> ## Documentation Index
> Fetch the complete documentation index at: https://docs.scribe.commure.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Consent & Platform FAQ

> Quick answers to the recording consent, data handling, and security questions patients and staff ask most.

Quick reference for patient and team questions about recording consent, data handling, and platform security.

## Patient Consent Guidance

We recommend a two-step approach that covers both intake and the moment of care.

<Steps>
  <Step title="Written waiver at intake">
    Have patients sign a written waiver as part of their intake paperwork, before the visit begins.
  </Step>

  <Step title="Verbal permission at the encounter">
    Ask the patient verbally for permission to use a note-taking tool at the start of each encounter, before activating recording.
  </Step>
</Steps>

<Warning>
  Verify your consent workflow against applicable local, state, and federal requirements. Requirements vary by jurisdiction.
</Warning>

## Platform FAQ

<AccordionGroup>
  <Accordion title="What does the platform capture?">
    When recording is activated, the platform captures ambient audio from the patient encounter along with patient demographic data. That audio is converted into transcripts and structured clinical outputs.
  </Accordion>

  <Accordion title="Is raw audio retained, or only the generated note? What is the default retention period?">
    Both are retained. Patient demographic data, audio recordings, transcripts, generated clinical outputs, and usage logs are all retained for 6 years.
  </Accordion>

  <Accordion title="Where is data stored? Is it kept in the United States?">
    For US-based customers, all data is processed and stored within the United States.
  </Accordion>

  <Accordion title="What encryption standards are used in transit and at rest?">
    Data in transit is encrypted with TLS 1.2 or higher. Data at rest is encrypted with AES-256.
  </Accordion>

  <Accordion title="How are access controls managed, and is there an audit trail?">
    Access is role-based on a least-privilege model and provisioned only through documented requests. Comprehensive audit logs capture access, edits, and exports at the individual record level. Access permissions are reviewed monthly.
  </Accordion>

  <Accordion title="What certifications or attestations does Commure hold?">
    Commure holds a SOC 2 Type II attestation. Full security documentation is available at the [Commure Trust Center](https://commure.com/trust-center).
  </Accordion>

  <Accordion title="Are there subprocessors or third parties that handle patient data?">
    Yes. Subprocessors are involved. All are HIPAA-compliant, have Business Associate Agreements (BAAs) in place, and undergo security reviews at least annually.
  </Accordion>

  <Accordion title="Is patient data used to train AI models? Can that be turned off?">
    No. Models are never trained using Protected Health Information (PHI). There is no opt-out required.
  </Accordion>

  <Accordion title="What is the breach notification process and timeline?">
    The breach notification process and timeline are defined in the active Business Associate Agreement (BAA). Please refer to that document for specifics.
  </Accordion>
</AccordionGroup>

For additional questions, visit the [Commure Trust Center](https://commure.com/trust-center).

<Info>
  See also [HIPAA Compliance & BAA](/security-compliance/hipaa-compliance-baa) and [Data Retention Policy](/security-compliance/data-retention-policy).
</Info>
