with clinics, insurers, and organisations with strict legal, privacy, or IT requirements.

Contact us to discuss your needs

Need more information?

We're happy to discuss your specific security and privacy requirements.