Apex Tools AI
Security & compliance

Built for practices that handle patient data.

Apex Tools AI is designed around HIPAA obligations. A Business Associate Agreement is available, data is encrypted in transit and at rest, and practice data is never used to train outside models.

HIPAA-aware · BAA available · AES-256-GCM at rest · HSTS / TLS in transit · North American data residency

HIPAA and the BAA

Apex Tools AI acts as a Business Associate to each practice. A Business Associate Agreement is executed before any patient data is handled, and the terms of that BAA govern the data.

Encryption in place

Integration tokens and keys are encrypted with AES-256-GCM at the application layer before storage. Data in transit is forced over HTTPS with HSTS.

Where data lives

Account records, configuration, transcripts, and credentials reside in Cloudflare D1 databases hosted within North American cloud regions.

Technical safeguards

How the data is protected.

Password protection

User passwords are hashed with PBKDF2-SHA256 using a minimum of 100,000 iterations and a separate per-user salt. Plain-text passwords are never stored.

Application cryptography

Integration tokens and keys are encrypted via AES-256-GCM before being written to storage. The encryption keys themselves are held separately, in isolated Cloudflare Secret managers.

Transport security

All traffic is served over HTTPS and enforced with HTTP Strict Transport Security (HSTS), which prevents connections from silently downgrading.

No external model training

Call recordings and transcripts are used to run and improve each practice's own assistant. Practice data is not used to train third-party foundation models.

Data retention

Kept only as long as needed.

Call transcripts & audio recordings: 90 days by default, or a shorter window where a practice’s BAA requires it

Customer account information: duration of the subscription, plus 90 days after cancellation

Financial records (billing history): 7 years, to meet IRS and Florida Department of Revenue requirements

Sub-processors

The vendors behind the service.

A short list of infrastructure providers supports the service. Each is bound by its own data-protection commitments.

Cloudflare, Inc.

Edge hosting, encrypted cloud storage, and the D1 databases that hold account records, call logs, and tokens.

Vapi, Inc.

Real-time voice infrastructure that powers the bilingual phone receptionist.

Stripe, Inc.

Subscription billing. Card and bank details are handled by Stripe and are never stored by Apex Tools AI.

Florida call-recording notice

Florida is an all-party consent state for call recording. A practice using Apex Tools AI is responsible for providing the appropriate caller notice or consent, and Apex Tools AI helps configure a compliant greeting during onboarding.

This page summarizes the controls in plain language; the Privacy Policy and each signed BAA are the controlling documents.

Before you commit

Need a BAA to move forward?

Share a few details about the practice and a Business Associate Agreement follows, along with answers to any security questions.

BAA available on request · 30-day money-back · Live in about five business days