Regulatory Compliance
- All sensitive data is processed and stored exclusively in U.S. data centers.
- Mosaic is designed to support HIPAA-regulated clinical workflows and maintains Business Associate Agreements (BAAs) with all customers and sub-processors.
Encryption & secure handling
- Mosaic encrypts all data using TLS in transit and AES-256 at rest.
- GraceNotes session audio is not retained — it’s temporarily held only for transcription, then immediately deleted.
Data Stewardship
- Mosaic does not use Personally Identifiable Information (PII) or Protected Health Information (PHI) to train our AI models.
- Session content is not sold or used for advertising, and is used only to deliver the service you request.
Your control
- Clinicians can choose to permanently delete any session note or report at any time.
- Full transparency into how your data is handled at every step.
Frequently asked questions

- No. Audio is processed to create your note and is then promptly discarded – audio is never stored.
- We retain personal information no longer than necessary for the purposes identified and as required by law, in line with our Privacy Policy.
- Yes. We provide a general client consent template you can adapt for your practice. Recording consent requirements vary by state. Use your state’s standard and your practice counsel’s guidance.
- Yes. A BAA is included as part of the onboarding process.
