BOOTS AGENT AI COMPLIANCE PLAYBOOK
1. Compliance Scope & Commitment
We commit to meeting or exceeding the highest applicable standards in:
- Privacy Laws: GDPR, CCPA/CPRA, U.S. AI/privacy laws
- Accessibility: ADA/WCAG 2.1 Level AA
- AI Ethics: NIST AI Risk Management Framework
- Industry Standards: HIPAA, PCI DSS, BIPA
2. Vendor & Platform Requirements
We only partner with vendors who meet:
- SOC 2 Type II or ISO 27001 certification
- TLS 1.2+ encryption in transit
- AES-256 encryption at rest
- Data Processing Agreements
- Data stored in the U.S., EU, or other compliant regions
3. Data Handling Policy (Internal)
We collect only what’s necessary and store only as long as needed:
- May Collect: Name, phone, email, booking details, inquiry type
- Will Not Collect: Medical history, card numbers, IDs, biometrics
- Retention: Chat logs deleted after 90 days; backups deleted within 30 days of contract end
4. Bot Transparency & User Consent
All bots must:
- Display AI disclosure
- Ask for explicit consent for sensitive data
- Offer opt-out instructions
5. Client-Facing Data Safety Summary
Data is encrypted in transit and at rest, never sold, stored only as needed, and AI use is always disclosed.
HIPAA-ready for health clients.
6. Incident Response Plan
If a breach occurs:
1. Identify & contain
2. Assess impact
3. Notify within legal timelines
4. Remediate & document
7. Quarterly Compliance Audit Checklist
- Review vendor certifications
- Test bot consent flows
- Verify encryption
- Delete expired records
- Check for new laws
- Update policies
8. Annual Review & Training
- Update policies annually
- Train team on data handling, AI ethics, incident response, and client privacy Q&A
9. Branding & Trust Signals
Display Trust Center link, security/compliance badges, and AI disclosures in all bots and communications