Security
Mykare AI’s security program is designed around industry-standard controls for healthcare SaaS platforms, with a focus on alignment with the HIPAA Security Rule, the DPDP Act, and SOC 2 Type II.
Secure Infrastructure
- Hosted on leading cloud infrastructure with network segmentation, hardened services, automated backups, and disaster-recovery mechanisms appropriate for healthcare data.
- Use of secure connectivity, firewalls, and monitoring to protect environments from unauthorized access.
- Separation of production and non-production environments, with no real PHI used in development or testing.
Encryption & Data Protection
- Encryption of data in transit using modern TLS (TLS 1.2 or higher), and encryption of data at rest using strong industry-standard algorithms (AES-256 or equivalent).
- Strong key-management practices in line with cloud-provider and security best practices.
- Encrypted handling of voice recordings, transcripts, and conversation analytics generated by AI agents.
Access Control & Identity Management
- Role-based access controls (RBAC) and least-privilege principles for all internal and customer-facing systems.
- Strong authentication requirements, including multi-factor authentication and secure access workflows for Mykare AI personnel with production access.
- Quarterly access reviews and prompt deprovisioning for personnel changes.
Application & Vulnerability Management
- Secure software development lifecycle (SSDLC) practices, including peer code review, dependency management, and automated testing.
- Regular vulnerability assessments and penetration testing (VAPT), with documented remediation processes.
- Use of security tooling to monitor and manage risks across the application stack and AI components.
Monitoring, Logging, and Incident Response
- Centralized logging of key application and infrastructure events, with monitoring for anomalies and potential security incidents.
- Documented incident-response procedures for triage, containment, investigation, remediation, and communication, including HIPAA Breach Notification Rule obligations and applicable U.S. state, GDPR, and DPDP Act breach-notification timelines.
- 24/7 monitoring of production systems and AI agent operations.
Compliance
Mykare AI serves hospitals and healthcare providers in the United States and across international markets, and operates as a HIPAA-aligned, cloud-based Business Associate and, where applicable, a Data Processor under the DPDP Act and GDPR.
HIPAA
- Mykare AI acts as a Business Associate to Covered Entities and other HIPAA-regulated Customers and signs a Business Associate Agreement (BAA) with every such Customer.
- Protected Health Information (PHI) is used only as permitted by HIPAA, the BAA, and Customer instructions; PHI is not used for Mykare AI’s own marketing or for third-party advertising.
- Our HIPAA program covers the Privacy Rule, Security Rule, and Breach Notification Rule, with administrative, physical, and technical safeguards as required by 45 C.F.R. Part 164, Subpart C.
DPDP Act, 2023 (India)
- For data of individuals located in India, Mykare AI acts as a Data Processor under India’s Digital Personal Data Protection Act, 2023, processing personal data only on behalf of and in accordance with Customer instructions.
- We maintain reasonable security safeguards as required by the DPDP Act and Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
SOC 2 Type II (in progress)
- Mykare AI is in the process of aligning controls and evidence for SOC 2 Type II attestation and is building its security program around the applicable Trust Services Criteria (security, availability, and confidentiality).
- Once available, a SOC 2 Type II report or summary will be provided to enterprise Customers under appropriate confidentiality protections (typically a mutual NDA).
Other Regulatory Considerations
- Mykare AI monitors applicable U.S. federal and state healthcare and data-protection requirements (including the TCPA, state telemarketing and biometric privacy laws, U.S. State Privacy Laws, and Section 1557 of the ACA) and updates its practices as laws and regulations evolve.
- For Customers subject to the EU or UK GDPR, Mykare AI enters into a Data Processing Addendum incorporating the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Agreement as applicable.
- For specific regulatory or contractual needs, Mykare AI works with Customers through the MSA/BAA/DPA process.
Privacy & Data Handling
Mykare AI maintains a separate Privacy Policy that describes in detail how we collect, use, and disclose information in connection with our Website and Services. Key principles for PHI and Customer data are summarized below.
Roles & Responsibilities
- For PHI and other patient data processed as part of the Services, Mykare AI acts as a Business Associate or Processor on behalf of the Customer, who remains the Covered Entity, Controller, or Data Fiduciary.
- For Website visitors and marketing contacts, Mykare AI acts as an independent Controller and processes limited business and technical data as described in the Privacy Policy.
Data Flows & Usage
- Mykare AI connects to hospital information systems, CRMs, telephony platforms, and messaging channels to deliver AI-powered patient interactions on behalf of Customers, including inbound and outbound voice and text agents for enquiries, lead qualification, appointment booking, international patient coordination, and patient feedback.
- PHI is accessed and used only to perform the contracted Services, for quality assurance, and for security and operational needs as allowed by the BAA and applicable law.
- Call recordings, transcripts, and structured outputs are written back into the Customer’s designated systems in accordance with the Customer agreement.
De-identification and Analytics
- When permitted by contract and law, Mykare AI may use de-identified or aggregated data for analytics, service improvement, and model refinement, consistent with HIPAA de-identification guidelines (Safe Harbor method under 45 C.F.R. § 164.514(b)(2) or Expert Determination under § 164.514(b)(1)).
- De-identified and aggregated data does not identify individual patients, users, or Customer organizations.
- Customers may opt out of the use of their data for model improvement by notice to support@mykare.ai.
Data Residency & Access
- Primary production infrastructure is hosted in the United States, with PHI stored in U.S. data centers by default. Regional hosting may be configured for specific Customers under the applicable agreement.
- Mykare AI may have engineering and support personnel outside the United States with carefully controlled and logged access, subject to confidentiality obligations and data-protection agreements, and in a manner consistent with Customer contracts and applicable law.
- Cross-border data transfers rely on the EU-U.S. Data Privacy Framework, the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Agreement, and DPDP-compliant transfer mechanisms, as applicable.
AI & Quality Assurance
Mykare AI uses multiple specialized AI agents, orchestrated workflows, and human oversight to deliver fast, accurate, and patient-safe communication services to hospitals and healthcare providers.
AI in Patient-Facing Workflows
- AI agents handle inbound and outbound voice and text interactions, including patient enquiries, lead qualification, appointment booking, guest relations, international patient coordination (visa letters, travel, currency, logistics), and post-treatment feedback.
- AI components are designed to operate only within the scope required to perform the configured workflows for each Customer, under strict access and security controls.
- Multi-agent orchestration, intent classification, emotion detection, language translation (20+ languages), and governance guardrails ensure consistent, on-brand, and policy-compliant patient interactions.
AI Disclosure & Synthetic Voices
- Where required by applicable law (including California Business and Professions Code § 17941 and the Colorado AI Act), our AI agents disclose at the beginning of an interaction that the individual is communicating with an automated AI assistant.
- Mykare AI uses synthetic, computer-generated voices for patient interactions. We do not knowingly use voices that imitate identifiable real persons (including clinicians, celebrities, or public figures), and our Customer agreements prohibit Customers from configuring the Services to do so.
Human Oversight & Quality Assurance
- AI outputs and conversations are subject to ongoing human review and quality checks as part of our governance program, including call analytics, sample review, and escalation procedures.
- Clinical, billing, immigration, and care decisions are made by the Customer’s qualified personnel, not by the AI. The Services support, but do not replace, professional judgment, and the Services do not constitute medical, legal, immigration, or insurance coverage advice.
- The Services have not been evaluated or cleared by the U.S. Food and Drug Administration as a medical device.
Model Improvement & Data Protection
- Mykare AI does not use PHI to train third-party foundation models for their own purposes.
- De-identified, aggregated, or non-PHI data may be used to improve Mykare AI’s own models and workflows when allowed by the MSA/BAA and applicable law. Customers may opt out as described in the Privacy Policy.
Subprocessors & Infrastructure Partners
Mykare AI works with carefully selected subprocessors and infrastructure partners to deliver the Services at scale and with high reliability.
These partners fall into categories such as:
- Cloud hosting and infrastructure for application servers, databases, and storage.
- Telephony, SIP, and PSTN connectivity providers for inbound and outbound voice agents.
- SMS and messaging providers for patient text communications.
- Speech recognition, transcription, and text-to-speech providers powering the voice agents.
- Large language model and natural-language-processing providers for AI orchestration.
- Translation services supporting multi-language patient interactions.
- Email delivery and operational notification services.
- Logging, monitoring, observability, and analytics platforms that help us monitor performance and reliability.
- Customer relationship management and customer-success tools for onboarding and service (no PHI processed).
Where a subprocessor may access or process PHI, Mykare AI requires contractual commitments and security controls appropriate for Business Associates, including data-protection obligations and, where applicable, HIPAA-aligned terms.
If you would like a current list of subprocessors with specific vendor names, or more detail on specific services, you can request it by contacting us at support@mykare.ai. Customers receive at least thirty (30) days’ notice of new subprocessors that handle PHI, in accordance with the BAA and DPA.
Documents & Agreements
Public versions of our key legal and compliance documents are linked below. Private or pre-populated copies are available on request to support@mykare.ai.
- Privacy Policy: How we collect, use, and protect information across the Website and Services. (available to view)
- Terms of Use: The SaaS Customer Agreement that governs use of the KareOS platform. (available to view)
- HIPAA BAA: Standard Business Associate Agreement covering processing of PHI. (available to view)
- Data Processing Addendum: For Customers subject to the GDPR, UK GDPR, or DPDP Act — includes SCCs and UK IDTA as applicable. (available on request)
- Consent Certificate (Exhibit A): Template for multi-entity arrangements (hospital networks, OHCAs) authorizing PHI sharing. (available on request)
- SOC 2 Type II Report: Available under a mutual NDA after the audit concludes. (available on request)