HIPAA Position & Security

Last updated: June 10, 2026

1. Our HIPAA Position

SOPdesk is not HIPAA compliant, does not act as a HIPAA Business Associate, and does not sign Business Associate Agreements (BAAs).

This is by design, not by oversight. SOPdesk is a documentation, training, and compliance management platform for pharmacy operations — standard operating procedures, training records, equipment and license tracking, and regulatory monitoring. None of these workflows require Protected Health Information (PHI), and the Service is not intended to store, process, or transmit it.

Do not upload PHI to SOPdesk. This includes patient names, medical record numbers, prescription details tied to an identifiable patient, or any other individually identifiable health information. This is a condition of our Terms of Service.

Your organization remains the HIPAA covered entity for your patient-facing systems (pharmacy management software, dispensing systems, patient records). SOPdesk sits alongside those systems and handles only your operational documentation.

2. How We Secure Your Data

Not being a HIPAA Business Associate does not mean we take security lightly. Your SOPs, training records, and compliance documentation are your operational backbone, and we protect them accordingly:

  • Encryption in transit: all traffic to and from the Service is encrypted with TLS
  • Encryption at rest: data is encrypted at rest (AES-256) by our database and storage provider, Supabase
  • Tenant isolation: every database query is scoped to your organization through row-level security policies enforced at the database layer — not just in application code
  • Role-based access: owner and admin roles control who in your organization can see and change what
  • Audit logging: key account and document activity is logged
  • Network protection: the Service is fronted by Cloudflare for DDoS protection and traffic filtering
  • Payment isolation: card data is handled entirely by Stripe and never touches our servers
  • Automated backups: provided through our infrastructure provider
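
As an added illustration of the tenant-isolation and role-based access bullets above, the following is an example Postgres row-level security setup of the kind Supabase supports, shown with the weak pattern (isolation left to application code) beside the enforced one. It is not SOPdesk's own schema or policy code; the table names (org_members, sops), the role values (owner, admin, member) and the helper function has_org_role are assumptions made for the example.

```sql
-- Added example, not SOPdesk's schema. Table, column, role and function names
-- are assumed. auth.uid() is the Supabase helper that returns the user id from
-- the caller's JWT.

-- Which users belong to which organization, and with what role.
create table org_members (
  org_id  uuid not null,
  user_id uuid not null references auth.users (id),
  role    text not null check (role in ('owner', 'admin', 'member')),
  primary key (org_id, user_id)
);

-- Tenant data: every row carries the organization it belongs to.
create table sops (
  id     uuid primary key default gen_random_uuid(),
  org_id uuid not null,
  title  text not null,
  body   text
);

-- Weak pattern (shown for contrast, not applied): leave RLS off and rely on
-- every application query remembering "where org_id = :current_org".
-- One forgotten filter, or one raw query, returns another tenant's rows.
-- alter table sops disable row level security;

-- Enforced pattern: the database itself refuses rows outside the caller's
-- organizations, whatever SQL the application sends.
alter table sops enable row level security;
alter table sops force row level security;   -- applies to the table owner too
alter table org_members enable row level security;
alter table org_members force row level security;

-- A user may read only their own membership rows.
create policy members_read_own on org_members
  for select
  using (user_id = auth.uid());

-- Membership check used by the policies. security definer lets it read
-- org_members without recursing into that table's own RLS policy.
create or replace function has_org_role(target_org uuid, allowed text[])
returns boolean
language sql
stable
security definer
set search_path = public
as $$
  select exists (
    select 1
    from org_members
    where org_id  = target_org
      and user_id = auth.uid()
      and role    = any(allowed)
  );
$$;

-- Any member of an organization may read that organization's SOPs.
create policy sops_read on sops
  for select
  using (has_org_role(org_id, array['owner', 'admin', 'member']));

-- Only owners and admins may create, change or delete SOPs, and only inside
-- their own organization; WITH CHECK also blocks moving a row to another org.
create policy sops_write on sops
  for all
  using      (has_org_role(org_id, array['owner', 'admin']))
  with check (has_org_role(org_id, array['owner', 'admin']));

-- Check: simulate a logged-in user inside a transaction and confirm that a
-- filter-free query still returns only that user's organizations' rows.
-- begin;
-- set local role authenticated;
-- select set_config('request.jwt.claims', '{"sub":"<user uuid>"}', true);
-- select count(*) from sops;   -- only rows the policies allow
-- rollback;
```

The point of FORCE ROW LEVEL SECURITY and of keeping the membership lookup in the database is that an application query that omits its organization filter, or a direct database connection using the same role, still sees only the caller's rows; the application code is no longer the only thing standing between tenants.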

A list of the third-party providers that operate parts of the Service is maintained on our Subprocessors page.

3. What This Means for Your Compliance Review

  • You do not need a BAA with SOPdesk, because no PHI should ever reach the Service
  • SOPdesk should be classified in your vendor inventory as a non-PHI operational tool, comparable to a project management or document tool used for internal procedures
  • Your staff should be instructed not to include patient information in SOPs, training notes, or uploaded documents

If your compliance team has questions about this position or needs supporting documentation for a vendor review, contact us at [email protected].

4. Contact

Datatronics LLC (d/b/a SOPdesk)

Email: [email protected]

Address: 4406 E Main St, Suite 102, PMB 1002, Mesa, AZ 85205