
HIPAA Readiness

Last updated: 11 April 2026 • Designed to support HIPAA compliance

HIPAA Ready by Design
UK GDPR Aligned

1. Our Commitment

HEXYL LTD (trading as "Hexyl AI") is committed to ensuring the confidentiality, integrity, and availability of all protected health information (PHI) processed through our platform. Unlike typical cloud AI providers, Hexyl is built from the ground up with a privacy-first architecture designed to support organisations in meeting their HIPAA obligations.

Our approach is simple: patient data never leaves your infrastructure. Our closed LLM technology processes all conversations locally, and no patient data is ever sent to external AI providers or used for model training. While HIPAA compliance requires organisational policies and procedures beyond technology alone, our platform provides the technical foundation to help you get there.

2. Closed LLM Architecture

The cornerstone of Hexyl's compliance strategy is our closed LLM architecture. This means:

  • No external AI processing: All AI inference runs within our closed infrastructure. Patient conversations are never sent to OpenAI, Google, or any third-party AI provider by default.
  • No training on your data: Your patient conversations, call recordings, and clinical data are never used to train or fine-tune AI models. Your data is yours alone.
  • Configurable LLM fallback: If tenants choose to enable external LLM providers (Groq, DeepSeek, OpenAI) for enhanced responses, this is an explicit opt-in decision per tenant. Tenants can disable external LLM routing entirely.
  • On-premise voice processing: Speech-to-text (Whisper) and text-to-speech (Piper) run locally within our infrastructure, ensuring voice data never traverses external networks.

3. Technical Safeguards

3.1 Encryption

  • Data in transit: All communications are encrypted using TLS 1.2 or higher. API endpoints, webhook callbacks, and inter-service communication all use encrypted channels.
  • Data at rest: Sensitive data including PHI is encrypted using AES-256 encryption. Database-level encryption is applied to all storage volumes.
  • Key management: Encryption keys are managed through secure key management infrastructure with regular key rotation.

3.2 Access Controls

  • Role-based access control (RBAC): The platform enforces granular, role-based permissions following the principle of least privilege. Users can only access data necessary for their role.
  • Multi-tenant isolation: Each tenant's data is completely isolated using PostgreSQL schema-level separation, ensuring absolute data segregation between organisations.
  • Authentication: Secure authentication with password hashing, session management, and support for email verification.

3.3 Audit Controls

  • Comprehensive audit trails: All system actions including data access, modifications, user logins, and administrative changes are logged with timestamps, user identification, and action details.
  • Audit log retention: Audit logs are retained for up to 24 months for security and compliance purposes.
  • Activity monitoring: Continuous monitoring of system access patterns with automated alerts for anomalous activity.

3.4 Transmission Security

  • Secure APIs: All API endpoints require authentication and use HTTPS. Webhook callbacks use cryptographic hash validation.
  • Communication channels: Integrations with Twilio (voice/SMS), WhatsApp, and email providers use encrypted connections with provider-specific security measures.

4. Administrative Safeguards

4.1 Risk Assessment

We are building a risk management programme to identify potential vulnerabilities and threats to PHI. Our planned measures include:

  • Regular vulnerability scanning and security audits
  • Penetration testing of platform infrastructure
  • Third-party security reviews
  • Continuous monitoring and threat detection

4.2 Workforce Security

  • Security awareness training for team members with access to PHI
  • Background checks for personnel with system access
  • Immediate access revocation upon role change or termination
  • Regular review of access permissions and privileges

4.3 Incident Response

Our incident response procedures include:

  • Detection and analysis: Automated monitoring systems to detect potential security incidents
  • Containment: Immediate containment procedures to limit the scope of any breach
  • Notification: Notification within 72 hours of a confirmed data breach, as required by both HIPAA and UK GDPR
  • Post-incident review: Thorough investigation and remediation following any incident

5. Physical Safeguards

  • Data centre security: Hosted on infrastructure with enterprise-grade physical access controls, surveillance, and environmental protections.
  • UK data residency: Data is primarily processed and stored within the United Kingdom. Where data is transferred internationally, appropriate safeguards are in place as detailed in our Privacy Policy.
  • Redundancy: Infrastructure includes redundancy and disaster recovery capabilities to ensure availability of PHI.

6. Business Associate Agreement (BAA)

Hexyl AI is prepared to enter into a Business Associate Agreement (BAA) with healthcare clients who require one. A BAA would cover:

  • Permitted uses and disclosures of PHI
  • Safeguards to prevent unauthorised use or disclosure
  • Breach notification obligations and timelines
  • Requirements for subcontractors handling PHI
  • Return or destruction of PHI upon contract termination

To request a BAA or discuss compliance requirements, please contact us at legal@hexyl.ai.

7. Data Handling Practices

Data Type                | Storage                                      | Retention
-------------------------|----------------------------------------------|------------------------------------------
Chat conversations       | Encrypted database with tenant isolation     | Per tenant configuration
Voice call recordings    | Encrypted storage, local transcription       | Per tenant retention policy, auto-purged
Patient/client records   | Schema-isolated PostgreSQL with encryption   | Duration of account + 12 months
Appointment data         | Synced bidirectionally with CRM              | Per tenant configuration
Audit logs               | Append-only encrypted storage                | Up to 24 months
AI model data            | Tenant-specific, never shared                | Duration of account

8. Voice and Chat AI Compliance

Hexyl's AI employees (Receptionist, Marketing Specialist, Patient Coordinator, Knowledge Assistant, and Reputation Manager) are designed with compliance built in:

  • Chatbot (RASA): Processes patient messages using on-premise natural language understanding. No patient data is sent to external AI services.
  • Voice AI: Call recordings are processed using Whisper (speech-to-text) and Piper (text-to-speech), both running locally within our infrastructure.
  • Sentiment analysis: Automated analysis of patient feedback runs internally. Sentiment scores are generated without external data transmission.
  • No-show prediction: Predictive models run on historical patterns within the tenant's own data. No cross-tenant data sharing occurs.
  • Human handoff: When AI escalates to human staff, full conversation context is preserved within the secure platform, not transmitted externally.

9. Third-Party Sub-Processors

Where third-party services are used, we ensure each maintains appropriate compliance standards:

Service                   | Purpose            | Data Handled
--------------------------|--------------------|--------------------------------------------------
Twilio                    | Voice calls, SMS   | Call metadata, message delivery (HIPAA eligible)
SendGrid / Amazon SES     | Email delivery     | Email addresses, notification content
Stripe / Global Payments  | Payment processing | Billing data only (PCI DSS compliant)
Meta (WhatsApp Business)  | Messaging channel  | Message delivery metadata

External LLM providers (Groq, DeepSeek, OpenAI) are opt-in only and disabled by default. Tenants who require strict HIPAA compliance should keep external LLM routing disabled.

10. UK GDPR Alignment

In addition to HIPAA readiness, Hexyl AI is designed to align with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Our data protection programme addresses both frameworks:

  • Lawful basis for processing documented for all data types
  • Data subject rights fully supported (access, rectification, erasure, portability)
  • Data Protection Impact Assessments (DPIAs) conducted for high-risk processing
  • 72-hour breach notification aligned with both HIPAA and UK GDPR requirements

For full details on our data protection practices, see our Privacy Policy.

11. Compliance Verification

We welcome compliance reviews from prospective and current clients. We can provide:

  • Completed security questionnaires
  • Architecture documentation and data flow diagrams
  • Details of technical and administrative safeguards
  • BAA execution upon request

12. Contact

For compliance inquiries, BAA requests, or to report a security concern:

HEXYL LTD

18 Woodside Place, 2nd Floor

Glasgow, Scotland, G3 7QL

Compliance: legal@hexyl.ai

Privacy: privacy@hexyl.ai

General: support@hexyl.ai

© 2026 HEXYL LTD. All rights reserved. Company No. SC875134.