Security Practices

    Effective Date: February 1, 2025 · Last Updated: February 19, 2026

    1. Our Commitment to Security

    At Third Voice, security is not an afterthought — it is foundational to our platform. We handle sensitive healthcare data and patient communications, and we take that responsibility seriously. This document outlines the security measures, certifications, and practices we implement to protect your data and your patients' information.

    2. Data Protection

    Encryption

    • Data in transit: TLS 1.2+ encryption for all communications between clients, servers, and third-party services
    • Data at rest: AES-256 encryption for all stored data, including database records, backups, and logs
    • Voice data: Real-time processing with no persistent storage of raw voice recordings

    Access Controls

    • Role-based access control (RBAC) with principle of least privilege
    • Multi-factor authentication (MFA) required for all internal systems and administrative access
    • Unique credentials for every team member — no shared accounts
    • Automated access deprovisioning upon employee departure
    • Regular access reviews conducted quarterly

    Data Minimization

    • We collect only the minimum information necessary to provide our Services
    • Patient data is limited to scheduling-relevant information (name, contact, appointment preferences)
    • We do not store raw voice recordings — voice data is processed in real-time and discarded
    • Data retention periods are defined and enforced automatically

    3. Compliance and Certifications

    SOC 2 Type II (In Progress)

    We are actively pursuing SOC 2 Type II certification, which verifies that our systems meet rigorous standards for security, availability, processing integrity, confidentiality, and privacy.

    HIPAA Compliance

    • We operate as a Business Associate under HIPAA
    • Business Associate Agreements (BAAs) are executed with all covered entity clients
    • Administrative, physical, and technical safeguards are implemented per the HIPAA Security Rule
    • Regular HIPAA risk assessments are conducted
    • Workforce members receive HIPAA training upon hire and annually thereafter

    Regulatory Compliance

    • CCPA/CPRA: California consumer privacy rights are supported
    • GDPR: European data protection requirements are honored where applicable
    • Virginia CDPA: We comply with the Virginia Consumer Data Protection Act

    4. Infrastructure Security

    Cloud Hosting

    • Our platform is hosted on enterprise-grade, SOC 2-compliant cloud infrastructure
    • Data is stored in U.S.-based data centers with physical security controls including biometric access, 24/7 surveillance, and environmental protections
    • Geographic redundancy ensures availability in the event of regional incidents

    Network Security

    • Web Application Firewall (WAF) protects against common attack vectors (OWASP Top 10)
    • DDoS mitigation and rate limiting are active on all endpoints
    • Network segmentation isolates sensitive systems and data stores
    • All production traffic is encrypted end-to-end

    Monitoring and Logging

    • 24/7 automated monitoring of all systems, services, and infrastructure
    • Centralized logging with tamper-resistant audit trails
    • Real-time alerting for anomalous behavior, unauthorized access attempts, and system errors
    • Log retention for a minimum of 12 months

    5. Application Security

    Secure Development

    • Security is integrated into our software development lifecycle (SDLC)
    • Code reviews are mandatory for all production changes
    • Static application security testing (SAST) and dependency scanning are automated in CI/CD pipelines
    • Third-party penetration testing is conducted annually

    Vulnerability Management

    • Automated vulnerability scanning of infrastructure and applications
    • Critical vulnerabilities are triaged and remediated within 24 hours
    • Regular patch management cycle for all systems and dependencies
    • Responsible disclosure program for external security researchers

    6. Third-Party Security

    We carefully evaluate the security posture of all third-party service providers:

    ProviderServiceSecurity Measures
    TwilioTelephony and communicationsSOC 2 Type II certified, encrypted communications
    VAPIAI voice processingSecure API, no persistent data storage
    KollaPMS integrationsSecure authentication, encrypted data exchange
    Google AnalyticsWebsite analyticsAnonymized data collection, compliant with privacy regulations
    Cloud ProviderInfrastructure hostingSOC 2 Type II, ISO 27001, HIPAA-eligible

    All third-party providers are subject to security review and contractual data protection obligations.

    7. Incident Response

    Response Plan

    • We maintain a comprehensive incident response plan that is tested and updated regularly
    • Our incident response team is on-call 24/7
    • Incidents are classified by severity with defined response timeframes: — Critical: Response within 1 hour, resolution target within 4 hours — High: Response within 4 hours, resolution target within 24 hours — Medium: Response within 24 hours, resolution target within 72 hours

    Breach Notification

    • In the event of a data breach involving Protected Health Information, we will notify affected covered entities within 24 hours of discovery, in compliance with the HIPAA Breach Notification Rule
    • We cooperate fully with any required notifications to individuals, HHS, or state authorities

    8. Business Continuity

    • Regular automated backups of all critical data
    • Backup integrity testing conducted monthly
    • Disaster recovery plan with defined Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
    • 99.9% uptime SLA for production services

    9. Employee Security

    • Background checks conducted for all employees with access to production systems or customer data
    • Security awareness training provided at onboarding and annually
    • HIPAA-specific training for all workforce members
    • Clean desk and screen lock policies enforced
    • Acceptable use policies govern all employee access to company systems

    10. Responsible Disclosure

    We welcome and appreciate reports of potential security vulnerabilities from the security research community. If you discover a security issue, please report it to us responsibly.

    Email: security@thirdvoice.ai

    We ask that you:

    • Provide sufficient detail to reproduce the vulnerability
    • Allow us reasonable time to investigate and remediate before public disclosure
    • Do not access, modify, or delete data belonging to other users
    • Do not perform denial-of-service attacks or social engineering

    We commit to:

    • Acknowledging your report within 48 hours
    • Providing regular updates on our investigation
    • Not pursuing legal action against researchers acting in good faith

    11. Contact Us

    For security questions or concerns:

    Third Voice, Inc.

    7930 Jones Branch Drive, Suite 310

    McLean, VA 22102

    Email: security@thirdvoice.ai

    Phone: (703) 626-8914

    Talk to me! 💬

    !