Business Associate Agreement (BAA)
A Business Associate Agreement (BAA) is the contract HIPAA requires (45 CFR §164.502(e) and §164.504(e)) between a Covered Entity (or an upstream Business Associate) and any vendor, the "Business Associate", that creates, receives, maintains, or transmits Protected Health Information (PHI) on the Covered Entity's behalf. Without an executed BAA, a Covered Entity may not disclose PHI to the vendor at all.
Does Mabble require a BAA?
Yes. If your organization is a HIPAA Covered Entity or Business Associate, and you use Mabble Helix to store, process, or transmit PHI, you must execute a BAA with Mabble before going live with PHI data.
Mabble Helix is designed and operated to meet the HIPAA Security Rule's administrative, physical, and technical safeguard requirements. A signed BAA is part of the baseline agreement for any tenant whose use case involves PHI. Note that the BAA allocates responsibilities between the parties; it does not transfer your own obligations as a Covered Entity or Business Associate, and you remain responsible for configuring and using your tenant in a compliant way.
How to execute a BAA
- Contact Mabble at legal@mabble.ai to initiate the BAA process.
- Mabble will provide the standard BAA template for your legal team to review.
- Once both parties sign, the BAA is effective and you may begin processing PHI in your Helix tenant.
BAA execution is typically completed within 1–3 business days for standard terms.
What the Mabble BAA covers
The Mabble BAA implements the required contract provisions of 45 CFR §164.504(e) together with the Security Rule's business associate contract requirements at §164.314(a) (compliance with Subpart C, reporting of security incidents, and flow-down of obligations to subcontractors). Key provisions:
- Permitted uses: Helix may use PHI only to perform services under your Underlying Agreement (store, encrypt, audit, return PHI). PHI is never sold, used for marketing, or disclosed to third parties beyond what is necessary.
- Safeguards: Helix implements administrative, physical, and technical safeguards consistent with the HIPAA Security Rule, including envelope encryption (BYOK KMS), row-level security, immutable audit logging, and access controls.
- Subprocessors: A current list of Helix subprocessors is maintained in the operator console and available upon request. Mabble provides 30-day advance notice of material subprocessor changes.
- Breach notification: Helix will notify the Covered Entity of a suspected or confirmed breach of unsecured PHI within 72 hours of discovery. This is a contractual commitment that is stricter than the statutory outer limit in HIPAA's Breach Notification Rule (45 CFR §164.410), which requires Business Associates to notify without unreasonable delay and in no case later than 60 calendar days after discovery. A breach is treated as discovered on the first day it is known, or by exercising reasonable diligence would have been known, to Helix.
- Individual rights support: Helix's Privacy Center (DSAR workflow, privacy notice) provides the technical infrastructure to support your obligations under §164.524 (access), §164.526 (amendment), and §164.528 (accounting of disclosures).
- Termination: On termination of the Underlying Agreement, Helix will return or destroy PHI per your instruction, consistent with §164.504(e)(2)(ii)(J). Where return or destruction is infeasible (for example, PHI retained in immutable audit records), the BAA extends its protections to that PHI and limits further use and disclosure to the purposes that make return or destruction infeasible, as that section requires.
Sub-processor disclosure
Mabble uses third-party subprocessors to operate the Helix platform. Current subprocessors include services for cloud infrastructure (AWS), transactional email, and error monitoring. The full list is available to tenants in the operator console under Settings > Compliance > Sub-processors.
Material additions to the subprocessor list are announced at least 30 days in advance. Tenants may object in writing within that window.
GDPR Data Processing Agreement (DPA)
For tenants processing personal data of EU/EEA data subjects, a separate Data Processing Agreement (DPA) is required under GDPR Art.28. Contact legal@mabble.ai to request the DPA template. Standard Contractual Clauses (SCCs) are available for international data transfers.
BAA template version
The Mabble BAA template is versioned. The current version was last updated 2026-05-12. Tenants who executed a previous version will be notified of material changes and given the opportunity to review updated terms.
Contact
For BAA or DPA inquiries: legal@mabble.ai
For compliance questions: compliance@mabble.ai
For security questions: security@mabble.ai