HIPAA + BAA
Real BAA. Real encryption. Real US data residency.
Independent medical and dental practices need a Business Associate Agreement (BAA) before AI handles patient calls. Here's exactly what we provide, what we don't, and how to get the BAA executed at signup.
What FilterMyCalls includes for HIPAA-covered practices
Business Associate Agreement (BAA)
Included at Group and Enterprise tiers. Available on request for Starter customers whose use case requires it. Executed via click-through at signup or via wet-signed PDF if your compliance officer prefers.
Encryption at rest
AES-256 on every database, every storage volume, every call recording. Managed by Railway (our infra provider) with KMS-rooted keys.
Encryption in transit
TLS 1.2+ on every API endpoint. SRTP on every voice call leg. Telnyx (our carrier) is HIPAA-eligible and has its own BAA with us.
US-only data residency
All call audio, transcripts, and account data live in US-based data centers (AWS us-east, Railway US). No cross-border transfer. No EU data routing.
Audit log
Immutable record of every action: who routed a call, who exported the call list, who invited a member, who changed routing rules. Retained for 1 year (Group) or 2 years (Enterprise). Exportable to CSV for your compliance reviews.
Role-based access controls
Admin, member, read-only roles per Org. Magic-link auth (no shared passwords). Session timeout configurable per practice.
Data deletion + portability
Cancel anytime → 90-day retention grace period → automatic full purge. Export your full call history + transcripts to CSV any time from the dashboard.
Vendor + sub-processor disclosure
Telnyx (carrier), Stripe (billing), Resend (transactional email), Railway (compute + storage), Cloudflare (edge + DNS). All US-based, all under their own enterprise SLAs. List updated whenever sub-processors change.
What we don't claim (yet) — full transparency
Industry pages full of trust badges are common. We'd rather tell you the truth up front. Here's what we're working toward but haven't shipped yet:
SOC 2 Type I
In plan for late 2026 with a public audit firm. We have the internal controls documentation and access logs that a SOC 2 audit reviews — but we don't have the auditor's letter yet. If SOC 2 is a hard gate for your IT, the cleanest path is to start the trial, prove product fit, then add us officially when our cert lands.
HITRUST CSF
Not pursued. HITRUST is overkill for independent practices in our customer profile (3–15 providers). If you're a hospital system that needs HITRUST, we're not the right fit yet.
State-by-state telehealth registration
FilterMyCalls is not a telehealth provider — we're a phone receptionist for the practice. We don't deliver clinical care. But if a call captured by FMC informs clinical decisions, you (the covered entity) remain the responsible party for telehealth rules. Same as any other call answering service.
Custom contracts / MSAs
Available at Enterprise tier on request. Not available for Starter or Group customers (we use the standard BAA + Terms of Service to keep things consistent and fast).
How to get the BAA
Click-through at signup
The BAA is presented during checkout. Click-accept and an executed copy is emailed to your contact + stored in your dashboard.
On request
Starter tier has the same infrastructure. We provide the BAA on request — email us and we'll send the executed PDF.
Read it first
Want your compliance officer to review the BAA before you sign up? Reply to support@filtermycalls.com and we'll send the draft PDF. No signup needed.
Counterparty
LTI Group LLC, a Wyoming-registered limited liability company.
EIN 87-2788006.
Sheridan, WY 82801
United States
Notice + escalation
For BAA-specific notices, breach notifications, or compliance questions: support@filtermycalls.com
Breach notifications follow the timelines required by HIPAA §164.410. The full incident response runbook is documented and available on request to executed-BAA customers.