BBAA Atlas

Is Customer.io HIPAA compliant?

Marketing automation · vendor site ↗

Signs a BAAPHI with conditionsSOC 2 Type II
Will Customer.io sign a HIPAA BAA?
Yes — Customer.io will sign a HIPAA Business Associate Agreement (BAA).
Customer.io's documentation states customers can request to execute a BAA with Customer.io and describes HIPAA-eligible messaging (e.g., HIPAA-eligible SMS). It is SOC 2 Type II and ISO 27001 certified. The docs recommend not transmitting PHI directly in message bodies, instead sending links to a secure portal where users log in to access health information.
PHI eligibility
PHI eligible under a signed BAA, but Customer.io advises keeping clinical PHI out of message bodies and pointing recipients to a secure portal; the BAA is arranged via a Customer.io rep rather than self-serve.
SOC 2
SOC 2 Type II
Trust center
customer.io
Sub-processors
Notes
Docs note HIPAA guidance was updated in 2025; the HIPAA standards page was last updated 2026-03-23. Plan-tier requirement is not stated publicly.
Last verified 2026-05-31confidence: high· Vendor terms change — confirm directly with Customer.io before storing PHI.

Get notified when this changes

We track Customer.io's BAA and HIPAA status. Leave your email and we'll send one note if the verdict on this page changes.

One email per change. No newsletter, no selling your address.

How to request and sign a BAA with Customer.io

Yes — Customer.io will sign a HIPAA Business Associate Agreement (BAA).

Request routeBy request — via trust center or support
  1. 1
    Confirm your account is covered
    Customer.io's documentation states customers can request to execute a BAA with Customer.io and describes HIPAA-eligible messaging (e.g., HIPAA-eligible SMS). It is SOC 2 Type II and ISO 27001 certified. The docs recommend not transmitting PHI directly in message bodies, instead sending links to a secure portal where users log in to access health information.
  2. 2
    Request the Business Associate Agreement
    Customer.io provides the BAA on request. Open a request through Customer.io's trust center and ask for the current Business Associate Agreement covering your plan.
  3. 3
    Confirm what PHI is allowed before you store any
    PHI eligible under a signed BAA, but Customer.io advises keeping clinical PHI out of message bodies and pointing recipients to a secure portal; the BAA is arranged via a Customer.io rep rather than self-serve. Match your configuration to this scope before putting protected health information into Customer.io.
Last verified 2026-05-31 · Plan tiers and BAA terms change often — confirm the current process directly with Customer.io before you rely on it. This is cited public information, not legal advice.

Frequently asked questions

Does Customer.io sign a HIPAA Business Associate Agreement (BAA)?
Yes — Customer.io will sign a HIPAA Business Associate Agreement (BAA). Customer.io's documentation states customers can request to execute a BAA with Customer.io and describes HIPAA-eligible messaging (e.g., HIPAA-eligible SMS). It is SOC 2 Type II and ISO 27001 certified. The docs recommend not transmitting PHI directly in message bodies, instead sending links to a secure portal where users log in to access health information.
Is Customer.io HIPAA compliant?
Customer.io can be used in a HIPAA-compliant way: it signs a Business Associate Agreement (BAA), which HIPAA requires before you process PHI with a vendor. PHI eligible under a signed BAA, but Customer.io advises keeping clinical PHI out of message bodies and pointing recipients to a secure portal; the BAA is arranged via a Customer.io rep rather than self-serve.
Can you store PHI (protected health information) in Customer.io?
PHI eligible under a signed BAA, but Customer.io advises keeping clinical PHI out of message bodies and pointing recipients to a secure portal; the BAA is arranged via a Customer.io rep rather than self-serve.
Is Customer.io SOC 2 certified?
Customer.io reports a SOC 2 Type II attestation according to its public security documentation.
How do I request a HIPAA BAA from Customer.io?
Customer.io provides the BAA on request. Open a request through Customer.io's trust center and ask for the current Business Associate Agreement covering your plan. Confirm current terms directly with Customer.io before storing PHI.
What plan do I need to sign a BAA with Customer.io?
Customer.io's documentation states customers can request to execute a BAA with Customer.io and describes HIPAA-eligible messaging (e.g., HIPAA-eligible SMS). It is SOC 2 Type II and ISO 27001 certified. The docs recommend not transmitting PHI directly in message bodies, instead sending links to a secure portal where users log in to access health information.

Sources

HIPAA compliance and privacy regulations | Customer.io Docs
https://docs.customer.io/journeys/hipaa-standards/
Supports: Customer.io will execute a BAA; recommends portal links instead of PHI in messagesdated: 2026-03-23
Customer.io Security Qualifications | Customer.io Docs
https://docs.customer.io/accounts-and-workspaces/security-certifications/
Supports: SOC 2 Type II and ISO 27001 certificationsdated: undated
This page is cited public information, not legal or compliance advice. A BAA's availability can depend on your specific plan, region, and contract. Always confirm current terms with Customer.io before processing protected health information.

Check another vendor

ActiveCampaignBAA on select plansKlaviyoNo BAAAcuity SchedulingBAA on select plansAdobe Acrobat SignBAA on select plansAircallSigns a BAAAirtableBAA on select plans

See all HIPAA compliant email marketing & automation
Browse all 105 vendors by category →