We're a managed service provider for medical aesthetic practices. That means HIPAA compliance, signed BAAs, and California 2026 regulatory alignment aren't features we charge extra for — they're the foundation of what we do. This page is for owners, operations leads, and attorneys who want to verify our posture before signing.
Claustro AI is built specifically for healthcare-adjacent practices. Every component of our infrastructure — voice processing, backend logic, telephony, communications — is selected and configured to support our clients' obligations as covered entities under HIPAA, and to align with California's January 2026 Medical Board updates.
A voice AI runs on a chain — voice engine, backend, telephony, communications. Each layer must be HIPAA-eligible and BAA-covered, or the chain breaks. Here's our full stack:
Voice infrastructure. Self-serve BAA on the vendor's HIPAA-eligible tier. ISO 27001 certified; SOC 2 Type II report available on request. Built-in safety guardrails and PII redaction.
Backend logic and data layer. HIPAA-eligible Pro plan with dedicated hardened infrastructure. HIPAA + BAA add-on activated. ISO 27001 certified.
Telephony. HIPAA-eligible Programmable Voice, SMS, and SIP. Enterprise Edition with signed BAA. Industry-leading telephony reliability and compliance posture.
Internal documentation and communications. BAA-covered via Business Standard plan. Audit logging, 2FA enforcement, access controls.
A current sub-processor list — including any updates — is provided on request and incorporated into our client BAA.
TLS 1.2 or higher for all data in transit between systems. No exceptions.
AES-256 encryption for all data at rest, applied at every layer of the stack.
Role-based access controls (RBAC) across all systems. Principle of least privilege enforced.
2FA mandatory for all internal team members on every system handling PHI.
Every call, every action, every data access logged. Retention per HIPAA Security Rule requirements.
Multi-tenant architecture with strict client data segregation. No commingling of PHI across clients.
California's Medical Board updates that went into effect January 2026 explicitly tightened the rules around AI in medical practice settings. Most voice AI vendors haven't read these. We've built our agent architecture around them.
The AI never recommends treatments to specific callers. Clinical questions route to consultation booking with a licensed provider.
Pricing for medical procedures is never quoted by the AI. All pricing routes through provider consultation per California guidance.
The AI does not generate or implement patient-specific orders. Orders remain the responsibility of supervising physicians.
California Invasion of Privacy Act (CIPA) recording disclosure on every call. CIPA is an all-party consent statute (commonly called two-party consent), so the disclosure is delivered at the start of the call, before the caller is recorded.
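The four rules above only hold if they are enforced somewhere the model cannot override them. The following is an added illustration, not Claustro AI's own code, of a deterministic guardrail layer that sits outside the language model: the caller's utterance is classified and routed before the model ever answers, every model reply is vetted before it reaches text-to-speech, and the call transcript is checked to confirm the recording disclosure came first. The intent names, regex patterns, canned replies and sample utterances are all assumptions constructed for the example.

```python
"""Deterministic guardrail layer for a front-desk voice agent.

Illustrative example, not Claustro AI's code. Shows one way the section's
rules (no treatment recommendations, no procedure pricing, no patient-
specific orders, recording disclosure first) can be enforced in code that
sits outside the language model. Patterns and replies are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Caller-side intent patterns (assumed). Checked in order; first match wins,
# so a question that is both clinical and about price still routes to a
# consultation rather than to the model's free-form answer path.
INTENT_PATTERNS = [
    ("clinical", re.compile(
        r"(should i (get|try)|do i need|which (filler|treatment|product)"
        r"|recommend|right for me|side effects?|how many units)", re.I)),
    ("pricing", re.compile(r"(how much|cost|price|pricing|\$\s?\d)", re.I)),
    ("order", re.compile(r"(prescri\w*|refill|dosage|dose)", re.I)),
    ("scheduling", re.compile(
        r"(book|schedule|appointment|reschedule|cancel|availab)", re.I)),
]

# Routing table. Clinical and pricing questions never reach the model;
# order-like requests go to the supervising provider's office.
ROUTES = {
    "clinical": "book_consultation",
    "pricing": "book_consultation",
    "order": "transfer_to_provider",
    "scheduling": "agent",
    "general": "agent",
}

CANNED = {
    "book_consultation": ("Treatment and pricing questions are answered by a "
                          "licensed provider. I can book a consultation for you."),
    "transfer_to_provider": "Let me connect you with the supervising provider's office.",
}


@dataclass(frozen=True)
class Decision:
    intent: str
    route: str
    reply: Optional[str]  # canned reply, or None when the model may answer


def classify_intent(utterance: str) -> str:
    for intent, pattern in INTENT_PATTERNS:
        if pattern.search(utterance):
            return intent
    return "general"


def route_utterance(utterance: str) -> Decision:
    intent = classify_intent(utterance)
    route = ROUTES[intent]
    return Decision(intent, route, CANNED.get(route))


# Reply-side filters, applied to every model output before text-to-speech.
DOLLAR_AMOUNT = re.compile(r"\$\s?\d[\d,]*(?:\.\d{2})?")
RECOMMENDATION = re.compile(
    r"\b(i (would )?recommend|you should (get|try)|you need|best (option|treatment) for you)\b",
    re.I)
ORDER_LANGUAGE = re.compile(r"\b(\d+\s*(units|mg|ml)|take \d+|apply .* daily)\b", re.I)


def vet_agent_reply(reply: str) -> tuple:
    """Return (allowed, reason). Any dollar figure is blocked outright: the
    agent holds no approved price list, so a figure can only be improvised."""
    if DOLLAR_AMOUNT.search(reply):
        return False, "pricing"
    if RECOMMENDATION.search(reply):
        return False, "clinical_recommendation"
    if ORDER_LANGUAGE.search(reply):
        return False, "patient_specific_order"
    return True, "ok"


def disclosure_given(events: list) -> bool:
    """CIPA gate (all-party consent): the first turn on the call must be the
    agent's recording disclosure, before the caller has said anything.
    `events` is an ordered list of (speaker, text) tuples."""
    if not events:
        return False
    speaker, text = events[0]
    return speaker == "agent" and re.search(r"\brecorded\b", text, re.I) is not None


if __name__ == "__main__":
    # Constructed sample utterances and replies, not real call data.
    for line in ["I'd like to book a consultation for next week",
                 "How much is Botox for my forehead?",
                 "Should I get filler or Botox for these lines?",
                 "Can you refill my tretinoin prescription?"]:
        print(route_utterance(line))
    for reply in ["Our consultation is complimentary; shall I find a time?",
                  "Botox runs about $12 per unit here.",
                  "I would recommend filler for those lines."]:
        print(vet_agent_reply(reply))
```

The design point is that prompt instructions alone are advisory; a caller who rephrases, or a model that hallucinates a price, defeats them. A regex or classifier gate in front of the model and a filter behind it turn the rules into something an auditor can test with fixed inputs and expected outputs, which is exactly what the "can the AI improvise?" question below is asking for.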
Whether you choose us or someone else, these are the questions that separate compliance-conscious operators from everyone else. We'll answer all five honestly. Many vendors won't.
Can you send a sample BAA for our attorney to review? Under HIPAA, a vendor that creates, receives, or stores PHI on your behalf must have a signed BAA; without one there is no compliant way for it to handle that data.
Voice platform, backend, telephony. Does each sub-processor have a BAA in place? Full chain, no gaps.
Which cloud provider, which region, what's the retention policy, how is data deleted on contract termination?
If a breach affects patients, how quickly are we notified? The HIPAA Breach Notification Rule gives a business associate up to 60 days after discovery to notify the covered entity, so the BAA should commit to something far shorter; 24-72 hours is the common contractual standard. Anything longer is a yellow flag.
Are clinical recommendations explicitly blocked? Is pricing locked to your data? Or can the AI improvise?
Full compliance documentation (sub-processor list, BAA template, breach SOP, technical safeguards) is available for your attorney to review before you sign.
HIPAA isn't just technical safeguards. It requires administrative processes, documented policies, and ongoing operations. Here's what we maintain:
Annual security risk assessment with documented mitigations.
HIPAA training for all team members handling PHI. Refreshed annually.
Documented incident response and breach notification procedures. Tested.
Data backup, disaster recovery, and continuity plans for client operations.
We're happy to walk through our infrastructure, send our BAA template, or set up a call with your legal counsel. Compliance done right is a conversation, not a checkbox.