HIPAA Safeguards & BAA Information

Last updated: February 22, 2026

GetDemand.ai maintains safeguards aligned with the Health Insurance Portability and Accountability Act (HIPAA) to protect any Protected Health Information (PHI) that may be processed through the Platform. This page outlines our HIPAA-related practices and your responsibilities as a covered entity or business associate.

1. Scope

GetDemand.ai is primarily a B2B sales intelligence platform for manufacturers and exporters. While the Platform is not designed to process clinical health data, some customers in the healthcare supply chain (medical device manufacturers, pharmaceutical distributors, healthcare equipment suppliers) may handle information subject to HIPAA.

Our HIPAA safeguards apply when customers use the Platform to manage contacts, communications, or pipeline data that contains or could reasonably contain PHI.

2. Business Associate Agreement (BAA)

For eligible customers who require HIPAA-related contractual support, we may offer a Business Associate Agreement (BAA) that defines our obligations as a business associate under HIPAA. The BAA covers:

  • Permitted uses and disclosures of PHI
  • Safeguards we implement to protect PHI
  • Breach notification obligations and timelines
  • Return or destruction of PHI upon contract termination
  • Obligations for subcontractors who may access PHI

To request a BAA, contact compliance@getdemand.ai. BAAs may be available for eligible customers on Enterprise plans after use-case review.

3. Administrative Safeguards

  • Security officer: a designated security officer oversees HIPAA-related safeguards and security policies.
  • Workforce training: team members with access to customer data receive training on HIPAA requirements and data handling procedures.
  • Access management: access to systems containing customer data is granted on a least-privilege basis and reviewed quarterly.
  • Incident response: documented procedures for identifying, reporting, and mitigating security incidents involving PHI. Covered entities are notified within 60 days of a confirmed breach, as required by the HIPAA Breach Notification Rule.
  • Risk assessments: periodic risk assessments evaluate threats to the confidentiality, integrity, and availability of PHI.

4. Technical Safeguards

  • Encryption: TLS 1.3 for data in transit, AES-256 for data at rest. All database backups are encrypted.
  • Access controls: role-based access control (RBAC), multi-factor authentication available, and automatic session timeout.
  • Audit controls: logging of access to customer data, including who accessed what data and when.
  • Integrity controls: mechanisms to ensure data is not improperly altered or destroyed.
  • Transmission security: all API communications and data transfers use encrypted channels.

5. Physical Safeguards

GetDemand.ai operates as a cloud-based platform. Physical security is managed by our infrastructure providers:

  • AWS (via Vercel and Supabase): infrastructure providers publish their own security attestations (for example SOC reports and ISO certifications) and offer environments that can support HIPAA use cases depending on configuration and plan.
  • No on-premises servers: we do not maintain physical servers. All data is stored in cloud infrastructure with enterprise-grade physical security.

6. Subcontractor Obligations

Third-party service providers who may process PHI on our behalf are bound by agreements that include HIPAA-related data protection requirements where applicable:

  • Supabase: database and authentication provider; BAA availability depends on plan and configuration.
  • Vercel: hosting provider; enterprise offerings may support HIPAA use cases depending on plan and deployment design.
  • AI providers (OpenAI, Anthropic): API-based processing under zero-data-retention policies; data is not used for model training.

7. Your Responsibilities

As a covered entity or business associate using GetDemand.ai, you are responsible for:

  • Determining whether data you upload or process through the Platform constitutes PHI.
  • Requesting a BAA before processing PHI through the Platform.
  • Configuring access controls and permissions for your team members appropriately.
  • Reporting any suspected security incidents involving PHI to security@getdemand.ai.
  • Ensuring your own organization's HIPAA compliance policies are followed when using the Platform.

8. Limitations

GetDemand.ai is designed for B2B sales intelligence, not clinical healthcare workflows. The Platform should not be used as a primary system for storing, managing, or transmitting clinical health records, medical imaging, or patient treatment data. If your use case involves significant PHI processing, please contact us to discuss whether the Platform is appropriate for your needs.

9. Contact

For HIPAA-related inquiries, BAA requests, or to report a security concern:

  • Compliance: compliance@getdemand.ai
  • Security: security@getdemand.ai
  • General: contact@getdemand.ai