Security & Compliance
Security & HIPAA - The Honest Truth
We believe dental clinics deserve straight answers about how their patient data is handled. No marketing speak. No vague claims. Just facts.
TLS 1.3 Encryption
BAA Available at No Cost
SOC 2 Infrastructure
Data Isolated Per Clinic
No Data Sold. Ever.
⏳ Full HIPAA Mode - Q4 2026
Our Current Security Posture
What We Are
Aria is an AI scheduling assistant. We are HIPAA-conscious in design - we minimize PHI collection, encrypt all data, and offer signed BAAs at no cost. All our infrastructure partners are SOC 2 certified.
What We Are Not (Yet)
We are not a covered entity or EHR system. "HIPAA certified" is not an official designation - but we operate with HIPAA principles throughout. Full enterprise HIPAA mode (zero-retention voice, advanced audit logs) is on our Q4 2026 roadmap.
What Aria Does With Patient Data
- Collects patient name, phone, appointment date/time, and reason for booking only
- Creates Google Calendar events in the clinic's own Google account
- Sends SMS confirmation via Twilio (HIPAA-eligible carrier)
- Stores scheduling data in Airtable - encrypted at rest, isolated per clinic
- Provides signed Business Associate Agreement (BAA) on request - at no cost
- Deletes all clinic data within 30 days of subscription cancellation
- All data transmitted over HTTPS/TLS 1.3
- Does NOT collect insurance details, diagnoses, or treatment records
- Does NOT retain full audio recordings of calls
- Does NOT sell or share data with any third party
Infrastructure & Partners
Vapi.ai
SOC 2 Certified
Processes voice calls and transcriptions. No patient audio retained for model training.
Twilio
HIPAA Eligible
SMS and voice communications. BAA available directly with Twilio.
Airtable
SOC 2 Type II
Clinic and scheduling data storage. Encrypted at rest and in transit.
Google Calendar
Google Workspace
Appointment scheduling. Access-controlled per clinic via OAuth2.
n8n Cloud
EU Data Residency
Workflow automation. Processes booking logic without storing PHI.
Vercel / Node.js
TLS 1.3
API backend. Credentials stored server-side, never exposed client-side.
Business Associate Agreement (BAA)
Request a BAA
As a service provider handling patient scheduling data on behalf of dental clinics, EletvaAi qualifies as a Business Associate under HIPAA. We provide a signed BAA at no additional cost to all paid subscribers.
To request your BAA: Email milind@eletvaai.com - we send it within 24 hours.
Data Isolation & Access Control
Each clinic's data is completely isolated - no clinic can access another's records. Access requires authentication via the clinic's unique credentials. API keys and OAuth tokens are stored server-side and never exposed in client-facing code. Dashboard access is scoped to the clinic's own data only.
Incident Response
- Any suspected data breach is investigated within 24 hours
- Affected clinics notified within 72 hours (60 days for PHI breaches per HIPAA requirements)
- Full incident report provided to affected parties
- Security questions answered within 24 hours: milind@eletvaai.com
Questions About Security or Compliance?
We respond to all security and compliance questions within 24 hours. BAA requests fulfilled same business day.
Contact Us About Security
milind@eletvaai.com · EletvaAi / Tatva Solutions