How quickly can I get ClearCall AI up and running?

First week: We audit your call volume and identify your most expensive problem. Second week: We deploy AI on that one use case and validate ROI. Then we expand. Most businesses see results within days.

Can the AI agents handle complex customer inquiries?

Most 'complex' calls aren't actually complex. AI handles pricing inquiries, scheduling, order status, and more. For truly complex negotiations or escalations, it routes to humans with full context already captured.

What happens if the AI agent doesn't know how to respond?

It routes to a human with everything already documented. The AI captures the caller's info, reason for calling, and any details discussed. Your team picks up the call fully briefed.

How does pricing work?

We price based on the problem we're solving—not seat licenses or feature bundles. Schedule an audit and we'll calculate ROI before discussing price. Most clients save multiples of what they invest.

Can I customize the AI agent's personality and responses?

Yes. Tone, greetings, escalation rules, knowledge base—all fully customizable. We focus on accuracy, speed, and results first, then polish.

Is ClearCall AI HIPAA compliant?

We are HIPAA-aware and work with US clinics to handle PHI responsibly. We can execute Business Associate Agreements (BAAs) on our Scale tier and above. Our infrastructure uses HIPAA-compliant cloud providers (AWS with encryption).

What about GDPR compliance for EU clinics?

We are GDPR-compliant. All EU clinic data is processed and stored in EU data centers (we use Dublin and Frankfurt regions). We respect data subject rights, maintain processing records, and can provide Data Processing Addendums (DPAs) on request.

How is call data encrypted?

In transit: TLS 1.3 encryption (256-bit). At rest: AES-256 encryption. Call recordings, transcripts, and sensitive customer data are encrypted at rest in our cloud infrastructure.

Can you redact or exclude PHI from recordings?

Yes. We can configure agents to redact patient names, dates of birth, medical record numbers, and other PHI from transcripts and call logs. This is especially useful for clinics handling sensitive patient calls.

Who are your subprocessors?

Main subprocessors: Vapi (voice AI infrastructure), Twilio (call routing), OpenAI (transcription & LLM), Supabase (database). All have their own security certifications and data processing agreements. Full list available on our Subprocessors page.

How do I request a security audit or questionnaire response?

Contact our security team at security@clearcallai.com with your questions or audit requirements. We respond to vendor security questionnaires and can arrange calls to discuss compliance requirements.

Trust, Security & Compliance

When you're handling clinic calls, customer data, or sensitive business information, security matters. ClearCall AI implements enterprise-grade encryption, HIPAA-aware deployments for US clinics, GDPR compliance for EU, and transparent subprocessor practices.

Compliance posture

We work in regulated industries. That means compliance isn't optional — it's foundational.

HIPAA for US clinics

We are HIPAA-aware and work closely with medical and aesthetic clinics in the US. Our infrastructure is built to handle Protected Health Information (PHI) responsibly:

→ HIPAA-compliant cloud infrastructure (AWS with encryption)
→ Ability to execute Business Associate Agreements (BAAs) on Scale tier and above
→ PHI redaction capabilities for transcripts and call logs
→ Access controls and audit logging for all data access

If you're handling patient appointment calls, we can configure the system to exclude or redact sensitive data from recordings and transcripts. This means your call recordings don't become a liability.

GDPR for EU clinics

The EU is home to our clinic specialization (Budapest, Vienna, Munich, Berlin). GDPR compliance isn't a box to check — it's embedded in how we operate.

→ All EU clinic data processed and stored in EU data centers (Dublin and Frankfurt AWS regions)
→ Data Processing Addendums (DPAs) provided on request
→ Data subject rights support (access, deletion, portability)
→ Processing records and compliance documentation available for audit

We never cross EU data to non-EU regions without explicit consent. If you're a clinic in Hungary, your call transcripts stay in Hungary.

Encryption and data residency

In transit: TLS 1.3

All data moving between your systems, our infrastructure, and third-party services is encrypted with TLS 1.3 (256-bit cipher suites). This applies to call routing, API calls, webhook delivery, and any data your business shares with us.

At rest: AES-256

Call recordings, transcripts, customer records, and PHI are encrypted at rest using AES-256 encryption in our cloud infrastructure. Database records, file storage, and backup archives are all encrypted by default.

Data residency

Where your data lives matters, especially in regulated industries.

US clinics: Data stored in US regions (US-East or US-West AWS)
EU clinics: Data stored in EU regions only (Ireland or Frankfurt). No cross-border transfers without explicit consent.

PHI and sensitive data handling

If you're a clinic, your call recordings inevitably contain patient names, appointment details, medical history snippets, or insurance information. We handle this with care.

Redaction: We can strip patient names, dates of birth, medical record numbers, and other PII from transcripts automatically.
Retention: Call recordings and transcripts are retained only as long as you need them, then deleted securely (no recovery possible).
Access: Only authorized staff (your team + our support engineers under NDA) can access call data. We don't share call transcripts with subprocessors unless required for the service.
BAA coverage: On Scale tier, we execute a Business Associate Agreement that makes ClearCall AI legally accountable for PHI handling.

Our vendor stack

Transparency matters. We use enterprise-grade infrastructure providers. Here's the stack:

Vapi.ai

Voice AI infrastructure. Handles agent logic, call handling, and voice synthesis. SOC 2 Type II certified. You can request their security documentation.

Twilio

Call routing and SIP transport. Public company with strict security standards. HIPAA-compliant options available. SOC 2 certified.

OpenAI

Transcription (Whisper) and LLM inference. Call transcripts can be redacted before sending. Enterprise agreement available with data residency guarantees.

Supabase

Database and auth. PostgreSQL with encryption, ROW-level security, and compliance options. Supports EU data residency.

All of these vendors have their own SOC 2 certifications and security documentation. We can share their security credentials under NDA.

SOC 2 status

In progress

We are currently pursuing SOC 2 Type II certification. We're not yet certified, but we're committed to achieving it by Q4 2026. Until then, we provide transparency through detailed security documentation and vendor references.

Subprocessors

Here are all third parties that have access to your call data or customer information:

Service	Purpose	Data Access
Vapi.ai	Voice AI agent runtime	Call audio, transcripts, agent config
Twilio	Call routing and SIP	Caller ID, call metadata, call duration
OpenAI	Transcription & LLM inference	Call audio (for transcription), redacted transcripts (for inference)
Supabase	Database & auth	Call metadata, customer records, agent config

All subprocessors have signed Data Processing Addendums (DPAs) and are contractually bound to handle data according to the same standards we maintain.

Security practices

Access control: Role-based access control (RBAC). Only authorized staff can access production systems or customer data.
Secrets management: All API keys, credentials, and encryption keys are stored in a secrets vault (not in code). Automatic rotation enabled.
Audit logging: All data access, configuration changes, and admin actions are logged and retained for 90 days.
Incident response: We have an incident response plan. If a security issue occurs, we notify affected customers within 24 hours.
Regular testing: We conduct penetration testing and vulnerability scans quarterly. Results shared with customers under NDA.

Questions about security?

If you need to review our security documentation, discuss compliance requirements, or have specific audit questions, contact our security team:

[email protected]

We respond to vendor security questionnaires, can arrange security calls, and provide references from existing customers in regulated industries.

Security FAQs

What's the difference between SOC 2 Type I and Type II?

Type I is a point-in-time audit (we did X on date Y). Type II is a continuous audit over 6-12 months (we maintained X controls consistently). Type II is stronger. We're pursuing Type II, which will be completed by Q4 2026.

Can you sign my vendor security agreement?

Yes. Contact [email protected] with your template. We review and sign vendor agreements that are reasonable and aligned with standard industry practices.

How do you handle data deletion requests?

We support GDPR right-to-deletion requests. When you request deletion, we delete all call recordings, transcripts, and associated metadata from active systems within 24 hours. Backups are purged within 30 days.

What if there's a security incident?

We have an incident response plan. If a security issue affects customer data, we notify affected customers within 24 hours with details, remediation steps, and recommended actions. We also file breach notifications where legally required.

Can you provide a DPA?

Yes. For EU clinics or any customer handling personal data, we provide a Data Processing Addendum. It's available upon request — email [email protected].

Do you use my data for model training?

No. Call transcripts and customer data are never used to train our models or any third-party models. OpenAI (our transcription provider) has enterprise agreements that exclude data from model training.

Security and compliance you can trust