RevDesk’s HIPAA posture
If your business handles Protected Health Information (PHI), you sign one Business Associate Agreement — with RevDesk. We’ve already executed BAAs with the subprocessors in our stack that require them. You don’t need to chase individual provider BAAs; we handle that upstream. Once your BAA is on file, we set hipaa_enabled on your workspace. That flag activates real runtime controls (described below), not just a contractual posture.
Our subprocessor BAA status
We use several third-party services to deliver RevDesk. Here’s where each one stands today — informational only; you don’t act on this list.

| Service | Role | RevDesk’s BAA status |
|---|---|---|
| Tier-1 carrier (voice, SMS, SIP trunking) | Carrier | Conduit Exception — the carrier transmits PHI but doesn’t access message content, so no BAA is required. Encryption in transit and at rest, access controls, and audit logging still apply. |
| LiveKit (real-time audio) | Media transport | Executed. |
| Vapi (voice AI orchestration) | AI assistant runtime | Executed under Vapi’s enterprise HIPAA tier. We pass hipaaEnabled=true to every assistant owned by a HIPAA-enabled workspace. |
| Vercel (hosting) + Vercel Blob (recording storage) | Platform | Executed under Enterprise BAA. |
| Managed Postgres | Data store | Executed with our managed Postgres provider. |
| OpenAI / Anthropic (LLM) | AI inference | BAA-eligible enterprise tier — we route HIPAA workspaces to BAA-covered model paths and block fallback to non-BAA providers. |
| Deepgram (STT) | Transcription | Executed. |
| Stripe | Billing | Executed. We avoid putting PHI in invoice descriptions or metadata regardless. |
compliance@revdesk.com and we’ll provide it.
How to request a BAA from RevDesk
- Email support@revdesk.com with subject “HIPAA BAA Request”.
- Include:
  - Your legal entity name
  - The workspace or team that will handle PHI
  - Your primary compliance contact (name + email)
- What happens next:
  - We respond within 2 business days with our standard BAA.
  - For customers who can sign as-is: same-day workspace activation once the BAA is countersigned.
  - For customers needing legal markup: we route through our counsel; typical close in 5–10 business days.
- After signing: we record execution on your workspace (baaSignedAt) and flip hipaa_enabled = true. The runtime controls below take effect immediately.
What hipaa_enabled does
A workspace with hipaa_enabled: true enforces the following at runtime:
- Voice AI provider HIPAA mode — every AI assistant we create on your behalf is provisioned with the upstream provider’s HIPAA setting enabled, routing inference through BAA-covered paths only.
- Recording disclosure locked on — you cannot save a custom assistant greeting that omits the “this call is recorded” disclosure. Our default greetings include it in 40+ languages.
- Recording retention capped — recordingRetentionDays cannot exceed 30, and recordingEnabled cannot be turned off.
- LLM routing prefers BAA-covered model providers; fallback to non-BAA providers is blocked.
- Integration installs gated — third-party apps that handle PHI but don’t have a subprocessor BAA on file (e.g., certain CRM and messaging integrations) are blocked from being installed on the workspace. The full list is shown in the integrations directory with a HIPAA notice.
- Audit log — every compliance-relevant mutation (flag flips, BAA recording, retention changes, blocked installs) is recorded.
baaSignedAt is set, which requires a fully executed BAA on our side.
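The runtime controls above, written out as a settings validator so the enforcement order is visible. This is an added illustration, not RevDesk’s code: the field names follow the page (hipaa_enabled, baaSignedAt, recordingRetentionDays, recordingEnabled), while the disclosure phrases, provider names and integration list are constructed stand-ins for RevDesk’s real registers.

```typescript
// Added illustration, not RevDesk's code. Field names mirror the page;
// the disclosure phrases, provider names and integration list are constructed.
export interface Workspace {
  hipaa_enabled: boolean;
  baaSignedAt?: string;            // ISO timestamp, set once the BAA is fully executed
  recordingEnabled: boolean;
  recordingRetentionDays: number;
  greeting: string;                // custom assistant greeting
  llmProviders: string[];          // preferred provider first, fallbacks after
  installedIntegrations: string[];
}

// Constructed lookups standing in for RevDesk's subprocessor BAA register.
const BAA_COVERED_LLM = new Set(["openai-enterprise", "anthropic-enterprise"]);
const INTEGRATIONS_WITH_BAA = new Set(["stripe", "deepgram"]);
const DISCLOSURE_PHRASES = ["this call is recorded", "esta llamada está siendo grabada"];

// Returns every violated control so a caller can reject the whole save atomically
// (and write one audit entry) instead of stopping at the first problem.
export function hipaaViolations(ws: Workspace): string[] {
  const v: string[] = [];
  if (ws.hipaa_enabled && !ws.baaSignedAt) {
    v.push("hipaa_enabled requires baaSignedAt (fully executed BAA)");
  }
  if (!ws.hipaa_enabled) return v;   // the remaining controls apply only under the flag

  if (!ws.recordingEnabled) v.push("recordingEnabled cannot be turned off");
  if (ws.recordingRetentionDays > 30) v.push("recordingRetentionDays cannot exceed 30");

  const greeting = ws.greeting.toLowerCase();
  if (!DISCLOSURE_PHRASES.some((p) => greeting.includes(p))) {
    v.push("assistant greeting omits the recording disclosure");
  }
  const blockedApps = ws.installedIntegrations.filter((i) => !INTEGRATIONS_WITH_BAA.has(i));
  if (blockedApps.length > 0) {
    v.push(`integrations without subprocessor BAA blocked: ${blockedApps.join(", ")}`);
  }
  return v;
}

// Routing: under the flag, non-BAA providers are removed from the chain entirely,
// so a fallback to one is impossible rather than merely discouraged.
export function allowedLlmProviders(ws: Workspace): string[] {
  return ws.hipaa_enabled
    ? ws.llmProviders.filter((p) => BAA_COVERED_LLM.has(p))
    : ws.llmProviders;
}
```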
Security baseline RevDesk always provides
Regardless of whether hipaa_enabled is set:
- TLS 1.3 in transit, AES-256 at rest.
- Encrypted credential storage (REVDESK_ENCRYPTION_KEY).
- Row-level access control — every API query runs through buildOwnershipFilter, which scopes results to the authenticated principal’s org/team visibility.
- Audit log on every mutation via tRPC middleware.
- Breach notification procedures per § 164.410.
compliance@revdesk.com.