TRUST & COMPLIANCE

How we handle your data, your patients’ data, and the rules that apply to both.

We touch phone calls, SMS, customer records, and review pipelines. The rules vary by jurisdiction and by industry — so we’ve built our practice to match the strictest plausible regime, not the loosest. Below is what we sign, what we’re working toward, and who else is in the supply chain.

Frameworks

What we’ve signed, certified, and verified.

SOC 2 Type II — in progress

Audit cycle started Q1 2026, expected completion Q4 2026. We’re running the controls now — access reviews, change management, incident response, vendor risk — and the auditor will issue the report on schedule. Letter of engagement available on request to qualified prospects.

HIPAA — BAA on request

For chiro, physio, dental, med-spa, optometry, and any engagement where Protected Health Information enters our systems, we sign a Business Associate Agreement before kickoff. Our default infrastructure (Twilio, HighLevel, AWS) supports HIPAA-eligible configurations.

PIPEDA — aware

For Canadian clients we follow the requirements of the Personal Information Protection and Electronic Documents Act: consent on collection, transparency about cross-border data flow, breach notification, and the right of access. We disclose if a sub-processor is US-based and how that affects your privacy posture.

GDPR — aware

For European engagements (currently by referral only) we apply GDPR-equivalent practices: lawful basis, data subject rights, processor agreements, and EU data residency where required. Standard Contractual Clauses included in our DPA.

CASL / TCPA — baked in

Our SMS and email systems enforce Canadian Anti-Spam Legislation and US Telephone Consumer Protection Act consent requirements before any outbound message. Express consent capture, easy unsubscribe, and an audit trail are part of the default configuration.

Industry advertising rules

CVO · AVMA · CCO · College of Physiotherapists · APTA · ACA · provincial dental colleges · HRAI · ACCA · PHCC. We know the rules each regulator imposes on review solicitation, before/after photos, testimonials, and incentivization — and we configure your sequences to respect them.

Data residency

Where your data lives, by default.

For US-based clients: data resides in US AWS regions (us-east-1 primary, us-east-2 backup). For Canadian clients with PIPEDA or provincial-health-data requirements: we configure ca-central-1 (Montreal) primary with Canadian-resident backup. For European-referral engagements: eu-west-1 (Ireland) primary. Twilio numbers are always local to your area code regardless of where data is stored.

Cross-border data flow is disclosed in our Data Processing Addendum, which is part of every Run-It engagement. If your regulator requires data to stay in-country (some Canadian provincial health authorities do), we configure for that on the Pilot.

Sub-processors

Who else handles your data.

We’re an operator on top of best-in-class infrastructure. The full sub-processor list, with each vendor’s purpose, certifications, and data location, is shared as part of the Data Processing Addendum on engagement. Headline vendors:

  • Twilio — voice, SMS, call recording. SOC 2 Type II, HIPAA-eligible.
  • HighLevel — CRM, automation, AI receptionist primitives. HIPAA-eligible workspace.
  • AWS — primary infrastructure. SOC 2, HIPAA-eligible, region-flexible.
  • Cloudflare — web edge, security, DDoS, redirect rules. SOC 2 Type II.
  • OpenAI / Anthropic — LLM inference under enterprise / API agreements with no-training-on-data clauses.
  • Synthflow / Vapi / Retell — voice AI primitives, evaluated per-engagement.
  • n8n — workflow orchestration. Self-hosted on AWS where required.
  • Stripe — engagement billing only; never touches client customer data.

Incident response

If something goes wrong.

We notify you within 24 hours of confirming a security incident affecting your engagement. We have a documented incident response plan with severity classification, containment steps, and forensics capture. For HIPAA-covered engagements we follow the Breach Notification Rule timelines (60 days). Drills run quarterly.

For security disclosures, email security@agniai.store. We aim to respond within one business day.

Geography & team

Where we are. Where we work.

Our team is based in Toronto, Canada. We serve clients across Canada and the United States in production today. We take engagements in Europe by referral. We invoice in USD by default; Canadian clients can opt into CAD. Twilio numbers are local to your area code regardless of where the team is.

Agni AI Store is a service of Agni Consulting. The legal entity that signs your engagement is Agni Consulting (Ontario, Canada).

Questions about compliance?

Email hello@agniai.store or book the audit and we’ll address compliance scoping on the call.