Modules and the data they handle
The platform splits into two groups of features with distinct data flows:
Educational platform
Courses, interactive content, profiles, progress records, certifications, payments. Text only — no audio.
Subprocessors: LearnWorlds, Supabase.
Voxi (dictation) — opt-in
Optional voice-dictation module. Captures audio in real time, anonymises it automatically, and persists only de-identified text. Audio is never stored.
Additional subprocessor: Microsoft Azure (West Europe).
Data flow — Voxi (dictation)
This section describes the pipeline of the Voxi module only. The remaining features do not involve audio.
Audio retention: zero. Audio bytes exist only in volatile memory of the gateway and the transcription service. They are never written to persistent storage on Dioscope, Supabase, or Azure infrastructure.
Subprocessors
Dioscope acts as data controller. The following subprocessors are engaged under Data Processing Agreements compliant with GDPR Art. 28. Microsoft Azure is engaged only when a user opts in to the Voxi module; the remaining subprocessors support the educational platform as a whole.
| Subprocessor | Role | Region | Certifications |
|---|---|---|---|
| Microsoft Azure | AI Speech (transcription) and AI Language (PII detection) | West Europe (Netherlands) | ISO/IEC 27001 ISO/IEC 27017 ISO/IEC 27018 ISO/IEC 27701 ISO/IEC 22301 ISO/IEC 42001 SOC 2 Type 2 HIPAA HDS |
| Supabase | Authentication, edge runtime, encrypted database | West EU (Ireland) | ISO/IEC 27001 SOC 2 Type 2 HIPAA |
| LearnWorlds | Learning Management System (course delivery, certification) | EU | ISO/IEC 27001 SOC 2 GDPR |
What data we process
Dioscope persists only the data strictly required to operate the educational platform: account information, course progress and certification records, and de-identified text after PII anonymisation. Audio and pre-anonymisation text never reach persistent storage.
Retention
- Audio: zero retention — discarded within seconds of transcription
- De-identified text: user-deletable at any time
- Account & certifications: retained while the account is active and as required by applicable CME record-keeping rules
Security controls
- Encryption in transit: TLS 1.3, all endpoints
- Encryption at rest: AES-256, provided by the underlying infrastructure
- Access control: Row-Level Security on user-scoped tables
- PII anonymisation: defence-in-depth (Azure NER + Portuguese-specific rules)
- Logging: automatic PII redaction before write
Your rights under GDPR
Every user has the rights granted by Articles 15–22 of the GDPR:
- Access (Art. 15): request a copy of all your data
- Rectification (Art. 16): correct inaccurate data
- Erasure (Art. 17): request deletion of your account and data
- Restriction (Art. 18): limit processing while a dispute is resolved
- Portability (Art. 20): receive your data in machine-readable format
- Object (Art. 21): object to processing for specific purposes
- Complaint: lodge a complaint with the supervisory authority (CNPD in Portugal)
To exercise any right, write to suporte@dioscope.com. Response time: up to 30 days (GDPR Art. 12(3)).
Contact
For data protection, security incidents and general compliance: suporte@dioscope.com