For healthcare · Business Associate Agreement

HIPAA-ready forms, done honestly.

Collect patient intake, screenings, and consent on TendForm — under a signed BAA, with patient data isolated in its own encrypted enclave and every access logged. Not marketing gloss: here's exactly how it works.

🔒

Isolated PHI enclave

HIPAA forms don't share a database with anything else. Their responses live in a separate, self-run Postgres cluster in its own locked-down namespace — one place, one credential set, one backup. Nothing else on TendForm touches it.

🧬

Encrypted per field

Every answer is sealed with authenticated AES-256 encryption before it's written, using a key held outside the database. Disks are encrypted too — so a stolen backup is ciphertext, not patient data.

📋

Every access is logged

Reading a patient response leaves a record: who, what, when, from where. There's no way to view PHI without an audit entry — that trail is the answer to “show me who touched this.”

🗄️

7-year, tamper-resistant retention

Audit logs and patient responses are archived to write-protected object storage that no application key can delete, and retained for seven years — beyond the six HIPAA requires, matching the longer windows many state medical-record laws expect — then expired automatically.

📝

Signed BAA

On the HIPAA plan we sign a Business Associate Agreement with you. Our infrastructure runs on a provider that has signed a BAA with us, on their HIPAA-covered services.

🚫

No ads, no tracking

HIPAA forms are never ad-supported and never edge-cached. Submissions go straight to the API over TLS. Analytics stay anonymous — no PHI ever reaches them.

How we do it

1. Isolation

A dedicated Postgres enclave (CloudNativePG on Kubernetes) with a default-deny network policy: only the app can reach it, only over TLS, never from the public internet. ePHI lives in exactly one place we can point to.

2. Encryption in depth

Envelope encryption on every PHI field (a per-record key wrapped by a master key kept out of the database), on top of provider disk encryption at rest and TLS in transit.

3. Access & audit

A least-privilege database role, database-level audit (pgaudit), and an application access log that records every read, export, and decryption of a response.

4. Backup & recovery

Continuous backups to object storage with a documented, monthly-tested restore drill — because under HIPAA, an untested backup isn't a backup.

Shared responsibility — the honest version

HIPAA compliance is never one vendor's checkbox. TendForm provides the safeguards — isolation, encryption, audit, retention — and signs a BAA. You, as the covered entity, are responsible for signing that BAA, configuring your forms, managing your staff's access, and running your own risk assessment. We self-assess annually using the free HHS Security Risk Assessment (SRA) Tool, and we'll share our architecture with your compliance team on request.

HIPAA, answered

Is TendForm HIPAA certified?

No product is — there is no official “HIPAA certification.” TendForm is HIPAA-ready: we sign a Business Associate Agreement and implement the Security Rule's technical safeguards (access control, audit, integrity, transmission security, encryption). Compliance is shared: you're responsible for configuring your forms correctly, controlling your own staff's access, and signing the BAA.

How do I turn on HIPAA mode?

Upgrade to the HIPAA plan, accept the BAA, then flip a form (or your whole account) into HIPAA mode. From that point its responses route into the encrypted enclave with full audit logging. Forms without HIPAA mode are unaffected.

Where does patient data actually live?

In a single, isolated Postgres enclave and its dedicated encrypted-archive buckets — separate from the rest of TendForm. That one-sentence answer is the point of the design: your compliance reviewer always knows exactly where ePHI is.

Can I get our access logs for an audit?

Yes. Every access to a patient response is recorded and retained for seven years. Account admins (and read-only auditors you designate) can query and export the access history.

Who are your sub-processors?

DigitalOcean (compute, Kubernetes, object storage — under a signed BAA on their HIPAA-covered services) and Cloudflare (edge/TLS for non-PHI marketing pages). HIPAA form submissions bypass the edge cache and go straight to the API.

Ready to collect PHI the right way?

Upgrade to the HIPAA plan, sign the BAA, and flip on HIPAA mode.

“HIPAA-ready” describes TendForm's safeguards and our willingness to sign a BAA. It is not a certification or legal advice. Compliance depends on how you configure and use the product.