Compliance

HIPAA & Business Associate Agreement

Tachova is built for healthcare workflows. Our platform is HIPAA-aligned, and we sign Business Associate Agreements with covered entities and qualifying business associates on paid plans.

Encryption

TLS 1.2+ in transit and AES-256 at rest for all provider records, attestations, and uploaded documents.

Least-privilege access

Row-level security on every record. Team members see only what their role and workspace permit.

Trusted subprocessors

Cloud hosting, payment, and identity providers are used under HIPAA-compliant agreements wherever PHI may touch them.

Audit logging

Read and write events on sensitive records are recorded and available to workspace owners on request.

What is a BAA, and do I need one?

A Business Associate Agreement (BAA) is required under HIPAA whenever a vendor creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a covered entity. If you are a clinician, group practice, or organization handling patient data and you store provider or patient-related information in Tachova, you should have a BAA in place with us.

How to request a BAA

Email compliance@tachova.com from your account email with the practice name and authorized signer. We countersign within two business days. BAAs are included at no additional cost on all Basic and Professional plans.

Scope of our role

Tachova acts as a business associate when handling PHI on your behalf inside the platform. We do not access, sell, or share PHI for our own purposes, and we do not use PHI to train models.

Subprocessors

We use a small set of vetted subprocessors for cloud hosting, payments, identity, and email delivery. Where any subprocessor may touch PHI, a BAA or equivalent safeguard is in place. A current list is available on request.

Security practices

Encryption in transit and at rest, role-based access controls, row-level security, audit logging, principle of least privilege for staff, secrets management, regular dependency review, and an incident response process. See the Security page for details.

Breach notification

In the event of a confirmed breach of unsecured PHI, we will notify affected customers without unreasonable delay and within the timeframes required by HIPAA.

Your responsibilities

You are responsible for who you invite to your workspace, the accuracy of the data you submit, how access is configured for your staff, and the use of strong, unique passwords with multi-factor authentication where available.

Need a signed BAA before purchasing? Email compliance@tachova.com and we'll get one over to you within two business days.