When a provider or health system uses ElderberryMD, we sign a Business Associate Agreement (BAA) with them. We also execute BAAs with every vendor that processes protected health information (PHI) on our behalf. This page lists those vendors and their roles. Last updated: May 2026.
What is a Business Associate Agreement?
Under HIPAA, a Business Associate Agreement is a contract between a covered entity (such as a physician practice or health system) and a business associate (us) that sets out how PHI may be used and protected. It assigns responsibilities and ensures that anyone downstream who touches that data is held to the same standard.
ElderberryMD acts as a Business Associate to the providers and health systems on our platform. We in turn execute BAAs with every subprocessor that handles PHI — so the chain of accountability is unbroken.
Processors with a BAA on file
This registry is sourced from docs/compliance/vendor-BAA-registry.md in our repository and reviewed each quarter.
| Processor | Role | What they handle | BAA status |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure | Site hosting (S3), content delivery (CloudFront), and DNS (Route 53). Application data is stored in AWS regions subject to the AWS BAA. | BAA on file |
| Cloudflare | Edge network & CDN | DNS resolution, DDoS protection, and edge routing. Cloudflare Workers handle transient contact-form routing server-side. | BAA on file |
Processors that do not require a BAA (because they do not handle PHI): GitHub (source code only) and Plausible Analytics (self-hosted, first-party, no PHI).
BAA template
If you are a provider or health system integrating ElderberryMD, we provide a standard BAA template as the starting point. Your organization can propose edits; our team reviews and countersigns.
Download the template below, review it with your compliance team, and return a signed copy to begin the contracting process. Execution takes place outside this page — the template is a starting document only.
Download BAA template
Opens a print-ready page. Use your browser's Print → Save as PDF to save a copy.
Our privacy commitments
BAAs are one part of our broader privacy posture. We also publish commitments covering patient advertising, consent, tracker use, and data rights. Additional Trust Hub pages are published as each is completed.