<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Jordan Vance</title>
    <description>The latest articles on DEV Community by Jordan Vance (@jvancedev).</description>
    <link>https://dev.to/jvancedev</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3962501%2F0acd6aec-d2f0-4d1c-a376-a04621c0b19a.png</url>
      <title>DEV Community: Jordan Vance</title>
      <link>https://dev.to/jvancedev</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/jvancedev"/>
    <language>en</language>
    <item>
      <title>HIPAA BAA gotchas in 2026: the SaaS tools that only sign on Enterprise</title>
      <dc:creator>Jordan Vance</dc:creator>
      <pubDate>Mon, 01 Jun 2026 10:34:25 +0000</pubDate>
      <link>https://dev.to/jvancedev/hipaa-baa-gotchas-in-2026-the-saas-tools-that-only-sign-on-enterprise-3fei</link>
      <guid>https://dev.to/jvancedev/hipaa-baa-gotchas-in-2026-the-saas-tools-that-only-sign-on-enterprise-3fei</guid>
      <description>&lt;p&gt;If you handle protected health information, the single document that decides whether a SaaS tool is allowed to touch it is the Business Associate Agreement. No BAA, no PHI. It doesn't matter how good the vendor's SOC 2 report is or how many times the marketing page says "enterprise-grade security." Under HIPAA, if the vendor hasn't signed a BAA with you, putting a patient's name in that tool is a violation.&lt;/p&gt;

&lt;p&gt;The part nobody tells you up front: a lot of the tools your team already runs on will sign one, but only if you're on the right plan. And the plan they want you on is usually the one with a "Contact Sales" button instead of a price.&lt;/p&gt;

&lt;p&gt;I maintain a directory that tracks BAA availability across 105 of the SaaS tools developers and ops teams actually use. After going vendor by vendor through the published terms, the distribution is blunt:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;27 of 105&lt;/strong&gt; will sign a BAA on a standard paid plan (sometimes any paid plan).&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;57 of 105&lt;/strong&gt; gate it. They'll sign, but only on a specific, usually higher, tier.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;21 of 105&lt;/strong&gt; won't sign at all, on any plan, including Enterprise.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;So more than half the tools in common use put the BAA behind a plan wall, and a fifth slam the door entirely. Here are the three traps that catch teams, with named examples and the exact gotcha for each.&lt;/p&gt;

&lt;h2&gt;Trap 1: the Enterprise-only wall&lt;/h2&gt;

&lt;p&gt;This is the big one. Of the 57 plan-gated tools, roughly 40 reference Enterprise as the gate, and about 17 are Enterprise-and-nothing-else. A few you've almost certainly got open in another tab right now:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Notion&lt;/strong&gt; signs a BAA &lt;em&gt;only&lt;/em&gt; on the Enterprise plan, and Beta Services are explicitly excluded from coverage, which matters if you've turned on anything new.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Slack&lt;/strong&gt; says you "must be using a Slack Enterprise plan" (Enterprise Grid) to be covered. Pro and Business+ are not named on the HIPAA page, which means a team on Business+ has no BAA and no obvious sign that they don't. (I keep the cited details and the third-party-app caveat on the &lt;a href="https://baa-atlas.vercel.app/vendors/slack" rel="noopener noreferrer"&gt;Slack BAA page&lt;/a&gt;. Slack's own BAA doesn't cover third-party apps you install, which is its own quiet gap.)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Box&lt;/strong&gt; has signed BAAs since 2013, but only on Enterprise, Enterprise Plus, or Enterprise Advanced. The lower tiers have &lt;em&gt;identical security controls&lt;/em&gt; and still can't execute a BAA. The wall is contractual, not technical.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;HubSpot&lt;/strong&gt; only signs once you're on an Enterprise tier and have enabled its Sensitive Data feature.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The pattern: the security is the same across tiers. What changes at Enterprise is the legal willingness to take on Business Associate liability. That's a procurement and budget problem wearing a security badge, and you want to know it before you've built a workflow on the Business plan.&lt;/p&gt;

&lt;h2&gt;Trap 2: "paid, but not the way you think"&lt;/h2&gt;

&lt;p&gt;Not every gate is Enterprise. Some vendors will sign on a mid-tier paid plan, which is good news, but the fine print hides in &lt;em&gt;which&lt;/em&gt; plan and &lt;em&gt;which country&lt;/em&gt;.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Dropbox&lt;/strong&gt; signs electronically through the admin console on Standard, Advanced, Business, and Business Plus, but not free, Plus, or Family. Two more catches: the self-service BAA is &lt;strong&gt;US-only&lt;/strong&gt;, and signing it &lt;strong&gt;disables reseller support&lt;/strong&gt;. Dropbox Sign needs its own separate BAA on top.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Zoom&lt;/strong&gt; covers paid healthcare customers across Pro, Business, Business Plus, and Enterprise. Free accounts are out. And the BAA itself is US-only: customers with a Canadian billing address get a Personal Health Information Annex (PHIA) for PHIPA/PIPEDA instead.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Google Workspace&lt;/strong&gt; offers a BAA to any paid Workspace/Cloud Identity customer through the Admin console, but it covers &lt;em&gt;only&lt;/em&gt; the services on Google's HIPAA Included Functionality list. Consumer Gmail is never covered.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Cloud storage is the cleanest illustration of how much the tier and geography matter. Dropbox and Box look interchangeable until you line up who can actually sign, on which plan, in which country. I put them side by side on the &lt;a href="https://baa-atlas.vercel.app/compare/cloud-storage" rel="noopener noreferrer"&gt;cloud storage comparison&lt;/a&gt; so you can see the gate before you commit a migration to it.&lt;/p&gt;

&lt;p&gt;The lesson here is to read the &lt;em&gt;mechanism&lt;/em&gt;, not just the yes/no. "We sign a BAA" can mean a self-serve toggle in the admin console (Dropbox) or a sales call and a higher SKU (Box). Those are very different timelines when you're trying to ship.&lt;/p&gt;

&lt;p&gt;So plan for the slow path. If the gate is a sales motion, the BAA is the long pole in your launch, not an afterthought you handle the week before go-live.&lt;/p&gt;

&lt;h2&gt;Trap 3: never, on any plan&lt;/h2&gt;

&lt;p&gt;Twenty-one tools won't sign, and some of them are surprising because they feel like infrastructure:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Calendly&lt;/strong&gt; does not sign a BAA on any plan, &lt;em&gt;including&lt;/em&gt; Enterprise.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Mailchimp&lt;/strong&gt; (Intuit) won't either. Its Acceptable Use Policy bars importing regulated sensitive data.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Stripe&lt;/strong&gt; does not act as a Business Associate for its core payments platform and states PHI may not be processed through it. Being PCI Level 1 for cardholder data is not a HIPAA substitute, which is a confusion I see constantly.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Figma&lt;/strong&gt;, &lt;strong&gt;Miro&lt;/strong&gt;, &lt;strong&gt;Canva&lt;/strong&gt;, &lt;strong&gt;Zapier&lt;/strong&gt;, &lt;strong&gt;Shopify&lt;/strong&gt;, and &lt;strong&gt;Google Analytics (GA4)&lt;/strong&gt; round out the no-BAA list.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If a tool sits in this bucket, no amount of configuration makes it compliant for PHI. The only safe moves are to keep PHI out of it entirely or to find a vendor that will sign. Worth flagging: a couple of these verdicts (Calendly especially) rest on terms that vendors quietly change, so re-confirm directly before you rely on a "no."&lt;/p&gt;

&lt;h2&gt;The scope gotchas that bite after you've signed&lt;/h2&gt;

&lt;p&gt;Getting the signature isn't the finish line. The BAA usually covers less than the whole product:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Twilio&lt;/strong&gt; signs a Business Associate Addendum, but only on Security or Enterprise Edition, and only &lt;strong&gt;HIPAA-Eligible Products&lt;/strong&gt; may carry PHI. The eligible-products list lives on a separate doc that changes over time.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Notion&lt;/strong&gt;'s BAA excludes Beta Services, so the shiny new feature may be out of scope the day you turn it on.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Slack&lt;/strong&gt;'s BAA doesn't extend to third-party apps you install into the workspace; each of those needs its own agreement.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;So "the vendor signed a BAA" and "this specific feature is in scope for PHI" are two different facts. Always pull the included/excluded list.&lt;/p&gt;

&lt;h2&gt;A short checklist for actually getting one&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Find the gate first.&lt;/strong&gt; Before you build anything, confirm which plan signs and whether it's self-serve or a sales motion. The tier requirement is the long-lead item.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Get the mechanism right.&lt;/strong&gt; Admin-console toggle, billing add-on, or sales call: each has a different timeline. Don't assume "Enterprise" means "instant."&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Read the scope list.&lt;/strong&gt; HIPAA-eligible products, excluded beta features, third-party apps, and geography (US-only is common) are all standard ways the coverage is narrower than the product.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Re-verify the "no" answers.&lt;/strong&gt; Vendors change terms without announcing it. A "won't sign" from six months ago may have flipped, in either direction.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Keep PHI out of the no-BAA tools entirely.&lt;/strong&gt; Configuration cannot fix a missing agreement.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;None of this is exotic. It's just tedious to chase across 105 different help-center pages, each of which words it differently and updates on its own schedule. If it's useful, the full directory (every vendor's BAA status, the cited source, the plan tier, and the step-by-step request path) lives at &lt;a href="https://baa-atlas.vercel.app/" rel="noopener noreferrer"&gt;baa-atlas.vercel.app&lt;/a&gt;, last verified end of May 2026. Every claim above is pulled from a vendor's own published terms; where a verdict leans on a third-party source, the directory says so.&lt;/p&gt;

</description>
      <category>hipaa</category>
      <category>compliance</category>
      <category>saas</category>
      <category>security</category>
    </item>
    <item>
      <title>Which AI coding assistants train on your code? A 2026 zero-retention comparison</title>
      <dc:creator>Jordan Vance</dc:creator>
      <pubDate>Mon, 01 Jun 2026 10:17:43 +0000</pubDate>
      <link>https://dev.to/jvancedev/which-ai-coding-assistants-train-on-your-code-a-2026-zero-retention-comparison-42je</link>
      <guid>https://dev.to/jvancedev/which-ai-coding-assistants-train-on-your-code-a-2026-zero-retention-comparison-42je</guid>
      <description>&lt;p&gt;On 24 April 2026, GitHub flipped a default. Copilot Free, Pro and Pro+ now use your prompts and accepted code suggestions to train models unless you go into settings and switch it off. Until that date the same data sharing was opt-in. Now it's opt-out, and most individual subscribers never saw the toggle move.&lt;/p&gt;

&lt;p&gt;That change is a good reason to actually read what your coding assistant does with the code you feed it. I went through the published terms for seven of the assistants developers actually use and pulled out the one thing that matters: does your code train a model, and can the vendor hold onto it? The short version is that "it depends on your plan" is not a cop-out answer. For most of these tools it's the literally correct answer, and the line usually runs right between the free tier you're using and the business tier you're not.&lt;/p&gt;

&lt;p&gt;Here's where each one stands as of June 2026.&lt;/p&gt;

&lt;h2&gt;The quick comparison&lt;/h2&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Tool&lt;/th&gt;
&lt;th&gt;Trains on your code by default?&lt;/th&gt;
&lt;th&gt;Zero data retention?&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Tabnine&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;No, on every plan&lt;/td&gt;
&lt;td&gt;Yes. Ephemeral, nothing stored&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Sourcegraph Cody&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;td&gt;Yes. ZDR with providers&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;GitHub Copilot&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Free/Pro/Pro+: yes (opt-out). Business/Enterprise: no&lt;/td&gt;
&lt;td&gt;No individual ZDR product&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Cursor&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Free/Pro with Privacy Mode off: yes. Privacy Mode on / Business: no&lt;/td&gt;
&lt;td&gt;Yes, when Privacy Mode is on&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Codeium / Windsurf&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Individual non-ZDR: code logs may be stored. Teams/Enterprise: no&lt;/td&gt;
&lt;td&gt;Yes. Default on Teams/Enterprise, opt-in for individuals&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Amazon Q Developer&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Free: yes (opt-out). Pro: no&lt;/td&gt;
&lt;td&gt;Enterprise posture only, no self-serve toggle&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Replit AI&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Public Apps: yes. Private Apps / paid endpoints: no&lt;/td&gt;
&lt;td&gt;Enterprise routes to ZDR endpoints only&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Two tools say no across the board. The other five gate it by tier. If you only remember one thing: the free tier is almost never the safe tier.&lt;/p&gt;

&lt;h2&gt;The two that don't train, regardless of plan&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Tabnine&lt;/strong&gt; runs a no-train, no-retain policy on every plan, from the solo Dev seat up to fully air-gapped self-hosting. Code you send for a completion is held in memory as ephemeral context to generate the suggestion, then discarded as soon as the response comes back. There's nothing to opt out of because training on customer code never happens by default. Its base completion and chat models are trained only on permissively licensed open-source code, and if you want a model that knows your codebase you can pre-train a private one inside your own environment where only your team can reach it. The compliance paperwork backs the claim up: SOC 2 Type II, ISO 27001, GDPR.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Sourcegraph Cody&lt;/strong&gt; also doesn't train on your code, but the mechanics are worth understanding because Cody isn't running its own model. It sends code snippets to Anthropic and OpenAI to generate responses, and the protection is that those calls happen under zero-retention agreements on both inputs and outputs. The same holds through Sourcegraph's own Cody Gateway, and the Fireworks.ai endpoint used for autocomplete doesn't store chat or autocomplete data either. Enterprises that want inference to never leave their cloud can bring their own LLM keys through Azure OpenAI or Amazon Bedrock. Cody is now positioned as the Sourcegraph Enterprise code-intelligence assistant, and it carries SOC 2 Type II, GDPR and CCPA compliance.&lt;/p&gt;

&lt;p&gt;The distinction between these two matters if your threat model includes third parties: Tabnine can run with no data leaving your infrastructure at all, while Cody's default path still routes snippets to external model providers, just under contracts that forbid retention and training.&lt;/p&gt;

&lt;h2&gt;The five that hinge on your tier&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;GitHub Copilot&lt;/strong&gt; is the one that changed. Since 24 April 2026, interaction data (your prompts, the code you accept, the surrounding file context) trains GitHub's models on Free, Pro and Pro+ unless you disable it. Copilot Business and Enterprise are exempt and were never folded into the policy change; prompts and suggestions on those tiers are never used for training. There's no zero-retention product aimed at individuals. If you're on an individual plan and want out, go to your profile photo, open Copilot settings, and set "Allow GitHub to use my data for AI model training" to Disabled. A separate "block suggestions matching public code" filter exists on every tier and is worth turning on regardless.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Cursor&lt;/strong&gt; routes the entire question through one switch called Privacy Mode. With it on, none of your code is ever trained on by Cursor or any third party, and zero data retention kicks in with the model providers. With it off, which is the default for Free and Pro, Cursor may store and train on your codebase data, prompts, editor actions and code snippets. Privacy Mode is forced on for Business and Teams and can be enforced org-wide by an admin, so company seats are covered automatically; individual users have to opt in themselves. One detail people miss: with Privacy Mode off, the underlying providers like OpenAI and Anthropic may retain prompts for around 30 days for trust and safety, so it's not just Cursor in the loop.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Codeium / Windsurf&lt;/strong&gt; ties everything to zero-data-retention mode. Code submitted by ZDR users is never serialized, never stored in plaintext on Codeium's servers or subprocessors, and never trained on. ZDR is on by default for Teams and Enterprise. Individuals have to opt in from their profile page, and until they do, logs containing code snippets may be stored. So on Free or Pro you'll want to enable ZDR and disable telemetry under Settings. Enterprise admins get an explicit "train on customer code" toggle and US/EU data-residency selection that lower tiers don't expose, plus HIPAA BAAs for significant implementations. I'd rate the confidence here a notch lower than the others; the public terms are less precise about individual non-ZDR handling than I'd like.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Amazon Q Developer&lt;/strong&gt; splits cleanly on Free versus Pro. On the Pro tier, AWS does not use your content for service improvement or to train foundation models at all; it's governed by the AWS service terms and GDPR DPA. On the Free tier, AWS may use your questions, the responses, and your generated code for service improvement, including model training, unless you opt out. The opt-out lives in your IDE: in VS Code, search settings for "Amazon Q: Share Content" and deselect it; JetBrains and Eclipse have an equivalent "Share Amazon Q content with AWS" checkbox. Organizations can also set an AI services opt-out policy in AWS Organizations to cover console and chat usage. There's no self-serve per-request zero-retention switch; data handling rides on the AWS agreement rather than a toggle.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Replit AI&lt;/strong&gt; is the odd one out because its training line is public versus private, not free versus paid. Content you publish in a public App may be used by Replit to develop and train large language models, during and after your term. Private App content is excluded from AI training. For Replit's AI Integrations, paid model endpoints have training disabled, but free endpoints may train on and publish your prompts and completions. Enterprise enforces routing to zero-data-retention endpoints only, which narrows the model selection in exchange for the guarantee. A DPA with Standard Contractual Clauses is available, account data is deleted within 30 days of request, and Replit holds SOC 2 Type II.&lt;/p&gt;

&lt;h2&gt;What to actually do about it&lt;/h2&gt;

&lt;p&gt;If you're on a free or individual plan of anything other than Tabnine or Cody, assume your code is in scope for training until you've changed a setting. The concrete moves:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Copilot (individual):&lt;/strong&gt; profile → Copilot settings → "Allow GitHub to use my data for AI model training" → Disabled.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Cursor (Free/Pro):&lt;/strong&gt; turn on Privacy Mode. That single switch both stops training and triggers ZDR with providers.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Codeium/Windsurf (individual):&lt;/strong&gt; enable zero-data-retention mode from your profile page and disable telemetry under Settings.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Amazon Q (Free):&lt;/strong&gt; deselect "Amazon Q: Share Content" in your IDE, or set an Organizations opt-out policy.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Replit:&lt;/strong&gt; keep work in private Apps, and if you use AI Integrations, stay on paid endpoints or bring your own API key.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If the data simply can't leave the building, the conversation is shorter: Tabnine offers VPC, on-prem and air-gapped deployments, and Cody Enterprise plus Amazon Q Pro give you contractual no-training postures under a DPA.&lt;/p&gt;

&lt;h2&gt;How I checked this, and where the numbers come from&lt;/h2&gt;

&lt;p&gt;Every fact above comes from the vendors' own published data-use pages, security pages, docs and terms of service, cross-checked and dated. I didn't paraphrase marketing copy. The tier breakdowns track what the actual privacy and security documentation says, including the awkward parts vendors don't lead with (Copilot's default flip, Replit's free-endpoint publishing, Codeium's non-ZDR logging).&lt;/p&gt;

&lt;p&gt;I keep these write-ups current at &lt;strong&gt;&lt;a href="https://baa-atlas.vercel.app/ai" rel="noopener noreferrer"&gt;AI Data Watch&lt;/a&gt;&lt;/strong&gt;, a cited directory of AI training and retention verdicts. Each tool has its own page with the per-tier breakdown and source links:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://baa-atlas.vercel.app/ai/cursor" rel="noopener noreferrer"&gt;Does Cursor train on your data?&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://baa-atlas.vercel.app/ai/github-copilot" rel="noopener noreferrer"&gt;GitHub Copilot data training policy&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://baa-atlas.vercel.app/ai/tabnine" rel="noopener noreferrer"&gt;Tabnine code privacy and ZDR&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://baa-atlas.vercel.app/ai/codeium" rel="noopener noreferrer"&gt;Codeium / Windsurf&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://baa-atlas.vercel.app/ai/sourcegraph-cody" rel="noopener noreferrer"&gt;Sourcegraph Cody&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://baa-atlas.vercel.app/ai/amazon-q-developer" rel="noopener noreferrer"&gt;Amazon Q Developer&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://baa-atlas.vercel.app/ai/replit-ai" rel="noopener noreferrer"&gt;Replit AI&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Vendor terms change, and they depend on your plan, region and contract, so treat this as a starting point for your own due diligence rather than legal advice. If something's drifted since I last verified it (most of these were re-checked on 31 May–1 June 2026), the per-tool pages carry the latest verification date.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>privacy</category>
      <category>security</category>
      <category>devtools</category>
    </item>
  </channel>
</rss>
