We are committed to security, compliance, and transparency. This page provides information about our certifications, controls, and resources.
Compliance

Data supported
- PII
- Health data
- Contact data
Subprocessors
- Cloud infrastructure, security, data storage & LLM Services
Google
Google provides cloud infrastructure, security, data storage, and LLM services we use in our platform.
- Maps & Places
Google Maps
Google Maps Platform (including the Maps JavaScript API and Places API) processes location and address data that users enter or select. This lets us show addresses on maps and associate users with the geographic locations they provide.
- Cloud infrastructure & data storage
AWS
AWS provides cloud infrastructure and secure data storage for our services.
- Payments
Stripe
Stripe provides the backend payment infrastructure for applicable users.
- Communications
Twilio
Twilio provides communication APIs for sending messages, including SMS-based MFA. SMS-based 2FA can no longer be newly enabled; it remains available only for users who already have it turned on.
- Cloud infrastructure
Supabase
Supabase provides our database, authentication, and backend infrastructure.
- LLM Services
ElevenLabs
ElevenLabs provides voice and speech AI used for audio features in our product.
- LLM Services
OpenAI
OpenAI provides LLM services that we use to power AI features in our product.
- Application monitoring
Sentry
We use Sentry for application monitoring, error tracking, and—where enabled—session replay so we can diagnose failures and improve reliability. Events may include technical context and identifiers needed to investigate incidents.
- CRM & marketing
HubSpot
We use HubSpot for CRM, marketing automation, and support workflows—including syncing contact and deal data and handling support requests—so we can manage customer relationships and operational communications.
- Speech & audio AI
AssemblyAI
We use AssemblyAI to transcribe and analyze audio from calls (including features such as speaker diarization) so authorized staff can review conversations and improve service quality.
- Transactional email
SendGrid
We use SendGrid to deliver transactional emails on our behalf—such as notifications, invitations, and operational messages—to users and contacts.
- Accounting integration
Intuit (QuickBooks Online)
For customers who connect QuickBooks Online, we use Intuit's services to synchronize accounting and billing-related data with their connected QuickBooks company.
- Cellular IoT connectivity
Hologram
We use Hologram only for clients who rely on cellular connectivity for their devices. It provides SIM and cellular network connectivity management for those deployments—not for all users or all devices.
Incident response
Incident response overview
Amical AI's incident response plan is built on a modern, highly secure, and automated cloud-native infrastructure designed for rapid detection, immediate containment, and end-to-end data integrity.
1. Secure architecture and prevention (security by design)
- Environment isolation: Our infrastructure is hosted on AWS in Canada. Production and staging are strictly isolated in dedicated AWS accounts, with centralized access management enforced through AWS SSO.
- Immutable infrastructure (compute): Applications run on managed Kubernetes clusters (Amazon EKS) on EC2 instances using Bottlerocket, a locked-down Linux distribution optimized for containers. Administrator SSH access is disabled by design, reducing OS-level compromise risk.
- Secrets management: Passwords and API keys are never stored in the codebase. Sensitive credentials are managed through AWS Secrets Manager and securely injected into containers at runtime.
2. Detection and observability
- Proactive monitoring: Our observability, logging, and alerting stack is centralized in Datadog. We use Datadog Watchdog to automatically identify anomalies in performance, security posture, and infrastructure behavior.
- Automated alerting: When Watchdog or custom monitors detect anomalies (for example error spikes, unusual traffic patterns, or unexpected behavior from US-based subprocessors such as Twilio or ElevenLabs), critical alerts are immediately escalated to the engineering team for rapid investigation.
3. Containment and recovery (GitOps approach)
- Instant deployment and rollback: Infrastructure is defined as code and versioned in GitHub. CI is managed through GitHub Actions, and CD is managed by Argo CD with Helm charts. In the event of a compromised application version or container image, Argo CD can trigger an immediate rollback to a known healthy state.
- Third-party flow isolation: If a vulnerability or breach is detected at a subprocessor, API communications can be rapidly disabled through centralized environment controls to isolate and contain the incident.
4. Data integrity and backup (hybrid policy)
- Telephony data (Amazon RDS): The database used for call flows and metadata is backed up automatically once per day with a retention period of 30 days.
- Application administration data (Supabase): Client configuration and administration data is backed up every 5 minutes with a retention period of 7 days.
- Audio file storage (Amazon S3): Recordings are stored securely with an automated lifecycle policy that transitions older files to Amazon Glacier for archival. Data is retained for up to 7 years. Upon explicit client deletion request, data is purged immediately and permanently from S3 buckets.
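The S3 lifecycle policy described above (transition to Glacier, retention capped at 7 years) is the kind of control worth verifying rather than trusting. The following is an added example, not Amical AI's own code: an offline audit that takes a lifecycle configuration in the same JSON shape that boto3's get_bucket_lifecycle_configuration returns and reports whether the recordings prefix is covered by an enabled rule that both archives to Glacier and expires within the 7-year cap. The bucket prefix "recordings/", the 90-day transition and the sample rule are constructed assumptions; the page states only "older files" and "up to 7 years".

```python
"""Audit an S3 lifecycle configuration against a stated retention policy.

Added example (not the page's or the provider's code). The LIFECYCLE dict is
a constructed sample in the shape boto3 returns from
get_bucket_lifecycle_configuration(); in practice you would pass that
response's dict straight into audit_recordings_rules().
"""

# Seven years including up to two leap days (assumed cap; page says "up to 7 years").
SEVEN_YEARS_DAYS = 7 * 365 + 2

# Storage classes that count as "archival" for the purpose of this check.
ARCHIVE_CLASSES = {"GLACIER", "GLACIER_IR", "DEEP_ARCHIVE"}

# Constructed sample: one enabled rule on an assumed "recordings/" prefix that
# moves objects to Glacier after an assumed 90 days and deletes them at 7 years.
LIFECYCLE = {
    "Rules": [
        {
            "ID": "recordings-archive-and-retain",
            "Filter": {"Prefix": "recordings/"},
            "Status": "Enabled",
            "Transitions": [{"Days": 90, "StorageClass": "GLACIER"}],
            "Expiration": {"Days": SEVEN_YEARS_DAYS},
        }
    ]
}


def _rule_prefix(rule):
    """Return the key prefix a rule applies to; '' means the whole bucket.

    Handles the current Filter.Prefix form, the Filter.And.Prefix form used
    when tags are combined with a prefix, and the legacy top-level Prefix.
    """
    flt = rule.get("Filter")
    if flt is None:
        return rule.get("Prefix", "")
    if "Prefix" in flt:
        return flt["Prefix"]
    return flt.get("And", {}).get("Prefix", "")


def audit_recordings_rules(config, prefix="recordings/",
                           max_retention_days=SEVEN_YEARS_DAYS):
    """Return a list of findings; an empty list means the policy is compliant."""
    findings = []
    # A rule covers the prefix if its own prefix is a prefix of ours
    # ('' covers everything).
    covering = [r for r in config.get("Rules", [])
                if r.get("Status") == "Enabled"
                and prefix.startswith(_rule_prefix(r))]
    if not covering:
        findings.append(f"no enabled lifecycle rule covers {prefix!r}")
        return findings

    for rule in covering:
        rid = rule.get("ID", "<unnamed>")
        archive = [t for t in rule.get("Transitions", [])
                   if t.get("StorageClass") in ARCHIVE_CLASSES]
        if not archive:
            findings.append(f"{rid}: no transition to an archival storage class")

        expiration = rule.get("Expiration", {}).get("Days")
        if expiration is None:
            findings.append(f"{rid}: no expiration, objects would be kept indefinitely")
            continue
        if expiration > max_retention_days:
            findings.append(f"{rid}: expiration after {expiration} days exceeds "
                            f"the {max_retention_days}-day cap")
        # A transition scheduled at or after expiration never takes effect.
        for t in archive:
            if t.get("Days", 0) >= expiration:
                findings.append(f"{rid}: transition at day {t['Days']} is never "
                                f"reached before expiration at day {expiration}")
    return findings


if __name__ == "__main__":
    for finding in audit_recordings_rules(LIFECYCLE) or ["compliant"]:
        print(finding)
```

Lifecycle expiration only covers objects that age out naturally; the "purge on explicit request" path in the policy above is a separate deletion action, and if bucket versioning is enabled it must also remove noncurrent versions, which a check like this one does not see.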
5. Communication and notification (SLA)
- Client transparency: In the event of a confirmed security incident affecting an operator's data, Amical AI notifies designated client administrators without undue delay, and no later than 48 hours after breach confirmation.
- Post-incident reporting: After resolution of a critical incident, a detailed post-mortem report is made available to the client, including root cause, potentially affected data, and corrective actions deployed through our CI/CD pipelines.