Langfuse HIPAA BAA - Business Associate Agreement
Note: To enter into this BAA with Langfuse, you must use our HIPAA Cloud Region and (!) be subscribed to the Pro Plan (or higher).
Latest revision: 29 April 2025
Effective automatically for eligible accounts
Important Eligibility Notice
This Business Associate Agreement (“BAA”) automatically applies only to Langfuse customer accounts that:
- are hosted in the Langfuse HIPAA Cloud Region at https://hipaa.cloud.langfuse.com; and
- are subscribed to a Pro, Teams, or Enterprise plan (each a “HIPAA‑Eligible Plan”).
Accounts that do not meet both conditions are not covered by this BAA and may not process Protected Health Information (“PHI”) with Langfuse.
By provisioning or continuing to use an eligible account, the entity identified in the Langfuse billing records (“Customer”, “Covered Entity” or its own business associate under HIPAA) is deemed to have read, understood and agreed to this BAA. No separate checkbox, click‑through or signature is required.
The current and past versions of this BAA are always available at https://langfuse.com/baa and can be downloaded from Settings → Security in the Langfuse Cockpit. Questions? Email [email protected].
1 Parties & Incorporation
This BAA supplements and is incorporated by reference into the Langfuse Cloud Master Subscription Agreement (MSA), Order Form and/or any other written contract governing Customer’s use of the HIPAA‑eligible Langfuse Environment (collectively, the “Services Agreement”). If any conflict arises between this BAA and the Services Agreement with respect to PHI processed in the HIPAA Cloud Region, this BAA controls.
2 Definitions
Capitalized terms have the meanings set out in the U.S. Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (45 C.F.R. Parts 160 & 164), as amended by the HITECH Act (together, “HIPAA”). Key terms include:
| Term | Meaning |
|---|---|
| PHI / Protected Health Information | Has the meaning in 45 C.F.R. §160.103 and is limited to information created, received, maintained or transmitted by Langfuse on behalf of Customer. |
| Breach | As defined in 45 C.F.R. §164.402 — the unlawful acquisition, access, use or disclosure of Unsecured PHI. |
| Security Incident | As defined in 45 C.F.R. §164.304. |
| HITECH Act | Title XIII of the American Recovery and Reinvestment Act of 2009. |
Other HIPAA terms (e.g., Designated Record Set, Unsecured PHI, Subcontractor) have the same meanings given in HIPAA.
3 Permitted Uses & Disclosures
Langfuse may use or disclose PHI only:
- To provide the HIPAA Cloud Region environment and related support in accordance with the Services Agreement;
- For our own management or legal obligations, provided any disclosure is (i) required by law or (ii) to a recipient that agrees to written confidentiality protections and promptly reports any breach; and
- As otherwise required by law.
Langfuse will not use or disclose PHI for any other purpose without Customer’s written instruction.
4 Customer Responsibilities
Customer represents, warrants and agrees that:
- Status. Customer is, and will remain, a Covered Entity or Business Associate under HIPAA and will comply with HIPAA in its use of the Services.
- Minimum‑Necessary & Configuration. Customer will (a) limit PHI uploaded to the Service to the minimum necessary, (b) refrain from sending PHI via support tickets, email, or non‑HIPAA workspaces, and (c) follow Langfuse documentation regarding encryption and other HIPAA configuration.
- No Impermissible Requests. Customer will not request Langfuse to use or disclose PHI in a manner that would violate HIPAA if performed by Customer.
- Consents. Customer is responsible for obtaining any authorisations or consents required for Langfuse’s uses and disclosures of PHI.
Langfuse may rely on Customer’s instructions when assessing the minimum‑necessary standard.
5 Safeguards
Langfuse will:
- Implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of electronic PHI in accordance with the HIPAA Security Rule;
- Maintain a written information‑security program including risk assessments, encryption in transit and at rest, access controls, logging and vulnerability management; and
- Ensure that workforce members with access to PHI are bound by confidentiality obligations and trained on HIPAA requirements.
6 Subcontractors
Langfuse will ensure that any Subcontractor that creates, receives, maintains or transmits PHI on Langfuse’s behalf agrees, in writing, to restrictions and security obligations at least as protective as those in this BAA and the HIPAA Security Rule.
7 Incident & Breach Reporting
Langfuse will:
- Report to Customer any Breach of Unsecured PHI or unauthorised use or disclosure of PHI without unreasonable delay and in no event later than 72 hours after discovery;
- Report Security Incidents that materially compromise PHI; and
- Provide available information to assist Customer in complying with 45 C.F.R. §§164.404–410.
Unsuccessful intrusion attempts (e.g., port scans, failed log‑ins, firewall pings) are commonplace and do not require notice under this section.
8 Individual Rights
Where Customer maintains PHI in a Designated Record Set within the HIPAA Cloud Region, Langfuse will, at Customer’s request and within the timeframes required by HIPAA:
- Provide access to PHI (45 C.F.R. §164.524);
- Incorporate amendments to PHI (45 C.F.R. §164.526); and
- Provide disclosure logs for accountings (45 C.F.R. §164.528).
Fees may apply for non‑routine assistance.
9 Books & Records
Langfuse will make its relevant policies, procedures and records relating to the security or use of PHI available to the U.S. Department of Health & Human Services upon request, subject to attorney‑client privilege and trade‑secret protections.
10 Term & Termination
Term. This BAA becomes effective automatically when Customer first creates or upgrades an account that satisfies the eligibility criteria described in the Important Eligibility Notice and remains in effect until the earlier of (a) termination or downgrade of the Services Agreement or applicable plan, or (b) Customer’s cessation of use of the HIPAA Cloud Region.
Termination for Breach. Either party may terminate this BAA on 30 days’ written notice if the other materially breaches it and fails to cure within that period.
Return/Destruction of PHI. Upon termination, Langfuse will return or destroy all PHI within 30 days. If return or destruction is infeasible, Langfuse will continue to protect the PHI and limit further uses and disclosures.
11 Miscellaneous
- No Third‑Party Beneficiaries. Nothing in this BAA confers rights on anyone other than the parties.
- Amendment. If HIPAA is amended, the parties will update this BAA as needed to remain compliant. Langfuse may update this BAA prospectively by posting a revised version and providing at least 30 days’ notice; continued use of the HIPAA Cloud Region after the effective date constitutes acceptance.
- Liability. Each party’s liability under this BAA is subject to the limitations in the Services Agreement, except that HIPAA fines imposed due to a party’s breach are borne by that party.
- Governing Law. Unless the Services Agreement states otherwise, this BAA is governed by the same law and dispute forum as the Services Agreement.