How Our AI Support Actually Works

IT Insights  ·  June 2026

We’ve had enough clients ask us directly — “wait, so is it a robot or a person?” — that we figured a transparent post was worth writing. Here’s exactly what Klaravex AI is, what it does, what it doesn’t do, and when a human takes over.

What Klaravex AI is

Klaravex AI is our AI-powered first-response and triage layer. It’s built on large language model technology, trained on our specific processes and knowledge base, and integrated with our ticketing and monitoring systems. It’s available 24/7 and responds in seconds.

Klaravex AI is not a chatbot with canned responses. It understands context and can ask clarifying questions, walk through multi-step troubleshooting, and escalate with full context when a human needs to step in. But it is also — and we’re direct about this — a software system with clear limitations.

What Klaravex AI does well

Klaravex AI handles these well

  • 24/7 first response on any support request
  • Common fixes — password resets, printer issues, M365 access problems
  • Triage: gathering the right context before a human touches the ticket
  • Answering knowledge base questions and policy questions
  • Monitoring alerts — initial triage and response to system events
  • Walking users through step-by-step guides interactively

Klaravex AI doesn’t do these

  • Pretend to be human — Klaravex AI always identifies as an AI
  • Make unilateral security decisions (firewall changes, account terminations)
  • Give legal or financial advice
  • Handle novel situations without a human confirmation loop
  • Replace judgment for complex or high-stakes decisions

The human handoff

Every ticket Klaravex AI can’t resolve — or that hits a defined complexity threshold — escalates to a human engineer. The escalation is seamless from the client’s side: the thread continues, and the engineer has full context from Klaravex AI’s triage work.

What the handoff looks like in practice

Client submits a ticket. Klaravex AI responds immediately, asks clarifying questions, and gathers diagnostics.

If Klaravex AI resolves it, the ticket closes with a summary. If not, it escalates with a full context brief: issue description, steps tried, system state, and urgency assessment.

The engineer picks up exactly where Klaravex AI left off — no re-explaining the problem from scratch.

For critical issues (active outage, suspected breach, ransomware), Klaravex AI flags for immediate human escalation and a human is paged within minutes.

“Is this cheaper because a robot does it?”

We hear this question a lot, usually with a hint of skepticism. Here’s the honest answer: yes, AI-assisted support is more efficient — but not because we’re cutting corners. It’s because the economics of common IT issues work differently than complex ones.

The majority of IT support tickets are variations of the same 50 problems. Password reset. Printer not connecting. MFA prompt not working. Teams audio not working on a call. These issues are well-understood and have consistent solutions. Klaravex AI handles these in minutes at any hour. A human engineer doing the same work at 2am is an expensive allocation of skilled time.

What this means in practice: our human engineers spend their time on work that genuinely requires judgment — complex migrations, security incidents, architectural decisions, edge cases. Clients get faster resolution on routine issues and more capable human attention when it matters. That’s not a worse service. That’s a better one.

For a full explanation of how Klaravex AI is built and trained, see How Our AI Works.

Microsoft 365 vs Google Workspace for a 20-Person Firm

IT Insights  ·  June 2026

Picture a 20-person professional services firm — an accounting practice, a small law firm, a marketing agency. No dedicated IT staff. A mix of personal Gmail accounts and one shared Microsoft 365 subscription that somehow became the default. And a decision looming: standardize on something, or keep limping along.

Here’s the honest answer, and then the nuance.

The recommendation

Bottom line

For most US professional services firms — accounting, legal, consulting, financial — Microsoft 365 Business Premium is the right call. Stronger compliance tools, better parity with the Office apps your clients and counterparts already use, and a single vendor relationship that scales as you add users and complexity.

The compliance gap is the decisive factor for regulated industries. M365 Business Premium at $22/user/month gives you Intune for device management, Defender for Business, Azure AD P1 for Conditional Access, and Purview for data protection. Google Workspace has a compliance story, but it requires more configuration and third-party tools to reach the same posture. For a firm that handles client financial data or legal matters, that gap matters.

The second factor is Office app parity. If your team uses Excel seriously — financial models, complex reporting, pivot tables — working with Excel files in Google Sheets will cause daily friction. For light spreadsheet use it’s fine. For a 20-person firm doing serious work in Excel, it’s a recurring problem.

When Google Workspace wins

With that said, M365 is not universally right. Google Workspace is clearly the better fit when:

  • You’re a design or creative agency — Google’s real-time collaboration is genuinely better for document-heavy creative workflows
  • You’re a nonprofit — Google for Nonprofits provides free Business Starter access, and the budget savings are real
  • Your team is tech-forward and browser-first — if everyone lives in Chrome and prefers Google Docs’ simplicity, fighting that preference has a real productivity cost
  • You’re already deeply integrated with Google Analytics, Ads, or GCP — a unified Google identity simplifies admin and SSO

The migration reality

One of the biggest objections to standardizing on M365 is migration complexity. Here’s the honest picture: for a 20-person firm with no shared server infrastructure, migration is a weekend project if planned properly. Microsoft provides free tooling (MMAT) that handles email, contacts, and calendar from Gmail to Outlook in bulk. The bigger work is usually decommissioning old personal accounts and getting 20 people to change their habits — but that’s a people problem, not a technical one.

The migration is also cheaper than the ongoing cost of running a mixed environment. Every additional month of mixed accounts is additional security risk (personal accounts with no IT oversight), additional support overhead, and additional confusion about which account is “official.”

The “we’ll just run both” trap

Don’t run both permanently.

The most expensive outcome of this decision is indecision. Running M365 for some things and Gmail for others permanently doubles license costs, creates data residency confusion, complicates offboarding, and means your IT or MSP is managing two environments instead of one. Pick one. Run the migration. The short-term disruption is far cheaper than the long-term overhead of a split environment.

There’s a legitimate temporary use case for running both during a planned migration, or in an M&A scenario where you’ve acquired a team on a different platform. But “we couldn’t decide” is not a reason to run both.

Make the call based on your work type, your compliance needs, and — honestly — what your team will actually adopt. Then standardize, migrate cleanly, and be done with it.

What HIPAA Actually Requires of a Small Medical Practice

IT Insights  ·  June 2026

Most small medical practices either over-engineer HIPAA compliance — building elaborate binders and paying consultants $20,000 for a 5-provider office — or they under-engineer it and hope no one notices. The reality is somewhere in between, and the core requirements are significantly simpler than the consulting industry makes them sound.

This post covers what actually matters for a small practice, what the most common violations look like in the real world, and what HIPAA readiness concretely looks like for a practice with 2–10 providers.

The 3 things that matter most

1. A written Security Risk Analysis

The Security Risk Analysis (SRA) is the single most cited gap in HIPAA audits. It’s a documented assessment of where PHI lives in your environment, what the risks to that data are, and what you’re doing to mitigate them. It does not have to be a 200-page document. For a small practice, a clear, honest 10-15 page analysis covering your EHR, email, workstations, backups, and physical access is sufficient — but it must be written down, signed, and dated.

2. Access controls and audit logging

Every person who touches PHI should have their own individual login — no shared accounts. Your EHR should log who accessed which records and when. You should be able to answer “who looked at Patient X’s chart on Tuesday?” in under 5 minutes. This is a core HIPAA Technical Safeguard, and it’s also how you detect insider threats and unauthorized access early.

3. A signed BAA with every vendor that touches PHI

A Business Associate Agreement (BAA) is a contract that makes your vendors legally responsible for protecting PHI. Every vendor that handles, stores, or transmits PHI — your EHR, your email provider (if you use it for patient communication), your cloud backup provider, your IT support company — needs a signed BAA with you. Most major vendors (Microsoft, Google, AWS) offer BAAs at the Business tier or above. Fax services, transcription services, and billing companies are common gaps.

Common violations in small practices

These are the HIPAA gaps we see most frequently when reviewing small medical practices — not theoretical risks, but patterns that show up repeatedly:

  • Using personal Gmail or Yahoo for patient communications — neither service signs a BAA at the consumer tier
  • No MFA on EHR access — a stolen laptop credential is an open door to your entire patient record system
  • Shared login credentials among clinical staff — “everyone uses the front desk password” makes audit logging meaningless
  • No formal breach notification procedure — when something happens, you have 60 days to notify affected patients and HHS; without a plan, you’ll miss it
  • Workstations without screen locks or automatic timeout — unattended workstations in exam areas are a physical safeguard violation
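
The audit-logging requirement and the shared-login gap above can both be checked against an EHR access-log export. The following is an added example, not code from this post or from any EHR vendor; the CSV layout, column names, sample rows, and the 10-minute window are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an EHR access-log export (hypothetical column names).
SAMPLE_LOG = """timestamp,user,workstation,patient_id,action
2026-06-02T09:14:05,dr.patel,EXAM-1,P-1001,view_chart
2026-06-02T09:20:41,frontdesk,FRONT-1,P-1001,view_chart
2026-06-02T09:22:10,frontdesk,EXAM-2,P-1044,view_chart
2026-06-02T11:03:37,nurse.kim,EXAM-2,P-1001,edit_vitals
2026-06-03T08:55:12,dr.patel,EXAM-1,P-1001,view_chart
"""

def load_events(text):
    """Parse the CSV export into dicts with a real datetime for comparisons."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        events.append(row)
    return sorted(events, key=lambda e: e["timestamp"])

def who_accessed(events, patient_id, day):
    """Answer 'who looked at Patient X's chart on <day>?' (day is YYYY-MM-DD)."""
    target = datetime.fromisoformat(day).date()
    return [(e["timestamp"].strftime("%H:%M"), e["user"], e["workstation"], e["action"])
            for e in events
            if e["patient_id"] == patient_id and e["timestamp"].date() == target]

def shared_login_suspects(events, window=timedelta(minutes=10)):
    """Flag accounts seen on two different workstations within `window`.

    One person cannot be at two workstations at once, so this pattern suggests
    a shared password, which makes the per-user audit trail unreliable.
    """
    last_seen = {}                      # user -> (timestamp, workstation)
    suspects = defaultdict(set)
    for e in events:
        prev = last_seen.get(e["user"])
        if prev and prev[1] != e["workstation"] and e["timestamp"] - prev[0] <= window:
            suspects[e["user"]].update({prev[1], e["workstation"]})
        last_seen[e["user"]] = (e["timestamp"], e["workstation"])
    return {user: sorted(ws) for user, ws in suspects.items()}

if __name__ == "__main__":
    events = load_events(SAMPLE_LOG)
    for row in who_accessed(events, "P-1001", "2026-06-02"):
        print(*row)
    print(shared_login_suspects(events))
```

In the constructed data, the `frontdesk` entry in the chart-access answer cannot be tied to a person, because the same account appears on a second workstation 89 seconds later.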

What HIPAA readiness looks like for a 5-provider practice

Forget the binder. Here’s what concrete readiness actually looks like:

1. Complete and document a Security Risk Analysis. Map where PHI lives — EHR, email, shared drives, physical records, backups. Assess risks. Document mitigations. Review annually and after any major change.

2. Enforce individual accounts and MFA on every system that touches PHI. No shared logins. Enable MFA on your EHR, email, and remote access. Confirm your EHR audit logging is turned on.

3. Inventory your vendors and collect signed BAAs. Go through every vendor that handles patient data. Get signed BAAs on file. This includes your IT company, cloud backup, secure messaging platform, and transcription service.

4. Write a breach notification procedure. It doesn’t need to be long. It needs to say who is responsible for detecting a breach, who decides whether to notify, and what the notification process is within the required timeframes.

5. Train staff annually. Document it. HIPAA requires workforce training. A 30-minute annual session covering phishing, proper data handling, and breach reporting — with attendance logged — satisfies this requirement.

What about the fines?

HIPAA fines range from $100 to $50,000 per violation, up to $1.9M per violation category per year. The scary headline numbers ($5M+ settlements) are for large health systems with willful neglect over years — not small practices with a single incident and a documented compliance program.

The Office for Civil Rights (OCR) has historically been more lenient with small practices that have made good-faith efforts to comply. The fine risk is real, but it’s proportional. A practice that has completed its SRA, trains staff, and signs BAAs is in a fundamentally different position than one that has done nothing. The single biggest risk factor in enforcement actions is documented evidence of willful neglect — ignoring known gaps.

Note: This is informational content only, not legal advice. HIPAA compliance involves legal obligations that vary by practice type, state, and specific circumstances. Consult a healthcare attorney for guidance specific to your situation.
