Security & compliance

Healthcare runs on trust.

Here is exactly how Voxoth handles data, consent and clinical boundaries — in plain language, no legalese.

Scope

Non-clinical by design

Voxoth never diagnoses, triages severity, counsels or prescribes — this is enforced in the product's architecture, not just its instructions. Any question that reads as clinical (symptoms, dosage, urgency) is transferred to your staff immediately, and emergency keywords trigger a clear escalation script. The agent handles patient access — booking, reminders, information — and nothing else.

Consent

Consent & AI disclosure on every call

Every call opens with an AI disclosure and a recording-consent step; both events are logged with timestamps. Callers who decline are routed to your staff. On the marketing site, our waitlist form captures explicit, timestamped consent before we ever contact you.

Data

DPDP-ready data handling

We follow the Digital Personal Data Protection Act's principles: collect the minimum, use it only for the stated purpose, retain it only as long as needed, and honour access and erasure requests. The marketing site collects business lead data only — never patient data.

Encryption

Encryption everywhere

Data is encrypted in transit (TLS) and at rest. Call recordings live in an encrypted bucket with retention controls; access is role-scoped and audited. Passwords are hashed with argon2; API access uses short-lived, rotating tokens.

Isolation

Tenant isolation

Each clinic's data is scoped to its organization at every layer — application, repository and database (row-level security). Cross-tenant access is architecturally blocked, and our test suite proves it on every release.

Telecom

Telecom compliance (India)

Outbound calling follows TRAI norms: DLT registration, quiet-hours enforcement, consent gating at dial time, and immediate, permanent opt-outs — spoken, via keypad, or from the dashboard.

Questions about our data practices? Write to hello@voxoth.com, or read the privacy policy.