Is Webflow HIPAA compliant?

Website builder & CMS

No BAA · Not for PHI · SOC 2 Type II
Will Webflow sign a HIPAA BAA?
No — Webflow does not sign a HIPAA Business Associate Agreement (BAA).
Webflow's security page states plainly that 'Webflow is not HIPAA compliant by default and is not designed to store or process protected health information.' The page makes no offer of a Business Associate Agreement and notes most marketing / informational sites fall outside HIPAA; for regulated use cases it suggests pairing Webflow with a separate compliant backend. Webflow holds SOC 2 Type II, ISO 27001/27017/27018, and PCI-DSS, but no BAA.
PHI eligibility
Do not store PHI in Webflow; it is suitable only for public, non-PHI marketing and informational content, and any PHI collection requires a separate HIPAA-compliant tool.
SOC 2
SOC 2 Type II
Notes
No BAA on any plan, including Enterprise. Third-party HIPAA form tools are common workarounds but are separate vendors.
Last verified 2026-05-31 · confidence: high · Vendor terms change — confirm directly with Webflow before storing PHI.

How to request and sign a BAA with Webflow

No — Webflow does not sign a HIPAA Business Associate Agreement (BAA).

There is no BAA to request — Webflow will not sign one. Webflow's security page states plainly that 'Webflow is not HIPAA compliant by default and is not designed to store or process protected health information.' The page makes no offer of a Business Associate Agreement and notes most marketing / informational sites fall outside HIPAA; for regulated use cases it suggests pairing Webflow with a separate compliant backend. Webflow holds SOC 2 Type II, ISO 27001/27017/27018, and PCI-DSS, but no BAA.

Last verified 2026-05-31 · Plan tiers and BAA terms change often — confirm the current process directly with Webflow before you rely on it. This is cited public information, not legal advice.

Frequently asked questions

Does Webflow sign a HIPAA Business Associate Agreement (BAA)?
No — Webflow does not sign a HIPAA Business Associate Agreement (BAA). Webflow's security page states plainly that 'Webflow is not HIPAA compliant by default and is not designed to store or process protected health information.' The page makes no offer of a Business Associate Agreement and notes most marketing / informational sites fall outside HIPAA; for regulated use cases it suggests pairing Webflow with a separate compliant backend. Webflow holds SOC 2 Type II, ISO 27001/27017/27018, and PCI-DSS, but no BAA.
Is Webflow HIPAA compliant?
Webflow is not HIPAA-ready: it does not sign a Business Associate Agreement (BAA), so you cannot use it to process protected health information (PHI). Do not store PHI in Webflow; it is suitable only for public, non-PHI marketing and informational content, and any PHI collection requires a separate HIPAA-compliant tool.
Can you store PHI (protected health information) in Webflow?
Do not store PHI in Webflow; it is suitable only for public, non-PHI marketing and informational content, and any PHI collection requires a separate HIPAA-compliant tool.
Is Webflow SOC 2 certified?
Webflow reports a SOC 2 Type II attestation according to its public security documentation.
How do I request a HIPAA BAA from Webflow?
You can't — Webflow does not sign a HIPAA Business Associate Agreement. Webflow's security page states plainly that 'Webflow is not HIPAA compliant by default and is not designed to store or process protected health information.' The page makes no offer of a Business Associate Agreement and notes most marketing / informational sites fall outside HIPAA; for regulated use cases it suggests pairing Webflow with a separate compliant backend. Webflow holds SOC 2 Type II, ISO 27001/27017/27018, and PCI-DSS, but no BAA.
What plan do I need to sign a BAA with Webflow?
Webflow does not offer a BAA on any plan, so no plan qualifies. Webflow's security page states plainly that 'Webflow is not HIPAA compliant by default and is not designed to store or process protected health information.' The page makes no offer of a Business Associate Agreement and notes most marketing / informational sites fall outside HIPAA; for regulated use cases it suggests pairing Webflow with a separate compliant backend. Webflow holds SOC 2 Type II, ISO 27001/27017/27018, and PCI-DSS, but no BAA.

Sources

https://webflow.com/security
Supports: First-party statement that Webflow is not HIPAA compliant and not designed to store / process PHI; lists SOC 2 Type II and ISO certifications, no BAA · dated: undated
This page is cited public information, not legal or compliance advice. A BAA's availability can depend on your specific plan, region, and contract. Always confirm current terms with Webflow before processing protected health information.
