BBAA Atlas

Is Auth0 HIPAA compliant?

Authentication & identity · vendor site ↗

BAA on select plansPHI with conditions
Will Auth0 sign a HIPAA BAA?
Sometimes — Auth0 signs a HIPAA BAA only on specific plans or add-ons.
Auth0 (owned by Okta) identifies itself as a Business Associate under HIPAA / HITECH and states in its docs that 'Auth0 can provide its Business Associate Agreement to you upon request.' HIPAA-aligned use is gated to eligible Enterprise subscriptions and explicitly excludes Azure deployments. A signed BAA is mandatory before any ePHI touches the service.
PHI eligibility
ePHI may be processed only under a signed BAA on an eligible Enterprise plan (not on Azure deployments); minimize PHI carried in user profiles and tokens.
SOC 2
Not publicly confirmed
Trust center
auth0.com
Sub-processors
Notes
Auth0 docs state HIPAA compliance is not available on Azure deployments and the BAA is provided on request to eligible Enterprise customers.
Last verified 2026-05-31confidence: high· Vendor terms change — confirm directly with Auth0 before storing PHI.

Get notified when this changes

We track Auth0's BAA and HIPAA status. Leave your email and we'll send one note if the verdict on this page changes.

One email per change. No newsletter, no selling your address.

How to request and sign a BAA with Auth0

Sometimes — Auth0 signs a HIPAA BAA only on specific plans or add-ons.

Request routeBy request — via trust center or support
  1. 1
    Get on a qualifying plan
    Auth0 (owned by Okta) identifies itself as a Business Associate under HIPAA / HITECH and states in its docs that 'Auth0 can provide its Business Associate Agreement to you upon request.' HIPAA-aligned use is gated to eligible Enterprise subscriptions and explicitly excludes Azure deployments. A signed BAA is mandatory before any ePHI touches the service.
  2. 2
    Request the Business Associate Agreement
    Auth0 provides the BAA on request. Open a request through Auth0's trust center and ask for the current Business Associate Agreement covering your plan.
  3. 3
    Confirm what PHI is allowed before you store any
    ePHI may be processed only under a signed BAA on an eligible Enterprise plan (not on Azure deployments); minimize PHI carried in user profiles and tokens. Match your configuration to this scope before putting protected health information into Auth0.
Last verified 2026-05-31 · Plan tiers and BAA terms change often — confirm the current process directly with Auth0 before you rely on it. This is cited public information, not legal advice.

Frequently asked questions

Does Auth0 sign a HIPAA Business Associate Agreement (BAA)?
Sometimes — Auth0 signs a HIPAA BAA only on specific plans or add-ons. Auth0 (owned by Okta) identifies itself as a Business Associate under HIPAA / HITECH and states in its docs that 'Auth0 can provide its Business Associate Agreement to you upon request.' HIPAA-aligned use is gated to eligible Enterprise subscriptions and explicitly excludes Azure deployments. A signed BAA is mandatory before any ePHI touches the service.
Is Auth0 HIPAA compliant?
Auth0 can be HIPAA-compliant only on the specific plans or add-ons where it will sign a Business Associate Agreement (BAA). ePHI may be processed only under a signed BAA on an eligible Enterprise plan (not on Azure deployments); minimize PHI carried in user profiles and tokens.
Can you store PHI (protected health information) in Auth0?
ePHI may be processed only under a signed BAA on an eligible Enterprise plan (not on Azure deployments); minimize PHI carried in user profiles and tokens.
Is Auth0 SOC 2 certified?
We could not confirm a public SOC 2 report for Auth0. SOC 2 is separate from a HIPAA BAA — confirm both directly with Auth0.
How do I request a HIPAA BAA from Auth0?
Auth0 provides the BAA on request. Open a request through Auth0's trust center and ask for the current Business Associate Agreement covering your plan. Confirm current terms directly with Auth0 before storing PHI.
What plan do I need to sign a BAA with Auth0?
Auth0 (owned by Okta) identifies itself as a Business Associate under HIPAA / HITECH and states in its docs that 'Auth0 can provide its Business Associate Agreement to you upon request.' HIPAA-aligned use is gated to eligible Enterprise subscriptions and explicitly excludes Azure deployments. A signed BAA is mandatory before any ePHI touches the service.

Sources

Data Privacy and Compliance — Auth0 Docs
https://auth0.com/docs/secure/data-privacy-and-compliance
Supports: Auth0's statement that it is a Business Associate and provides its BAA on request; HIPAA not available on Azure deploymentsdated: undated
This page is cited public information, not legal or compliance advice. A BAA's availability can depend on your specific plan, region, and contract. Always confirm current terms with Auth0 before processing protected health information.

Check another vendor

ActiveCampaignBAA on select plansAcuity SchedulingBAA on select plansAdobe Acrobat SignBAA on select plansAircallSigns a BAAAirtableBAA on select plansAmazon Web Services (AWS)Signs a BAA

See all HIPAA compliant identity & SSO providers
Browse all 105 vendors by category →