HIPAA Compliance
For healthcare clients — medical practices, dental offices, and therapy providers — BLKBOX operates as a HIPAA Business Associate. We sign Business Associate Agreements (BAAs) with all covered entities before any Protected Health Information (PHI) is processed.
- BAAs executed prior to onboarding for all healthcare clients.
- PHI is never used for marketing, analytics, or any purpose outside service delivery.
- Access to PHI is restricted to authorized personnel on a need-to-know basis.
- Breach notification procedures comply with HIPAA's 60-day notification requirement.
- Annual risk assessments and workforce training conducted per HIPAA requirements.
SOC 2 Type II
Our infrastructure is certified under SOC 2 Type II, covering the Trust Service Criteria for Security, Availability, and Confidentiality. This means an independent auditor has verified our security controls are in place and operating effectively over time — not just on paper.
Data Encryption
- In transit: All data transmitted between callers, our platform, and your practice is encrypted using TLS 1.2+.
- At rest: Call recordings, transcripts, and client data are encrypted at rest using AES-256.
- Keys: Encryption keys are managed using industry-standard key management services and rotated regularly.
Security Controls
Access Control
Role-based access controls (RBAC) limit data access to authorized personnel only. Multi-factor authentication is required for all internal systems.
Audit Logging
All access to call data and PHI is logged and monitored. Logs are retained for a minimum of 12 months and reviewed regularly.
Infrastructure Security
Hosted on enterprise-grade cloud infrastructure with network segmentation, WAF protection, and automated vulnerability scanning.
Incident Response
A documented incident response plan is tested quarterly. Clients are notified within 72 hours of any confirmed security incident.
Vendor Management
All third-party vendors undergo security review before integration. Subprocessors are bound by confidentiality agreements aligned with our security standards.
Data Minimization
We collect only the data necessary to deliver your service. Retention periods are defined per plan and data is securely purged upon expiration.
Legal Industry Compliance
For law firms and attorneys, BLKBOX is designed to support attorney-client privilege considerations. Call handling scripts can be configured to avoid eliciting privileged information and to route sensitive matters directly to counsel. We do not retain legal intake call data for any purpose outside your service delivery.
Financial Services
For financial advisors and RIAs, BLKBOX call handling can be configured in accordance with your compliance requirements. We do not provide investment advice and our AI is trained to route regulatory or investment-specific questions to licensed personnel immediately.
Your Data. Your Control.
- Export your call logs and transcripts at any time from your dashboard.
- Request data deletion at any time — we will purge all data within 30 days.
- Data is never sold, shared with advertisers, or used to train third-party AI models.
- Upon termination, data is available for export for 30 days, then securely deleted.
Need A BAA Or Security Documentation?
We provide BAAs, security questionnaire responses, and compliance documentation to all clients on the Compliance plan. Book a call and we'll walk you through everything.