Business Associate Agreement
Ordalis offers a HIPAA-compliant Business Associate Agreement (BAA) for customers on the Business plan or above who process protected health information (PHI). The BAA is not a clickwrap agreement: each request is reviewed and counter-signed by Ordalis Security.
1. What the BAA covers
The Ordalis BAA is a standard HIPAA BAA between your organization (a Covered Entity or upstream Business Associate) and Ordalis Inc. as a downstream Business Associate. It governs the use and disclosure of Protected Health Information processed through the Ordalis platform. Standard provisions include:
- Permitted uses and disclosures of PHI, limited to what is necessary to provide the document-extraction service.
- Safeguards matching the Ordalis security posture: encryption at rest and in transit, access controls, audit logging, retention controls, and incident response.
- Reporting of any use or disclosure of PHI not permitted by the agreement, including breach notification within the HIPAA-prescribed timeframes.
- Subcontractor flow-down obligations, so any Ordalis sub-processors touching PHI are bound by equivalent terms.
- Return or destruction of PHI on termination, with a 30-day cancellable hold window for data-deletion requests.
2. Plan eligibility
The BAA is available to customers on the Business plan and above. If you're on a lower plan and need a BAA, upgrade to Business before or during the request. Contact [email protected] if you have questions about the right tier for your workload.
3. How to request
- Sign in to Ordalis and upgrade your workspace to the Business plan or above.
- Visit the trust page and click Request BAA. You'll be asked for brief context (the downstream use case, PHI categories, any named covered entities).
- Ordalis Security reviews the request and returns a counter-signed BAA. While we formalize the BAA process, turnaround is on a best-effort basis, typically within a small number of business days for straightforward requests.
- For custom BAA language or expedited turnaround, contact [email protected] directly.
4. What PHI does Ordalis see?
Only the PHI you deliberately upload or submit via API. Ordalis does not scrape, enrich, or purchase additional PHI. Your documents are processed for extraction and then deleted on the retention schedule you configure (1 day to 10 years; 30-day cancellable hold on deletion requests).
5. No training on customer data
Ordalis does not train models on customer data. Third-party inference providers (Anthropic, OpenAI) used for extraction do not train on API traffic — see the trust page "No training on customer data" control. This commitment extends to PHI processed under the BAA.
6. Security controls
The technical and administrative safeguards referenced in the BAA are documented on the security page. Highlights: AES-256-GCM encryption at rest, TLS 1.2+ with HSTS, TOTP MFA (required for platform admins), OIDC SSO with JIT provisioning, workspace-scoped isolation, and a tamper-evident chain-hashed audit trail covering every sensitive action.
7. Sub-processors that may process PHI
The up-to-date list is machine-readable at api.ordalis.io/v1/compliance/subprocessors and summarized on the trust page. You will be notified at least 30 days before any new sub-processor is added.
8. Questions
For BAA-specific questions, contact [email protected]. For broader contract-level negotiation or custom terms, contact [email protected].