
Security & Acceptable Use

Last Updated: April 22, 2026

This page combines NightAI's Acceptable Use Policy (what you may and may not do with the Service) and our Security Overview (how we protect your data and your callers' data). Both sections are binding on all NightAI Business Customers in conjunction with the Terms of Service.

Part I

Acceptable Use Policy

1. Permitted Uses

NightAI is designed for legitimate, appointment-based businesses that want to automate inbound call handling for their customers. Permitted uses include:

  • Answering inbound calls from callers seeking appointments, service information, or customer support;
  • Scheduling, rescheduling, or canceling appointments on behalf of your business;
  • Providing appointment status confirmations to callers;
  • Answering general FAQs about your business (hours, location, services offered) as configured in your AI agent prompt;
  • Sending email confirmations with calendar invites (.ics files) to callers following a successful booking;
  • Collecting caller name, phone number, email address, desired appointment date and time, and reason for visit — no other PII collection is intended or supported by the default configuration;
  • Reviewing, managing, and exporting your appointment records via the NightAI dashboard.

All other uses are subject to the restrictions described in Section 2 of this policy.

2. Prohibited Uses

The following uses of the NightAI Service are strictly prohibited. Engaging in any prohibited use may result in immediate suspension or termination of your account without notice or refund.

Protected Health Information (PHI)

  • Using the Service to process, store, or transmit Protected Health Information (PHI) as defined under HIPAA, without a valid Business Associate Agreement (BAA) with NightAI. NightAI does not currently offer BAAs and is not HIPAA-certified. See the Terms of Service, Section 8.

AI Disclosure and Impersonation

  • Configuring the AI agent to claim it is a human being when directly and sincerely asked by a caller;
  • Configuring the AI agent to impersonate a specific named individual (e.g., "Dr. Smith") in a way that would mislead callers into believing they are speaking with that person;
  • Using the Service in any jurisdiction where AI voice agent deployment without disclosure is prohibited by law, without implementing the required disclosure in your greeting message.

Recording and Wiretapping

  • Enabling call recording in your Twilio configuration without complying with all applicable federal, state, and local wiretapping, eavesdropping, and call recording laws;
  • Failing to obtain required prior consent from callers in all-party consent jurisdictions before recording calls. The following US states require all-party consent to record a telephone call: California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Montana, New Hampshire, Oregon, Pennsylvania, and Washington;
  • Using the Service to intercept, monitor, or record calls involving parties who have not consented to such recording as required by applicable law.

Outbound Dialing and Spam

  • Using the Service or any associated Twilio phone number to place outbound telemarketing calls, robocalls, or unsolicited bulk calls without independent compliance with the Telephone Consumer Protection Act (TCPA), FTC Telemarketing Sales Rule, and all applicable state laws. NightAI's platform is designed for inbound call handling only;
  • Using the Service to send unsolicited text messages (SMS/MMS) for marketing purposes without the recipient's prior express written consent as required by the TCPA;
  • Using the Service to send spam, phishing messages, or any fraudulent communications.

Resale and Unauthorized Distribution

  • Providing third parties access to the NightAI platform or your NightAI account credentials without separate written authorization from NightAI;
  • Using a single NightAI account to operate AI agents on behalf of unrelated businesses without written authorization from NightAI.

Illegal or Harmful Activities

  • Using the Service for any purpose that violates applicable law, regulation, court order, or third-party rights;
  • Configuring the AI agent to deceive callers for fraudulent purposes, including phishing for financial information, impersonating government agencies, or facilitating scams;
  • Using the Service in connection with illegal gambling, drug sales, weapons trafficking, or any other criminal activity;
  • Attempting to reverse-engineer, decompile, or derive the source code of the NightAI platform or any of its sub-processors' services.

Technical Abuse

  • Circumventing or attempting to circumvent any rate limits, access controls, authentication mechanisms, or security features of the Service;
  • Using automated scripts, bots, or other tools to abuse the Service in ways that degrade performance for other users;
  • Submitting false or misleading information during account registration or onboarding;
  • Uploading malicious code, viruses, or any content that could harm the Service or other users.

3. Recording Consent Responsibility

Your sole responsibility: Compliance with all call recording and monitoring consent laws is entirely your responsibility as the Business Customer. NightAI provides the technical platform but cannot determine the recording consent requirements applicable to your specific business, your callers' locations, or the applicable laws in your jurisdiction.

NightAI strongly recommends that all Business Customers configure their AI greeting message to include a clear announcement that the call is handled by an AI system and, if the call may be recorded or monitored, that callers are informed of this at the start of the call. A suggested greeting approach:

"Thank you for calling [Business Name]. You're speaking with an AI assistant. This call may be recorded for quality purposes. How can I help you today?"

This announcement serves two purposes: (1) it complies with AI disclosure requirements in jurisdictions that require them, and (2) it satisfies one-party or all-party consent requirements for call recording in many jurisdictions (though you should verify the specific requirements in your state and your callers' states with qualified legal counsel).

NightAI is not responsible for and will not indemnify you against any legal liability arising from your failure to obtain required recording consent. See the Terms of Service for indemnification obligations.

4. Violations and Enforcement

NightAI reserves the right, but is not obligated, to monitor use of the Service for compliance with this Acceptable Use Policy. Upon discovery or reasonable suspicion of a violation, NightAI may:

  • Issue a warning and request that you correct the violating conduct;
  • Temporarily suspend access to the Service while investigating;
  • Immediately and permanently terminate your account without notice;
  • Report the violating conduct to law enforcement or regulatory authorities;
  • Pursue any available legal remedies.

No refunds for AUP violations: Accounts terminated for violations of this Acceptable Use Policy are not entitled to any refund of paid subscription fees, including fees for the current billing period. This applies regardless of whether the violation was intentional.

If you become aware of a potential violation of this policy by another NightAI user, please report it to [email protected].


Part II

Security Overview

NightAI implements technical and organizational security controls to protect Business Customer data and caller data processed through the Service. This overview describes those controls and our security practices. It is intended to help Business Customers make informed risk assessments about deploying NightAI in their environment.

5. Encryption

At Rest

Sensitive credentials stored in the NightAI database are encrypted using AES-256-GCM (Advanced Encryption Standard, 256-bit key, Galois/Counter Mode with authentication tags). This applies to:

  • Your Twilio Account SID and Auth Token;
  • Your OpenAI API key;
  • Your ElevenLabs API key;
  • Any other provider credentials you connect to your NightAI account.

The encryption key is stored separately from the encrypted data (via environment variable on the application server) and is never logged. Key rotation is supported: when rotating keys, the previous key can be configured as a fallback to ensure seamless decryption during the transition period.
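How the fallback-key step of such a rotation can work, as an added Go example using only the standard library; it is not NightAI's code and assumes a record layout of nonce || ciphertext || tag, a key list with the current key first and previous keys after it, and constructed demo keys.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

func gcmFor(key []byte) (cipher.AEAD, error) { // a 32-byte key selects AES-256
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// sealCredential encrypts a provider secret and returns nonce || ciphertext || tag.
func sealCredential(key, secret []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record, never reused
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, secret, nil), nil
}
// openCredential tries keys[0] (current) first, then each fallback key; GCM's tag check
// makes a wrong key fail cleanly. The winning index lets the caller re-encrypt stale rows.
func openCredential(keys [][]byte, blob []byte) ([]byte, int, error) {
	for i, k := range keys {
		gcm, err := gcmFor(k)
		if err != nil || len(blob) < gcm.NonceSize() {
			continue
		}
		if pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil); err == nil {
			return pt, i, nil
		}
	}
	return nil, -1, fmt.Errorf("no configured key decrypts this record")
}

func main() {
	oldKey, newKey := make([]byte, 32), append(make([]byte, 31), 1)      // constructed demo keys
	blob, _ := sealCredential(oldKey, []byte("fake-twilio-auth-token")) // stored before rotation
	pt, idx, err := openCredential([][]byte{newKey, oldKey}, blob)      // read after rotation
	fmt.Printf("%s via key #%d err=%v\n", pt, idx, err)
}
```

Records that open only via a fallback index should be re-encrypted under the current key on read, so the previous key can be retired once none remain.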

In Transit

All data transmitted between your browser and NightAI's servers is protected using TLS 1.2 or higher. This includes the dashboard, API endpoints, and all web-facing services. Communication between NightAI's backend and third-party sub-processors (Twilio, OpenAI, ElevenLabs, SendGrid, Stripe) is also conducted over TLS.

Webhook Signature Validation

Inbound webhooks from Twilio are validated using Twilio's X-Twilio-Signature HMAC-SHA1 mechanism on every request. Requests that fail signature validation are rejected before any call processing occurs, preventing unauthorized webhook injection attacks.
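The check described above, as an added Go example that is not NightAI's code: it rebuilds Twilio's documented X-Twilio-Signature value (base64 of an HMAC-SHA1 over the request URL plus the POST parameters sorted by key) and compares it in constant time; the auth token, URL and form body are constructed placeholders.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// expectedTwilioSignature rebuilds what Twilio places in X-Twilio-Signature:
// base64(HMAC-SHA1(authToken, fullURL + each POST key and value, sorted by key)).
func expectedTwilioSignature(authToken, fullURL string, form url.Values) string {
	keys := make([]string, 0, len(form))
	for k := range form {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	b.WriteString(fullURL) // the exact public URL Twilio requested, query string included
	for _, k := range keys {
		for _, v := range form[k] { // repeated keys: values appended in received order (assumption)
			b.WriteString(k + v)
		}
	}
	mac := hmac.New(sha1.New, []byte(authToken))
	mac.Write([]byte(b.String()))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// ValidTwilioRequest is the gate to run before any call handling starts; a request whose
// header does not match is dropped. Constant-time compare avoids a timing side channel.
func ValidTwilioRequest(authToken, fullURL string, form url.Values, header string) bool {
	want := expectedTwilioSignature(authToken, fullURL, form)
	return subtle.ConstantTimeCompare([]byte(want), []byte(header)) == 1
}

func main() {
	// Constructed sample: fake auth token, fake webhook URL and body; nothing here is real.
	token, u := "fake_auth_token_for_example", "https://example.invalid/twilio/voice"
	form := url.Values{"CallSid": {"CAfake"}, "From": {"+15550100"}, "To": {"+15550199"}}
	sig := expectedTwilioSignature(token, u, form) // the header a genuine Twilio request carries
	fmt.Println("genuine:", ValidTwilioRequest(token, u, form, sig))
	form.Set("From", "+15550101") // body differs from what was signed: rejected
	fmt.Println("altered:", ValidTwilioRequest(token, u, form, sig))
}
```

Behind a reverse proxy the URL passed in must be the one Twilio dialled (scheme, host and port as configured in the Twilio console), not the internal address the application sees.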

6. Data Minimization

NightAI is designed to collect and retain only the data necessary to provide the Service:

  • Redis 30-minute TTL: Active call session state (conversation history, collected fields, call phase) is stored in Redis with a hard 30-minute time-to-live (TTL). When the TTL expires, the data is automatically and permanently deleted from Redis. This data is never archived to persistent storage.
  • No PII in application logs: NightAI's application logging is designed to avoid capturing personally identifiable information such as caller names, email addresses, or phone numbers in log streams.
  • Call records: NightAI stores the fields needed for appointment booking plus post-call summaries/transcripts for QA and customer review. These records may contain caller-provided personal data and are treated as sensitive database records.
  • No payment card storage: NightAI does not store credit card numbers, CVV codes, or full payment card data. All payment information is handled exclusively by Stripe, which maintains PCI DSS Level 1 certification.

7. Access Controls

NightAI implements the following access control measures:

  • API key encryption: Provider credentials are encrypted at rest (see Section 5) and are never returned in plaintext via API responses after initial submission;
  • Role-based dashboard access: The NightAI dashboard enforces account-level isolation — Business Customers can only access data associated with their own account;
  • Authentication: Business Customer accounts are protected by password-based authentication with session management. NightAI recommends using strong, unique passwords for your NightAI account;
  • Infrastructure access: Access to NightAI's production database and application servers is restricted to authorized personnel on a need-to-know basis and is protected by key-based authentication;
  • Twilio number isolation: Each business's AI agent is scoped to its configured Twilio phone number(s). Calls to other businesses' numbers are processed in separate account contexts.

8. Incident Response

NightAI maintains an incident response process for data security events. In the event of a confirmed data breach or material security incident:

  • NightAI will investigate and contain the incident as promptly as possible upon discovery;
  • Affected Business Customers will be notified within 72 hours of NightAI's determination that a material breach has occurred, including information about the nature of the breach, the data affected, and recommended protective steps;
  • NightAI will cooperate with affected Business Customers in meeting their own regulatory breach notification obligations where applicable;
  • A post-incident summary will be shared with affected customers upon completion of the investigation.

To report a suspected security incident affecting your account, or if you believe your account credentials have been compromised, contact [email protected] immediately. For account-level issues, also change your password and revoke any API keys that may have been exposed.

9. What We Don't Do

NightAI makes the following data use commitments:

  • We do not sell personal data. Caller data, Business Customer data, and website visitor data are never sold to third parties or data brokers under any circumstances.
  • We do not use caller data for advertising. Caller PII collected through the AI voice agent is used solely to provide the appointment scheduling service. It is never used for cross-context behavioral advertising, profiling, or marketing.
  • We do not train AI models on caller data. NightAI does not train, fine-tune, or otherwise use caller conversational data to improve AI models. Caller conversations are transmitted to OpenAI's API for real-time inference only. Per OpenAI's current API usage policy, OpenAI does not use API submissions to train its models (verify with OpenAI's current policy).
  • We do not store payment card numbers. NightAI does not retain credit card numbers, CVV codes, or raw payment data at any point. All payment processing is handled by Stripe.
  • We do not offer HIPAA Business Associate Agreements. NightAI is not a HIPAA-covered entity and cannot currently enter into BAAs. Do not use NightAI for PHI under any circumstances. See Terms of Service, Section 8.
  • We do not share data with sub-processors beyond what is necessary. Sub-processors receive only the minimum data required to perform their specific function (e.g., SendGrid receives only what is needed to send the confirmation email; OpenAI receives only the conversational content needed for the AI response).
  • SMS capabilities are pending carrier registration. Outbound SMS confirmation and reminder features are pending completion of carrier registration verification (via Twilio). Until registration is confirmed, SMS messaging is not active. We will notify Business Customers when SMS is available and update this policy accordingly.

10. Responsible Disclosure

NightAI welcomes responsible disclosure of security vulnerabilities in our platform. If you discover a potential security vulnerability, we ask that you:

  • Report the vulnerability to [email protected] as soon as possible, with sufficient detail to reproduce the issue;
  • Allow NightAI a reasonable time to investigate and remediate the issue before public disclosure (we target a 90-day remediation window for critical vulnerabilities);
  • Avoid accessing, modifying, or deleting data that does not belong to you during your research;
  • Avoid actions that could disrupt service availability for other users.

NightAI commits to:

  • Acknowledge receipt of your report within 3 business days;
  • Keep you informed of the investigation and remediation progress;
  • Not pursue legal action against researchers who disclose vulnerabilities in good faith in accordance with this policy;
  • Credit researchers publicly (with their consent) upon remediation of confirmed vulnerabilities.

Security disclosures: [email protected]
Please use "Security Disclosure" in the subject line. For encrypted communication, request our PGP key in your initial email.

This Security Overview describes NightAI's current security practices as of the date above. Security practices evolve over time and this document will be updated to reflect material changes. NightAI has not undergone a formal SOC 2 audit as of this date; a SOC 2 Type II certification is on the product roadmap. Enterprise customers requiring formal security certifications should contact [email protected] to discuss current status and availability.


HIPAA Disclaimer: NightAI is not HIPAA-certified and is not a HIPAA-covered entity. Not suitable for Protected Health Information (PHI). Covered entities requiring a Business Associate Agreement (BAA), healthcare businesses, dental practices, therapy practices, medical providers, med spas, aesthetics clinics, and clinical-advice workflows must not use NightAI. Review our Terms.

© 2026 NightAI. All rights reserved.

AI Voice Agents — Powered by Twilio, OpenAI & ElevenLabs