
Trust

How Matilda handles your patients' information, in plain language.

Where we are today

Matilda is in early access and operated by Matilda Health for Australian clinicians. We are not yet certified to any external standard (SOC 2, ISO 27001, HDS, etc.) and do not currently hold any external clinical accreditation.

Regulatory position

Matilda is administrative software for transcription and clinical note drafting. The clinician reviews and edits all Matilda output before any clinical use. We rely on the Therapeutic Goods Administration's exclusion for software whose function is purely administrative or supports good clinical practice without making, or directly contributing to, a clinical decision. Matilda is not a medical device, is not used for diagnosis, and is not intended to influence clinical decisions on its own.

Audio handling

Audio captured from your microphone is streamed in 5-second chunks to our server, transcribed in real time using Cloudflare's Workers AI (Whisper-large-v3-turbo), and discarded. It is never written to any disk or database. There is no audio playback.

Transcript and note storage

Transcripts and notes are stored encrypted at rest using AES-GCM with a per-user data key, wrapped by an application master key held in Cloudflare's secret store. The master key is also held in offline backup so we can recover if Cloudflare's secret is lost; it is not held by any third party.
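The key hierarchy described above, sketched as an added example (this is not Matilda's code). It is written against Node's built-in crypto module; the blob layout, the associated-data strings and every function name are assumptions made for illustration, and the master key is passed in by the caller rather than read from a secret store.

```javascript
// Added illustration of envelope encryption; not Matilda's code.
const nodeCrypto = require('node:crypto');

// AES-256-GCM encrypt. Assumed blob layout: nonce(12) || tag(16) || ciphertext.
function seal(key, plaintext, aad) {
  const nonce = nodeCrypto.randomBytes(12); // fresh random nonce for every encryption
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(aad)); // authenticated, not encrypted
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), ct]);
}

// AES-256-GCM decrypt. Throws if the key, AAD or ciphertext does not match the tag.
function unseal(key, blob, aad) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAAD(Buffer.from(aad));
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Generate a per-user data key; only its wrapped form is kept in the user record.
function newUserKey(masterKey, userId) {
  const dataKey = nodeCrypto.randomBytes(32);
  return { userId, wrappedKey: seal(masterKey, dataKey, `dek:${userId}`) };
}

// Recover the user's data key with the master key (AAD binds it to that user).
function unwrapKey(masterKey, user) {
  return unseal(masterKey, user.wrappedKey, `dek:${user.userId}`);
}

// Notes are encrypted under the user's data key, bound to user id and note id.
function encryptNote(masterKey, user, noteId, text) {
  const aad = `note:${user.userId}:${noteId}`;
  return seal(unwrapKey(masterKey, user), Buffer.from(text, 'utf8'), aad);
}

function decryptNote(masterKey, user, noteId, blob) {
  const aad = `note:${user.userId}:${noteId}`;
  return unseal(unwrapKey(masterKey, user), blob, aad).toString('utf8');
}

// Replacing the master key re-wraps each data key; stored notes are not re-encrypted.
function rewrapUserKey(oldMaster, newMaster, user) {
  const dataKey = unwrapKey(oldMaster, user);
  return { userId: user.userId, wrappedKey: seal(newMaster, dataKey, `dek:${user.userId}`) };
}
```

In this sketch a stored note is unreadable without both the wrapped data key and the master key, which is why losing the master key with no backup would make every note unrecoverable.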

Sub-processors

Provider | Purpose | Data
Cloudflare, Inc. | App hosting, database, session storage, AI inference | Account, transcripts, notes, audio (transient), audit log
Resend | Transactional email (sign-in links) | Email address only

Data location

Cloudflare's network is global. Your data — including audio in transit, transcripts, and notes — may be processed in any Cloudflare data centre worldwide, including outside Australia.

AI training

Cloudflare's published documentation states that customer inputs and outputs to Workers AI are not used to train models. We re-check this quarterly. Matilda itself does not use your transcripts or notes to train any model.

Incident response

If we become aware of a security incident or data breach likely to result in serious harm, we will notify affected users by email and, where required by Australian law, notify the Office of the Australian Information Commissioner under the Notifiable Data Breaches scheme.

Reporting a security concern

Email [email protected]. We aim to acknowledge within one business day.

For patients

A plain-language information sheet you can hand to patients is available at /patient-info (printable / save-as-PDF from the browser).
