Is Retool HIPAA compliant?

Internal-tools platform

No BAA · PHI with conditions · SOC 2 Type II
Will Retool sign a HIPAA BAA?
No — Retool does not sign a HIPAA Business Associate Agreement (BAA).
Retool does not sign HIPAA Business Associate Agreements for Retool Cloud; staff state 'Retool is not a HIPAA Business Associate or subcontractor,' and the customer supplement says customers should not submit, collect, or use PHI on Retool Cloud. Customers needing PHI are directed to the self-hosted deployment, where data stays in the customer's own infrastructure and Retool personnel have no access.
PHI eligibility
No PHI on Retool Cloud (no BAA). PHI is only feasible via the self-hosted deployment, where data never reaches Retool's systems and no Retool BAA is implicated.
SOC 2
SOC 2 Type II
Sub-processors
Notes
Confirmed via a staff reply on Retool's official community forum and Retool's security docs. HIPAA compliance of a self-hosted deployment is entirely the customer's responsibility: Retool provides the software, not the safeguards around it.
Last verified 2026-05-31 · confidence: high · Vendor terms change — confirm directly with Retool before storing PHI.


How to request and sign a BAA with Retool

There is no BAA to request — Retool will not sign one. Retool does not sign HIPAA Business Associate Agreements for Retool Cloud; staff state 'Retool is not a HIPAA Business Associate or subcontractor,' and the customer supplement says customers should not submit, collect, or use PHI on Retool Cloud. Customers needing PHI are directed to the self-hosted deployment, where data stays in the customer's own infrastructure and Retool personnel have no access.


Last verified 2026-05-31 · Plan tiers and BAA terms change often — confirm the current process directly with Retool before you rely on it. This is cited public information, not legal advice.

Frequently asked questions

Does Retool sign a HIPAA Business Associate Agreement (BAA)?
No. Retool does not sign a BAA for Retool Cloud; staff state 'Retool is not a HIPAA Business Associate or subcontractor,' and the customer supplement says customers should not submit, collect, or use PHI on Retool Cloud. Customers needing PHI are directed to the self-hosted deployment.
Is Retool HIPAA compliant?
Retool Cloud is not HIPAA-ready: Retool does not sign a Business Associate Agreement (BAA), so protected health information (PHI) must not be submitted to, collected on, or used in Retool Cloud. PHI is only feasible via the self-hosted deployment, where data never reaches Retool's systems and no Retool BAA is implicated; the HIPAA compliance of that deployment is entirely the customer's responsibility.
Can you store PHI (protected health information) in Retool?
Not on Retool Cloud, where there is no BAA. PHI is only feasible via the self-hosted deployment, where data never reaches Retool's systems and no Retool BAA is implicated.
Is Retool SOC 2 certified?
Retool reports a SOC 2 Type II attestation according to its public security documentation.
How do I request a HIPAA BAA from Retool?
You can't. Retool does not sign a HIPAA Business Associate Agreement for Retool Cloud, and the customer supplement says customers should not submit, collect, or use PHI on Retool Cloud. Customers needing PHI are directed to the self-hosted deployment instead, where data stays in the customer's own infrastructure and Retool personnel have no access.
What plan do I need to sign a BAA with Retool?
No plan qualifies: Retool does not offer a BAA on any Retool Cloud plan, since Retool states it is not a HIPAA Business Associate or subcontractor. The only route for PHI is the self-hosted deployment, where data stays in the customer's own infrastructure and no Retool BAA is implicated.

Sources

https://community.retool.com/t/business-associate-agreement/28063
Supports: Retool staff: not a HIPAA Business Associate; no PHI on Cloud; self-hosted recommended · dated: 2023-11-07
https://docs.retool.com/legal/security
Supports: SOC 2 Type II alignment and the self-hosted security model · dated: 2025-07-30
This page is cited public information, not legal or compliance advice. A BAA's availability can depend on your specific plan, region, and contract. Always confirm current terms with Retool before processing protected health information.