About AI VOX
AI VOX is an AI-powered voice receptionist for healthcare clinics. The product answers inbound calls and conducts outbound calls on behalf of a clinic, books and reschedules appointments into the clinic's calendar, and surfaces every call to clinic staff through a web dashboard. AI VOX is built specifically for owner-operated practices in dentistry, veterinary medicine, and aesthetic medicine.
AI VOX is operated by Sujal Samadhiya, sole proprietor doing business as AI VOX. The Security & Privacy Contact for all matters related to this document is work@theaivox.com.
Scope of Protected Health Information
In the course of providing the Services, AI VOX may create, receive, maintain, or transmit the following categories of information that may constitute Protected Health Information ("PHI") under the HIPAA Rules:
- Caller identifiers such as name, phone number, and email address provided by the caller.
- Stated reason for the call, including chief complaint or service requested.
- Appointment details, including provider, date, time, location, and appointment type.
- Audio recordings of the call between the caller and the AI voice agent.
- Text transcripts of the call generated by the speech-to-text layer.
- Caller sentiment, summary, and other metadata derived from the call by the AI.
AI VOX does not request or store financial account information, full date of birth, government identifiers, insurance member numbers, or clinical diagnoses unless a caller voluntarily provides such information during a call. The AI agent is configured to decline collecting payment card information.
System Architecture
AI VOX is composed of four logical layers. All layers are operated on infrastructure covered by signed Business Associate Agreements.
Voice layer
Provided by Retell AI, which orchestrates inbound and outbound telephony, speech-to-text, large-language-model dialog, and text-to-speech. AI VOX has a signed Business Associate Agreement with Retell that covers Retell and the downstream providers it uses on AI VOX's behalf. PHI is transmitted only over TLS-encrypted channels, never in plain text.
Workflow layer
When a call ends, Retell delivers a signed webhook to a workflow orchestration layer running on n8n, hosted on a private AWS EC2 instance in the US East (N. Virginia) region. The instance is not exposed to the public internet for direct API access; only the Retell webhook endpoint is reachable, protected by request-signature validation.
Storage layer
The workflow layer writes structured call results into a dedicated AWS RDS Postgres instance in a private subnet within a Virtual Private Cloud, not addressable from the public internet. All data is encrypted at rest using AWS-managed AES-256 keys and in transit using TLS 1.2 or higher. Database-level Row-Level Security enforces tenant isolation — no clinic can read or write another clinic's data, even in the event of an application bug.
Application layer
The clinic-facing dashboard is a Next.js application. Sessions are managed by signed JSON Web Tokens over secure, HttpOnly, SameSite cookies. Granular role-based permissions let a clinic owner restrict each staff member's visibility on a per-feature basis.
Security Controls
- Encryption everywhere — AES-256 at rest, TLS 1.2+ in transit, across every layer that touches PHI.
- Tenant isolation — database-level Row-Level Security, independent of application logic.
- Least-privilege access — production access is restricted, MFA-protected, and audit-logged.
- Signed webhooks — every inbound payload is signature-verified before processing.
- Audit logging — access, authentication, and administrative actions are logged and retained for six years.
Personnel Access
AI VOX is operated as a sole proprietorship. The founder is the only individual with access to production credentials, the production database, and production infrastructure. No contractors, vendors, or third parties have direct production access. Any future personnel will complete HIPAA workforce training before receiving access to any system that handles PHI, and access will be granted on a least-privilege basis.
Compliance Posture
AI VOX has not undergone a third-party SOC 2 audit or HITRUST certification at this time. AI VOX commits to:
- Executing a Business Associate Agreement with every Covered Entity before any PHI is processed.
- Maintaining signed Business Associate Agreements with every subprocessor that may handle PHI.
- Conducting an annual review of administrative, physical, and technical safeguards.
- Making its Security Overview, Subprocessor List, Security Policy, Breach Notification Procedure, and Data Retention Policy available to Covered Entities on request.
A third-party audit is on the AI VOX product roadmap; timing will be communicated to Covered Entities once scheduled.