HIPAA & Confidentiality
Effective date: January 1, 2026
Malika Media operates AI voice agents for dental offices and law firms — two industries with strict confidentiality and data protection obligations. This page describes our security posture, how we handle sensitive information, and what is available on request (including a Business Associate Agreement).
1. Healthcare clients (dental practices)
For dental clients in the United States, calls handled by our AI voice agent may involve protected health information ("PHI") as defined under the Health Insurance Portability and Accountability Act ("HIPAA"). When acting as a Business Associate to a covered entity, Malika Media will sign a Business Associate Agreement ("BAA") and process PHI only as permitted under the BAA and applicable law.
- BAA available on request before any production traffic.
- PHI minimization — we only collect what is required to complete the call task (booking, triage, message).
- No use of PHI to train general-purpose AI models.
2. Legal clients (law firms)
Calls to law firms frequently contain information protected by attorney-client confidentiality and the work product doctrine. Our intake flows are designed to:
- Disclose that the call is recorded and that no attorney-client relationship is formed by the call alone.
- Run conflict-check questions before sensitive matter details are collected.
- Restrict access to call recordings and transcripts to authorized firm personnel.
3. Encryption
- In transit: all telephony signaling, audio streams, and API traffic use TLS 1.2+ or equivalent transport encryption.
- At rest: recordings, transcripts, and metadata are stored with AES-256 encryption (or stronger) on managed cloud infrastructure.
4. Call recording, transcripts, and retention
Where enabled by a client, the AI voice agent may record and transcribe calls for quality, training, compliance, and service delivery. Default retention is 90 days for recordings and 365 days for transcripts and structured call data. Clients can request shorter retention windows in writing; healthcare clients with a BAA can configure retention to match their record-keeping policy.
Call recording and notice requirements vary by jurisdiction (including one-party and two-party consent rules). Clients are responsible for configuring appropriate disclosures and obtaining required consents.
5. Access controls
- Role-based access for the Malika Media team; least-privilege principles.
- Multi-factor authentication required for all administrative consoles.
- Audit logging on access to recordings and transcripts.
6. Sub-processors
We use a small set of vetted sub-processors for telephony, hosting, AI inference, transcription, and analytics. A current sub-processor list is available on request and is provided to BAA-signed clients before any change. Sub-processors that handle PHI are themselves bound by written agreements that meet HIPAA Business Associate requirements.
7. PII minimization and de-identification
Where possible, we de-identify or aggregate data used for product improvement. Production data is not used to train general-purpose models. Internal evaluations of call quality are run on de-identified samples unless the client requests otherwise in writing.
8. Incident response
We maintain an incident response process covering detection, containment, notification, and remediation. Security incidents involving client data are reported to affected clients without unreasonable delay, and within any timeframes required by HIPAA, state breach-notification laws, or our contractual obligations.
9. What's NOT covered
- The AI voice agent does not provide legal, medical, or clinical advice.
- It does not establish an attorney-client relationship.
- It is not a substitute for emergency services — emergency callers are routed per the client's escalation rules.
10. Requesting a BAA, sub-processor list, or security review
Email hello@malikamedia.com with your firm or practice name and the documents you need. We typically respond within two business days.
