Is Shopify HIPAA compliant?

E-commerce platform

No BAA · Not for PHI
Will Shopify sign a HIPAA BAA?
No — Shopify does not sign a HIPAA Business Associate Agreement (BAA).
Shopify's Acceptable Use Policy lists 'uploading Protected Health Information subject to HIPAA' as a business activity not supported by the platform, and prohibits using the Services to collect, store, or process any PHI subject to HIPAA. Shopify does not offer a BAA for its core commerce platform.
PHI eligibility
Do not put PHI anywhere in Shopify (products, customer records, order notes, metafields, files). Health-adjacent retail without patient-linked health data is acceptable; anything touching PHI must be routed to a separate BAA-covered system.
SOC 2: Not publicly confirmed
Notes
Shopify's official AUP explicitly names PHI subject to HIPAA as an unsupported activity. SOC 2 not verified from a primary source, so marked unknown.
Last verified 2026-05-31 · confidence: high · Vendor terms change — confirm directly with Shopify before storing PHI.

How to request and sign a BAA with Shopify

There is no BAA to request — Shopify will not sign one. Shopify's Acceptable Use Policy lists 'uploading Protected Health Information subject to HIPAA' as a business activity not supported by the platform, and prohibits using the Services to collect, store, or process any PHI subject to HIPAA. Shopify does not offer a BAA for its core commerce platform.

Before you sign — watch for
  • A signed BAA here does NOT clear you to deliberately store PHI — the vendor still restricts intentional PHI collection or how it may be used. Confirm the exact scope.
Last verified 2026-05-31 · Plan tiers and BAA terms change often — confirm the current process directly with Shopify before you rely on it. This is cited public information, not legal advice.

Frequently asked questions

Does Shopify sign a HIPAA Business Associate Agreement (BAA)?
No — Shopify does not sign a HIPAA Business Associate Agreement (BAA). Shopify's Acceptable Use Policy lists 'uploading Protected Health Information subject to HIPAA' as a business activity not supported by the platform, and prohibits using the Services to collect, store, or process any PHI subject to HIPAA. Shopify does not offer a BAA for its core commerce platform.
Is Shopify HIPAA compliant?
Shopify is not HIPAA-ready: it does not sign a Business Associate Agreement (BAA), so you cannot use it to process protected health information (PHI). Do not put PHI anywhere in Shopify (products, customer records, order notes, metafields, files). Health-adjacent retail without patient-linked health data is acceptable; anything touching PHI must be routed to a separate BAA-covered system.
Can you store PHI (protected health information) in Shopify?
Do not put PHI anywhere in Shopify (products, customer records, order notes, metafields, files). Health-adjacent retail without patient-linked health data is acceptable; anything touching PHI must be routed to a separate BAA-covered system.
Is Shopify SOC 2 certified?
We could not confirm a public SOC 2 report for Shopify. SOC 2 is separate from a HIPAA BAA — confirm both directly with Shopify.
How do I request a HIPAA BAA from Shopify?
You can't — Shopify does not sign a HIPAA Business Associate Agreement. Shopify's Acceptable Use Policy lists 'uploading Protected Health Information subject to HIPAA' as a business activity not supported by the platform, and prohibits using the Services to collect, store, or process any PHI subject to HIPAA. Shopify does not offer a BAA for its core commerce platform.
What plan do I need to sign a BAA with Shopify?
Shopify does not offer a BAA on any plan, so no plan qualifies. Shopify's Acceptable Use Policy lists 'uploading Protected Health Information subject to HIPAA' as a business activity not supported by the platform, and prohibits using the Services to collect, store, or process any PHI subject to HIPAA. Shopify does not offer a BAA for its core commerce platform.

Sources

https://www.shopify.com/legal/aup
Supports: Lists uploading Protected Health Information subject to HIPAA as a business activity not supported by the Shopify platform · dated: undated
This page is cited public information, not legal or compliance advice. A BAA's availability can depend on your specific plan, region, and contract. Always confirm current terms with Shopify before processing protected health information.