Nota’s Statement on Security

Not only is security of the information you put into Nota very important to us, the HIPAA Security and Privacy rules apply to us as a Business Associate, so we have a responsibility to keep your data safe.

To protect your information, all data is written to multiple disks instantly, backed up daily, and stored in different physical locations. Files you upload are stored on servers which are designed to remove bottlenecks and points of failure.


To be compliant with HIPAA regulations for data transmission and storage, we must ensure protected health information (PHI) is secure "in-flight" and "at-rest". Whenever your data is in transit between you and us, everything is encrypted, sent using HTTPS. All patient data and any files you upload to us are stored and encrypted at rest. Our backups of your data are encrypted. 


Under HIPAA, covered entities must have a contingency plan to protect data in case of an emergency and must create and maintain retrievable exact copies of electronic PHI. Nota regularly replicates your data between physical locations to prevent data loss. Additionally, Nota stores regular backups and has the ability to perform point-in-time recovery for granular data recovery.

Nota uses Amazon’s relational database service (RDS) to manage all user data. Amazon RDS provides us with the ability to do point-in-time recovery of our entire database at any second over the previous 5 days.

For more information about Amazon’s relational database service, please see this page:


All data access in Nota is subject to numerous checks to ensure no users from outside your company ever see or modify your data without you explicitly granting them access within Nota.


Nota follows best practices in all areas of application security and prevents common web attack vectors.

When you enter information into Nota, we use secure socket layer (SSL) technology to encrypt the transmission of your data to our servers, which helps protect your data.


All of Nota's servers are hosted in secure, SAS 70 audited data centers. They are protected by biometric locks and round-the-clock interior and exterior surveillance monitoring. Only authorized personnel have access to the data center. 24/7/365 onsite staff provides additional protection against unauthorized entry and security breaches.

Do you have a security question? Email us at