HIPAA Compliant SOC 2 Type II TLS 1.3 Encrypted AES-256 at Rest BAA Available
Last Updated: 04/14/2026

HIPAA built in.Not bolted on.

MapleVoice is designed for healthcare from the ground up. Every layer — call handling, transcription, data storage, and analytics — is engineered with HIPAA compliance as a foundational requirement, not an afterthought. A Business Associate Agreement (BAA) is required for any production use involving Protected Health Information.

Administrative Safeguards

Security officers, mandatory training, access controls, incident response, and sanction policies.

Physical Safeguards

SOC 2 / ISO 27001 certified data centers, badge access, full-disk encryption, and device controls.

Technical Safeguards

TLS 1.3 in transit, AES-256 at rest, MFA, immutable audit logs, and network segmentation.

HIPAA COMPLIANCE STATEMENT

Effective Date: 12/01/2025Last Updated: 04/14/2026

Maple54, operating under the brand name MapleVoice ("Company," "we," "us," or "our"), provides AI voice agent services to businesses across healthcare, legal, financial, and other regulated industries. This HIPAA Compliance Statement explains how MapleVoice supports Covered Entities and Business Associates that use our platform to handle calls involving Protected Health Information (PHI).

This page is intended as a disclosure of our compliance posture and operational practices. It does not replace the Business Associate Agreement (BAA) that must be executed between MapleVoice and any Customer that transmits, stores, or processes PHI through the platform.

By using MapleVoice in a HIPAA-regulated workflow, you agree that production use of the platform with PHI requires a signed BAA and adherence to the responsibilities described below.

1. COMPANY INFORMATION

  • Maple54 (operating as MapleVoice)
  • Phoenix, Arizona
  • HIPAA & Compliance Email: compliance@maplevoice.ai
  • Phone: (480) 650-9911
  • Website: www.maplevoice.ai

2. OVERVIEW OF OUR HIPAA POSTURE

MapleVoice offers HIPAA-compliant configurations designed to meet the requirements of the Health Insurance Portability and Accountability Act of 1996 and the HITECH Act of 2009, as amended, and the regulations promulgated thereunder, including the Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164), the Security Rule (Subpart C of Part 164), and the Breach Notification Rule (Subpart D of Part 164).

When a Customer signs a Business Associate Agreement with MapleVoice, our platform is configured to operate within the administrative, physical, and technical safeguards required of a Business Associate under HIPAA.

3. BUSINESS ASSOCIATE AGREEMENT (BAA)

3.1 When a BAA Is Required

A signed BAA is required before any of the following in production use:

  • Voice agents answer calls on behalf of a healthcare provider, health plan, clearinghouse, or other Covered Entity
  • Voice agents place outbound calls to patients or plan members
  • Call transcripts, recordings, summaries, or metadata may contain PHI
  • Customer connects MapleVoice to an EHR, practice management system, scheduling system, or other system containing PHI

3.2 Executing a BAA

To request a BAA, contact compliance@maplevoice.ai. Our standard BAA is available for review prior to execution and follows the minimum required elements under 45 CFR § 164.504(e).

3.3 Permitted Uses and Disclosures

Under the BAA, MapleVoice may use and disclose PHI only as necessary to perform the services described in the Customer's subscription, as required by law, or as otherwise permitted by the BAA.

4. ADMINISTRATIVE SAFEGUARDS

MapleVoice implements administrative safeguards consistent with 45 CFR § 164.308, including:

  • Designated Security and Privacy Officers responsible for HIPAA compliance
  • Documented security policies, procedures, and incident response plans
  • Workforce training on HIPAA, security awareness, and acceptable use
  • Role-based access provisioning, review, and de-provisioning procedures
  • Risk assessments conducted at least annually
  • Sanction policies for workforce members who violate security or privacy policies
  • Contingency planning, data backup, and disaster recovery procedures
  • Business Associate Agreements executed with relevant sub-processors handling PHI

5. PHYSICAL SAFEGUARDS

MapleVoice relies on enterprise cloud infrastructure providers that maintain physical safeguards aligned with 45 CFR § 164.310, including:

  • SOC 2 Type II and ISO 27001 certified data centers
  • 24/7 physical security, surveillance, and controlled access to facilities
  • Environmental controls for power, cooling, and fire suppression
  • Secure media handling and destruction procedures
  • Workstation and device controls for workforce members with access to systems processing PHI

6. TECHNICAL SAFEGUARDS

MapleVoice implements technical safeguards consistent with 45 CFR § 164.312, including:

  • TLS 1.3 encryption in transit for all platform traffic
  • AES-256 encryption at rest for stored recordings, transcripts, and database records
  • Unique user identification, strong authentication, and multi-factor authentication for all MapleVoice personnel
  • Role-based access control (RBAC) limiting access to the minimum necessary
  • Comprehensive audit logging of access to PHI, with tamper-evident storage
  • Automatic session timeouts and re-authentication requirements
  • Regular vulnerability scanning and penetration testing
  • Secure software development lifecycle with code review and dependency scanning

7. AI PROCESSING OF PHI

7.1 Scope of AI Processing

MapleVoice uses speech-to-text, large language models, and text-to-speech technologies to operate AI voice agents. When PHI is present in a call, all AI processing is performed in HIPAA-aligned environments under the terms of the BAA.

7.2 No Training on Customer PHI

MapleVoice does not use Customer PHI to train general-purpose or shared AI models. Any model tuning that involves Customer data is limited to that Customer's own deployment and is governed by the BAA.

7.3 Sub-Processor AI Providers

Where MapleVoice uses third-party AI providers to deliver the Services, each such provider is contractually bound by a BAA or equivalent terms that restrict the use of PHI to service delivery and prohibit training on Customer data.

8. MINIMUM NECESSARY STANDARD

MapleVoice applies the Minimum Necessary Standard under 45 CFR § 164.502(b). Workforce access to PHI is limited to personnel whose job functions require it, and access is scoped to the minimum data necessary to perform the task at hand.

9. BREACH NOTIFICATION

9.1 Incident Response

MapleVoice maintains a documented incident response plan aligned with the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414) and applicable state breach notification laws.

9.2 Notification to Customers

If MapleVoice discovers a breach of unsecured PHI, we will notify the affected Customer without unreasonable delay and no later than the timeframes required under the BAA and applicable law. The notification will include, to the extent known:

  • A description of what happened, including the date of the breach and the date of discovery
  • The types of PHI involved
  • Steps affected individuals should take to protect themselves
  • Steps MapleVoice is taking to investigate, mitigate, and prevent recurrence

9.3 Reporting Suspected Incidents

To report a suspected security incident, breach, or unauthorized disclosure, email security@maplevoice.ai immediately.

10. CUSTOMER RESPONSIBILITIES (COVERED ENTITIES AND BUSINESS ASSOCIATES)

The Customer is responsible for:

  • Executing a BAA with MapleVoice before using the platform with PHI in production
  • Determining whether specific workflows involve PHI and configuring the platform accordingly
  • Providing accurate, lawful call scripts and knowledge bases
  • Obtaining any required patient authorizations for contact, call recording, and AI-assisted interactions
  • Honoring patient opt-out and opt-out-of-contact requests
  • Maintaining the Customer's own HIPAA-compliant safeguards on systems that connect to MapleVoice
  • Training Customer workforce members who access the MapleVoice platform
  • Reviewing MapleVoice security configuration options and selecting those appropriate for the Customer's risk profile

11. PATIENT / INDIVIDUAL RIGHTS

Individuals whose PHI is processed through MapleVoice on behalf of a Covered Entity retain all rights under the HIPAA Privacy Rule, including the right to:

  • Access their PHI
  • Request amendments to their PHI
  • Request an accounting of certain disclosures
  • Request restrictions on use or disclosure
  • Request confidential communications
  • File a complaint

These rights are exercised through the Covered Entity. MapleVoice supports Customers in responding to such requests to the extent required under the BAA.

12. DATA RETENTION AND DISPOSAL

MapleVoice retains PHI only for the duration necessary to provide the Services or as required by the BAA, applicable law, or Customer instruction. Upon termination of the BAA and subject to legal retention requirements, MapleVoice will return or securely destroy PHI in a manner consistent with NIST SP 800-88 guidelines for media sanitization.

13. SUB-PROCESSORS

MapleVoice uses vetted sub-processors to deliver the Services. For HIPAA-regulated workflows, each sub-processor that may access PHI is bound by a BAA or equivalent contractual obligations. A current list of sub-processors is available on request at compliance@maplevoice.ai.

14. AUDITS AND CERTIFICATIONS

MapleVoice undergoes regular third-party assessments of its security and privacy controls, including:

  • SOC 2 Type II audits (aligned)
  • Annual HIPAA risk assessments
  • Penetration testing by independent security firms
  • Vulnerability scanning and remediation programs

Summary reports are available to qualified Customers and prospects under NDA.

15. TRAINING AND WORKFORCE

All MapleVoice workforce members who may access PHI complete HIPAA Privacy, Security, and Breach Notification training upon hire and at least annually thereafter. Training records are maintained for audit purposes.

16. LIMITATIONS AND EXCLUSIONS

MapleVoice is a technology platform and does not provide medical, legal, or clinical advice. MapleVoice is not a Covered Entity. This HIPAA Compliance Statement describes MapleVoice's operational practices and is not a warranty, guarantee, or representation that Customer's specific use of the platform is HIPAA-compliant. Customer's own policies, procedures, and workforce practices remain essential to overall HIPAA compliance.

17. CHANGES TO THIS STATEMENT

MapleVoice may update this HIPAA Compliance Statement from time to time to reflect changes in our practices, regulations, or guidance. Updates will be posted with a revised "Last Updated" date.

18. CONTACT

  • Maple54 (operating as MapleVoice)
  • Phoenix, Arizona
  • HIPAA & Compliance Email: compliance@maplevoice.ai
  • Security Incidents: security@maplevoice.ai
  • Phone: (480) 650-9911
  • Website: www.maplevoice.ai

For BAA requests, breach reports, or HIPAA-specific questions, please contact compliance@maplevoice.ai.

© 2026 Maple54, LLC — MapleVoice. All Rights Reserved.

Healthcare Customers

Need a BAA or compliance documentation?

Our compliance team can provide the Business Associate Agreement, SOC 2 summary reports, security documentation, and any other artifacts required by your privacy office.

compliance@maplevoice.ai(480) 650-9911