Business Associate Agreement

Does Retool sign Business Associate Agreements with customers that deal in Protected Health Information (PHI)?

Hi Sherwood!

Retool's self-hosted offering presents a secure and compliant solution for building internal tools, catering to organizations handling sensitive data like PHI. While Retool is not a HIPAA Business Associate or subcontractor, self-hosted customers maintain full control over their deployment, securely contained within their infrastructure and behind their firewall. As further outlined in Retool's Security Practices Page, customer data is not transferred to or stored by Retool for self-hosted deployments. Customers maintain the autonomy to select data sources for querying and control access, ensuring that any PHI usage remains elective and limited. Robust permissioning and audit logs equip admins with visibility into the Retool platform, enabling effective compliance monitoring.

And more specifically, here's our section on healthcare customers:

Customer acknowledges that Retool is not a Business Associate or subcontractor (as those terms are defined in the Health Insurance Portability and Accountability Act and related amendments and regulations as updated or replaced "HIPAA") and accordingly, Customer is solely responsible for complying with any obligations thereunder. With respect to any online, cloud-based versions of the Services, Customer should not submit, collect or use any "protected health information" as defined in 45 CFR §160.103 ("PHI"). Customer agrees that we cannot support and have no liability for PHI received from Customer, notwithstanding anything to the contrary herein.

Let me know if you have any further questions!