BAA on the roadmap

HIPAA posture and PHI handling

Abundera Sign does not yet sign Business Associate Agreements. Until a BAA is in place, do not transmit Protected Health Information through any Abundera Sign surface. This page documents the HIPAA Security Rule technical safeguards already in place and the BAA timeline so your compliance team can make an informed sequencing decision.

Do not transmit PHI without a BAA

If you are a covered entity or business associate subject to HIPAA, do not include Protected Health Information in envelope content, field values, message threads, signer names, or attachments until Abundera, Inc. has counter-signed a BAA with your organization. The technical safeguards on this page satisfy the underlying §164.312 requirements, but a BAA is the contractual instrument HIPAA requires.

§164.312(a) Access control

Technical policies and procedures that allow access only to authorized persons.

  • Unique user identification, centralized at abundera.ai with per-user UUIDs that are never reused
  • Emergency access procedure documented through the security@abundera.ai escalation path
  • Automatic logoff via session expiry on the central identity hub, plus token rotation on every sign event
  • Encryption and decryption (addressable) via TLS 1.3 in transit and R2 encryption at rest
  • JWT plus product-scoped API key (abnd_sign_*) for every API surface, validated against the hub on each request with KV-cached revocation

§164.312(b) Audit controls

Hardware, software, or procedural mechanisms that record and examine activity in information systems containing PHI.

  • Every action recorded in an immutable, hash-chained audit trail (SHA-256 per entry, each includes the previous hash)
  • RFC 3161 trusted timestamps counter-sign the chain head so audit records cannot be back-dated
  • Audit trail spans envelope creation, view, OTP, field changes, signature, decline, delegation, seal, download
  • GitHub anchoring of the chain head provides independent third-party attestation
  • Audit records retained for the full envelope retention period (3 to 99 years per plan) in WORM storage

§164.312(c)(1) Integrity

Policies to protect electronic PHI from improper alteration or destruction.

  • PAdES-LTA cryptographic signature on every signed PDF, AATL-certified, HSM-backed
  • Document hash (SHA-256 plus SHA-512 dual hash) recorded in the audit chain and reproducible from the public verify endpoint
  • WORM (Write Once Read Many) storage on R2 with 3-year, 7-year, and 99-year retention locks; envelopes cannot be modified after sealing
  • Tamper detection is automatic at verify time; any byte change invalidates both the PAdES signature and the hash chain
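To illustrate the hash-chained audit trail described under Audit controls and the tamper detection described above, here is an added example (not Abundera's code; the event fields and the 64-zero genesis value are assumptions) that builds a SHA-256 chain where each entry commits to the previous hash, then verifies it and reports the first entry at which edited or deleted records break the chain:

```python
import hashlib
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # assumed: first entry chains to an all-zero previous hash

def entry_hash(prev_hash: str, event: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same event always
    # serialises, and therefore hashes, identically on every verifier.
    payload = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()

def append_entry(chain: List[dict], event: dict) -> dict:
    # Each new entry records the previous hash and a hash over (prev_hash, event),
    # so the chain head commits to every earlier record.
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"prev_hash": prev, "event": event, "hash": entry_hash(prev, event)}
    chain.append(entry)
    return entry

def verify_chain(chain: List[dict]) -> Tuple[bool, Optional[int]]:
    # Walk the chain from genesis; any edited, reordered or deleted entry
    # breaks either the prev_hash link or the recomputed entry hash.
    # (A trusted timestamp over the final head, as the page describes,
    # would additionally pin the chain head in time; not modelled here.)
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev:
            return False, i
        if entry_hash(prev, entry["event"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, None

def build_sample_chain() -> List[dict]:
    # Constructed sample events for one envelope lifecycle (assumed field names).
    events = [
        {"action": "create", "envelope": "env-demo-1", "actor": "alice@example.com"},
        {"action": "view", "envelope": "env-demo-1", "actor": "bob@example.com"},
        {"action": "sign", "envelope": "env-demo-1", "actor": "bob@example.com"},
        {"action": "seal", "envelope": "env-demo-1",
         "doc_sha256": hashlib.sha256(b"constructed sealed PDF bytes").hexdigest()},
    ]
    chain: List[dict] = []
    for ev in events:
        append_entry(chain, ev)
    return chain
```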

§164.312(d) Person or entity authentication

Procedures to verify that a person or entity seeking access to PHI is the one claimed.

  • Passkeys (WebAuthn) for biometric authentication on Professional plus tiers
  • SMS OTP via Twilio with rate limiting (3 sends per signer, 60s cooldown, 3 verify attempts per code)
  • Government ID verification through Veriff (optional, Business tier)
  • Knowledge-based authentication through LexisNexis or Persona (optional)
  • Identity proofing scored on the Signer Evidence Score and recorded in the audit trail

§164.312(e)(1) Transmission security

Technical measures to guard against unauthorized access to PHI transmitted over a network.

  • TLS 1.3 enforced at the Cloudflare edge with HSTS preload and a CAA-locked certificate issuer
  • Strict Content Security Policy on the signing surface; same-origin script policy with explicit allowlist
  • HMAC-signed webhook callbacks to customer endpoints prevent spoofing of completion notifications
  • No third-party analytics or tracking on signing pages; no fingerprinting

§164.308 Administrative safeguards (in progress)

Administrative actions, policies, and procedures; the BAA program covers the contractual portion.

  • Security Officer designated, security@abundera.ai
  • Workforce security and termination procedures documented
  • Incident response and breach notification SLAs ship with the PHI envelope mode in Q3 2026
  • Risk analysis and risk management documented annually
  • BAA template and counter-signing workflow in flight

Frequently asked questions

Does Abundera Sign sign Business Associate Agreements?

Not yet. The BAA program is targeted for Q3 2026. Until then, do not transmit PHI through any Abundera Sign surface. Email compliance@abundera.ai if you have an active need so we can sequence your engagement.

Can a covered entity use Abundera Sign for non-PHI documents today?

Yes. Vendor agreements, employment contracts, board resolutions, partnership agreements, IT and cloud contracts, NDAs, and any other non-PHI documents are routine usage by covered entities. The constraint is specifically on PHI in envelope content, field values, message threads, signer names, or attachments.

What is the PHI envelope mode?

An envelope-level flag, available on accounts with an active BAA, that disables the AI contract summary path, forces encryption-at-rest attestation into the audit chain, defaults retention to the minimum required by the BAA, and triggers breach-notification SLAs on any unauthorized access event. Ships with the BAA program in Q3 2026.

Is AI processing of envelope content compatible with HIPAA?

AI summaries currently run on Cloudflare Workers AI at the edge, never leaving Cloudflare infrastructure and never sent to a third-party LLM. Even so, until a BAA is in place and PHI envelope mode is enabled (which disables the AI path entirely for PHI envelopes), do not transmit PHI through Abundera Sign.

What about subprocessors that touch envelope data?

The full subprocessor list is on the Trust Center. When PHI envelope mode ships, BAA-tier accounts will receive a PHI-scoped subprocessor list and BAA flow-down attestations from each subprocessor that handles envelope data.

Need a target BAA date for your procurement process, or want to be sequenced into the first BAA cohort? Email compliance@abundera.ai. For the broader security posture, see the Trust Center; for FDA-regulated workflows, see 21 CFR Part 11.