Compliance isn't a feature
HIPAA compliance is baked into how Ava runs — not a checkbox we tick. Every call, every intake, every insurance verification happens inside your BAA. No patient data leaves the perimeter you authorize.
PHI never leaves your BAA perimeter. Every call is encrypted, logged, and auditable. Here's how we handle the part of your practice that can't ever leak.
Axis reads and writes to your PMS. We don't copy your patient database. We don't train public models on your records. If you cancel, your data stays where it always was — in your system.
Every interaction with Ava is logged: timestamp, transcript, intent classification, resolution. Available to your compliance officer on request. Exportable for HIPAA audits.
| Category | Standard | Status |
|---|---|---|
| Encryption at rest | AES-256 | Live |
| Encryption in transit | TLS 1.3 | Live |
| Access control | SOC 2 Type II framework | In progress (not yet live) |
| BAA | Every call, every vendor | Live |
| Data retention | Configurable per practice | Live |
| Access logs | Retained 7 years | Live |
| Penetration test | Annual, third-party | Scheduled Q2 (not yet live) |
| PHI redaction | Automated in transcripts | Live |
We sign a BAA before you onboard — not after a sales conversation, not as an upsell. It covers every vendor in our stack: the voice infrastructure, the language models, the storage layer.
Request our BAA. Email response within one business day.
Patient call recordings are never used to train public language models. Your voice data stays in your BAA perimeter. Full stop.
We will never aggregate your practice data and sell it — not as 'industry benchmarks,' not as 'de-identified insights,' not to anyone.
If a security incident affects your practice, you hear about it within 24 hours. Every time. In writing. We've never had one, and we intend to keep it that way.