Statement of Scope
Sytel Limited provides hosted dialer and telephony services that connect to customers’ on-premises systems. The service transmits and stores only call metadata and audio recordings.
Sytel does not collect, process, or store any individually identifiable health information as defined under the U.S. Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), nor does it perform functions that make it a Business Associate.
Basis for Non-BAA Status
- No PHI handled: Sytel receives only telephone numbers and call recordings that do not contain names, account numbers, or health-related data.
- No linkage to patient identity: Recordings are stored with reference IDs known only to the client (the Covered Entity or Business Associate).
- Hosted on AWS: All data resides on Amazon Web Services infrastructure, which maintains its own SOC 2 Type II and HIPAA-eligible environment certifications.
- Contractual limitation: The Softdial Cloud™ Subscription Agreement expressly prohibits the storage of financial or sensitive consumer data unless specifically encrypted by the client.
- Security alignment: Sytel applies encryption in transit and at rest, MFA for administrators, tenant isolation, and incident-response procedures consistent with SOC 2 and ISO 27001.
Conclusion
Sytel operates entirely outside the scope of HIPAA Business Associate requirements.
If requested, Sytel will sign a short addendum confirming that (a) no PHI is processed and (b) clients remain solely responsible for ensuring PHI is not introduced into call recordings or associated metadata.
Contact
Data Protection Officer — dpo@sytel.com
Find out more about Sytel’s policies for Security, Privacy and Compliance.
