Enterprise-Grade Security

Your Patient Data Never
Touches Our Servers

No PHI storage. No credit card handling. No compliance nightmares keeping you up at 2 AM. We automate your reminders and follow-ups — your sensitive data stays exactly where it belongs: in your systems.

Zero HIPAA burden • Zero PCI scope • Zero liability transfer

Talk to Security Team
TLS 1.3 Encryption
SOC 2 Aligned
Ungated Docs (No Email)

Need to loop in IT or compliance? The Security Overview PDF answers procurement questions in plain English — no hoops, just answers.

Data Philosophy

Your data never leaves your building.
We just knock on the door.

When a breach hits the news, someone's holding patient data they shouldn't have. That's never us. Your client records — names, phone numbers, appointment history — stay locked in your EHR, your CRM, your systems. We connect via secure API, grab what we need for that one reminder, and let go.

No second database. No copies sitting on a server in some data center. We're a real-time relay — which means if the worst happens, there's nothing on our side to steal.

Zero HIPAA scope. Zero PCI-DSS scope.

We intentionally avoid touching Protected Health Information or payment card data. Your compliance officer can sleep — there's nothing to audit on our end.

What We Do
  • Automate reminders, follow-ups & scheduling workflows
  • Connect via OAuth 2.0 + TLS 1.3 encryption in transit
  • Provide full audit trails and operational logs
What We Don't
  • Store PHI, medical records, or diagnosis data
  • Handle credit cards or payment information
  • Gate compliance docs behind email capture

This page is built to forward. Clear boundaries, clear architecture, instant documentation.

Radical Transparency

Exactly what we see — and what we don't.

This is the screenshot your IT team forwards to legal. Plain-English boundaries, zero hand-waving.

4 Fields Accessed: Minimum needed for automation
5 Categories Blocked: PHI, payments, and more

Data Type                | Access | Why / Why Not
First name, last name    | Yes    | Personalize messages so they don't read like a robot wrote them.
Phone number             | Yes    | Send SMS reminders and follow-ups. TCPA consent rules apply.
Appointment date/time    | Yes    | Trigger confirmations, reminders, and reschedule workflows.
Service booked           | Yes    | Make messages context-aware: what, where, when.
Medical records          | No     | Stays in your PMS/EHR. Not required for reminders.
Treatment notes          | No     | We don't automate clinical decisions. Not needed.
Payment card numbers     | No     | Stays with your payment processor. Zero PCI scope.
Social Security numbers  | No     | Never requested. Never transmitted. Never stored.
Insurance details        | No     | Not part of scheduling or reminder workflows.

The 4 fields we do access are encrypted in transit (TLS 1.3) and never stored. Data flows through in real time, powers your automation, and returns to your system.


Data passes through.
Nothing is stored.

Real-time API processing with zero persistence layer. Your systems stay the source of truth — we're just the messenger.

OAuth 2.0

Scoped access tokens with automatic expiry. We request only the permissions needed — revoke anytime from your dashboard.

TLS 1.3

Latest encryption standard with forward secrecy. All data encrypted in transit — nothing readable if intercepted.

REST API

Stateless request/response architecture. Each call is independent — no session data, no server-side storage.

Secure Connection

OAuth 2.0 scoped tokens with automatic expiry. Your credentials never exposed to front-end systems or third parties.

Tokens expire in 1 hour

No Storage Layer

Process in memory, discard on completion. No shadow databases, no data lakes, no backup copies sitting on a server.

Zero data retention

Instant Revocation

Revoke API access anytime from your admin panel. Connection severed immediately — no waiting, no ticket, no call.

< 60 second disconnect

Plain English: We automate the communication layer. We don't become your system of record.

Live Compliance Status
4 Active Frameworks • Last audited: October 2025 • Zero breaches since launch

$50K fines happen.
Not on our watch.

One misrouted text message. One unsecured voicemail. That's all it takes for a TCPA violation. We handle the communication compliance so you never get that letter.

Active Compliance Frameworks

4 Frameworks Maintained
SOC 2 Type II Certification: 65% complete (documentation & controls audit phase, est. Q2 2026)

Why "In Progress" is honest: Other vendors claim certifications they don't have. We show you real-time status because enterprise buyers verify—and we pass.

Compliance Burdens We Eliminate

Zero Inherited Liability

What This Actually Saves You

HIPAA and PCI audits aren't cheap. Annual penetration testing, staff training, policy documentation, vendor assessments—it compounds. By staying out of scope, you skip:

  • 40+ hours/year in audits
  • $15K+ annual compliance costs
  • 0 BAAs to negotiate
Typical AI vendor: "Sign this 40-page BAA"
Us: "Not needed—here's why"
Procurement FAQ

The 6 questions that kill vendor deals.

Every vendor review dies in the same place: data, access, breach response. Here's exactly what your compliance team needs to hear—formatted for copy-paste into questionnaires.


Short answer: None. We process scheduling data in real-time via API and immediately discard it. No patient names, phone numbers, or appointment details persist on our servers after the transaction completes.

Zero persistent patient data = zero breach exposure

We maintain action audit logs (timestamps of "SMS sent", "call initiated") for 90 days per our retention policy. These logs contain no PHI, no message content, no patient identifiers—only action metadata required for debugging and compliance reporting.

Data flow: Your PMS → API request → Real-time processing → Response → Immediate discard. No intermediate storage.

See DPA

TLS 1.3 everywhere, no exceptions. All API connections enforce modern encryption. We reject downgrade attempts to older TLS versions. OAuth 2.0 tokens authenticate every request—no API keys in URLs.

A+ rating on SSL Labs security scan

Cipher suites: TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256. Certificate pinning available for enterprise deployments. HSTS enforced with 1-year max-age.

Authentication: OAuth 2.0 with short-lived tokens (1hr expiry), refresh token rotation, and scope-based permissions per integration endpoint.

Security overview

Three vendors, all SOC 2 certified: Twilio (SMS/Voice), OpenAI (language processing), AWS (hosting). That's the complete list. No shadow vendors, no offshore processing, no surprises in your security review.

30-day advance notice on subprocessor changes

Twilio: SMS/voice delivery only. No message storage beyond delivery confirmation. HIPAA-eligible tier not required (we send no PHI).

OpenAI: GPT-4o-mini for intent classification. Zero data retention agreement in place. Prompts contain no patient identifiers.

AWS: us-east-1 region. VPC-isolated. No data leaves US infrastructure.

Full list

No browsing, no exports, no access. Our engineers cannot query your patient database. API credentials are scoped to specific actions (read appointment slots, trigger SMS)—never bulk data access. You can revoke our access in under 60 seconds.

Principle of least privilege enforced

Scoped permissions per integration: appointments.read, availability.read, notifications.send. No patients.list, no records.export, no admin access to your PMS.

Access revocation: Update OAuth credentials in your PMS, our access terminates immediately. No "pending disconnect" period.
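The scope model described above (three narrow scopes, no bulk-access scopes, tokens that expire within an hour) can be enforced on both ends of the integration: when the integration asks for a token, and again on every request. The following is an added illustration, not the vendor's own code; the scope names are the three listed on this page, while the action names, the `list_patients` and `export_records` refusal cases, and the token dictionary shape (`iat`, `exp`, space-separated `scope` as in RFC 6749) are assumptions for the example.

```python
"""Least-privilege scope and token-lifetime enforcement for a scheduling integration."""
import time

# Scopes this integration may ever hold (the three named on the page).
# Anything outside this set is refused both when scopes are requested and
# when a token is presented, so a bulk-access scope never reaches a request.
ALLOWED_SCOPES = frozenset({"appointments.read", "availability.read", "notifications.send"})

# One required scope per API action. "list_patients" and "export_records"
# are hypothetical actions included only to show how they are refused.
ACTION_SCOPE = {
    "read_appointment": "appointments.read",
    "list_availability": "availability.read",
    "send_sms": "notifications.send",
    "list_patients": "patients.list",
    "export_records": "records.export",
}

MAX_TOKEN_LIFETIME = 3600  # the page states tokens expire in one hour


class AuthError(Exception):
    """Raised when a scope request or token fails policy."""


def request_scopes(actions):
    """Return the minimal scope set needed for the given actions.

    Refuses any action whose scope lies outside ALLOWED_SCOPES, so the
    integration cannot even ask for more than it is permitted to hold.
    """
    needed = set()
    for action in actions:
        scope = ACTION_SCOPE.get(action)
        if scope is None:
            raise AuthError(f"unknown action {action!r}")
        if scope not in ALLOWED_SCOPES:
            raise AuthError(f"scope {scope!r} is not permitted for this integration")
        needed.add(scope)
    return needed


def validate_token(token, now=None):
    """Check expiry, the one-hour lifetime cap and the scope allow-list.

    `token` is a decoded claim set: {"iat": ..., "exp": ..., "scope": "a b c"}.
    Returns the granted scopes, or raises AuthError.
    """
    now = time.time() if now is None else now
    iat, exp = token["iat"], token["exp"]
    if exp <= now:
        raise AuthError("token expired")
    if exp - iat > MAX_TOKEN_LIFETIME:
        raise AuthError("token lifetime exceeds 1 hour")
    scopes = set(token["scope"].split())
    forbidden = scopes - ALLOWED_SCOPES
    if forbidden:
        raise AuthError(f"token carries forbidden scopes: {sorted(forbidden)}")
    return scopes


def authorize(token, action, now=None):
    """True only if the token is valid and carries the scope the action needs."""
    try:
        scopes = validate_token(token, now)
    except AuthError:
        return False
    return ACTION_SCOPE.get(action) in scopes


if __name__ == "__main__":
    t0 = int(time.time())
    tok = {"iat": t0, "exp": t0 + 3600, "scope": "appointments.read notifications.send"}
    print("send_sms:", authorize(tok, "send_sms"))          # True
    print("list_patients:", authorize(tok, "list_patients"))  # False
```

A token that somehow carries `patients.list` is rejected outright rather than merely having that one scope ignored, so a misconfigured authorization server cannot silently widen access.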

Access policy

Nothing to exfiltrate. Since we don't store patient data, a breach of our systems yields no PHI, no patient records, no contact lists. The realistic risk is service disruption—we maintain automated failover and commit to 24-hour notification of any security incident.

24-hour breach notification SLA in DPA

Incident response: Automated alerting → On-call engineer (15min SLA) → Containment → Client notification → Post-mortem within 7 days.

Breach scope reality: Attackers gain access to action logs (timestamps only), API credentials (rotated immediately), infrastructure config. No patient data exists to steal.

IR plan

Simple: there's nothing to delete. Since we don't store patient data, deletion requests have nothing to act on. We'll confirm "no persistent records exist" in writing and coordinate with your system of record for any audit log questions.

72-hour response to data subject requests

Request workflow: You receive DSR → Forward to us → We confirm no data stored → Provide written confirmation within 72 hours → You complete response to data subject.

Audit logs: Action timestamps retained 90 days, then automatically purged. These contain no PII and are not subject to DSR requirements.
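The relay model on this page (PMS → API request → in-memory processing → response → discard, with an action log that holds timestamps and outcomes but no identifiers, purged after 90 days) is shown below as an added example. It is not the vendor's code: the appointment field names, the record layout (`ts`, `action`, `integration_id`, `status`), the "SMS sent" action label and the sample appointment are assumptions constructed for the illustration. The point it demonstrates is that the log writer refuses any field outside the metadata allow-list, so patient data cannot leak into logs by accident.

```python
"""Pass-through reminder relay: process in memory, log only action metadata,
purge the action log after 90 days."""
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=90)  # page: action logs kept 90 days, then purged

# The only keys an action-log record may contain. Names, phone numbers and
# message bodies are not in this set and are refused before anything is written.
LOG_FIELDS = frozenset({"ts", "action", "integration_id", "status"})


def build_sms(appointment):
    """Render the reminder from the permitted fields. The rendered text is
    handed to the transport and is never logged or stored by this module."""
    return (f"Hi {appointment['first_name']}, reminder: {appointment['service']} "
            f"on {appointment['when']}. Reply C to confirm.")


def assert_no_phi(record):
    """Reject a record that carries anything beyond action metadata."""
    extra = set(record) - LOG_FIELDS
    if extra:
        raise ValueError(f"refusing to log non-metadata fields: {sorted(extra)}")


def make_log_record(action, integration_id, status, ts, **extra):
    """Build an action-log record. `extra` exists only so that an attempt to
    attach, say, phone=... is caught by assert_no_phi rather than stored."""
    record = {"ts": ts, "action": action, "integration_id": integration_id, "status": status}
    record.update(extra)
    assert_no_phi(record)
    return record


def relay_reminder(appointment, send, log, integration_id, now):
    """Process one reminder end to end and keep no copy of the appointment.

    `send(phone, message)` is the transport (e.g. an SMS provider client) and
    returns a delivery status; `log` is the list that holds action records.
    """
    message = build_sms(appointment)          # built in memory
    status = send(appointment["phone"], message)
    log.append(make_log_record("SMS sent", integration_id, status, now))
    return status                             # nothing else is retained


def log_mentions(log, values):
    """True if any of `values` appears in any field of any log record.
    Used as a check that patient data never reached the action log."""
    return any(str(v) in str(field) for record in log for field in record.values() for v in values)


def purge_expired(log, now):
    """Drop records older than RETENTION in place; return how many were removed."""
    cutoff = now - RETENTION
    kept = [r for r in log if r["ts"] >= cutoff]
    removed = len(log) - len(kept)
    log[:] = kept
    return removed


if __name__ == "__main__":
    # Constructed sample appointment; not real data.
    appt = {"first_name": "Ana", "last_name": "Ruiz", "phone": "+15550001234",
            "when": "2025-12-03 09:00", "service": "cleaning"}
    action_log = []
    now = datetime.now(timezone.utc)
    relay_reminder(appt, lambda phone, msg: "queued", action_log, "pms-42", now)
    print(action_log[0])
    print("patient data in log:", log_mentions(action_log, appt.values()))  # False
```

The transport callable is injected so the same relay can be exercised against a fake sender in tests; the `log_mentions` check is the kind of assertion a security review would add to the integration's test suite to prove the "no PHI in logs" claim rather than take it on trust.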

Privacy policy

Skip the 3-week legal review.

Download our DPA + Security Overview—pre-formatted for procurement. Or book 15 minutes with our team to answer the questions your questionnaire didn't cover.

Security Documentation

Forward-ready docs.
No email gate.

Deal stuck on legal/IT? Grab the PDFs and keep momentum. Zero forms, zero spam, zero waiting.

3 Documents
Ungated Access
Updated Monthly

Security & Privacy Overview

Technical summary of our architecture, encryption standards, access controls, and operational safeguards.

PDF 4 pages 280 KB Dec 2025

Why We Don't Need HIPAA

One-page explainer: API-only architecture + no PHI storage = no HIPAA scope for your compliance team.

PDF 1 page 95 KB Dec 2025
Security Team Available Now

Ready to pass procurement?

Stop chasing vendors for security docs. Walk into your next review with every answer ready—or skip the meeting entirely with our self-serve pack.

GDPR Compliant
TCPA Compliant
SOC 2 In Progress
Pre-filled vendor questionnaire
DPA + Security Overview PDF
Subprocessor list with DPAs
Talk to a human: Schedule Security Review
15-20 min calls only
Zero sales pitch
NDA available on request

40+ practices passed vendor review on first submission with our docs.

Built for real-world chaos: after-hours, emergencies, “we need it done today.”
Aligned to Shockwave’s 4-tier model — start lean, scale to governance.
  • Response AI: $3–4K/mo
  • Revenue AI: $6–7K/mo
  • Shockwave OS: $9–12K/mo
  • Network Intelligence: $15K+/mo

Get Started

Stop feeding your competitors missed calls

Shockwave answers, qualifies, and routes leads while you’re busy doing the actual work.

  • HVAC: no-heat call at 2:17 AM—captured, qualified, booked before they tap the next listing.
  • Dental: “Do you take my insurance?”—answered instantly, eligibility captured, consult requested.
  • Plumbing: burst pipe—address + urgency confirmed, dispatch pinged, job details logged clean.
  • Small Law (DUI/PI): intake starts immediately—incident details captured, urgency assessed, consult scheduled.
  • Med Spa: “How much is lip filler?”—price band + availability shared, deposit link sent, slot held.
  • Pest Control: same-day request—service area verified, quote range provided, booking completed.
Limited Q1 build slots

Most owners start with Response AI, then upgrade to Revenue AI once routing + reporting prove ROI. See tiers.

Book Strategy Call