Pipedream supports HIPAA compliance
At Pipedream, we're building a powerful platform for running serverless workflows. Security is a core part of that. We issue annual SOC 2 Type 2 reports and third-party pen tests. We've shipped access controls for projects and connected accounts. You can run workflows in dedicated VPCs, specific to your workspace. And we continue to implement more controls that protect customer data.
Now, Pipedream supports HIPAA workloads for Enterprise customers, allowing you to process protected health information (PHI) in workflows and other services.
Requesting a Business Associate Agreement
Pipedream is considered a Business Associate under HIPAA regulations. If you're a Covered Entity or Business Associate under HIPAA, you must have a Business Associate Agreement (BAA) in place with Pipedream before passing PHI to Pipedream. This agreement is an addendum to our standard terms, and outlines your obligations as a customer and Pipedream's obligations as a Business Associate under HIPAA.
Enterprise customers can request a BAA by visiting our Help Center and selecting the Privacy and security questions category.
Once we receive your request, we'll send you a BAA to review and sign.
If you're not on our Enterprise plan and want to learn more about HIPAA support, reach out to our Sales team at sales@pipedream.com.
We're also undergoing a third-party audit of HIPAA controls, and can provide a SOC 2 report detailing those controls upon completion. Please visit our Help Center to request that.
Covered Pipedream Services
Most Pipedream services are eligible for HIPAA, including:
- Workflows (v2 and v3)
- Event Sources
- Data Stores
- Destinations
However, some services are not HIPAA-eligible:
For the most up-to-date service eligibility, please visit our HIPAA documentation.
Additional Security Controls
Pipedream also gives you rich control over the security of your resources, especially those handling PHI. See our docs on security best practices to learn more.
Securing connected accounts and secrets
You can restrict which workspace members have access to your connected accounts with Access Controls. Only people who have access to a connected account can edit workflow steps linked to that account.
You can also add environment variables to projects. When you classify an env var as a secret, its value won't be shown again after save.
Securing workflows
If your workflows process especially sensitive data, you can limit the data you log, or even disable logging completely. Your workflows will still process events as normal, but Pipedream won't retain logs or step exports tied to those executions.
We also recommend you authorize incoming events, and audit any third-party packages you use in custom code.
Securing connections to external resources
If you connect to sensitive resources like databases, you should restrict access via firewall or other network-level controls.
In Pipedream, you can create a VPC specific to your workspace and assign your workflows to it. This will give you a dedicated, static IP address that you can whitelist on your firewall.
Reach out
If you'd benefit from a BAA, have any questions about our security controls, or want to learn more about Pipedream, reach out. We'd love to talk.