Business Associate Agreement
Last updated: 2026-04-27
WAVE Online, LLC offers a Business Associate Agreement (BAA) under the Health Insurance Portability and Accountability Act (HIPAA) and the HITECH Act for Customers who are Covered Entities or Business Associates and who require HIPAA-tier service.
How to obtain a BAA
BAAs are activated on a per-Customer basis. To request execution:
- Email [email protected] with the subject “BAA Request” and your organization name.
- Receive the BAA template (under NDA) for your review.
- Execute via DocuSign or counter-sign and return.
- Once executed, your account is configured for HIPAA-eligible processing — including BAA-only subprocessor routing (Anthropic BAA, Twilio ConversationRelay BAA where applicable, Supabase BAA).
Scope summary (full terms available under NDA)
- Permitted uses and disclosures: WAVE will use or disclose Protected Health Information (PHI) only as permitted by the BAA or the underlying Master Subscription Agreement, or as required by law.
- Safeguards: WAVE implements administrative, physical, and technical safeguards required by 45 C.F.R. §§ 164.308, 164.310, and 164.312.
- Security incident reporting: WAVE notifies Customer of Successful Security Incidents within 24 hours; for Breaches of Unsecured PHI, within 48 hours of discovery.
- Subcontractors: WAVE flows down BAA terms to all Subcontractors who handle PHI; the BAA-eligible subprocessor list is provided as Attachment A to the executed BAA.
- Data return / destruction: Within 60 days of termination, WAVE returns or destroys all PHI in its possession, subject to obligations to retain PHI to comply with law.
- Liability cap carve-out: The Master Subscription Agreement's limitation of liability does not cap damages arising from breach of HIPAA obligations, consistent with HHS guidance.
Eligible service tiers
BAAs are available on Enterprise tier and above. Free, Starter, Launch, Scale, and Volume tiers do not include HIPAA features by default — contact [email protected] to discuss upgrade options.
Out-of-scope features
Some platform features are not BAA-eligible because their underlying subprocessors do not offer BAAs. These are disabled for BAA-active accounts and listed in Attachment B of the executed BAA. Examples may include: select third-party analytics integrations, certain social-media auto-post features, and AI features routed through models without BAA coverage.
Related documents
- Data Processing Agreement — for non-HIPAA Personal Data
- Subprocessors list
- Trust Center — security whitepaper and compliance attestations