We don't claim "HIPAA compliant" because that phrase is overused and underdefined. Here's exactly where we stand, what we will sign, and what's on the roadmap.
Hash-only architecture means PHI in the file body is structurally impossible. Encryption at rest, TLS in transit, audit logs, identity-bound receipts, least-privilege access.
When you sign as an Enterprise customer with a healthcare use case, we sign a Business Associate Agreement and swap our default mailer for a HIPAA-eligible substitute on your tenant.
Third-party audit (HITRUST CSF or equivalent), formal Risk Assessment, Privacy + Security Officer designation, workforce training program. On the roadmap, will publish on completion.
HIPAA covers Protected Health Information (PHI). The most common HIPAA breach scenario in SaaS is a vendor that stores PHI in a database that gets exfiltrated, accessed by unauthorized staff, or leaked through a misconfiguration.
StampRight does not receive your files. Every stamp computes a SHA-256 hash in your browser before anything is sent to our servers. The file body — the actual patient record, X-ray, intake form — never leaves your device. We can't leak what we never had.
The hash itself is content-free: it's a fixed-length cryptographic fingerprint that cannot be reversed into the original content. By itself, a SHA-256 hash is not PHI.
The HIPAA risk surface is the metadata envelope — the structured fields you optionally include alongside the hash (parties, subject description, dates, identifiers). Customers in healthcare should follow the guidance below.
StampRight signs Business Associate Agreements with Enterprise customers whose use case requires it. The current process:
Timeline: typically 5–10 business days from request to executed BAA.
| Subprocessor | Role | BAA status |
|---|---|---|
| DigitalOcean (Droplet, Spaces) | Infrastructure hosting | ✓ BAA available |
| DigitalOcean Managed Postgres | Database (encrypted at rest, TLS) | ✓ BAA available |
| Clerk | Authentication / identity | ✓ Enterprise plan |
| Resend (default) | Transactional email | ✗ No BAA |
| Postmark / AWS SES (BAA tenants) | Substitute mailer for HIPAA tenants | ✓ BAA available |
| Stripe | Payments (no PHI flows here) | N/A — not a BAA in scope |
Until your BAA is executed, follow these practices to keep your StampRight usage HIPAA-defensible:
Posture today is one thing; an audited compliance certification is another. We are tracking toward:
We'll publish each milestone on the compliance page as it lands. No certifications are claimed until the underlying audit reports are signed.
You will not see StampRight describe itself as "HIPAA compliant" on its website, sales materials, or in conversations with prospects. The phrase is meaningless in isolation — HIPAA imposes obligations on covered entities and their business associates, not on software products in the abstract. We say "HIPAA-aligned posture with BAAs available" because that's what's actually true.
Email hello@stampright.com with subject line "BAA request" or "HIPAA question." Privacy-specific concerns: privacy@stampright.com.
Last updated: May 15, 2026. This page describes our current posture and is not a substitute for legal advice. Healthcare customers should consult their own compliance counsel before deploying any new system that processes PHI.