Security & compliance
Healthcare runs on trust.
Here is exactly how Voxoth handles data, consent and clinical boundaries — in plain language, no legalese.
Scope
Non-clinical by design
Voxoth never diagnoses, triages severity, counsels or prescribes — this is enforced in the product's architecture, not just its instructions. Any question that reads as clinical (symptoms, dosage, urgency) is transferred to your staff immediately, and emergency keywords trigger a clear escalation script. The agent handles patient access — booking, reminders, information — and nothing else.
Consent
Consent & AI disclosure on every call
Every call opens with an AI disclosure and a recording-consent step; both events are logged with timestamps. Callers who decline are routed to your staff. On the marketing site, our waitlist form captures explicit, timestamped consent before we ever contact you.
Data
DPDP-ready data handling
We follow the Digital Personal Data Protection Act's principles: collect the minimum, use it only for the stated purpose, retain it only as long as needed, and honour access and erasure requests. The marketing site collects business lead data only — never patient data.
Encryption
Encryption everywhere
Data is encrypted in transit (TLS) and at rest. Call recordings live in an encrypted bucket with retention controls; access is role-scoped and audited. Passwords are hashed with argon2; API access uses short-lived, rotating tokens.
Isolation
Tenant isolation
Each clinic's data is scoped to its organization at every layer — application, repository and database (row-level security). Cross-tenant access is architecturally blocked, and our test suite proves it on every release.
Telecom
Telecom compliance (India)
Outbound calling follows TRAI norms: DLT registration, quiet-hours enforcement, consent gating at dial time, and immediate, permanent opt-outs — spoken, via keypad, or from the dashboard.
Questions about our data practices? Write to hello@voxoth.com, or read the privacy policy.