Is Deepgram HIPAA Compliant? BAAs, PHI, and Security Explained


Kevin Henry

HIPAA

May 29, 2025

5 minutes read

If you handle Protected Health Information (PHI), the practical question is whether you can deploy Deepgram in a HIPAA-compliant way. In short, yes—Deepgram supports HIPAA-compliant use when you sign a Business Associate Agreement (BAA) and configure security, retention, and deployment options appropriately. The sections below clarify BAAs and HIPAA roles, data encryption, privacy controls, certifications, PHI redaction, data residency, and deployment models so you can make an informed decision.

Business Associate Agreements and HIPAA Roles

Under HIPAA, Deepgram acts as a Business Associate when a Covered Entity (or its Business Associate) sends electronic PHI for processing. Deepgram states it can provide a Business Associate Agreement to eligible healthcare customers upon request, formalizing responsibilities for safeguarding PHI under the Privacy and Security Rules. ([developers.deepgram.com](https://developers.deepgram.com/documentation/security/data-privacy/?utm_source=openai))

Practically, HIPAA compliance is shared: Deepgram supplies administrative, technical, and physical controls, while you must implement appropriate access controls, retention rules, and permissible-use policies in your application. Your BAA governs how Customer Data is retained and deleted, aligning Deepgram’s handling with your contractual requirements. ([developers.deepgram.com](https://developers.deepgram.com/documentation/security/data-privacy/?utm_source=openai))

Data Encryption Standards

Deepgram encrypts data in transit and at rest using industry-standard algorithms. Documentation notes transport encryption with TLS (including TLS 1.3) and at-rest encryption with AES‑256, complemented by enterprise access controls such as MFA and role-based access control. ([developers.deepgram.com](https://developers.deepgram.com/docs/the-deepgram-model-improvement-partnership-program?utm_source=openai))

For self-hosted deployments, you manage TLS termination at your proxy or load balancer, while licensing communications to Deepgram’s license server use mutual TLS (mTLS). This model lets you keep audio and transcripts within your controlled environment while maintaining secure vendor licensing. ([developers.deepgram.com](https://developers.deepgram.com/docs/self-hosted-deployment-environments?utm_source=openai))

Data Privacy Compliance

Deepgram indicates alignment with major privacy frameworks and attestations: SOC 2 (Type I and Type II), GDPR readiness, CCPA compliance, and PCI compliance, with documentation available under NDA. ([developers.deepgram.com](https://developers.deepgram.com/documentation/security/data-privacy/?utm_source=openai))

Data use is purpose-limited. By default, Deepgram processes your data to provide the service and adheres to your contract for retention. If you opt in to the Model Improvement Partnership Program, only contractually included data is stored for model improvement; otherwise, your data is not used for training. ([developers.deepgram.com](https://developers.deepgram.com/docs/the-deepgram-model-improvement-partnership-program?utm_source=openai))

Security Certifications and Audits

Deepgram has achieved SOC 2 Type I and SOC 2 Type II, demonstrating independently assessed security controls and operational effectiveness. Its SOC 2 Type II attestation is highlighted in both product documentation and a security update from the information security team. ([developers.deepgram.com](https://developers.deepgram.com/documentation/security/data-privacy/?utm_source=openai))


PHI Redaction Capabilities

Deepgram provides PHI Redaction as a single-parameter control in the API. Setting `redact=phi` redacts protected health information such as medical conditions, drugs, injuries, blood types, medical processes, and statistics. Redaction supports both pre‑recorded (batch) and real‑time (streaming) speech‑to‑text. ([developers.deepgram.com](https://developers.deepgram.com/docs/redaction?utm_source=openai))

Streaming redaction uses a two‑phase approach—initial placeholders followed by precise entity tags after segment finalization—so PHI stays masked without sacrificing transcript utility. Supported entity types are documented to help you validate coverage across your use case. ([developers.deepgram.com](https://developers.deepgram.com/docs/redaction?utm_source=openai))

Data Residency Considerations

You can keep workloads in the United States or run them fully within the European Union. Deepgram’s EU‑hosted API endpoint reached General Availability on January 10, 2026, providing full EU data residency for compliance‑driven use cases and lower latency for European users. ([deepgram.com](https://deepgram.com/learn/deepgram-eu-endpoint-now-generally-available?utm_source=openai))

If you need complete data locality, self‑hosted deployments keep audio and transcripts in your infrastructure; no audio or transcript content is sent to Deepgram, and only licensing telemetry leaves your environment. Your contract determines retention and deletion for any Customer Data Deepgram can access. ([developers.deepgram.com](https://developers.deepgram.com/on-prem/?utm_source=openai))

Deployment and Integration Options

Deepgram offers flexible integration paths: the hosted cloud API (US and EU endpoints), private deployments in your VPC, and fully self‑hosted containers orchestrated with Docker/Podman or Kubernetes. This flexibility lets you meet latency targets and compliance constraints without redesigning your application. ([developers.deepgram.com](https://developers.deepgram.com/docs/self-hosted-deployment-environments?utm_source=openai))

SDKs can point to your self‑hosted endpoint for both batch and streaming workloads, and your proxy handles TLS. Combine deployment choices with redaction parameters, access controls, and retention policies to satisfy the Security Rule while preserving developer velocity. ([developers.deepgram.com](https://developers.deepgram.com/docs/using-sdks-with-self-hosted?utm_source=openai))
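One way to make the combination above (approved endpoint, TLS, redaction parameter) enforceable in your own client rather than left to each developer: an added Python example that is not Deepgram's or Accountable's code. It builds batch and streaming `/v1/listen` URLs with `redact=phi` forced on and refuses any endpoint that is not HTTPS or not on an allowlist of approved hosts. The EU host name and the self‑hosted proxy host are assumptions; the `Authorization: Token` header and the repeated `redact` query parameter follow Deepgram's public API.

```python
"""Policy-gated builder for Deepgram /v1/listen requests (added example)."""
import json
import urllib.request
from urllib.parse import urlencode, urlsplit, urlunsplit

# Assumed allowlist: Deepgram's US API host, an assumed EU host name, and a
# placeholder host for a self-hosted deployment behind your own TLS proxy.
APPROVED_HOSTS = {"api.deepgram.com", "api.eu.deepgram.com", "stt.internal.example"}


def build_listen_url(base_url, extra_params=None, streaming=False):
    """Return the /v1/listen URL for base_url, enforcing three client-side
    safeguards: TLS only, approved host only, and redact=phi always present
    (merged with any other redact values the caller asked for)."""
    parts = urlsplit(base_url)
    if parts.scheme != "https":
        raise ValueError("refusing non-TLS endpoint: %s" % base_url)
    if parts.hostname not in APPROVED_HOSTS:
        raise ValueError("host not on the approved list: %s" % parts.hostname)
    params = dict(extra_params or {})
    wanted = params.get("redact", [])
    if isinstance(wanted, str):
        wanted = [wanted]
    params["redact"] = sorted(set(wanted) | {"phi"})   # phi cannot be dropped
    scheme = "wss" if streaming else "https"           # streaming uses WebSocket
    query = urlencode(params, doseq=True)              # one redact=... per value
    return urlunsplit((scheme, parts.netloc, "/v1/listen", query, ""))


def transcribe_file(api_key, base_url, audio_path, content_type="audio/wav"):
    """Batch transcription: POST the raw audio bytes to the gated URL and
    return Deepgram's JSON response. Needs network access and a real key."""
    url = build_listen_url(base_url, {"smart_format": "true"})
    with open(audio_path, "rb") as fh:
        body = fh.read()
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Authorization": "Token " + api_key, "Content-Type": content_type},
    )
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(build_listen_url("https://api.deepgram.com", {"redact": "pci"}))
    print(build_listen_url("https://stt.internal.example", streaming=True))
```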

Conclusion

Deepgram enables HIPAA‑compliant speech AI when you sign a Business Associate Agreement and configure safeguards appropriately. Strong data encryption, SOC 2 Type II attestation, PHI redaction, EU data residency, and self‑hosted/VPC options give you multiple paths to protect PHI while delivering accurate, low‑latency transcription and voice capabilities. ([developers.deepgram.com](https://developers.deepgram.com/documentation/security/data-privacy/?utm_source=openai))

FAQs

What makes Deepgram HIPAA compliant?

HIPAA compliance is achieved through a signed Business Associate Agreement plus technical and administrative controls: encryption in transit (e.g., TLS 1.3) and at rest (AES‑256), access controls (MFA/RBAC), PHI redaction, contractual retention/deletion, and deployment models that keep data in approved regions or entirely within your environment. ([developers.deepgram.com](https://developers.deepgram.com/documentation/security/data-privacy/?utm_source=openai))

How does Deepgram handle PHI protection?

PHI can be redacted automatically via `redact=phi` for both batch and streaming. Data is encrypted in transit/at rest, and data use is restricted to service delivery unless you explicitly opt in to model‑improvement storage. Self‑hosting keeps audio and transcripts on your infrastructure for maximum control. ([developers.deepgram.com](https://developers.deepgram.com/docs/redaction?utm_source=openai))

Does Deepgram provide BAAs to healthcare clients?

Yes. Deepgram is a Business Associate under HIPAA and will provide a Business Associate Agreement to qualified Covered Entities and partners upon request. ([developers.deepgram.com](https://developers.deepgram.com/documentation/security/data-privacy/?utm_source=openai))

What security certifications does Deepgram hold?

Deepgram has SOC 2 Type I and SOC 2 Type II attestations and indicates compliance with additional frameworks such as PCI, alongside GDPR readiness and CCPA compliance. Request current reports from Deepgram for audit evidence. ([developers.deepgram.com](https://developers.deepgram.com/documentation/security/data-privacy/?utm_source=openai))
