Question / Description:
I'm trying to utilize Retool Self Hosted to become HIPAA compliant and have a few questions about it. Seems like there are people using Retool that are both HIPAA and PCI.
What modifications are necessary to make Retool Self-Hosted HIPAA compliant (compared to what already is in the docs)?
How can I control Retool's access to my data and assure auditors that it remains unaccessed?
If Retool manages my authentication (not SSO), how does that communication work?
If Retool manages authentication (not using SSO), how is that communication handled?
For your questions about authentication, do you mean auth with username and password? Curious if you can share more details on your use case & potential concerns.
What changes are needed for HIPAA compliance?
With Retool Self-Hosted, you control everything. To meet HIPAA needs:
Host it securely (e.g. AWS or GCP) inside your private network
Use HTTPS and encrypted storage
Turn on audit logs and control user access (RBAC)
Disable any Retool cloud features you don’t use
Make sure you sign a BAA with Retool if needed
How to control access to your data?
Since it’s self-hosted, Retool can’t access your data unless you let it.
Just block public access to your databases, use firewalls/VPNs, and turn off data sharing or cloud sync.
How does authentication work (if not using SSO)?
Retool stores passwords securely (hashed with bcrypt) in your setup.
Login happens over HTTPS, so it’s encrypted.
You can also add 2FA, session timeouts, and strong password rules.
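As an added illustration of the local-authentication points in the answer above (salted password hashing, strong password rules, session timeouts), here is a small stand-alone example. It is not Retool's code and says nothing about how Retool itself stores credentials; the answer names bcrypt, and this example uses `hashlib.scrypt` from the Python standard library as a stand-in so it runs without third-party packages (both are salted, work-factor password hashes). The policy thresholds, the 15-minute idle timeout and the sample passwords are assumptions.

```python
"""Added example (not Retool's code): local username/password handling
as described in the answer -- salted, slow password hashing, a password
policy check, and idle-session expiry. hashlib.scrypt stands in for the
bcrypt the answer names; thresholds below are assumed values."""
import hashlib
import hmac
import os
from dataclasses import dataclass

SESSION_TIMEOUT_SECONDS = 15 * 60  # assumed idle timeout
MIN_PASSWORD_LENGTH = 12           # assumed policy minimum

# scrypt cost parameters (assumed): 2**14 * 8 * 128 bytes = 16 MiB of memory
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def password_meets_policy(pw: str) -> bool:
    """Assumed 'strong password rule': length plus character classes."""
    return (
        len(pw) >= MIN_PASSWORD_LENGTH
        and any(c.islower() for c in pw)
        and any(c.isupper() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(not c.isalnum() for c in pw)
    )


def hash_password(pw: str) -> str:
    """Return 'scrypt$<salt hex>$<digest hex>' with a fresh random salt,
    so identical passwords never produce identical stored values."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(
        pw.encode("utf-8"), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32
    )
    return "scrypt$" + salt.hex() + "$" + digest.hex()


def verify_password(pw: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(
        pw.encode("utf-8"),
        salt=bytes.fromhex(salt_hex),
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32,
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


@dataclass
class Session:
    user: str
    last_seen: float  # unix timestamp of last authenticated request


def session_is_valid(session: Session, now: float,
                     timeout: int = SESSION_TIMEOUT_SECONDS) -> bool:
    """A session is valid only while the idle gap is within the timeout."""
    return 0 <= now - session.last_seen <= timeout


if __name__ == "__main__":
    # Constructed demo values.
    pw = "Correct-Horse-42!"
    assert password_meets_policy(pw)
    stored = hash_password(pw)
    print("stored:", stored)
    print("verify correct:", verify_password(pw, stored))
    print("verify wrong:  ", verify_password("wrong", stored))
    s = Session(user="alice", last_seen=1_000.0)
    print("valid after 5 min: ", session_is_valid(s, 1_000.0 + 300))
    print("valid after 20 min:", session_is_valid(s, 1_000.0 + 1_200))
```

The stored string carries the algorithm name and salt alongside the digest, which is what lets a deployment rotate to a stronger work factor later without invalidating existing accounts. Login traffic still needs TLS in front of it; hashing protects the stored credential, not the one in transit.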
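The "block public access to your databases" advice in the answer above is the kind of control an auditor will ask to see evidence for. The following added example (not Retool's or any cloud provider's code) audits a constructed list of firewall rules and flags datastore ports reachable from outside private address space. The rule format, the port-to-service table and the sample rules are assumptions for illustration.

```python
"""Added example (not Retool's code): flag firewall/security-group rules
that expose datastore ports to non-private source ranges. Rule format,
port table and sample rules are constructed for illustration."""
import ipaddress
from typing import List, Tuple

# Assumed mapping of common datastore ports to service names.
DATASTORE_PORTS = {5432: "postgres", 3306: "mysql", 27017: "mongodb", 6379: "redis"}

PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),  # IPv6 unique local
]


def is_private_source(cidr: str) -> bool:
    """True when the whole source range sits inside an RFC 1918 / ULA block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == p.version and net.subnet_of(p) for p in PRIVATE_NETS)


def find_exposed_datastores(rules: List[dict]) -> List[Tuple[str, int, str, str]]:
    """Return (rule_id, port, service, source) for every inbound allow rule
    that opens a datastore port to a source outside private address space."""
    findings = []
    for rule in rules:
        if rule.get("direction") != "ingress" or rule.get("action") != "allow":
            continue
        if is_private_source(rule["source"]):
            continue
        lo, hi = rule["port_range"]
        for port, service in DATASTORE_PORTS.items():
            if lo <= port <= hi:
                findings.append((rule["id"], port, service, rule["source"]))
    return findings


# Constructed sample rules: one is the front door (443), the rest touch datastores.
SAMPLE_RULES = [
    {"id": "sg-app-https", "direction": "ingress", "action": "allow",
     "source": "0.0.0.0/0", "port_range": (443, 443)},
    {"id": "sg-db-internal", "direction": "ingress", "action": "allow",
     "source": "10.0.1.0/24", "port_range": (5432, 5432)},
    {"id": "sg-db-public", "direction": "ingress", "action": "allow",
     "source": "0.0.0.0/0", "port_range": (5432, 5432)},
    {"id": "sg-cache-office", "direction": "ingress", "action": "allow",
     "source": "203.0.113.0/24", "port_range": (6000, 7000)},
    {"id": "sg-egress-all", "direction": "egress", "action": "allow",
     "source": "0.0.0.0/0", "port_range": (0, 65535)},
]


if __name__ == "__main__":
    for rule_id, port, service, source in find_exposed_datastores(SAMPLE_RULES):
        print(f"EXPOSED {service}:{port} via rule {rule_id} from {source}")
```

Only the datastore rules are flagged; the HTTPS front door on 443 is expected to be public, and the internal 5432 rule passes because its source is a private subnet. Running a check like this on exported rules, on a schedule, gives a simple artefact to hand an auditor alongside the firewall and VPN configuration.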