Your patients' data is not our business model.

We process patient conversations. We don't store them. We don't learn from them. We don't sell them. Here's exactly how we keep it that way.

Zero PHI retention

Patient health information is processed in real-time and discarded. We don't store transcripts, recordings, or conversation logs containing PHI. Your data passes through. It doesn't stay.

We don't train on your data

Your clinic's conversations never enter our training pipeline. Agent improvements come from quality metrics and conversation structure — never from patient content.

BAA before byte one

We sign a Business Associate Agreement before any patient data touches our systems. Not after your trial. Not after you ask. Before we start.

What we comply with.

Not aspirational. Not "in progress." These are the certifications and standards we meet today.

HIPAA
Full compliance with the Privacy Rule, Security Rule, and Breach Notification Rule. Administrative, physical, and technical safeguards implemented across all infrastructure.
BAA
Business Associate Agreement executed with every customer before PHI processing begins. Covers all subprocessors in the data chain.
SOC 2 Type II
Independently audited over time — not a point-in-time snapshot. Covers security, availability, and confidentiality trust service criteria.
Encryption
AES-256 encryption at rest. TLS 1.3 in transit. End-to-end encryption for voice streams. No unencrypted PHI at any point in the pipeline.
Access Controls
Role-based access. Multi-factor authentication. Audit logs for every PHI access event. Principle of least privilege enforced at every layer.
AI Disclosure
Compliant with state AI disclosure requirements including Texas TRAIGA and Utah AI Policy Act. Patients are informed they're speaking with an AI agent.

How a call flows through our infrastructure.

Every step encrypted. No PHI stored. Audit trail at every handoff.

Patient Call (Encrypted): TLS 1.3 voice stream.
Voice Processing (Isolated): Real-time STT. No recording stored.
Agent Logic (Stateless): FSM + LLM. No PHI in context.
EHR Action (Encrypted): FHIR R4 API. Direct to your system.
Audit Trail (Logged): Metadata only. No PHI retained.

What we do and don't do with your data.

No ambiguity. No "it depends." Clear answers.

Voice recordings

Processed in real-time for speech-to-text. Not stored. Not replayed. Not accessible to our team. Discarded after the call ends.

Zero retention

Conversation transcripts

PHI-containing transcripts are not stored. De-identified conversation structure (no patient details) is used for quality metrics only.

De-identified only

Patient information

Name, DOB, insurance — passed directly to your EHR via FHIR APIs. We're a conduit, not a database. Nothing lands on our servers.

Pass-through only

Agent improvement data

Quality scores, conversation flow patterns, completion rates — all de-identified. Used to improve your agent's performance. Never shared across clinics.

Clinic-scoped

Questions your compliance officer will ask.

Do you sign a BAA?
Yes. Before any PHI is processed. Our BAA covers all subprocessors including cloud infrastructure and speech-to-text services.
Where is data hosted?
US-based cloud infrastructure only. No data leaves the country. SOC 2 Type II certified hosting with AES-256 encryption at rest.
Do you train AI models on our patient data?
No. We never use patient conversations, transcripts, or PHI to train models. Agent quality improvements use de-identified structural metrics only.
What happens during a breach?
We follow HIPAA Breach Notification Rule requirements. You're notified within 24 hours of discovery. Full incident report within 72 hours. But our zero-retention architecture means there's minimal PHI exposure surface.
How do you handle state AI disclosure laws?
The agent identifies itself as an AI assistant at the start of every call. We stay current with state requirements including Texas TRAIGA (Jan 2026) and Utah AI Policy Act.
Can we audit your systems?
Yes. We provide SOC 2 Type II reports on request. For enterprise customers, we support third-party security assessments and penetration testing.

Security isn't a feature.
It's the foundation.

Talk to our team about your compliance requirements.