1. What the BAA covers
The Ordalis BAA is a standard HIPAA BAA between your organization (a Covered Entity or upstream Business Associate) and Ordalis LLC as a downstream Business Associate. It governs the use and disclosure of Protected Health Information processed through the Ordalis platform. Standard provisions include:
- Permitted uses and disclosures of PHI, limited to what is necessary to provide the document-extraction service.
- Safeguards matching the Ordalis security posture: encryption at rest and in transit, access controls, audit logging, retention controls, and incident response.
- Reporting of use/disclosure not permitted, including breach notification within the HIPAA-prescribed timeframes.
- Subcontractor flow-down obligations, so any Ordalis sub-processors touching PHI are bound by equivalent terms.
- Return or destruction of PHI on termination, with a 30-day cancellable hold window for data-deletion requests.
2. Plan eligibility
BAA eligibility is a workspace-level entitlement, set by Ordalis after BAA execution. Workspaces on the Firm and Enterprise plans are auto-granted eligibility on subscription. Starter and Team workspaces with a real PHI use case can request the BAA via sales — eligibility is granted after counter-signing. The Free plan is not eligible. Contact sales@ordalis.io if you have questions about the right tier for your workload.
3. How to request
- If you're on Firm or Enterprise, BAA eligibility is auto-granted on plan transition; you can immediately switch your workspace AI routing policy to baa_only in workspace settings.
- If you're on Starter or Team, contact sales@ordalis.io with brief context (the downstream use case, PHI categories, any named covered entities). Ordalis Security reviews the request, counter-signs the BAA, and grants the workspace eligibility.
- Turnaround is typically within a small number of business days for straightforward requests. For custom BAA language or expedited turnaround, contact security@ordalis.io directly.
4. What PHI does Ordalis see?
Only the PHI you deliberately upload or submit via API. Ordalis does not scrape, enrich, or purchase additional PHI. Your documents are processed for extraction and then deleted on the retention schedule you configure (1 day to 10 years; 30-day cancellable hold on deletion requests).
5. No training on customer data
Ordalis does not train models on customer data. All AI inference runs on Cloudflare Workers AI (Gemma 4, Nemotron 3, Kimi K2.5/K2.6), so PHI never leaves the Cloudflare network boundary, and Workers AI does not train on customer prompts. BAA-scope workspaces are additionally routed through the zero-retention Cloudflare AI Gateway so prompt/response bodies aren't stored for debugging. See the "No training on customer data" control on the trust page.
6. Security controls
The technical and administrative safeguards referenced in the BAA are documented on the security page. Highlights: AES-256-GCM encryption at rest, TLS 1.2+ with HSTS, TOTP MFA (required for platform admins), OIDC SSO with JIT provisioning, workspace-scoped isolation, and a tamper-evident chain-hash audit trail on every sensitive action.
7. Sub-processors that may process PHI
The up-to-date list is machine-readable at api.ordalis.io/v1/compliance/subprocessors and summarized on the trust page. You will be notified at least 30 days before any new sub-processor is added.
8. Questions
For BAA-specific questions, contact security@ordalis.io. For broader contract-level negotiation or custom terms, contact legal@ordalis.io.