A per-organization executed Business Associate Agreement, server-side AI proxying, SSO with Google and Microsoft, and contractual commitments — including a 10-business-day breach-notification window — that hold up to procurement review.
What you see below is not a marketing summary. Every commitment links to the clause that backs it.
Every customer signs a BAA with UPStandards LLC before using the platform with real PHI. Audit trail, both parties' signatures, downloadable anytime.
The BAA prohibits transmitting PHI to Anthropic or any non-BAA vendor. AI runs through a server-side proxy on aggregate or de-identified inputs only.
Sign in with Google, Microsoft (Entra ID / Azure AD), or email and password. Self-service password reset. Role-based access for org admins, billing admins, and clinical roles.
Customer Data is available for export throughout your subscription and for 30 days after termination — longer on enterprise terms.
When you sign up, you're not joining a platform that "supports HIPAA." You're entering into a contractual relationship governed by an executed Business Associate Agreement under HIPAA's Privacy, Security, Breach Notification, and Enforcement Rules.
The BAA is signed before your organization uses the Services with real PHI. The signed copy lives in your account, with a complete audit trail — both parties' names and titles, signature (drawn or typed), the version of the BAA you accepted, the signing IP address, and the timestamp. You can open it, print it, or download it anytime from the Your Business Associate Agreement page inside the app.
Under Section 5 of the BAA, UPStandards shall not transmit PHI to Anthropic, external AI providers, or other non-BAA vendors unless the parties amend the Services architecture and contractual terms. That is not a policy statement — it is a contract.
Under Section 6, UPStandards implements administrative, physical, and technical safeguards including workforce confidentiality obligations, access controls, role-based permissions, authentication, encryption in transit, encryption at rest where supported by infrastructure providers, logging, backup and recovery, vendor review, vulnerability management, and incident response.
Under Section 7.1, in the event of a Breach of Unsecured PHI, UPStandards reports to the Covered Entity without unreasonable delay and in no event later than 10 business days after discovery — except where a law-enforcement delay applies or more urgent notice is required by law.
The complete BAA is published at /baa.html. Procurement and security teams are welcome to read it before signup.
UPStandards uses AI for document drafting, policy gap analysis, and the in-app Helper. The architecture and the contract are both built around one principle: PHI does not go to AI providers.
Three things make that hold up in practice rather than just on paper.
"AI inputs should be aggregate, de-identified, or otherwise non-PHI." — Terms of Service §8
Per-organization AI quotas are enforced server-side and visible in your account. Every successful AI call is recorded in an ai_usage_events log so you can audit what was used and when.
Most workforce users sign in with their existing identity provider. Email and password remain available for organizations that haven't moved to SSO.
Per the BAA, the Covered Entity is responsible for promptly disabling access for workforce members who no longer require it, configuring user permissions to follow the minimum-necessary standard, and notifying UPStandards of suspected credential compromise.
You own your data. UPStandards processes it under the BAA and the Data Processing Addendum, and gives it back to you whenever you ask — including after you cancel.
While you're a customer. Customer Data may be exported at any time through standard platform features. Saved documents, signed BAA executions, chart-audit records, and policy library entries are all retrievable from inside the app.
After termination. Standard self-serve accounts receive a 30-day post-termination export window. Enterprise Order Forms may provide 60 to 90 days. After the applicable window, UPStandards may delete, de-identify, or retain data according to its retention practices, the BAA, the DPA, backup cycles, and applicable law.
Backups. Backup copies may persist temporarily according to backup cycles. They remain protected and are not used for purposes unrelated to providing, securing, or supporting the Services.
Geography. UPStandards is intended for U.S. customers at launch. We do not currently target EU or UK customers. If international processing becomes applicable, additional transfer terms and subprocessor review are required before that processing begins (DPA §12).
Customer Data ownership. Customer Data belongs to the Customer. UPStandards receives only the rights necessary to host, process, display, transmit, and use Customer Data to provide, secure, support, and improve the Services (Terms §16).
The "Privacy / HIPAA Position" column reflects the design intent of the platform and the contractual position with each vendor.
This list reflects the current product stack and is updated as it changes. The authoritative version is published in the Privacy Policy (§10) and Schedule 3 of the Data Processing Addendum.
HIPAA assigns responsibilities to both the Covered Entity and the Business Associate. The platform is built around that split.
If you're in procurement or IT review, here's everything you need.
Send privacy and data-protection inquiries to privacy@upstandards.net.
General support and account questions go to support@upstandards.net.
If you suspect a security incident affecting PHI processed through UPStandards, contact privacy@upstandards.net immediately, with "Security Incident" in the subject line. We'll respond promptly and follow the breach-reporting commitments in Section 7 of the BAA.
UPStandards LLC
PO Box 1554
Cobb, CA 95426
Yes. Every customer organization signs a BAA with UPStandards LLC before using the platform with real Protected Health Information. The agreement covers HIPAA's Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160 and 164.
The executed copy of your BAA is available from inside your account on the Your Business Associate Agreement page, with both parties' names and titles, signature (drawn or typed), the version of the BAA you accepted, the signing IP address, and the timestamp.
No. Section 5 of the BAA prohibits UPStandards from transmitting PHI to Anthropic or any non-BAA vendor unless the parties amend the Services architecture and contractual terms. The Terms reinforce this: "AI inputs should be aggregate, de-identified, or otherwise non-PHI."
Architecturally, AI calls go through a server-side proxy that customers never see — there's no Anthropic API key in the customer's hands — and every successful call is logged in the ai_usage_events table for audit.
Anthropic's commercial terms, in turn, specify that API inputs are not used to train models.
Section 7.1 of the BAA commits UPStandards to reporting a Breach of Unsecured PHI without unreasonable delay and in no event later than 10 business days after discovery — except where a law-enforcement delay applies or more urgent notice is required by law.
The DPA adds parallel commitments for Personal Data: notice "without undue delay" after becoming aware of a confirmed security breach, including the nature of the incident, affected data categories, likely consequences, measures taken or proposed, and a contact point.
Standard self-serve accounts have a 30-day post-termination export window. Enterprise Order Forms may provide 60 to 90 days. After the applicable export period, UPStandards may delete, de-identify, or retain data per its retention practices, BAA, DPA, backup cycles, and applicable law.
Backup copies may persist temporarily but remain protected and are not used for unrelated purposes.
Sign in with Google or Microsoft (Entra ID / Azure AD), or with email and password. Password sign-in requires at least 8 characters. Self-service password reset is available via email recovery — recovery links are valid for one hour and can only be used once.
Five disclosed subprocessors at the time of this writing: Supabase (managed Postgres, authentication, edge functions — handles platform PHI under BAA-tier infrastructure), Postmark (transactional email, no PHI in content), Stripe (payments, no PHI), Netlify (frontend hosting, no PHI), and Anthropic (AI document drafting and policy support, aggregate or de-identified inputs only).
The authoritative list lives in §10 of the Privacy Policy and Schedule 3 of the Data Processing Addendum. It is updated as the product stack changes.
UPStandards is built for a limited accreditation, safety, audit, and compliance data set — not full clinical records. Per Terms §6(h) and §7, users should not place the following into the platform unless a written agreement or product workflow expressly permits it:
Diagnoses, SUD diagnoses, treatment-plan content, treatment goals, interventions, modalities, progress notes, psychotherapy notes, SUD counseling notes, full medical records, lab results, imaging, prescriptions, billing PHI, and financial PHI.
Some workflows do involve named-patient identifiers where operationally necessary — Q15 patient safety observation logs, restraint and seclusion documentation, and certain chart-audit fields. The platform supports those workflows specifically; everything outside them belongs in your EHR.
No. Per Terms §3, UPStandards is not an electronic health record, designated record set, patient portal, emergency service, clinical documentation system, diagnosis tool, treatment-planning platform, billing platform, utilization-management system, legal-advice platform, accreditation-body representative, or substitute for professional judgment.
UPStandards lives alongside your EHR and handles the operational, audit, policy, and accreditation-readiness workflows that an EHR isn't built to handle.
Start a free trial. Full access. Cancel anytime.