Compliance & data governance
The entire Ambrose platform is HIPAA-safe by design. This page summarizes how we host, store, retain, and process data. See also our Privacy Policy, Terms, and Sub-processors.
HIPAA-safe by design
HIPAA safety is the foundation of the platform, not an add-on. Protected health information (PHI) passes through a PHI Rail that redacts and pseudonymizes it before it can reach any destination not covered by a Business Associate Agreement. Every agent, team, routine, integration, and call transcript runs on these same rails. (HIPAA has no formal “certification”; this describes the controls we operate.)
Tenant isolation
Each customer (agency) is a separate, isolated tenant. Isolation is enforced on every read and write, so one customer can never access another customer’s keys, data, conversations, files, or credits.
Hosting & data residency
Customer Data is cloud-hosted on Amazon Web Services (AWS) in the United States — in a PostgreSQL database and in Amazon S3 — encrypted in transit (TLS) and at rest. Primary regions are AWS US West (N. California) and AWS US East (Ohio). AWS and Amazon Bedrock hold SOC 2, ISO 27001, and HITRUST and are HIPAA-eligible; Ambrose builds on that infrastructure.
Data retention
We retain Customer Data for as long as the account is active and as needed to provide the service. Conversation, run, usage, and file records are kept for the life of the account unless the customer deletes them. PHI is handled under HIPAA and any applicable BAA. Customers may request export or deletion at any time.
Archival & removal
When a customer closes their account or requests removal, we delete that customer’s Customer Data from active systems within 30 days. Encrypted database backups are retained on a rolling 10-day cycle and age out automatically. Slack tokens and connected-integration credentials are revoked and removed as soon as the integration is disconnected.
The AI model (LLM)
Ambrose is powered by Claude (Anthropic), accessed through Amazon Bedrock by default or a customer’s own Anthropic API key.
- Tenancy: inference runs in Ambrose’s AWS tenancy via Bedrock, which does not store prompts/completions, does not train on them, and does not share them with model providers or other customers. Bring-your-own-key requests go to Anthropic under its commercial terms (no training on customer data).
- Residency: all inference runs in US AWS regions and is processed in-region; the model does not persist prompts or completions.
- Retention: the LLM is configured to retain no Customer Data; the resulting conversation is stored only in the customer’s isolated workspace under the retention policy above.
Sub-processors
We use a small set of sub-processors (AWS, Anthropic, Stripe, Slack) to deliver the service. The current list, with purpose and location, is maintained at hiambrose.com/sub-processors. Tools a customer connects themselves (e.g. GoHighLevel) process data only at the customer’s direction and are not Ambrose sub-processors.
Audit & access
Every AI call and every staged action is logged and attributable. Sensitive actions are previewed and require the customer’s approval before they run, and the assistant never deletes data.
Questions about compliance or a BAA? Contact us.