No — Hotjar does not sign a HIPAA Business Associate Agreement (BAA).
Hotjar does not offer or sign a HIPAA Business Associate Agreement on any plan and does not include HIPAA in its compliance commitments; its published set is GDPR, CCPA, LGPD, PCI-DSS, and SOC 2 Type II. Because Hotjar captures session recordings and behavioral data, it can inadvertently collect PHI on healthcare sites, which makes the absence of a BAA a material risk.
PHI eligibility
Do not deploy Hotjar on pages that could capture PHI; with no BAA available it cannot be used in a HIPAA-compliant way.
Verdict rests on Hotjar's own compliance listing omitting HIPAA plus consistent third-party reporting; Hotjar publishes no BAA. Confidence is medium pending an explicit first-party 'no BAA' statement.
Last verified 2026-05-31 · confidence: medium · Vendor terms change — confirm directly with Hotjar before storing PHI.
How to request and sign a BAA with Hotjar
There is no BAA to request — Hotjar will not sign one. Hotjar does not offer or sign a HIPAA Business Associate Agreement on any plan and does not include HIPAA in its compliance commitments; its published set is GDPR, CCPA, LGPD, PCI-DSS, and SOC 2 Type II. Because Hotjar captures session recordings and behavioral data, it can inadvertently collect PHI on healthcare sites, which makes the absence of a BAA a material risk.
A signed BAA here does NOT clear you to deliberately store PHI — the vendor still restricts intentional PHI collection or how it may be used. Confirm the exact scope.
Last verified 2026-05-31 · Plan tiers and BAA terms change often — confirm the current process directly with Hotjar before you rely on it. This is cited public information, not legal advice.
Frequently asked questions
Does Hotjar sign a HIPAA Business Associate Agreement (BAA)?
No — Hotjar does not sign a HIPAA Business Associate Agreement (BAA). Hotjar does not offer or sign a HIPAA Business Associate Agreement on any plan and does not include HIPAA in its compliance commitments; its published set is GDPR, CCPA, LGPD, PCI-DSS, and SOC 2 Type II. Because Hotjar captures session recordings and behavioral data, it can inadvertently collect PHI on healthcare sites, which makes the absence of a BAA a material risk.
Is Hotjar HIPAA compliant?
Hotjar is not HIPAA-ready: it does not sign a Business Associate Agreement (BAA), so you cannot use it to process protected health information (PHI). Do not deploy Hotjar on pages that could capture PHI; with no BAA available it cannot be used in a HIPAA-compliant way.
Can you store PHI (protected health information) in Hotjar?
Do not deploy Hotjar on pages that could capture PHI; with no BAA available it cannot be used in a HIPAA-compliant way.
Is Hotjar SOC 2 certified?
Hotjar reports a SOC 2 Type II attestation according to its public security documentation.
How do I request a HIPAA BAA from Hotjar?
You can't — Hotjar does not sign a HIPAA Business Associate Agreement. Hotjar does not offer or sign a HIPAA Business Associate Agreement on any plan and does not include HIPAA in its compliance commitments; its published set is GDPR, CCPA, LGPD, PCI-DSS, and SOC 2 Type II. Because Hotjar captures session recordings and behavioral data, it can inadvertently collect PHI on healthcare sites, which makes the absence of a BAA a material risk.
What plan do I need to sign a BAA with Hotjar?
Hotjar does not offer a BAA on any plan, so no plan qualifies. Hotjar does not offer or sign a HIPAA Business Associate Agreement on any plan and does not include HIPAA in its compliance commitments; its published set is GDPR, CCPA, LGPD, PCI-DSS, and SOC 2 Type II. Because Hotjar captures session recordings and behavioral data, it can inadvertently collect PHI on healthcare sites, which makes the absence of a BAA a material risk.
Supports: Corroborates no BAA / not HIPAA compliant · dated: undated
This page is cited public information, not legal or compliance advice. A BAA's availability can depend on your specific plan, region, and contract. Always confirm current terms with Hotjar before processing protected health information.