Compliance

BAA & HIPAA

Compass can serve as a Business Associate under HIPAA when you execute a Business Associate Agreement (BAA) with us. A BAA is available on Insights and Enterprise tiers.

What does the BAA cover?

  • Compass's obligations when handling Protected Health Information (PHI) on your behalf
  • Permitted uses and disclosures of PHI in the context of analytics and cohort reporting
  • Security safeguards: encryption at rest (AES-256) and in transit (TLS 1.2+)
  • Breach notification obligations (within 60 days of discovery)
  • Data return and destruction procedures on contract termination

How to sign the BAA

  1. Upgrade your workspace to Insights or Enterprise.
  2. Go to Settings → Compliance → Business Associate Agreement.
  3. Review the BAA and click "Sign via DocuSign." The agreement is countersigned within 1 business day.
  4. Your signed BAA is available for download from the same settings page.

Technical safeguards

  Data encryption at rest:     AES-256 via AWS RDS / S3
  Data encryption in transit:  TLS 1.2+ enforced
  Access controls:             Role-based; tenant data is row-level isolated
  Audit logging:               All data access logged and retained 12 months
  Infrastructure:              AWS us-east-1 (SOC 2 Type II certified)
  Subprocessors:               See Trust Center for full subprocessor list

Note: Compass is a HIPAA-eligible service but HIPAA compliance is a shared responsibility. Your workspace configuration, user access controls, and data handling practices also affect your compliance posture. Consult your compliance officer or legal counsel.

Questions about the BAA? Email legal@joincompass.ai or watch the demo to discuss your compliance requirements.