Public document · Updated: June 11, 2026
The page your IT department, your privacy officer, and your auditor will ask us for: how every record travels, the U.S. laws we answer to, how we govern the AI, and what we sign with you. Public, to the point, and built to be shared with your technical team.
Six things we sign — not just promise. Each one is backed by a contract, a verifiable technical control, or a law that sanctions us directly if we fail.
Our AI model providers operate under zero-data-retention configurations: they process and return, they do not store or train. What the agent learns about your operation lives inside your organization only.
Not your data and not your patients'. No exceptions, no fine print.
Isolation here isn't a software rule: it's infrastructure. Each organization runs on its own dedicated database, with data-ownership checks layered on every operation. Two institutions' data never mix — not to answer, not to predict, not to “improve the service.”
The agent identifies itself as a virtual assistant at the start of every conversation and announces recording. Transparency is a legal requirement in the jurisdictions we serve — here it ships on by default and cannot be hidden.
Every conversation is recorded, transcribed, and audit-logged — who accessed what, and when. What the agent did can be verified, not taken on faith.
Export everything anytime (CSV/JSON). When the contract ends we delete your data and confirm it in writing. Custody of the medical record was, is, and will remain your institution's.
Six steps between a patient dialing and the record resting under your control. This is what we walk technical committees through when they ask.
The patient dials your number or messages your WhatsApp. From the first packet the connection travels encrypted (TLS 1.2+ for data, encrypted voice media). The agent identifies itself as your institution's virtual assistant and announces recording before going on.
TLS 1.2+Agent self-identifies
The conversation is transcribed in real time by voice-processing providers configured for zero data retention: they process the audio, return the text, and keep nothing. Where PHI is involved, they additionally operate under a BAA.
Zero retentionBAA
To answer, the agent reads only your organization's configuration: services, schedules, rates, the protocols your committee approved. And the query lands on your organization's dedicated database — one institution can't see another's data even by mistake, because they don't even share a database.
Dedicated databaseApproved answers only
The language models and predictive models process under zero-retention arrangements and never train on your data. Predictions — who is at risk of a no-show, who to reach first — are computed only from your organization's data and only for your approved purposes.
Zero trainingPredictions stay in-org
The recording, the transcript, and the structured fields of the conversation are stored encrypted at rest (AES-256) in your organization's dedicated database, behind role-based access control (RBAC), least privilege, and an audit log over every access. Our database and analytics providers operate under BAAs and SOC 2 Type II / ISO 27001 certification.
AES-256RBAC + audit log
Retention is configured by your institution according to its legal duties — your state's medical-record retention rules, for instance. Delete whenever you want: gone from active systems in ≤30 days and from backups in ≤90, with written confirmation.
Configurable retentionWritten confirmation
Every legal department's first question: who is the controller and who is the processor? Your institution decides; we execute — and we're accountable.
Covered Entity / Controller
Business Associate / Processor
| Document | When it applies | What it covers |
|---|---|---|
| BAA — Business Associate Agreement | Every HIPAA-covered customer | Permitted PHI uses, Security Rule safeguards, breach reporting, return or destruction of PHI at termination. Our PHI-touching subprocessors carry downstream BAAs — the complete chain of trust. |
| DPA — Data Processing Agreement | U.S. state privacy laws | Service-provider / processor role: documented instructions only, no selling, no sharing, no cross-customer combining, obligations flowed down to subprocessors. |
| NDA for documentation | On request | Under NDA we hand over the named subprocessor list, internal policies, and security-assessment summaries. |
| Data-transmission agreement | Customers under Colombian law | The Colombian DPA (Decreto 1377, arts. 24–25). Detail in the Colombia version of this document. |
Rule by rule: what it demands and how we comply. One architecture, built to the strictest requirement of each.
We operate as a Business Associate and sign BAAs
What it requires
Contact data, recordings and transcripts created on behalf of a healthcare provider are PHI. A vendor processing them is a Business Associate: it must sign a BAA, apply administrative, physical and technical safeguards, use only the minimum necessary, and notify breaches without unreasonable delay (60 days at most). Its subcontractors touching PHI need downstream BAAs. One more line that matters for proactive outreach: treatment and care-coordination communications are permitted uses of PHI, but using PHI for marketing requires the patient's prior written authorization.
How we comply
We sign a BAA with every HIPAA-covered customer and maintain BAAs with every subprocessor that touches PHI — the complete chain of trust. Risk analysis and workforce training, documented. Our proactive outreach is care outreach — overdue follow-ups, pending screenings, reminders — never commercial content based on someone's condition. One honest note: “HIPAA certified” does not exist; distrust anyone promising it. What exists is this: safeguards, BAAs, and evidence.
Not yet law; its core proposals are already implemented here
What it requires
HHS proposed strengthening the Security Rule: mandatory ePHI encryption in transit and at rest, mandatory MFA, asset inventories, periodic vulnerability scanning and penetration testing, critical-system restore within 72 hours. As of mid-2026 it remains a proposal, with no confirmed final date.
How we comply
We aren't waiting for the final rule: encryption in transit and at rest, internal MFA, and continuous vulnerability management run by design. We track the rule and will close any remaining gap once it's final.
Since Feb. 2024, an AI voice is an “artificial voice” under the law
What it requires
The FCC ruled (Feb. 2024) that AI-generated voices are “artificial or prerecorded voice” under the TCPA: outbound AI-voice calls require prior express consent (written for marketing), with healthcare exemptions for covered entities and their Business Associates (appointment reminders and treatment messages, frequency-capped). Consent revocation must be honored within 10 business days (in force since April 2025). Several states require all-party consent for recording.
How we comply
Self-identification at the start of every call, recording announced by default (all-party-consent standard), consent management, and immediate opt-out: whoever asks not to be contacted is not contacted again.
One rule covers them all: the agent says it's AI, always
What it requires
California's AB 3030 requires AI-generated audio clinical communications to say so verbally at the beginning and end, with a path to a human. Utah's AI Policy Act requires proactive disclosure in health interactions. Texas's TRAIGA (in force since Jan. 2026) requires clear disclosure when AI is involved. Colorado's AI Act was delayed and narrowed — monitored, not in force.
How we comply
The agent identifies itself as AI at the start of every interaction, by default and with no option to hide it; additional notices (e.g., at the end) are configurable per jurisdiction. There is always an escalation path to your human team.
We are a service provider: documented instructions, never a sale
What it requires
Some twenty states have comprehensive privacy laws on the controller/processor model. A vendor processing on a customer's behalf is a “service provider”: documented instructions only, no selling or sharing, no cross-customer combining, obligations flowed down to subprocessors. PHI is exempt: HIPAA governs it. Washington's My Health My Data covers health data outside HIPAA.
How we comply
A DPA available to every customer, zero selling or ad-sharing of data, and the health data we process for providers is always handled as PHI under a BAA — the highest available standard.
We say “aligned” when it's aligned and “certified” only with a certificate
What it requires
SOC 2 is an auditor attestation against the Trust Services Criteria (Type II tests controls operating over months and is the de facto due-diligence standard). NIST CSF 2.0 and NIST AI RMF are voluntary alignment frameworks. ISO/IEC 42001 certifies AI management systems. None of them is self-declared: there's an auditor's report, a certificate, or the word “aligned.”
How we comply
A security program built on SOC 2's Trust Services Criteria and aligned with NIST CSF 2.0; AI risk management aligned with NIST AI RMF. Our infrastructure runs on SOC 2 / ISO 27001-certified clouds (shared responsibility). Attestation status and roadmap are shared under NDA — and you will never find a badge here we can't back up.
Operating in Colombia? Ley 1581 de 2012, the SIC's AI guidance, and the clinical-record regime have their own version of this document.
Generative and predictive models under one governance, with risk management aligned with NIST AI RMF (Govern · Map · Measure · Manage).
A virtual assistant from the first sentence, on every channel. Required by U.S. state disclosure laws — “hidden” is not a setting here.
It answers only from the configuration your institution approved: services, rates, schedules, protocols. If it doesn't know, it says so — and escalates.
Alarm symptoms, delicate cases, and anything requiring judgment is handed to your team, with a summary and the collected data. The final clinical and administrative decision is always human and always yours.
Zero retention at the model providers and zero training on your data. Privacy by design and by default.
Predictions — care gaps, no-show risk, who to reach first — are computed only from your organization's data, for approved care purposes. Using PHI to push commercial offers is “marketing” under the HIPAA Privacy Rule and would require the patient's written authorization — it is not part of the product's flows. A privacy impact study is available to your committee.
Every conversation is recorded, transcribed, and audited; agent performance is continuously evaluated. Risk management aligned with NIST AI RMF.
Only the ones strictly necessary to operate, each under a back-to-back processing agreement and — where PHI is involved — a downstream BAA. The full named list is delivered under NDA, and we notify you before adding or replacing any of them.
| Function | Location | Safeguards |
|---|---|---|
| Infrastructure & hosting | U.S. | SOC 2 / ISO 27001 cloud · DPA · BAA |
| Database & analytics | U.S. | BAA · SOC 2 Type II · ISO 27001 · dedicated DB per org |
| Telephony & messaging | U.S. | DPA · HIPAA-eligible configuration |
| Voice processing | U.S. | Zero retention · BAA · no training on your data |
| AI models (language & prediction) | U.S. | Zero retention · zero training · BAA |
| Authentication & identity | U.S. | DPA · MFA · SOC 2 |
| Payments | U.S. | PCI DSS · we never see full card numbers |
| Transactional email | U.S. | DPA · operational email only |
| Security & CDN | Global | DDoS protection · end-to-end TLS |
Every subprocessor that touches PHI operates under a downstream BAA — the complete chain of trust. Request the named list (under NDA).
The questions technical departments of clinics, hospitals, and insurers ask us — with the answers we put in writing. If one is missing, we answer it in writing in the due-diligence packet.
No system is infallible. What can be guaranteed is what happens in the hours that follow — and every deadline below is a legal or contractual duty, not a courtesy.
Hour 0
Continuous monitoring, severity classification, immediate containment. The clock starts — and we document everything from minute one.
≤ 72 hours
Notification to the affected customer without undue delay: what happened, what data is involved, what we did, what's next. No euphemisms.
≤ 60 days
As a Business Associate, we notify the covered entity without unreasonable delay and within 60 days at most, with everything the Breach Notification Rule requires.
Afterwards
Root cause, corrective actions, and security-program changes — in writing and available to your committee.
For customers under Colombian law, the SIC's incident clocks are in the Colombia version.
For your committee, your counsel, and your privacy officer. Sent in writing, at no cost:
Related documents: Privacy Policy, Terms of Service and Patient Governance.
This page informs; it is not legal advice. Contract versions prevail. Rules verified as of June 11, 2026.