Is DigitalOcean HIPAA compliant?

Cloud infrastructure

BAA on select plans · PHI with conditions · SOC 2 Type II
Will DigitalOcean sign a HIPAA BAA?
Sometimes — DigitalOcean signs a HIPAA BAA only on specific plans or add-ons.
DigitalOcean presents a standard (generally non-negotiable) BAA. To run HIPAA workloads, customers must execute the BAA AND subscribe to Standard or Premium Support, and restrict ePHI to designated Covered Products (Droplets, Kubernetes, Spaces, Volumes, Load Balancers, Firewalls, VPC, Monitoring, Backups/Snapshots).
PHI eligibility
ePHI may only be processed, stored, or transmitted on DigitalOcean Covered Products, and only after executing the BAA and purchasing Standard or Premium Support.
SOC 2
SOC 2 Type II
Sub-processors
Notes
HIPAA eligibility is recent (select Covered Products). A paid Standard/Premium Support plan is a hard prerequisite alongside the BAA. SOC 2 Type II confirmed on DigitalOcean's certification-reports page (Schellman auditor).
Last verified 2026-05-31 · confidence: high · Vendor terms change — confirm directly with DigitalOcean before storing PHI.

How to request and sign a BAA with DigitalOcean

Sometimes — DigitalOcean signs a HIPAA BAA only on specific plans or add-ons.

Request route: By request — via trust center or support
  1. Get on a qualifying plan
     DigitalOcean presents a standard (generally non-negotiable) BAA. To run HIPAA workloads, customers must execute the BAA AND subscribe to Standard or Premium Support, and restrict ePHI to designated Covered Products (Droplets, Kubernetes, Spaces, Volumes, Load Balancers, Firewalls, VPC, Monitoring, Backups/Snapshots).
  2. Request the Business Associate Agreement
     DigitalOcean provides the BAA on request. Open a request through DigitalOcean's trust center and ask for the current Business Associate Agreement covering your plan.
  3. Confirm what PHI is allowed before you store any
     ePHI may only be processed, stored, or transmitted on DigitalOcean Covered Products, and only after executing the BAA and purchasing Standard or Premium Support. Match your configuration to this scope before putting protected health information into DigitalOcean.
Last verified 2026-05-31 · Plan tiers and BAA terms change often — confirm the current process directly with DigitalOcean before you rely on it. This is cited public information, not legal advice.

Frequently asked questions

Does DigitalOcean sign a HIPAA Business Associate Agreement (BAA)?
Sometimes — DigitalOcean signs a HIPAA BAA only on specific plans or add-ons. DigitalOcean presents a standard (generally non-negotiable) BAA. To run HIPAA workloads, customers must execute the BAA AND subscribe to Standard or Premium Support, and restrict ePHI to designated Covered Products (Droplets, Kubernetes, Spaces, Volumes, Load Balancers, Firewalls, VPC, Monitoring, Backups/Snapshots).
Is DigitalOcean HIPAA compliant?
DigitalOcean can be HIPAA-compliant only on the specific plans or add-ons where it will sign a Business Associate Agreement (BAA). ePHI may only be processed, stored, or transmitted on DigitalOcean Covered Products, and only after executing the BAA and purchasing Standard or Premium Support.
Can you store PHI (protected health information) in DigitalOcean?
ePHI may only be processed, stored, or transmitted on DigitalOcean Covered Products, and only after executing the BAA and purchasing Standard or Premium Support.
Is DigitalOcean SOC 2 certified?
DigitalOcean reports a SOC 2 Type II attestation according to its public security documentation.
How do I request a HIPAA BAA from DigitalOcean?
DigitalOcean provides the BAA on request. Open a request through DigitalOcean's trust center and ask for the current Business Associate Agreement covering your plan. Confirm current terms directly with DigitalOcean before storing PHI.
What plan do I need to sign a BAA with DigitalOcean?
DigitalOcean presents a standard (generally non-negotiable) BAA. To run HIPAA workloads, customers must execute the BAA AND subscribe to Standard or Premium Support, and restrict ePHI to designated Covered Products (Droplets, Kubernetes, Spaces, Volumes, Load Balancers, Firewalls, VPC, Monitoring, Backups/Snapshots).

Sources

https://www.digitalocean.com/trust/hipaa-at-do
Supports: DigitalOcean signs a standard BAA; ePHI restricted to Covered Products; Standard/Premium Support required; request via Customer Success or Sales · dated: undated
https://www.digitalocean.com/trust/certification-reports
Supports: DigitalOcean maintains SOC 2 Type II and SOC 3 Type II (Schellman & Company) · dated: undated
This page is cited public information, not legal or compliance advice. A BAA's availability can depend on your specific plan, region, and contract. Always confirm current terms with DigitalOcean before processing protected health information.
