Trust Center

All customer data is classified as Internal or Confidential. Sensitive data is handled according to strict internal security policies on a need-to-know basis.

Role-based access with Multi-Factor Authentication (MFA) and audit logging is enforced across all relevant systems.

We utilize US-based major cloud providers. For details, see our sub-processors list.

Our AI is designed with appropriate safeguards for healthcare administrative use with human oversight.

Detailed audit logs are maintained for all system activity and retained according to our data retention policy. Call logs are also accessible to customers in the dashboard.

• Encryption: AES-256 encryption at rest, TLS 1.3 + TLS-SRTP for media streams in transit.
• Password Requirements (per NIST):
  • Minimum 20 characters
  • Three of four character types (uppercase, lowercase, numbers, special characters)
  • Multi-Factor Authentication (MFA) enforced

Role-based access control (RBAC) plus MFA is enforced across all environments containing confidential or internal data.

Our CI/CD pipeline includes code scanning, security testing, and automated checks to identify vulnerabilities before deployment.

24/7 real-time monitoring of all systems with on-call support. We maintain a public status page for transparency.

We host our services in US data centers provided by major cloud vendors. See our sub-processors list for details.

Production and non-production environments are strictly isolated. Servers are replicated for fault tolerance and high availability.

We leverage a Zero Trust architecture using WireGuard for secure networking and strict identity-based access controls.

All infrastructure components are monitored 24/7 for performance, availability, and security indicators.

We maintain HIPAA compliance standards for handling Protected Health Information (PHI) with appropriate safeguards and controls.

We support individual privacy rights with streamlined processes for data access, correction, and deletion requests.

We maintain clear guidelines on data lifecycle management, including secure deletion.

Our Privacy Policy and Business Associate Agreement (BAA) are available for healthcare customers.

Our platform is designed with appropriate risk management controls for healthcare administrative tasks with human oversight. Clinical or diagnostic use may require additional safeguards.

We design workflows to ensure human validation and accountability throughout the AI interaction lifecycle.

We apply strict prompt control, link extractions to source transcripts, and leverage Azure OpenAI's content filtering to maintain safe and compliant outputs.

All call transcripts are viewable in the product. When the AI extracts structured data (e.g. date of birth), we clearly show which part of the transcript it was derived from—ensuring auditability and contextual traceability.

We offer a standardized Business Associate Agreement (BAA) for healthcare customers requiring HIPAA compliance.

We perform security assessments of our third-party processors and update the list of sub-processors regularly.

Our platform usage guidelines and restrictions to prevent misuse and maintain compliance.

We maintain and review our Disaster Recovery (DR) plan on a quarterly basis. The plan outlines key recovery procedures, contact protocols, and infrastructure dependencies across our US-based cloud providers.

Our core database is managed by US-based cloud providers and has daily encrypted backups.

Our current disaster recovery targets include:

• RPO (Recovery Point Objective): ≤ 24 hours
• RTO (Recovery Time Objective): ≤ 4 hours

We target a 99.9% availability SLA across our services, with infrastructure-level monitoring in place to minimize downtime.

We conduct scheduled disaster recovery drills and document outcomes.

We maintain continuous security monitoring and alerting for quick incident detection.

A clearly defined communication workflow ensures timely breach notifications to all stakeholders.

For security incidents or queries view responsible disclosure policy.

We provide RCAs for all security incidents. These are available to affected customers upon request.

Regular automated vulnerability scanning of our infrastructure and applications.