BBAA Atlas

Is Cloudflare HIPAA compliant?

CDN & network security · vendor site ↗

BAA on select plansPHI with conditionsSOC 2 Type II
Will Cloudflare sign a HIPAA BAA?
Sometimes — Cloudflare signs a HIPAA BAA only on specific plans or add-ons.
Cloudflare offers a HIPAA Business Associate Agreement but states it will only enter into BAAs with Enterprise customers, and the BAA is non-negotiable. Only services explicitly identified as covered in the executed BAA and order documents are in scope (e.g. CDN, WAF, Bot Management).
PHI eligibility
PHI may transit Cloudflare only for Enterprise customers who have executed a BAA, and only through the specific services named as covered in that BAA; ePHI should not be routed through Cloudflare without an executed Enterprise BAA covering the relevant services.
SOC 2
SOC 2 Type II
Trust center
cloudflare.com
Sub-processors
cloudflare.com
Notes
BAA is Enterprise-only and tied to specific covered services in the order/BAA. Cloudflare publishes a SOC 2 Type II report (Security, Confidentiality, Availability), available via dashboard under NDA; all plans now in scope.
Last verified 2026-05-31confidence: high· Vendor terms change — confirm directly with Cloudflare before storing PHI.

Get notified when this changes

We track Cloudflare's BAA and HIPAA status. Leave your email and we'll send one note if the verdict on this page changes.

One email per change. No newsletter, no selling your address.

How to request and sign a BAA with Cloudflare

Sometimes — Cloudflare signs a HIPAA BAA only on specific plans or add-ons.

Request routeSelf-serve — enable it in your account
  1. 1
    Get on a qualifying plan
    Cloudflare offers a HIPAA Business Associate Agreement but states it will only enter into BAAs with Enterprise customers, and the BAA is non-negotiable. Only services explicitly identified as covered in the executed BAA and order documents are in scope (e.g. CDN, WAF, Bot Management).
  2. 2
    Request the Business Associate Agreement
    Cloudflare lets you obtain the BAA without a sales call. Follow the path named in the plan requirement above — typically an in-product toggle or a billing / compliance settings page — then request and accept the agreement from your own account.
  3. 3
    Confirm what PHI is allowed before you store any
    PHI may transit Cloudflare only for Enterprise customers who have executed a BAA, and only through the specific services named as covered in that BAA; ePHI should not be routed through Cloudflare without an executed Enterprise BAA covering the relevant services. Match your configuration to this scope before putting protected health information into Cloudflare.
Last verified 2026-05-31 · Plan tiers and BAA terms change often — confirm the current process directly with Cloudflare before you rely on it. This is cited public information, not legal advice.

Frequently asked questions

Does Cloudflare sign a HIPAA Business Associate Agreement (BAA)?
Sometimes — Cloudflare signs a HIPAA BAA only on specific plans or add-ons. Cloudflare offers a HIPAA Business Associate Agreement but states it will only enter into BAAs with Enterprise customers, and the BAA is non-negotiable. Only services explicitly identified as covered in the executed BAA and order documents are in scope (e.g. CDN, WAF, Bot Management).
Is Cloudflare HIPAA compliant?
Cloudflare can be HIPAA-compliant only on the specific plans or add-ons where it will sign a Business Associate Agreement (BAA). PHI may transit Cloudflare only for Enterprise customers who have executed a BAA, and only through the specific services named as covered in that BAA; ePHI should not be routed through Cloudflare without an executed Enterprise BAA covering the relevant services.
Can you store PHI (protected health information) in Cloudflare?
PHI may transit Cloudflare only for Enterprise customers who have executed a BAA, and only through the specific services named as covered in that BAA; ePHI should not be routed through Cloudflare without an executed Enterprise BAA covering the relevant services.
Is Cloudflare SOC 2 certified?
Cloudflare reports a SOC 2 Type II attestation according to its public security documentation.
How do I request a HIPAA BAA from Cloudflare?
Cloudflare lets you obtain the BAA without a sales call. Follow the path named in the plan requirement above — typically an in-product toggle or a billing / compliance settings page — then request and accept the agreement from your own account. Confirm current terms directly with Cloudflare before storing PHI.
What plan do I need to sign a BAA with Cloudflare?
Cloudflare offers a HIPAA Business Associate Agreement but states it will only enter into BAAs with Enterprise customers, and the BAA is non-negotiable. Only services explicitly identified as covered in the executed BAA and order documents are in scope (e.g. CDN, WAF, Bot Management).

Sources

Cloudflare and US privacy law compliance
https://www.cloudflare.com/trust-hub/us-privacy-compliance/
Supports: Cloudflare will only enter into BAAs with Enterprise customers; consistent with HIPAA security requirements; no HHS HIPAA certification existsdated: undated
SOC 2 FAQs — Cloudflare
https://www.cloudflare.com/trust-hub/compliance-resources/soc-2/
Supports: Cloudflare has a SOC 2 Type II report (Security, Confidentiality, Availability); all plans in scopedated: undated
This page is cited public information, not legal or compliance advice. A BAA's availability can depend on your specific plan, region, and contract. Always confirm current terms with Cloudflare before processing protected health information.

Check another vendor

ActiveCampaignBAA on select plansAcuity SchedulingBAA on select plansAdobe Acrobat SignBAA on select plansAircallSigns a BAAAirtableBAA on select plansAmazon Web Services (AWS)Signs a BAA

See all HIPAA compliant cloud infrastructure & hosting
Browse all 105 vendors by category →