diff --git a/fern/assistants/dynamic-variables.mdx b/fern/assistants/dynamic-variables.mdx index 5846351cc..b785885b1 100644 --- a/fern/assistants/dynamic-variables.mdx +++ b/fern/assistants/dynamic-variables.mdx @@ -162,9 +162,9 @@ You are a helpful assistant, talking with a customer via {{transport.conversatio {%- endif -%} ``` -## HIPAA and Zero Data Retention mode +## Zero Data Retention mode -When HIPAA mode or Zero Data Retention is enabled for your organization or assistant, Vapi does not store any call data, including variable values. This means: +When Zero Data Retention is enabled for your organization or assistant, Vapi does not store any call data, including variable values. This means: - Variable values passed via `variableValues` are processed during the call but **not persisted** after the call ends - Call logs, recordings, and transcriptions are not stored @@ -172,6 +172,4 @@ When HIPAA mode or Zero Data Retention is enabled for your organization or assis This ensures compliance with privacy requirements while still allowing you to personalize conversations with dynamic variables. - -For more information on enabling HIPAA compliance and understanding data retention policies, see the [HIPAA Compliance](/security-and-privacy/hipaa) documentation. - +For more information, see [Zero Data Retention (ZDR)](/security-and-privacy/zero-data-retention). diff --git a/fern/assistants/structured-outputs-quickstart.mdx b/fern/assistants/structured-outputs-quickstart.mdx index cf4d7474f..df7c8ef3e 100644 --- a/fern/assistants/structured-outputs-quickstart.mdx +++ b/fern/assistants/structured-outputs-quickstart.mdx @@ -1,6 +1,7 @@ --- title: Structured outputs quickstart subtitle: Get started with structured data extraction in 5 minutes +description: Set up structured data extraction from calls in a few minutes. Create a schema, link it to an assistant, test extraction, and configure HIPAA-safe storage settings. slug: assistants/structured-outputs-quickstart --- @@ -655,7 +656,7 @@ When accessing via API, this data is nested inside the structured output object ### Understanding the default behavior -When your organization or assistant has HIPAA mode enabled (`hipaaEnabled: true`): +When your organization or assistant has HIPAA mode enabled: - **Structured outputs are NOT stored** - Results are generated but not persisted in Vapi's systems - **Limited visibility** - You cannot view outputs in the Dashboard's Call Logs or Insights - **Privacy first** - This ensures sensitive data is not retained diff --git a/fern/assistants/structured-outputs.mdx b/fern/assistants/structured-outputs.mdx index b7a53ea8e..d93d43cb9 100644 --- a/fern/assistants/structured-outputs.mdx +++ b/fern/assistants/structured-outputs.mdx @@ -1,6 +1,7 @@ --- title: Structured outputs subtitle: Extract structured data from conversations using AI-powered analysis +description: Extract structured, schema-defined data from voice calls using AI-powered analysis. Covers field types, extraction timing, limitations, and HIPAA storage behavior. slug: assistants/structured-outputs --- @@ -761,14 +762,9 @@ if (data.result === null) { ## HIPAA compliance -**Important for HIPAA-enabled organizations:** +**Important for HIPAA-enabled organizations:** When HIPAA mode is enabled, structured outputs are generated normally but **not stored** by default, to protect PHI. You can still receive them via webhooks during the call. -If your organization has HIPAA compliance enabled (`hipaaEnabled: true`), structured outputs are **disabled by default** to protect PHI (Protected Health Information). - -To use structured outputs with HIPAA compliance: -- Contact the Vapi team to enable structured outputs -- Ensure you understand the implications for PHI handling -- Follow all HIPAA compliance best practices when extracting sensitive health data +To store a specific structured output that doesn't contain PHI, see [HIPAA Compliance & Storage Settings](/assistants/structured-outputs-quickstart#hipaa-compliance-storage-settings) for the full walkthrough and safe/unsafe use cases. ## Limitations diff --git a/fern/customization/transcriber-fallback-plan.mdx b/fern/customization/transcriber-fallback-plan.mdx index 19466ca4c..4c1b4db88 100644 --- a/fern/customization/transcriber-fallback-plan.mdx +++ b/fern/customization/transcriber-fallback-plan.mdx @@ -1,6 +1,7 @@ --- title: Transcriber fallback configuration subtitle: Configure fallback transcribers that activate automatically if your primary transcriber fails. +description: Configure fallback transcribers so calls keep working if your primary speech-to-text provider fails. Covers automatic fallback, manual fallback, and HIPAA-compliant provider options. slug: customization/transcriber-fallback-plan --- @@ -83,7 +84,7 @@ Manual fallbacks give you full control over which providers Vapi tries, and in w - If HIPAA or PCI compliance is enabled on your account or assistant, only **Deepgram** and **Azure** transcribers will be available as fallback options. + If HIPAA compliance is enabled on your account or assistant, only [HIPAA-compliant transcribers](/security-and-privacy/hipaa#hipaa-compliant-providers) **Deepgram**, **Azure**, and **Soniox**, will be available as fallback options. ### Configure via API @@ -195,7 +196,7 @@ Each transcriber provider supports different configuration options. Expand the a - **Combine both** for maximum reliability—manual fallbacks run first, auto fallback catches anything they miss. - Use **different providers** for manual fallbacks to protect against provider-wide outages. - Consider **language compatibility** when selecting fallbacks—ensure all fallback transcribers support your required languages. -- For **HIPAA/PCI compliance**, ensure all fallbacks are compliant providers (Deepgram or Azure) and review data routing implications before enabling auto fallback. +- For **HIPAA compliance**, ensure all fallbacks are [compliant providers](/security-and-privacy/hipaa#hipaa-compliant-providers) (Deepgram, Azure, or Soniox) and review data routing implications before enabling auto fallback. ## FAQ diff --git a/fern/enterprise/plans.mdx b/fern/enterprise/plans.mdx index 4f60a8ff0..675fe1cdd 100644 --- a/fern/enterprise/plans.mdx +++ b/fern/enterprise/plans.mdx @@ -6,7 +6,7 @@ slug: enterprise/plans If you're building a production application on Vapi, we can help you every step of the way from idea to full-scale deployment. -#### Enterprise Plans include: +#### Enterprise Plans can include, depending on your negotiated contract: - Unlimited concurrency and higher rate limits - Reserved capacity on our weekly deployment cluster diff --git a/fern/security-and-privacy/data-flow.mdx b/fern/security-and-privacy/data-flow.mdx index 444af65ce..c56d57614 100644 --- a/fern/security-and-privacy/data-flow.mdx +++ b/fern/security-and-privacy/data-flow.mdx @@ -1,6 +1,7 @@ --- title: Data Flow subtitle: Understand how data flows through Vapi when using custom storage and custom models +description: How data flows through Vapi's voice pipeline. What's processed in real time, what's stored by default, and how custom storage or custom model servers change where data lives. slug: security-and-privacy/data-flow --- @@ -127,7 +128,7 @@ Vapi runs proprietary real-time models that make conversations feel natural. The | **Filler Injection** | Adds natural speech patterns ("um", "like", "so") | -Orchestration models process data in real-time but do **not persist** the audio or intermediate results. All processing is **ephemeral**. Only final transcripts and call logs are stored (unless HIPAA mode is enabled). +Orchestration models process data in real-time but do **not persist** the audio or intermediate results. All processing is **ephemeral**. Only final transcripts and call logs are stored. ### 4. Language Model (LLM) @@ -338,15 +339,15 @@ The **Orchestration Layer** (endpointing, interruption detection, emotion detect | Artifact | Default Location | Custom Storage Supported | HIPAA Mode | |----------|-----------------|--------------------------|------------| -| **Call Recordings** | Vapi | ✅ Yes | Not stored on Vapi | -| **Transcripts** | Vapi | ✅ Yes | Not stored on Vapi | -| **Call Logs** | Vapi | ✅ Yes | Not stored on Vapi | +| **Call Recordings** | Vapi | ✅ Yes | ✅ Yes | +| **Transcripts** | Vapi | ✅ Yes | ✅ Yes | +| **Call Logs** | Vapi | ✅ Yes | ✅ Yes | | **Product Usage Metrics** | Vapi | ❌ No | Vapi only | | **System Logs** | Vapi | ❌ No | Vapi only | | **Structured Outputs** | Vapi | ✅ Yes (via webhook) | Configurable | -**HIPAA Mode Important Notice:** When HIPAA mode is enabled (`hipaaEnabled: true`) and no custom storage is configured, Vapi will **not store** call recordings or transcripts. This data will be lost after the call ends. To retain call data in HIPAA mode, you **must** configure a custom storage bucket. +**HIPAA Mode Storage:** When HIPAA mode is enabled, call recordings, transcripts, and call logs are stored by default in Vapi's private HIPAA-compliant storage. Configuring custom storage is optional. It redirects storage to your own infrastructure instead of Vapi's, but is not required to retain data. See [HIPAA Compliance](/security-and-privacy/hipaa). --- @@ -358,8 +359,8 @@ Even with maximum custom configuration, certain data passes through Vapi's orche | Data Type | Processing | Retention | |-----------|-----------|-----------| | Raw audio streams | Real-time routing to Transcriber/Voice | **Ephemeral** (not stored) | -| Transcribed text | Orchestration analysis, LLM routing | Call logs (unless HIPAA) | -| LLM responses | Filler injection, Voice routing | Call logs (unless HIPAA) | +| Transcribed text | Orchestration analysis, LLM routing | Call logs | +| LLM responses | Filler injection, Voice routing | Call logs | | Emotion metadata | Passed to LLM context | **Ephemeral** | | Call signaling | SIP/WebSocket management | Metadata only | @@ -393,15 +394,11 @@ Even with maximum custom configuration, certain data passes through Vapi's orche - No custom server setup required - - - Enable `hipaaEnabled: true` - - **Important:** Configure custom storage to retain call recordings and transcripts - - Use only HIPAA-compliant providers (Deepgram, Azure, OpenAI, Anthropic, ElevenLabs) + + - Enable HIPAA mode for your organization in the Dashboard + - Custom storage is optional; call recordings, transcripts, and logs are retained by default in Vapi's private HIPAA-compliant storage + - Use only HIPAA-compliant providers. See [HIPAA compliant providers](/security-and-privacy/hipaa#hipaa-compliant-providers) - See [HIPAA Compliance](/security-and-privacy/hipaa) - - - Without custom storage configured, HIPAA mode will result in **no call recordings or transcripts being stored**. Data will be lost after call completion. - diff --git a/fern/security-and-privacy/hipaa.mdx b/fern/security-and-privacy/hipaa.mdx index 562b7e8f3..ffff1cd0a 100644 --- a/fern/security-and-privacy/hipaa.mdx +++ b/fern/security-and-privacy/hipaa.mdx @@ -1,39 +1,56 @@ --- title: HIPAA Compliance subtitle: Learn how to ensure privacy when using Vapi's voice assistant platform. +description: HIPAA on Vapi. Enable organization-wide compliance mode, use approved LLM, voice, and transcriber providers, and control how call recordings and logs are stored. slug: security-and-privacy/hipaa --- - ## Introduction to Privacy at Vapi At Vapi, we are committed to delivering exceptional voice assistant services while upholding the highest standards of privacy and data protection for our users. We understand the importance of balancing service quality with the need to respect and protect personal and sensitive information. Our privacy policies and practices are designed to give you control over your data while benefiting from the full capabilities of our platform. ## Understanding HIPAA Compliance Basics -The Health Insurance Portability and Accountability Act (HIPAA) is a United States legislation that provides data privacy and security provisions for safeguarding medical information. HIPAA compliance is crucial for any entity that deals with protected health information (PHI), ensuring that sensitive patient data is handled, stored, and transmitted with the highest standards of security and confidentiality. The key concepts of HIPAA compliance include the Privacy Rule, which protects the privacy of individually identifiable health information; the Security Rule, which sets standards for the security of electronic protected health information (e-PHI); and the Breach Notification Rule, which requires covered entities to notify individuals, HHS, and in some cases, the media of a breach of unsecured PHI. Compliance with these rules is not just about adhering to legal requirements but also about building trust with your customers by demonstrating your commitment to protecting their sensitive data. By enabling the `hipaaEnabled` configuration in Vapi's voice assistant platform, you are taking a significant step towards aligning your operations with these HIPAA principles, ensuring that your use of technology adheres to these critical privacy and security standards. +The Health Insurance Portability and Accountability Act (HIPAA) is a United States legislation that provides data privacy and security provisions for safeguarding medical information. HIPAA compliance is crucial for any entity that deals with protected health information (PHI), ensuring that sensitive patient data is handled, stored, and transmitted with the highest standards of security and confidentiality. The key concepts of HIPAA compliance include the Privacy Rule, which protects the privacy of individually identifiable health information; the Security Rule, which sets standards for the security of electronic protected health information (e-PHI); and the Breach Notification Rule, which requires covered entities to notify individuals, HHS, and in some cases, the media of a breach of unsecured PHI. Compliance with these rules is not just about adhering to legal requirements but also about building trust with your customers by demonstrating your commitment to protecting their sensitive data. ## Understanding Default Settings -By default, Vapi records your calls and stores logs and transcriptions. This practice is aimed at continuously improving the quality of our service, ensuring that you receive the best possible experience. However, we recognize the importance of privacy and provide options for users who prefer more control over their data. +By default, Vapi records your calls and stores logs and transcriptions. This practice is aimed at continuously improving the quality of our service, ensuring that you receive the best possible experience. However, we recognize the importance of privacy and provide options for users who prefer more control over their data. ## Opting for Privacy: The HIPAA Compliance Option -For users prioritizing privacy, particularly in compliance with the Health Insurance Portability and Accountability Act (HIPAA), Vapi offers the flexibility to opt out of our default data recording settings. Choosing HIPAA compliance through our platform ensures that you can still use our voice assistant services without compromising on privacy requirements. +For users prioritizing privacy, particularly in compliance with the Health Insurance Portability and Accountability Act (HIPAA). Choosing HIPAA compliance through our platform ensures that you can still use our voice assistant services without compromising on privacy requirements. ## Enabling HIPAA Compliance -HIPAA compliance can be ensured by enabling the `hipaaEnabled` configuration in your assistant settings. This simple yet effective setting guarantees that no call logs, recordings, or transcriptions are stored during or after your calls. An end-of-call report message will be generated and stored on your server for record-keeping, ensuring compliance without storing sensitive data on Vapi's systems. +HIPAA compliance can be ensured by turning on HIPAA compliance in the Dashboard. This simple yet effective setting guarantees that your call logs, recordings, or transcriptions are stored in a HIPAA compliant manner during or after your calls. -To enable HIPAA compliance, set hipaaEnabled to true within your assistant's configuration: +To enable HIPAA compliance: -```JSON -{ - "hipaaEnabled": true -} -``` + + + HIPAA mode requires an Enterprise subscription or a separately purchased HIPAA add-on. Contact your account team to confirm which applies to your organization. + + + + + Vapi requires a signed BAA before you enable HIPAA mode. Contact [security@vapi.ai](mailto:security@vapi.ai) to start this process. + + + + + In the Vapi Dashboard, go to **Organization > Settings > Billing & Add-Ons** and turn on HIPAA. This is an organization-level setting. It applies to every assistant in your organization, with no per-assistant exception, and it cannot be enabled through the API. -Note: The default value for hipaaEnabled is false. Activating this setting is a proactive measure to align with HIPAA standards, requiring manual configuration adjustment. + + + + Update any assistant using a non-compliant LLM, voice, or transcriber provider. See [HIPAA compliant providers](/security-and-privacy/hipaa#hipaa-compliant-providers) for the full list. Vapi rejects configuration changes that select a non-compliant provider while HIPAA mode is on. Your call records, transcripts, and logs are then stored in a HIPAA compliant manner. + + + + +HIPAA mode and Zero Data Retention (ZDR) are mutually exclusive. Disable one before enabling the other. See [Zero Data Retention (ZDR)](/security-and-privacy/zero-data-retention). + ## HIPAA Compliant providers @@ -44,7 +61,11 @@ When enabling HIPAA compliance, only HIPAA compliant providers may be chosen. - **OpenAI** - **Azure OpenAI** - **Anthropic** +- **Anthropic Bedrock** +- **Anthropic Vertex** - **Google** +- **Custom LLM** +- **Baseten** - **Together AI** ### Voice Providers (TTS) @@ -59,7 +80,8 @@ When enabling HIPAA compliance, only HIPAA compliant providers may be chosen. ### Transcription Providers (STT) - **Azure** -- **Deepgram** +- **Deepgram** +- **Soniox** # FAQs @@ -71,7 +93,7 @@ When enabling HIPAA compliance, only HIPAA compliant providers may be chosen. This feature is particularly useful for businesses and organizations in the healthcare sector or any entity that handles sensitive health information and must comply with HIPAA regulations. - Yes, users can toggle the `hipaaEnabled` setting as needed. However, we recommend carefully considering the implications of each option on your data privacy and compliance requirements. + Yes, your organization can toggle HIPAA mode on or off from the Dashboard as needed. Consider the implications carefully first: turning HIPAA mode off applies to your entire organization, not just one assistant. @@ -82,7 +104,7 @@ When enabling HIPAA compliance, only HIPAA compliant providers may be chosen. When using Vapi with PHI, you may only pass PHI through the `/call` endpoint. All other endpoints in the API Reference should not contain PHI. For example, you should not put PHI in an `/assistant` prompt or in a `/phone-number` label. The restriction applies to all configuration endpoints where data would be stored on Vapi's platform. - No, there are no designated "HIPAA-safe endpoints." Instead, when `hipaaEnabled` is turned on, Vapi will only use HIPAA-compliant services (such as Azure OpenAI) for processing PHI through the pipeline. The voice pipeline (STT → LLM → TTS) can process PHI when properly configured, but Vapi does not store this data. + No, there are no designated "HIPAA-safe endpoints." Instead, when HIPAA mode is turned on, Vapi will only use HIPAA-compliant services (such as Azure OpenAI) for processing PHI through the pipeline. The voice pipeline (STT → LLM → TTS) can process PHI when properly configured, but Vapi does not store this data outside its HIPAA-compliant storage. @@ -90,7 +112,7 @@ When enabling HIPAA compliance, only HIPAA compliant providers may be chosen. - Enable `hipaaEnabled` at the organization level. This ensures that all appropriate compliance measures are in place across your Vapi implementation. You can also toggle HIPAA-compliance at the assistant-level by setting `Assistant.compliancePlan.hipaaEnabled=true` in your configuration. + Enable HIPAA mode at the organization level, from the Vapi Dashboard. This is the only way to enable HIPAA compliance, and it applies to every assistant in your organization. There is no per-assistant HIPAA setting. No. Even when using your own HIPAA-compliant provider keys, it remains your responsibility not to store PHI via Vapi's endpoints. The model keys are a separate concern from the storage of PHI on Vapi's platform. You must both use HIPAA-compliant keys AND ensure you're not storing PHI on Vapi. @@ -144,7 +166,7 @@ When HIPAA mode is enabled, Vapi does not store structured outputs by default. T **Via API:** When creating a structured output: - ```json +```json { "name": "Appointment Booked", "type": "ai", @@ -156,16 +178,16 @@ When HIPAA mode is enabled, Vapi does not store structured outputs by default. T "forceStoreOnHipaaEnabled": true } } - ``` +``` When updating a structured output: - ```json +```json { "compliancePlan": { "forceStoreOnHipaaEnabled": true } } - ``` +``` **IMPORTANT:** Only set `forceStoreOnHipaaEnabled: true` if you are certain your structured output does NOT extract PHI or sensitive data. Your organization is responsible for ensuring compliance. Misuse could result in BAA violations. @@ -175,27 +197,27 @@ When HIPAA mode is enabled, Vapi does not store structured outputs by default. T - - Enable `hipaaEnabled` at the organization level + - Enable HIPAA mode at the organization level, from the Dashboard - Ensure that PHI only passes through the call pipeline and is not stored in configuration - Use HIPAA-compliant accounts with all third-party providers (STT, LLM, TTS) - - Be mindful of test/demo assistants where compliance might be turned off for testing purposes - never use these with real PHI - - Remember that with HIPAA compliance enabled, Vapi won't store logs, recordings, or transcriptions + - Never use real PHI in an organization that has not enabled HIPAA mode, including for testing or demos + - Remember that call recordings, transcripts, and logs are still stored, in Vapi's private HIPAA-compliant storage, unless you configure your own storage - Yes, but be extremely careful. If you have test or demo assistants where HIPAA compliance is turned off for testing purposes, ensure you never intermingle these with real PHI. It's safest to enable HIPAA compliance at the organization level to avoid accidental misconfigurations. + No. HIPAA mode is enabled at the organization level and applies to every assistant in that organization. There is no way to exclude a specific assistant. If your organization has not enabled HIPAA mode, none of your assistants are HIPAA-compliant, regardless of any other configuration. Never use real PHI until HIPAA mode is enabled for your organization. Under the Business Associate Agreement (BAA), you agree: 1. Not to introduce PHI onto Vapi's platform through its API or dashboard except as permitted 2. To use HIPAA-compliant accounts with external providers when providing keys - 3. To only use HIPAA-compliant providers that Vapi has signed BAA with when not providing keys. This includes OpenAI, Azure, Google, Anthropic, Deepgram, ElevenLabs, Cartesia, and PlayHT. For updated list, check security.vapi.ai + 3. To only use HIPAA-compliant providers that Vapi has signed a BAA with when not providing keys. See [HIPAA compliant providers](/security-and-privacy/hipaa-providers) for the current list. 4. To use the platform in accordance with all BAA requirements ## Retrieving Call Artifacts from Private Storage -For HIPAA-enabled organizations, call recordings and logs are stored in a private bucket and cannot be downloaded directly from the URLs returned in webhooks or API responses. To retrieve recordings, call logs, or other artifacts, call the Vapi API with your Private API Key — see [Retrieve call artifacts](/security-and-privacy/retrieve-call-artifacts) for the full list of endpoints and example requests. +For HIPAA-enabled organizations, call recordings and logs are stored in a private bucket and cannot be downloaded directly from the URLs returned in webhooks or API responses. To retrieve recordings, call logs, or other artifacts, call the Vapi API with your Private API Key, see [Retrieve call artifacts](/security-and-privacy/retrieve-call-artifacts) for the full list of endpoints and example requests. This retrieval method is the same for HIPAA and non-HIPAA organizations alike. ## Need Further Assistance? diff --git a/fern/security-and-privacy/retrieve-call-artifacts.mdx b/fern/security-and-privacy/retrieve-call-artifacts.mdx index 49949f83b..3c30851b0 100644 --- a/fern/security-and-privacy/retrieve-call-artifacts.mdx +++ b/fern/security-and-privacy/retrieve-call-artifacts.mdx @@ -1,6 +1,7 @@ --- title: Retrieve call artifacts subtitle: Download recordings and call logs from Vapi's private storage using authenticated, short-lived URLs. +description: How to download call recordings and logs from Vapi's private storage using your Private API Key and short-lived, authenticated redirect URLs. slug: security-and-privacy/retrieve-call-artifacts ---