StampRight
Compliance · HIPAA

HIPAA, the honest version.

We don't claim "HIPAA compliant" because that phrase is overused and underdefined. Here's exactly where we stand, what we will sign, and what's on the roadmap.

HIPAA-aligned today

Hash-only architecture means PHI in the file body is structurally impossible. Encryption at rest, TLS in transit, audit logs, identity-bound receipts, least-privilege access.

BAAs available — Enterprise

When you sign as an Enterprise customer with a healthcare use case, we sign a Business Associate Agreement and swap our default mailer for a HIPAA-eligible substitute on your tenant.

Full HIPAA certification — Q4 2026

Third-party audit (HITRUST CSF or equivalent), formal Risk Assessment, Privacy + Security Officer designation, workforce training program. On the roadmap, will publish on completion.

Why the hash-only architecture is the most important fact

HIPAA covers Protected Health Information (PHI). The most common HIPAA breach scenario in SaaS is a vendor that stores PHI in a database that gets exfiltrated, accessed by unauthorized staff, or leaked through a misconfiguration.

StampRight does not receive your files. Every stamp computes a SHA-256 hash in your browser before anything is sent to our servers. The file body — the actual patient record, X-ray, intake form — never leaves your device. We can't leak what we never had.

The hash itself is content-free: it's a fixed-length cryptographic fingerprint that cannot be reversed into the original content. By itself, a SHA-256 hash is not PHI.

The HIPAA risk surface is the metadata envelope — the structured fields you optionally include alongside the hash (parties, subject description, dates, identifiers). Customers in healthcare should follow the guidance below.

What we will sign — and when

StampRight signs Business Associate Agreements with Enterprise customers whose use case requires it. The current process:

  1. Email hello@stampright.com with "BAA request — [your org]" in the subject. Include your covered-entity status and a brief description of the use case.
  2. We provision a HIPAA-segregated tenant: dedicated subprocessor stack with BAA-eligible substitutes for any default tool that doesn't sign BAAs (notably Resend → Postmark or AWS SES).
  3. We execute a mutual BAA based on the StampRight template (or yours, subject to review).
  4. You get an Enterprise contract with the BAA attached and signed-off subprocessor list.

Timeline: typically 5–10 business days from request to executed BAA.

Subprocessor status (HIPAA-relevant)

Subprocessor Role BAA status
DigitalOcean (Droplet, Spaces)Infrastructure hosting✓ BAA available
DigitalOcean Managed PostgresDatabase (encrypted at rest, TLS)✓ BAA available
ClerkAuthentication / identity✓ Enterprise plan
Resend (default)Transactional email✗ No BAA
Postmark / AWS SES (BAA tenants)Substitute mailer for HIPAA tenants✓ BAA available
StripePayments (no PHI flows here)N/A — not a BAA in scope

Guidance for healthcare customers

Until your BAA is executed, follow these practices to keep your StampRight usage HIPAA-defensible:

What we are working toward — the certification roadmap

Posture today is one thing; an audited compliance certification is another. We are tracking toward:

We'll publish each milestone on the compliance page as it lands. No certifications are claimed until the underlying audit reports are signed.

What we will not say

You will not see StampRight describe itself as "HIPAA compliant" on its website, sales materials, or in conversations with prospects. The phrase is meaningless in isolation — HIPAA imposes obligations on covered entities and their business associates, not on software products in the abstract. We say "HIPAA-aligned posture with BAAs available" because that's what's actually true.

Questions or BAA requests

Email hello@stampright.com with subject line "BAA request" or "HIPAA question." Privacy-specific concerns: privacy@stampright.com.

Last updated: May 15, 2026. This page describes our current posture and is not a substitute for legal advice. Healthcare customers should consult their own compliance counsel before deploying any new system that processes PHI.

Healthcare use case?
Let's talk about a BAA.

5–10 business days from request to executed BAA on Enterprise.

Request a BAA See all compliance