Is Canva HIPAA compliant?
No BAANot for PHISOC 2 Type II
Will Canva sign a HIPAA BAA?
No — Canva does not sign a HIPAA Business Associate Agreement (BAA).
Canva's Trust & Security Portal lists SOC 2 Type 2, ISO/IEC 27001, PCI DSS, EU-US DPF, GDPR, CCPA and VPAT, but makes no mention of HIPAA or a Business Associate Agreement. Canva does not sign BAAs and is not positioned for PHI.
PHI eligibility
Use Canva only for non-PHI content (brand assets, de-identified visuals, general patient education without identifiers). Do not include patient names, person-linked clinical images, or any PHI in designs or comments.
SOC 2
SOC 2 Type II
Trust center
Sub-processors
—
Notes
Canva's own Trust & Security Portal confirms SOC 2 Type 2 and lists no HIPAA/BAA — strong indirect evidence of no BAA offering (absence from a published compliance list rather than an explicit refusal statement). Confidence medium for that reason.
Get notified when this changes
We track Canva's BAA and HIPAA status. Leave your email and we'll send one note if the verdict on this page changes.
How to request and sign a BAA with Canva
No — Canva does not sign a HIPAA Business Associate Agreement (BAA).
There is no BAA to request — Canva will not sign one. Canva's Trust & Security Portal lists SOC 2 Type 2, ISO/IEC 27001, PCI DSS, EU-US DPF, GDPR, CCPA and VPAT, but makes no mention of HIPAA or a Business Associate Agreement. Canva does not sign BAAs and is not positioned for PHI.
Need a vendor in this space that does? See which HIPAA compliant docs & collaboration tools sign a BAA →
Last verified 2026-05-31 · Plan tiers and BAA terms change often — confirm the current process directly with Canva before you rely on it. This is cited public information, not legal advice.
Frequently asked questions
Does Canva sign a HIPAA Business Associate Agreement (BAA)?
No — Canva does not sign a HIPAA Business Associate Agreement (BAA). Canva's Trust & Security Portal lists SOC 2 Type 2, ISO/IEC 27001, PCI DSS, EU-US DPF, GDPR, CCPA and VPAT, but makes no mention of HIPAA or a Business Associate Agreement. Canva does not sign BAAs and is not positioned for PHI.
Is Canva HIPAA compliant?
Canva is not HIPAA-ready: it does not sign a Business Associate Agreement (BAA), so you cannot use it to process protected health information (PHI). Use Canva only for non-PHI content (brand assets, de-identified visuals, general patient education without identifiers). Do not include patient names, person-linked clinical images, or any PHI in designs or comments.
Can you store PHI (protected health information) in Canva?
Use Canva only for non-PHI content (brand assets, de-identified visuals, general patient education without identifiers). Do not include patient names, person-linked clinical images, or any PHI in designs or comments.
Is Canva SOC 2 certified?
Canva reports a SOC 2 Type II attestation according to its public security documentation.
How do I request a HIPAA BAA from Canva?
You can't — Canva does not sign a HIPAA Business Associate Agreement. Canva's Trust & Security Portal lists SOC 2 Type 2, ISO/IEC 27001, PCI DSS, EU-US DPF, GDPR, CCPA and VPAT, but makes no mention of HIPAA or a Business Associate Agreement. Canva does not sign BAAs and is not positioned for PHI.
What plan do I need to sign a BAA with Canva?
Canva does not offer a BAA on any plan, so no plan qualifies. Canva's Trust & Security Portal lists SOC 2 Type 2, ISO/IEC 27001, PCI DSS, EU-US DPF, GDPR, CCPA and VPAT, but makes no mention of HIPAA or a Business Associate Agreement. Canva does not sign BAAs and is not positioned for PHI.
Sources
https://trust.canva.com/
This page is cited public information, not legal or compliance advice. A BAA's availability can depend on your specific plan, region, and contract. Always confirm current terms with Canva before processing protected health information.
Check another vendor
See all HIPAA compliant docs & collaboration tools →
Browse all 105 vendors by category →