Adding HIPAA docs, removing deprecated migration plan (#11729)

PipedreamHQ · May 6, 2024 · 768243d · 768243d
1 parent 61d9867
commit 768243d
Show file tree

Hide file tree

Showing 7 changed files with 47 additions and 63 deletions.
diff --git a/docs-v2/pages/_meta.json b/docs-v2/pages/_meta.json
@@ -70,9 +70,6 @@
  }
  }
  },
- "workspaces-and-credits-faq": {
- "display": "children"
- },
  "abuse": {
  "display": "children"
  },

diff --git a/docs-v2/pages/privacy-and-security/_meta.json b/docs-v2/pages/privacy-and-security/_meta.json
@@ -1,5 +1,6 @@
 {
  "index": "Privacy and Security",
  "best-practices": "Security best-practices",
+ "hipaa": "HIPAA compliance",
  "pgp-key": "PGP key"
 }
diff --git a/docs-v2/pages/privacy-and-security/hipaa.mdx b/docs-v2/pages/privacy-and-security/hipaa.mdx
@@ -0,0 +1,38 @@
+# HIPAA compliance
+
+Pipedream can [sign Business Associate Addendums (BAAs)](#signing-a-business-associate-addendum) for covered entities or business associates intending to pass PHI to Pipedream. We can also provide a third-party SOC 2 report detailing our HIPAA-related controls.
+
+## HIPAA-eligible services
+
+- [Workflows](/workflows)
+- [Event sources](/sources)
+- [Data stores](/data-stores)
+- [Destinations](/destinations)
+
+### Ineligible services
+
+Any service not listed in the [HIPAA-eligible services](#hipaa-eligible-services) section is not eligible for use with PHI under HIPAA. Please reach out to [Pipedream support](https://pipedream.com/support) if you have questions about a specific service.
+
+The following services are explicitly not eligible for use with PHI under HIPAA.
+
+- [v1 workflows](/migrate-from-v1) 
+- [File stores](/file-stores)
+
+## Your obligations as a customer
+
+If you are a covered entity or business associate under HIPAA, you must ensure that [you have a BAA in place with Pipedream](#signing-a-business-associate-addendum) before passing PHI to Pipedream. 
+
+You must also ensure that you are using Pipedream in a manner that complies with HIPAA. This includes:
+
+- You may only use [HIPAA-eligible services](#hipaa-eligible-services) to process or store PHI
+- You may not include PHI in Pipedream resource names, like the names of projects or workflows
+
+## Signing a Business Associate Addendum
+
+Pipedream is considered a Business Associate under HIPAA regulations. If you are a Covered Entity or Business Associate under HIPAA, you must have a Business Associate Agreement (BAA) in place with Pipedream before passing PHI to Pipedream. This agreement is an addendum to our standard terms, and outlines your obligations as a customer and Pipedream's obligations as a Business Associate under HIPAA.
+
+Please request a BAA by visiting [https://pipedream.com/support](https://pipedream.com/support).
+
+## Requesting information on HIPAA controls
+
+Please request compliance reports from [https://pipedream.com/support](https://pipedream.com/support). Pipedream can provide a SOC 2 Type II report covering Security controls, and a SOC 2 Type I report for Confidentiality and Availability. In 2025, Pipedream plans to include Confidentiality and Availability controls in our standard Type II audit.
diff --git a/docs-v2/pages/privacy-and-security/index.mdx b/docs-v2/pages/privacy-and-security/index.mdx
@@ -46,6 +46,10 @@ When you [delete your account](/user-settings/#delete-account), Pipedream delete
 
 If you need to delete data on behalf of one of your users, you can delete the event data yourself in your workflow or event source (for example, by deleting the events, or by removing the data from data stores). Your customer event data is automatically deleted from Pipedream subprocessors.
 
+### HIPAA
+
+Pipedream can sign Business Associate Addendum (BAAs) for customers intending to pass PHI to Pipedream. We can also provide a third-party SOC 2 report detailing our HIPAA-related controls. See our [dedicated HIPAA docs](/privacy-and-security/hipaa) for more details.
+
 ## Hosting Details
 
 Pipedream is hosted on the [Amazon Web Services](https://aws.amazon.com/) (AWS) platform in the `us-east-1` region. The physical hardware powering Pipedream, and the data stored by our platform, is hosted in data centers controlled and secured by AWS. You can read more about AWS’s security practices and compliance certifications [here](https://aws.amazon.com/security/).

diff --git a/docs-v2/pages/workspaces-and-credits-faq/_meta.json b/docs-v2/pages/workspaces-and-credits-faq/_meta.json
diff --git a/docs-v2/pages/workspaces-and-credits-faq/index.mdx b/docs-v2/pages/workspaces-and-credits-faq/index.mdx
diff --git a/docs-v2/vercel.json b/docs-v2/vercel.json
@@ -261,6 +261,10 @@
  {
  "source": "/docs/workflows/built-in-functions",
  "destination": "/docs/workflows/flow-control"
+ },
+ {
+ "source": "/docs/workspaces-and-credits-faq",
+ "destination": "https://pipedream.com/pricing"
  }
  ]
 }