HIPAA, BAA, SOC 2, and Security Requests

Last updated: April 12, 2026

Customer-Facing Guide

What this article covers

This article gives the product/security basics customers often ask for. It is not legal advice and it is not a substitute for a formal compliance review.

High-level answers

  • Sendblue supports a BAA.

  • HIPAA traffic is handled in a separate environment.

  • Formal security/compliance materials can be routed through the appropriate Sendblue team.

HIPAA product basics

  • Treatment centers can proactively initiate conversations with patients; they do not have to wait for the patient to message first.

  • The requirement is that the customer has the appropriate consent for its use case.

Security / architecture basics

  • HIPAA data is stored separately from the main environment.

  • Engineer access is temporary, role-based, logged, and monitored.

  • Sendblue uses physical Apple devices; this is not Apple Business Chat.

  • The device environment is secured in a NYC data center with controlled physical access.

  • Message content for the HIPAA environment is retained there, encrypted at rest and in transit, and not logged in the main environment.

  • The BAA covers message content and metadata.

If you need formal materials

  • BAA request → route through your account owner.

  • SOC 2 report request → route through your account owner.

  • Security questionnaire → route through your account owner.

  • Formal legal/compliance interpretation → route through your account owner and/or legal advisor.

Important boundary

Sendblue can share product/security basics, but if you need a formal legal/compliance answer for a specific campaign or jurisdiction, that decision should be made with your legal advisor.