Security, privacy, and architecture

Trust needs a visible operating model.

This page separates Norwyn platform controls, customer-configured settings, shared production responsibilities, and commitments that must be made in writing.

Read every control in the right context.

A platform safeguard, a configured setting, a customer responsibility, and a contractual promise are different things.

Platform control

A safeguard implemented and operated within the Norwyn service.

Deployment setting

A privacy, retention, event, or agent option that must be explicitly configured.

Customer responsibility

A policy, approval, system, or response path that remains under the healthcare organization’s control.

Contractual

A promise that belongs in the signed order form, DPA, or security schedule.

Architecture

One call, four responsibility zones.

Norwyn coordinates the approved voice workflow, integrations, reporting, and operational controls while keeping each system boundary visible.

01

Caller

Calls the healthcare organization’s number and receives the approved AI and recording disclosure.

02

Voice processing

Handles telephony, real-time voice interaction, agent execution, and configured call artifacts.

03

Norwyn layer

Applies approved workflows, manages configuration, verifies events, and presents operational outcomes.

04

Healthcare systems

Receive permitted appointment actions, handoffs, reports, or connected-system updates.

The exact hosting regions, processing locations, telecommunications routes, integrations, and transfer paths are recorded for each production deployment.

Privacy

Know what can move through the system.

Call content can reveal sensitive personal information even when the workflow is administrative. Inventory and minimization happen before configuration.

Call media

Audio and recording artifacts when recording is enabled.

Conversation content

Transcripts, summaries, knowledge retrieval, and approved dynamic context.

Operational records

Phone identifiers, timestamps, duration, routing, outcome, and analysis fields.

Action data

Appointment details or connected-system results required by the approved workflow.

Retention

No production agent without a retention decision.

Every deployment needs a written schedule for recordings, transcripts, summaries, metadata, connected-system records, deletion, and legal exceptions.

RecordingsConfigured by deployment

Enable only where the approved call purpose and notice require them.

Transcripts and analysisPurpose limited

Keep only the information required for the agreed operational outcome.

Required recordCustomer profile

Purpose, data categories, period, deletion path, export needs, and legal exceptions.

Connected systemsSeparate controls

Downstream copies follow their own access, retention, and deletion requirements.

Access and safeguards

Controls are a chain, not a badge.

Each item below needs evidence in the Norwyn environment, customer configuration, connected systems, or contract before it can be treated as complete.

Credentials

API credentials stay on trusted server-side systems, are scoped by environment, and require a documented rotation and revocation process.

Production requirement

Access

Workspace roles, unique accounts, least privilege, review cadence, and restrictions on raw transcript or recording access.

Platform control + customer responsibility

Event integrity

Connected events must be authenticated, invalid requests rejected, and retries handled without duplicating actions.

Platform control

Minimization

Collect only the fields needed for the approved administrative journey. Avoid clinical details when a scheduling outcome requires less.

Production requirement

Retention

Select a documented retention period and privacy mode before activation. Deletion and legal-hold exceptions belong in the retention schedule.

Deployment setting + contractual

Response

Incident ownership, evidence preservation, containment, customer notice, and recovery steps must be assigned and tested.

Production requirement + contractual

Response and continuity

Design the exception path before launch.

01

Call safety

Emergency and clinical-risk language follows a customer-approved message and immediate human or emergency-services path.

02

Service failure

Define telecommunications, platform, integration, and internal fallback behavior, plus who monitors and communicates an interruption.

03

Security event

Assign intake, triage, containment, evidence, customer notification, regulatory analysis, recovery, and post-incident review.

04

Responsible disclosure

A dedicated security contact, safe-harbor language, severity method, and response expectations must be published before production.

Security review

Bring your questionnaire and one real call flow.

We will map the data, systems, roles, retention, access, and handoffs that your deployment actually needs.

Request the review