Data Security & Compliance

Safeguards for AI voice agents and customer conversations.

Oratolabs is built to help businesses launch voice agents with tenant isolation, protected public endpoints, limited public data exposure, careful handling of sessions and leads, protected credentials, and HIPAA-aligned deployment support for US healthcare use cases.

Last updated: June 7, 2026

Oratolabs is built with security-focused controls for the platform areas described below. For regulated deployments, including US healthcare workflows, Oratolabs supports customer compliance reviews with tenant isolation, protected APIs, server-side secrets, webhook verification, PHI handling boundaries, and required business associate agreements where applicable.

Overview

Oratolabs combines managed hosting, authenticated workspaces, protected database access, server-side APIs, hosted voice infrastructure, and scheduling integrations to power public voice agents and business dashboards.

The platform is designed so public visitors can access published agent experiences while private workspace data remains protected behind authentication and server-side controls.

Data isolation

Business data is stored under per-user workspace paths such as agents, context, sessions, messages, analytics, and leads.
Workspace access rules restrict private reads and writes to the authenticated owner, approved users, or superadmin role.
Pending accounts are gated before workspace data access is allowed.

Public agent data exposure

Published agent pages read from the public agent collection, which is intentionally anonymous-readable. That collection should contain only the fields needed to render and start a public agent experience.

Private session trees, messages, leads, analytics, and tenant context remain outside anonymous client access.
Custom system prompts are not exposed through public agent documents.
Public link slugs and composite agent identifiers are validated before backend voice session preparation.

Voice/session handling

Voice conversations are prepared through backend endpoints. Server-side context assembly is used so public callers do not submit arbitrary system prompts or provider credentials.

Conversation sessions, transcripts, leads, and analytics are stored under the owning workspace.
Post-call transcript enrichment is handled by backend services, not anonymous client-side database writes.
Customers should define their own retention, consent, and disclosure practices for call recording and transcript use.

API and abuse protection

Public APIs use scoped rate limiting and validated request inputs.
Optional app attestation support can add browser/app verification for public fetch flows.
Dashboard-oriented APIs require authenticated bearer tokens.
Custom agent-page HTML is sanitized before rendering on public agent pages.

Webhook security

Provider post-call webhooks are verified with HMAC signatures before processing. Duplicate webhook payloads are deduplicated server-side to reduce repeated processing.

Unsigned or invalid webhook requests are rejected.
Webhook processing resolves hosted voice agent IDs to published agent records before writing session data.
Internal webhook dedupe records are not readable or writable from client-side app access.

Secrets and infrastructure

External API keys are configured through server-side secrets instead of hardcoded source values.
Hosting includes baseline browser security headers such as frame denial and content-type protection.
Public agent routes use a Content Security Policy tuned for hosted app, voice, booking, and app-attestation flows.

US healthcare and HIPAA review

For United States healthcare customers, Oratolabs supports HIPAA-aligned deployments when protected health information (PHI) is handled through approved configurations, applicable business associate agreements, and customer-specific privacy controls.

PHI workflows can be scoped to approved agent configurations, permitted PHI flows, retention needs, patient notices, and minimum necessary data collection.
HIPAA-aligned use includes confirming covered entity and business associate roles, business associate agreements where applicable, and subprocessor controls.
Where Oratolabs or a connected provider acts as a business associate, a written Business Associate Agreement (BAA) supports the regulated healthcare deployment path.
Relevant providers for review can include hosting, AI model, voice, transcription, analytics, booking, email, and webhook destinations connected to an agent.

Official HHS guidance explains that HIPAA applies to covered entities and business associates, and that business associate assurances are typically documented in writing. See HHS covered entities and business associates and HHS business associate guidance.

Healthcare and clinic agent boundaries

Clinic templates are designed for administrative assistance: clinic services, appointment preparation, availability, contact details, and booking support.

Clinic agents should not diagnose, prescribe, interpret symptoms, or replace licensed clinicians.
For urgent or severe symptoms, callers should be directed to local emergency services or the clinic directly.
US healthcare deployments can be configured with HIPAA, privacy, consent, retention, and PHI boundaries for protected or sensitive health information.

Current compliance posture and remaining work

Oratolabs maintains the safeguards described on this page for the platform capabilities we provide: tenant isolation, protected public APIs, controlled public data exposure, sanitized custom HTML, HMAC-verified webhooks, server-side secrets, and healthcare agent boundaries.

For regulated deployments, recommended implementation steps include HIPAA applicability confirmation, retention policy, subprocessor review, customer-specific privacy terms, app-attestation decisions, BAAs where applicable, and any required contractual agreements.