Security & Compliance

Your patient data stays in Canada. Always.

Vocatively is built from the ground up for healthcare privacy — HIPAA, PHIPA, and PIPEDA compliant, with Canadian-hosted infrastructure and encryption at every layer.

  • HIPAA (USA)
  • PHIPA (Ontario)
  • PIPEDA (Canada)
  • BAA included
Canadian Data Residency

Your data never leaves Canada

Unlike US-based competitors, Vocatively stores all patient data in Canadian data centres. This isn't just a feature — it's a requirement under Ontario's Personal Health Information Protection Act (PHIPA).

  • Database hosted in Toronto, Canada (ca-central)
  • No patient data processed or stored in the United States
  • Meets PHIPA Section 10(3) data residency requirements
  • Full compliance with PIPEDA fair information principles
  • Primary Database: Toronto, Canada (ca-central region)
  • Encryption: AES-256 at rest and in transit (TLS 1.3)
  • Data Retention: 90 days; call recordings are auto-deleted after the retention period

How we protect your data

Security isn't a feature we added — it's the foundation we built on.

Encryption Everywhere

  • AES-256 encryption for all stored data
  • TLS 1.3 for all data in transit
  • SSL-required database connections

Access Controls

  • Role-based access (Owner, Admin, Staff)
  • Brute-force login protection
  • Per-organization data isolation

Secure Infrastructure

  • Canadian-hosted managed database
  • Automated backups and disaster recovery
  • Real-time error monitoring and alerting

Audit Trail

  • Complete email delivery logs
  • Call activity and access records
  • Timestamped system event logging

Secure Communications

  • HIPAA-compliant email delivery
  • No PHI in email notifications
  • Secure dashboard for sensitive content

Payment Security

  • Stripe PCI-DSS Level 1 certified
  • No card data stored on our servers
  • Tokenized payment processing

Our AI Data Commitments

  • Zero-retention AI processing

    Your call data is not stored by our AI providers after processing

  • Never used for training

    Your patient data is never used to train, retrain, or improve AI models

  • Caller identity protection

    Phone numbers are cryptographically hashed — even we can't reverse them

  • Automatic data cleanup

    Call recordings are auto-deleted after 90 days — no data hoarding

AI & Privacy

AI that respects patient privacy

Our AI receptionist handles sensitive conversations every day. We designed our AI pipeline with privacy as the default, not an afterthought.

Call Intelligence analyses calls for sentiment, category, and revenue opportunities — but only stores structured metadata. No raw transcripts. No patient identifiers. No training on your data.

Email notifications include only contact information and generic call types — never protected health information. All detailed call content is accessible only through your authenticated, encrypted dashboard.

Compliance frameworks we follow

Whether you practice in Ontario, across Canada, or in the United States, Vocatively meets the privacy requirements your regulators expect.

PHIPA

Personal Health Information Protection Act (Ontario)

Ontario's health privacy law governs how health information custodians collect, use, and disclose personal health information. Vocatively ensures your practice stays compliant.

  • All patient data stored in Canadian data centres (Toronto)
  • No cross-border transfer of personal health information
  • Minimum necessary principle — only structured metadata retained

HIPAA

Health Insurance Portability and Accountability Act (USA)

The US federal standard for protecting sensitive patient health information. We implement the administrative, physical, and technical safeguards required by the HIPAA Security Rule.

  • Business Associate Agreement (BAA) included with every account
  • AES-256 encryption meets HIPAA technical safeguard requirements
  • Access controls and audit logging for all PHI access

PIPEDA

Personal Information Protection and Electronic Documents Act (Canada)

Canada's federal privacy law for private-sector organizations. We adhere to all 10 fair information principles outlined in PIPEDA.

  • Accountability — designated privacy practices and oversight
  • Limiting collection and use — only what is necessary
  • Individual access — export or delete your data on request

PCI DSS

Payment Card Industry Data Security Standard

All payment processing is handled by Stripe, a PCI-DSS Level 1 certified service provider — the highest level of payment security certification.

  • No credit card numbers stored on our servers
  • Tokenized payment methods via Stripe Elements
  • Webhook signature verification for all payment events

Business Associate Agreement included

Every Vocatively account includes a BAA at no additional cost. If your practice handles protected health information, our BAA covers your use of Vocatively as a business associate under HIPAA.

Our BAA covers:

  • All call recordings and transcripts processed through Vocatively
  • Call intelligence metadata and analytics
  • Email notifications sent on behalf of your practice
  • Data stored in your authenticated dashboard
  • All subprocessors and third-party services we use

Report a Vulnerability

If you discover a security issue, please report it responsibly. We take every report seriously and will respond within 24 hours.

security@vocatively.app

Compliance Questions?

Need a copy of our BAA, have questions about data handling, or need documentation for your compliance review? Our team is here to help.

compliance@vocatively.app

Ready to see it in action?

Start your free trial — BAA included, no credit card required.