Compliance & Security — AgentScott
Trust & security

Compliance, built in from the start

AgentScott supports businesses in regulated industries with a privacy-first architecture, signed agreements where the law requires them, and security practices applied to every deployment.

// Healthcare · Finance · Legal · E-commerce · Education

Coverage

Frameworks we design for

One privacy-first foundation, mapped to the rules each industry answers to.

[ HEALTHCARE ]

HIPAA

We sign a Business Associate Agreement (BAA) before any protected health information is handled, and deploy chatbots in a configuration designed to avoid retaining PHI.

[ PRIVACY ]

GDPR & CCPA

Data minimization, access and deletion rights, and clear disclosure — detailed in our Privacy Policy.

[ PAYMENTS ]

PCI-DSS

We never collect or store card data in chatbots. Payments are routed to PCI-compliant processors, never handled by the AI.

[ ACCESS ]

ADA / WCAG 2.1 AA

Every website we build meets accessibility standards so that all users, including those relying on assistive technology, can use it.

How it works

What happens to sensitive info given to the chatbot

When configured for HIPAA, the chatbot is built so that protected and personal information is processed in the moment and never written to stored conversation logs.

FIG.01 — ZERO-RETENTION PROCESSING (HIPAA CONFIGURATION)
Visitor message (may contain PHI)
→ Step 01 · App layer: detect & redact PHI (deterministic, before logging)
→ Step 02 · Under BAA: AI processes in memory (zero-retention)
→ Response: answer to visitor
→ Not stored: PHI discarded, no log written

Redaction is a deterministic application-layer step that runs before any log is written and before the message reaches the AI, not a chatbot prompt instruction (which cannot reliably control logging). In a standard (non-HIPAA) deployment, redacted transcripts may be retained to improve the chatbot. The HIPAA configuration above is enabled per-client and requires a signed BAA with both AgentScott and the underlying AI provider.
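As an added illustration of the ordering described above (not AgentScott's own code), the sketch below runs deterministic redaction before anything is logged and before the model is called, then makes the retention decision afterwards. The pattern set, the Pipeline class and the stand-in model call are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed identifier patterns; a real deployment tunes these to the
# identifiers it actually handles (MRNs, insurance IDs, etc.).
PHI_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "DOB": re.compile(r"\b\d{2}/\d{2}/\d{4}\b"),
}

def redact(text: str) -> tuple[str, list[str]]:
    """Replace each match with a typed placeholder.
    Returns the redacted text and the categories hit (never the raw values)."""
    hits = []
    for label, pattern in PHI_PATTERNS.items():
        if pattern.search(text):
            hits.append(label)
            text = pattern.sub(f"[{label} REDACTED]", text)
    return text, hits

@dataclass
class Pipeline:
    hipaa: bool                                # True = zero-retention configuration
    log: list = field(default_factory=list)    # stands in for durable transcript storage
    seen_by_ai: list = field(default_factory=list)  # records what the model received

    def handle(self, message: str) -> str:
        # Step 01: deterministic redaction, before any log write and before the model call.
        clean, hits = redact(message)
        # Step 02: the model only ever receives the redacted text, in memory.
        reply = self._ai(clean)
        # Retention decision comes after redaction: standard mode keeps the
        # redacted transcript, HIPAA mode writes nothing at all.
        if not self.hipaa:
            self.log.append({"in": clean, "out": reply, "redacted": hits})
        return reply  # raw `message` goes out of scope here; nothing else holds it

    def _ai(self, text: str) -> str:
        self.seen_by_ai.append(text)  # constructed stand-in for the provider call
        return "Thanks, a team member will follow up shortly."

# Constructed sample visitor message containing several identifier types.
SAMPLE_MESSAGE = ("Hi, I'm Jane, SSN 123-45-6789, born 01/02/1980, call me at "
                  "555-123-4567 or jane@example.com about my lab results.")
```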

Always on

Security practices on every deployment

[ 01 ]

Encryption in transit

All connections use TLS. Data is protected the moment it leaves the browser.

[ 02 ]

No training on your data

Your content and conversations are never used to train any AI model.

[ 03 ]

Least-privilege access

Only the systems and people required to run your service can access it.

[ 04 ]

Signed agreements

BAAs for HIPAA, DPAs for GDPR — executed before any regulated data is touched.

[ 05 ]

Data minimization

We collect only what’s needed, and retain it only as long as necessary.

[ 06 ]

You stay in control

Request export or deletion of your data at any time.

Regulated industry?

Let’s talk about your requirements

Tell us which frameworks you answer to and we’ll map a compliant deployment, including a BAA where HIPAA applies.