BAA Status & Compliance Roadmap

Business Associate Agreement tracking for HIPAA compliance

A Business Associate Agreement (BAA) is the contract HIPAA requires between a covered entity (or another business associate) and any third-party vendor that creates, receives, maintains, or transmits Protected Health Information (PHI) on its behalf. In the BAA the vendor commits to the safeguards, the use and disclosure limits, and the breach-notification duties of the HIPAA Privacy and Security Rules. Without a signed BAA, a covered entity may not disclose PHI to the vendor, and the vendor cannot lawfully handle it.

Current BAA Status Summary

6 BAA Available: vendors that offer a HIPAA BAA
1 BAA Pending: BAA to execute or plan to upgrade
6 BAA Not Required: no PHI access configured

BAA Available - Ready for Execution

These vendors offer HIPAA-compliant BAAs and are ready to be signed when JourneyLoop begins handling PHI.

Heroku (Salesforce): application hosting platform (PaaS on AWS); HIPAA-eligible only on Enterprise/Private Spaces plans; SOC 2, ISO 27001, and PCI DSS certified
Google Cloud Storage: file storage for transcripts and documents
OpenAI: AI content analysis and generation
Google AI (Gemini): text-to-speech generation
Google Calendar API: calendar integration for scheduling
RecallAI: session recording, transcription, and storage (HIPAA compliant)
Next Steps: BAAs with these vendors will be executed before JourneyLoop enables PHI handling. Heroku executes a BAA only on Enterprise or Private Spaces plans. Google BAAs are accepted by an account administrator in the relevant admin console (the Google Cloud console for GCP services); confirm which Google agreement covers the Calendar API before relying on it. Confirm that the OpenAI BAA covers each API endpoint and model the application calls. RecallAI became HIPAA compliant in 2025 and offers BAAs for healthcare applications.

BAA Pending - Need to Execute or Upgrade

This vendor already holds application data and requires BAA execution (here, a plan upgrade plus the HIPAA add-on) before PHI handling begins.

Supabase: PostgreSQL database service; HIPAA add-on available on the Team plan (currently on the Pro plan). Status: upgrade required, planned Q1 2026.
Infrastructure Notes: Supabase offers HIPAA compliance as a paid add-on for the Team plan or above (per Supabase's documentation). JourneyLoop plans to upgrade in Q1 2026 when funding is secured. AWS is Heroku's subcontractor: when JourneyLoop runs on a HIPAA-eligible Heroku plan (Enterprise or Private Spaces), Heroku's BAA covers the underlying AWS infrastructure, so no separate AWS BAA is needed.
Priority: This BAA must be executed (or plan upgrade completed) before JourneyLoop can handle PHI. This is part of the vendor compliance requirements in our HIPAA roadmap.

BAA Not Required - PHI Excluded

These vendors are configured never to receive PHI. They handle only non-sensitive data: billing information, public content, or anonymized metrics.

Stripe: payment processing, billing data only (no PHI)
Make.com: email routing, notification content only (no PHI)
Sentry: error tracking, PII/PHI scrubbing enabled (no PHI)
Firecrawl: web scraping, public content only (no PHI)
Serper: search API, search queries only (no PHI)
Redis Cloud: task queue and caching; stores only database IDs (integers) for background jobs, never PHI content; cache entries expire within 5 minutes (no PHI)
Technical Controls: Application-level filters and data scrubbing ensure these vendors never receive PHI, even inadvertently, and this is verified in code review and by automated tests. Two caveats: the Stripe classification holds only while billing records identify the customer account rather than an individual receiving care, and Make.com stays PHI-free only while notification templates carry no session content; both should be rechecked whenever the data model changes.
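The two controls above (scrubbing PHI out of error reports before they reach Sentry, and allowing only integer database IDs into the Redis job queue) are the kind of thing a reviewer wants to see as code rather than as a claim. The following is an added example, not JourneyLoop's code: it assumes Python, a hypothetical set of PHI field names, and the `before_send(event, hint)` hook shape that `sentry_sdk.init()` accepts. The sample event is constructed for the example.

```python
import re
from typing import Any, Optional

# Field names that may carry PHI. These are assumptions for illustration;
# a real deployment derives the set from its own data model.
PHI_KEYS = {
    "name", "first_name", "last_name", "email", "phone", "dob", "date_of_birth",
    "address", "transcript", "notes", "diagnosis", "mrn", "ssn",
}
# Regex backstop for PHI that leaks into free text (log messages, frame locals).
PHI_PATTERNS = [
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),              # e-mail address
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                  # US SSN
    re.compile(r"\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b"),   # US phone number
]
REDACTED = "[redacted]"


def scrub(value: Any) -> Any:
    """Return a copy of `value` with PHI keys replaced and PHI-looking strings masked.

    Recurses through dicts and lists so it covers every part of a Sentry event:
    message, extra, request data, breadcrumbs and stack-frame locals alike.
    """
    if isinstance(value, dict):
        return {
            k: REDACTED if str(k).lower() in PHI_KEYS else scrub(v)
            for k, v in value.items()
        }
    if isinstance(value, (list, tuple)):
        return [scrub(v) for v in value]
    if isinstance(value, str):
        for pattern in PHI_PATTERNS:
            value = pattern.sub(REDACTED, value)
        return value
    return value  # ints, floats, None and booleans pass through unchanged


def before_send(event: dict, hint: Optional[dict] = None) -> dict:
    """Hook with the signature sentry_sdk.init(before_send=...) expects.

    Scrubs the whole event before it leaves the process; the original dict is
    not mutated, so the caller's data is untouched.
    """
    return scrub(event)


JOB_TTL_SECONDS = 300  # queue entries expire within 5 minutes


def build_job_payload(job_type: str, **ids: int) -> dict:
    """Build the only kind of record allowed into the Redis task queue.

    The payload is a job name plus integer database IDs; the worker re-reads
    the rows from Postgres, so no PHI content is ever cached.
    """
    for key, value in ids.items():
        # bool is a subclass of int; reject it explicitly so flags cannot sneak in
        if isinstance(value, bool) or not isinstance(value, int):
            raise ValueError(
                f"{key!r} must be an integer database ID, got {type(value).__name__}"
            )
    return {"job": job_type, "ids": dict(ids), "ttl": JOB_TTL_SECONDS}


# Constructed sample event, not a real capture.
SAMPLE_EVENT = {
    "message": "Failed to save session for jane.doe@example.com",
    "extra": {
        "session_id": 4821,
        "email": "jane.doe@example.com",
        "transcript": "Patient reports ...",
    },
    "request": {"data": {"user_id": 17, "phone": "(555) 123-4567"}},
    "breadcrumbs": [{"message": "called 555-123-4567 back"}],
}

if __name__ == "__main__":
    import json
    print(json.dumps(before_send(SAMPLE_EVENT), indent=2))
    print(build_job_payload("transcribe_session", session_id=4821, user_id=17))
```

The key denylist and regex backstop are best-effort controls: they catch the obvious leaks but cannot recognize every free-text PHI value, which is why the stronger control is the one `build_job_payload` enforces, never putting content in the outbound record at all. A test suite should pin both behaviours (a PHI key never survives `before_send`; a non-integer job field is rejected) so the "verified through code review and testing" claim above stays true as the code changes.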

Vendor Compliance Roadmap

Our phased approach to achieving full vendor HIPAA compliance and BAA coverage.

Phase 1: Vendor Identification

Complete

Comprehensive audit of all third-party vendors that process data. Categorized by data access level and identified which vendors require BAAs.

Phase 2: BAA Research & Availability

In Progress

Confirmed BAA availability for Heroku (requires Enterprise/Private Spaces plan), Google Cloud, OpenAI, RecallAI, and other major vendors. Supabase offers HIPAA compliance on the Team plan; the upgrade to Team and enabling the HIPAA add-on are planned for Q1 2026 (pending funding).

Next Milestone: Supabase Team Plan upgrade targeted for Q1 2026 when funding is secured.

Phase 3: BAA Execution

Planned

Execute BAAs with all required vendors before enabling PHI handling. This includes upgrading Heroku to Enterprise/Private Spaces plan, upgrading Supabase to Team Plan with HIPAA add-on, and executing BAAs with AI processing vendors (OpenAI, Google AI, RecallAI).

Phase 4: Ongoing Vendor Management

Planned

Implement a vendor review process, track BAA renewals, monitor vendor security posture (for example, by reviewing current SOC 2 reports), and update the vendor list as integrations change.