VAVUS
HIPAA Compliant · BAA Available · AES-256 Encrypted

HIPAA-compliant AI for healthcare teams

Eliminate language barriers in clinical settings without compromising patient privacy. Real-time translation, SOAP note generation, medical STT, and encrypted messaging — with the security controls your compliance team requires.

AES-256 Encryption · 6-Year Audit Trail · BAA-Backed · GDPR Compliant · SOC 2

HIPAA Compliance

Security controls that eliminate compliance gaps

Every safeguard is architecturally enforced — not a checkbox policy that depends on user behavior.

8-Hour JWT Token Expiry

Session tokens for healthcare accounts expire after 8 hours, compared with 30 days for personal accounts. This eliminates stale-credential risk on shared clinical workstations.

15-Minute Idle Timeout

Automatic session lock after 15 minutes of inactivity. No unattended screens exposing patient data in exam rooms or nurse stations.

Zero PHI in Logs

Transcripts, translations, and personal health data never appear in application logs. Architecturally enforced at the code level, not policy-dependent.

AES-256-CBC Encryption

Audio files and all PHI encrypted at rest with AES-256-CBC. Encryption keys managed and rotated independently from data storage.

Secure File Deletion

Temporary files overwritten with random data before filesystem unlinking via secureDelete(). No residual PHI on disk after processing.

6-Year Audit Retention

Complete audit trail retained for 6 years via GCS lifecycle management and Cloud Logging. Meets HIPAA minimum retention requirements.

PHI Field Encryption in Streams

PHI fields encrypted within WebSocket streaming sessions. Data is protected in transit and at the application layer, not just the transport layer.

Root/Jailbreak Detection

Mobile apps detect rooted or jailbroken devices and restrict PHI access. Compromised devices cannot access healthcare features.

HIPAA Requirement | How Vavus Meets It
Access Controls (§ 164.312(a)) | Role-based access, 8-hour token expiry, 15-minute idle lock, healthcare account type
Audit Controls (§ 164.312(b)) | 6-year audit log retention, tamper-evident logging, user action tracking, GCS lifecycle
Integrity Controls (§ 164.312(c)) | AES-256-CBC encryption, secure file deletion, data integrity verification, key rotation
Transmission Security (§ 164.312(e)) | TLS 1.2+ for all data in transit, encrypted WebSocket connections, PHI field encryption
Person Authentication (§ 164.312(d)) | JWT-based authentication, TOTP two-factor, SSO integration, root/jailbreak detection
Data Backup (§ 164.308(a)(7)) | Encrypted hourly backups, cross-region replication, tested recovery procedures
PHI Disclosure (§ 164.502) | Zero PHI in logs, architectural enforcement, no third-party data sharing, secure deletion
Business Associate Agreements | Digital BAA signing, status tracking in database, compliance dashboard, audit trail

Clinical Workflows

Purpose-built tools for clinical environments

From patient intake to discharge instructions — every clinical touchpoint gets AI-powered language support with HIPAA-grade security.

Patient Intake Forms

Drag-and-drop form builder with auto-translated labels. Create custom fields, validation rules, and multi-language patient intake forms. Collect responses directly in the platform.

  • Drag-and-drop creation
  • Custom fields & validation
  • Multi-language labels
  • Patient response collection

SOAP Note Summarization

Auto-generate Subjective, Objective, Assessment, and Plan notes from patient conversations. AI extracts structured clinical data from free-form dialogue.

  • Auto-structured output
  • Clinical vocabulary recognition
  • Editable before saving
  • EHR-ready format

Medical Speech Recognition

Deepgram Medical STT engine specialized for clinical vocabulary. Accurate transcription of drug names, procedures, anatomy terms, and medical abbreviations.

  • Clinical vocabulary model
  • Drug name accuracy
  • Medical abbreviations
  • Speaker diarization

Voice Profiles

Custom TTS voices for clinical consistency. Patients hear the same synthesized voice across all interactions, building familiarity and trust in translated communications.

  • Consistent voice identity
  • Multiple language support
  • Clinical tone calibration
  • Per-provider profiles

Offline Language Packs

Download language packs for areas with poor connectivity. Rural clinics and mobile health units maintain full translation capability without internet access.

  • Downloadable language packs
  • No internet required
  • Full STT/TTS offline
  • Auto-sync when connected

Document Translation

Translate medical documents including consent forms, discharge instructions, medication guides, and patient education materials while preserving formatting.

  • Consent forms
  • Discharge instructions
  • Medication guides
  • Format preservation

Healthcare Features

Everything a healthcare team needs

Conference rooms, diarized transcripts, encrypted messaging, and real-time call translation — all with compliance-grade audit logging.

Conference Rooms

Multi-provider consultation rooms with real-time translation. Multiple clinicians join a single session with a patient, each receiving translation in their preferred language.

Speaker Diarization

Conversation history identifies and labels speakers — doctor vs. patient vs. interpreter. Clear attribution in transcripts for accurate medical records.

Encrypted Provider Messaging

End-to-end encrypted messaging for provider-to-provider communication. Discuss patient cases with colleagues without PHI exposure risk.

Real-Time Call Translation

Live voice translation during patient consultations. Both parties speak naturally in their language while hearing translations in real time.

Comprehensive Audit Logging

Every action logged with user ID, timestamp, IP address, and action type. Tamper-evident records for compliance audits and incident investigation.

Healthcare Account Controls

Dedicated healthcare account type with specialized security controls, access restrictions, and compliance settings enabled by default.

Summary Templates for Healthcare

AI-generated summaries in clinically relevant formats from any conversation.

SOAP Notes

Subjective, Objective, Assessment, Plan structured clinical notes

Clinical Summary

Concise overview of patient encounter for chart documentation

Patient Education

Simplified explanations of diagnosis and treatment for patients

Meeting Minutes

Structured notes from care team meetings and case conferences

Key Points

Bullet-point extraction of critical information from conversations

Action Items

Follow-up tasks, referrals, and orders extracted from discussions

Security Architecture

Defense-in-depth, not security theater

Multiple independent security layers ensure that a single point of failure cannot expose patient data. Encryption, isolation, and audit at every level.

01 Encrypted Audio Pipeline

Audio streams encrypted in transit with TLS 1.2+ and at rest with AES-256-CBC. Encryption keys rotated independently of data storage. No unencrypted audio touches disk.

TLS 1.2+ in transit, AES-256-CBC at rest

02 Secure Deletion Protocol

All temporary files — audio recordings, transcripts, translations — overwritten with random data via secureDelete() before filesystem unlinking. Verified deletion, not just unlink.

secureDelete() overwrites before unlink

03 Immutable Audit Trail

Every access, modification, and deletion logged with user ID, timestamp, IP, and action type. Tamper-evident, retained 6 years via GCS lifecycle and Cloud Logging.

6-year retention, tamper-evident

04 Regional Data Residency

US-primary infrastructure with configurable data residency. PHI never leaves designated regions. Three-region deployment ensures availability without data sovereignty violations.

3-region GCP deployment

05 Session Security

8-hour JWT expiry for healthcare accounts with 15-minute idle timeout. Token revocation on logout, password change, and suspicious activity. No long-lived sessions.

8h expiry, 15min idle, revocation

06 Mobile Device Security

Root and jailbreak detection prevents PHI access on compromised devices. Certificate pinning, secure storage, and biometric authentication support on mobile platforms.

Root/jailbreak detection, cert pinning

Business Associate Agreement

BAA signing, tracked and auditable

Before any PHI touches our infrastructure, we execute a Business Associate Agreement. Digital BAA signing is built into the platform — your compliance team can verify coverage status at any time from organization settings.

  • Digital BAA signing built into the platform
  • BAA status monitoring in organization settings
  • Required for all healthcare account activation
  • Covers all Vavus AI services: translation, messaging, voice, STT
  • Aligned with HITECH Act breach notification requirements
  • Full audit trail of BAA execution and updates

Business Associate Agreement

Required for HIPAA-covered entities

Organization: Your Healthcare Org
Coverage: All Vavus AI Services
Signing Method: Digital, in-platform
Effective Date: Upon execution
Breach Notification: Within 24 hours
Audit Log Retention: 6 years minimum
Status Tracking: Organization settings

BAA execution is tracked in our database with full audit trail. Your compliance officer can verify status and request documentation at any time via organization settings.

HIPAA Compliant

Eliminate compliance risk from your clinical workflow

Stop relying on consumer tools that put your organization at risk. Get a BAA-backed, HIPAA-compliant platform with medical STT, SOAP notes, intake forms, and encrypted messaging your compliance team will approve.

No credit card required. BAA executed before any PHI processing.