Effective Date: November 1, 2025 Last Updated: November 1, 2025

1. Overview This document establishes the Health Insurance Portability and Accountability Act (HIPAA) compliance framework for Aloevoice.com ("Aloevoice," "We," "Us"). We provide Voice AI technologies and automation services that enable healthcare organizations ("Covered Entities") to automate patient interactions while maintaining compliance with federal regulations.

2. Commitment to Compliance Aloevoice.com is committed to protecting the privacy and security of Protected Health Information (PHI) in accordance with HIPAA and the HITECH Act. We operate as a Business Associate to our healthcare clients and adhere to the Security Rule, Privacy Rule, and Breach Notification Rule.

3. Shared Responsibility Model HIPAA compliance is a shared responsibility between Aloevoice and our Clients.

3.1 Aloevoice Responsibilities (Business Associate) We are responsible for the security of the Platform and the processing of data within our control:

Technical Safeguards: We implement encryption (TLS 1.2+ for transit, AES-256 for rest), access controls, and audit logs for all platform activities.

Sub-Processor Management: We maintain Business Associate Agreements (BAAs) with all underlying sub-processors that handle PHI (e.g., Voice AI providers, cloud infrastructure).

Data Retention: We retain all call logs, recordings, and transcripts for a minimum of six (6) years to comply with HIPAA documentation requirements.

Incident Response: We will notify affected Clients of any security incident or breach involving PHI without unreasonable delay and in no case later than sixty (60) days after discovery.

3.2 Client Responsibilities (Covered Entity) Clients are responsible for their use of the Platform and their internal compliance:

Patient Consent: Obtaining necessary patient authorizations and consents to use Voice AI and recording technologies.

Configuration: Configuring Voice AI agents to disclose their artificial nature and ensuring scripts/prompts comply with clinical guidelines.

Access Management: Ensuring only authorized personnel have access to the Aloevoice dashboard and securing their login credentials.

Minimum Necessary: Limiting the PHI disclosed to Voice AI agents to the minimum necessary to achieve the intended purpose.

4. Technical & Physical Safeguards

Encryption: All voice data and transcripts are encrypted in transit and at rest.

Access Control: Access to PHI is restricted to authorized personnel based on the principle of least privilege. Multi-Factor Authentication (MFA) is available and encouraged.

Audit Trails: We maintain detailed logs of who accessed PHI and when, which are available for review upon request.

Physical Security: Our infrastructure is hosted by top-tier cloud providers (e.g., AWS, GCP) that maintain SOC 2 Type II and ISO 27001 certifications.

5. Business Associate Agreements (BAA)

Client BAA: We require all healthcare clients dealing with PHI to execute our standard Business Associate Agreement (BAA) prior to processing any sensitive data.

Sub-Processor BAAs: Aloevoice has executed BAAs with our critical downstream vendors (including Voice AI providers and cloud hosts) to ensure the chain of trust is unbroken.

6. Data Retention & Destruction

Retention: As per HIPAA requirements, we retain relevant compliance documentation and records of PHI processing for six (6) years.

Destruction: Upon termination of service (and after the mandatory retention period), we securely destroy or anonymize PHI in accordance with NIST 800-88 guidelines.

7. Incident Reporting If you suspect a security incident or breach involving Aloevoice services, please contact us immediately:

- Email: [email protected]

- Address: Golden Ratio International Inc., dba Aloevoice.com Attn: Privacy Officer 39 Brighton 6th Ct Brooklyn, NY 11235