Case study · B2B SaaS (Conversation Intelligence, HIPAA)

Healthcare Conversation Intelligence, HIPAA-compliant on AWS

The challenge

Organizations whose business depends on customer conversations face the same three failures everywhere: conversations sit in silos across telephony, video, and messaging; there's no systematic analysis at scale, so sentiment shifts and compliance risks go undetected; and leaders coach from gut feel instead of data. This healthcare conversation intelligence platform set out to fix all three, a platform their subscribers could safely run their conversations through. Doing it meant a HIPAA-compliant AWS foundation from day one (many subscribers are in regulated industries), data partitioned at storage, compute, and identity layers, per-customer encryption keys with rotation, capacity for 10,000 concurrent calls + 100,000+ messages + 10,000+ videos on a 99.9% uptime SLA, subscriber self-management of integrations, and Infrastructure-as-Code with compliance checks in CI/CD.

What we built

The platform end-to-end on AWS. The HIPAA-compliant landing zone was stood up via the Infinitra HIPAA Compliance Accelerator, with isolation discipline layered on top: DynamoDB tenant_id partition keys, per-tenant S3 prefixes and KMS encryption context, Lambda tenant context from JWT claims, Cognito custom:tenant_id, and IAM policies conditioned on tenant_id. The end-to-end caller-desk audio pipeline runs through Amazon API Gateway to an ingestion Lambda to tenant-isolated S3 to Amazon Transcribe to DynamoDB to Amazon Bedrock summarization at 95%+ accuracy, decoupled asynchronously through Amazon SQS to handle 10K concurrent calls. Designated tenant-isolated S3 storage for external-platform messages and videos with sub-2-second CloudFront retrieval. A React SPA self-management portal lets subscribers configure their own telephony, messaging, and video integrations. Security and compliance posture: per-customer KMS CMKs with rotation, GuardDuty + Security Hub (HIPAA standard), EventBridge to SNS automated incident response, all infrastructure deployed via AWS CDK with cdk-nag and Checkov compliance checks in CI/CD.

Why this matters

The customer can onboard new subscribers into the platform without worrying about data-leak risk between them, isolation is enforced at the infrastructure layer, not by policy. Per-customer KMS keys with automatic rotation give each subscriber cryptographic independence and a clear story for compliance audits. The HIPAA Compliance Accelerator delivered a Well-Architected, NIST 800-66 R2-aligned foundation on day one. The CDK + cdk-nag + Checkov toolchain keeps the compliance posture intact as the customer evolves the platform. The caller-desk pipeline runs at 95%+ Bedrock summarization accuracy on Transcribe output, with capacity for 10,000 concurrent calls ready for the platform's subscribers to scale into.

HIPAA-compliant conversation intelligence on AWS. Caller-desk pipeline at 95%+ summarization accuracy, designed to scale to 10K concurrent calls, NIST 800-66 R2 controls.