BBAA Atlas

Is PostHog HIPAA compliant?

Product analytics · vendor site ↗

BAA on select plansPHI eligible
Will PostHog sign a HIPAA BAA?
Sometimes — PostHog signs a HIPAA BAA only on specific plans or add-ons.
PostHog signs a BAA, but only for PostHog Cloud customers on the Boost, Scale or Enterprise package; a standard BAA is self-serve via PostHog's BAA generator, while custom BAAs require the Enterprise package. Self-hosted/Hobby is not recommended for HIPAA.
PHI eligibility
PHI may be stored/processed in PostHog Cloud (product analytics, session replay, feature flags, experiments) under a signed BAA; anonymizing data is offered as an alternative to a BAA.
SOC 2
Not publicly confirmed
Trust center
posthog.com
Sub-processors
Notes
BAA is gated to the Boost/Scale/Enterprise packages on PostHog Cloud.
Last verified 2026-05-31confidence: high· Vendor terms change — confirm directly with PostHog before storing PHI.

Get notified when this changes

We track PostHog's BAA and HIPAA status. Leave your email and we'll send one note if the verdict on this page changes.

One email per change. No newsletter, no selling your address.

How to request and sign a BAA with PostHog

Sometimes — PostHog signs a HIPAA BAA only on specific plans or add-ons.

Request routeSelf-serve — enable it in your account
  1. 1
    Get on a qualifying plan
    PostHog signs a BAA, but only for PostHog Cloud customers on the Boost, Scale or Enterprise package; a standard BAA is self-serve via PostHog's BAA generator, while custom BAAs require the Enterprise package. Self-hosted/Hobby is not recommended for HIPAA.
  2. 2
    Request the Business Associate Agreement
    PostHog lets you obtain the BAA without a sales call. Follow the path named in the plan requirement above — typically an in-product toggle or a billing / compliance settings page — then request and accept the agreement from your own account.
  3. 3
    Confirm what PHI is allowed before you store any
    PHI may be stored/processed in PostHog Cloud (product analytics, session replay, feature flags, experiments) under a signed BAA; anonymizing data is offered as an alternative to a BAA. Match your configuration to this scope before putting protected health information into PostHog.
Last verified 2026-05-31 · Plan tiers and BAA terms change often — confirm the current process directly with PostHog before you rely on it. This is cited public information, not legal advice.

Frequently asked questions

Does PostHog sign a HIPAA Business Associate Agreement (BAA)?
Sometimes — PostHog signs a HIPAA BAA only on specific plans or add-ons. PostHog signs a BAA, but only for PostHog Cloud customers on the Boost, Scale or Enterprise package; a standard BAA is self-serve via PostHog's BAA generator, while custom BAAs require the Enterprise package. Self-hosted/Hobby is not recommended for HIPAA.
Is PostHog HIPAA compliant?
PostHog can be HIPAA-compliant only on the specific plans or add-ons where it will sign a Business Associate Agreement (BAA). PHI may be stored/processed in PostHog Cloud (product analytics, session replay, feature flags, experiments) under a signed BAA; anonymizing data is offered as an alternative to a BAA.
Can you store PHI (protected health information) in PostHog?
PHI may be stored/processed in PostHog Cloud (product analytics, session replay, feature flags, experiments) under a signed BAA; anonymizing data is offered as an alternative to a BAA.
Is PostHog SOC 2 certified?
We could not confirm a public SOC 2 report for PostHog. SOC 2 is separate from a HIPAA BAA — confirm both directly with PostHog.
How do I request a HIPAA BAA from PostHog?
PostHog lets you obtain the BAA without a sales call. Follow the path named in the plan requirement above — typically an in-product toggle or a billing / compliance settings page — then request and accept the agreement from your own account. Confirm current terms directly with PostHog before storing PHI.
What plan do I need to sign a BAA with PostHog?
PostHog signs a BAA, but only for PostHog Cloud customers on the Boost, Scale or Enterprise package; a standard BAA is self-serve via PostHog's BAA generator, while custom BAAs require the Enterprise package. Self-hosted/Hobby is not recommended for HIPAA.

Sources

PostHog & HIPAA compliance — Docs
https://posthog.com/docs/privacy/hipaa-compliance
Supports: BAA offered on Boost/Scale/Enterprise; PHI eligible under BAAdated: undated
BAA — PostHog
https://posthog.com/baa
Supports: PostHog will sign a BAA on requestdated: undated
This page is cited public information, not legal or compliance advice. A BAA's availability can depend on your specific plan, region, and contract. Always confirm current terms with PostHog before processing protected health information.

Check another vendor

AmplitudeSigns a BAAMixpanelBAA on select plansActiveCampaignBAA on select plansAcuity SchedulingBAA on select plansAdobe Acrobat SignBAA on select plansAircallSigns a BAA

See all HIPAA compliant product & web analytics
Browse all 105 vendors by category →