Business Associate Agreement
Overview
DashboardFox is designed with the security architecture and controls necessary to support HIPAA-regulated workloads. For healthcare customers who need to connect protected health information (PHI) to DashboardFox, we offer a Business Associate Agreement (BAA) on request.
What is a BAA?
The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities — such as healthcare providers, health plans, and healthcare clearinghouses — to have a signed Business Associate Agreement in place with any vendor that creates, receives, maintains, or transmits protected health information (PHI) on their behalf.
A BAA is a legal contract that establishes the permitted uses and disclosures of PHI, sets out each party's responsibilities for safeguarding that data, and documents the vendor's commitment to HIPAA compliance. Without a signed BAA, a covered entity cannot lawfully use a third-party service to process PHI.
Who needs a BAA?
You need a BAA with DashboardFox if you are a HIPAA-covered entity or business associate and you intend to connect data sources containing PHI to your DashboardFox workspace. Common examples include:
- Healthcare providers reporting on patient records, appointments, or billing data
- Health plans or insurers analyzing claims or member data
- Healthcare SaaS companies embedding DashboardFox to report on data that includes PHI
- Business associates of covered entities whose reporting workflows involve PHI
If you are unsure whether your use case requires a BAA, consult your compliance or legal counsel. As a general rule: if the data you are connecting to DashboardFox could include individually identifiable health information, a BAA is required.
Who does not need a BAA?
A BAA is not required if your DashboardFox workspace does not process PHI. Healthcare-adjacent organizations that connect only de-identified, aggregated, or non-clinical data to DashboardFox do not need a BAA, provided they are confident the data does not meet HIPAA's definition of PHI.
Our approach to HIPAA
DashboardFox is built on an architecture designed to support HIPAA compliance:
- Isolated workspaces — every customer workspace runs in a dedicated, isolated PostgreSQL database. PHI in one workspace is fully segregated from every other customer's data.
- Encryption — data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
- Access controls — role-based access, audit logging, and session management are built into the platform.
- Annual penetration testing — conducted to validate security controls.
- Cyber liability insurance — maintained by 5000fish, Inc.
Signing a BAA does not automatically make your DashboardFox deployment HIPAA-compliant — your organization remains responsible for configuring the platform appropriately, managing user access, and ensuring your connected data sources meet HIPAA requirements. We are a tool; HIPAA compliance is a shared responsibility.
How to request a BAA
Email team@dashboardfox.com with the subject line "BAA Request" and include:
- Your organization name and DashboardFox account email
- A brief description of the PHI you intend to process within DashboardFox
We will review your request and respond within 2 business days. BAAs are available to customers on any paid plan.
To request a BAA or ask about HIPAA compliance:
team@dashboardfox.com