Is VictorOps HIPAA Compliant? Splunk On-Call Compliance Explained (2026)



Kevin Henry

HIPAA

March 10, 2026

6 minute read

Splunk On-Call Overview

Splunk On-Call (formerly VictorOps) is Splunk’s SaaS for on-call scheduling, incident alerting, and real-time collaboration across DevOps and SRE teams. It centralizes alert routing, escalations, and notifications so you can acknowledge, swarm, and resolve production incidents faster. ([splunk.com](https://www.splunk.com/en_us/products/on-call.html?utm_source=openai))

While it integrates tightly with observability and monitoring stacks, Splunk On-Call is a distinct service within Splunk’s portfolio and should be evaluated on its own security and compliance posture—especially when healthcare data is in scope. ([splunk.com](https://www.splunk.com/en_us/legal/splunk-specific-terms.html))

HIPAA Compliance Requirements

To process or store protected health information (PHI), a cloud service must meet the HIPAA Security Rule’s administrative, technical, and physical safeguards and support HITECH Breach Notification Requirements. In practice, that also means executing a Business Associate Agreement (BAA) that contractually binds the vendor to HIPAA obligations. Splunk notes that its HIPAA program is available for designated offerings and is governed through its BAA process. ([help.splunk.com](https://help.splunk.com/en/splunk-cloud-platform/get-started/service-terms-and-policies/9.2.2406/information-about-the-service/splunk-cloud-platform-service-details?utm_source=openai))

Splunk Cloud Platform offers a Premium HIPAA environment that is documented as compliant with the HIPAA Security Rule and HITECH requirements, illustrating what “HIPAA-eligible” looks like within the Splunk ecosystem. ([help.splunk.com](https://help.splunk.com/en/splunk-cloud-platform/get-started/service-terms-and-policies/9.2.2406/information-about-the-service/splunk-cloud-platform-service-details?utm_source=openai))

Splunk On-Call Security Measures

Splunk On-Call implements defense-in-depth controls aligned to industry practices. Customer data is encrypted in transit with TLS 1.2+ and encrypted at rest with AES‑256. The service runs in top-tier cloud facilities with strong data center protections, and Splunk enforces least-privilege employee access with periodic reviews. ([splunk.com](https://www.splunk.com/en_us/customer-success/on-call-security-faq.html))

Operationally, Splunk cites secure SDLC practices (SAST/DAST), regular third‑party penetration tests, network-layer protections (WAF/DDoS, ACLs, firewalls), and daily offsite backups with restore testing. Its incident response framework includes customer notification and assistance obligations following a data breach. ([splunk.com](https://www.splunk.com/en_us/customer-success/on-call-security-faq.html))


Third-Party Audit Status

As of January 2026, Splunk’s own legal terms state that Splunk On-Call “has not yet undergone a security audit by an independent third party and therefore does not have SOC 2 or ISO 27001 certification.” ([splunk.com](https://www.splunk.com/en_us/legal/splunk-specific-terms.html))

By contrast, Splunk Cloud Platform maintains SOC 2 Type II and ISO 27001 for its managed service, including its HIPAA environment—useful context when selecting a Splunk service for PHI workloads. ([help.splunk.com](https://help.splunk.com/en/splunk-cloud-platform/get-started/service-terms-and-policies/9.2.2406/information-about-the-service/splunk-cloud-platform-service-details?utm_source=openai))

Alternative Splunk HIPAA Solutions

For regulated PHI, Splunk directs customers to offerings that are explicitly HIPAA‑eligible and covered by its BAA:

  • Splunk Cloud Platform (Premium HIPAA environment): Designed to meet the HIPAA Security Rule and HITECH Breach Notification Requirements; requires contracting for the HIPAA environment and following service-specific controls (for example, IP allow lists). ([help.splunk.com](https://help.splunk.com/en/splunk-cloud-platform/get-started/service-terms-and-policies/9.2.2406/information-about-the-service/splunk-cloud-platform-service-details?utm_source=openai))
  • Splunk Observability Cloud: Splunk’s Specific Terms state that the Splunk BAA applies to Splunk Observability Cloud (confirm scope in your Order Form and with Splunk, as eligibility is contract-dependent). ([splunk.com](https://www.splunk.com/en_us/legal/splunk-specific-terms.html))

Important: Splunk’s BAA coverage explicitly references Splunk Cloud Platform’s Premium HIPAA environment and Splunk Observability Cloud—not Splunk On-Call—so you should treat On-Call as non‑HIPAA‑eligible unless and until Splunk changes its terms and you have a signed BAA that lists it. (This conclusion is based on Splunk’s published legal terms.) ([splunk.com](https://www.splunk.com/en_us/legal/splunk-specific-terms.html))

Compliance Risk Considerations

  • Absence of third‑party audits: Without SOC 2 or ISO 27001 certification for Splunk On-Call, you may face vendor‑risk and due‑diligence gaps for PHI use cases. ([splunk.com](https://www.splunk.com/en_us/legal/splunk-specific-terms.html))
  • BAA scope: Splunk’s BAA applies to specific services (for example, Splunk Cloud Platform HIPAA environment and Splunk Observability Cloud). Using a service outside that scope can leave you without contractual HIPAA protections. ([splunk.com](https://www.splunk.com/en_us/legal/splunk-specific-terms.html))
  • Data minimization: Alert payloads can inadvertently contain identifiers or clinical details; sending such PHI to a non‑HIPAA‑eligible paging tool heightens breach exposure and HITECH notification risk. ([help.splunk.com](https://help.splunk.com/en/splunk-cloud-platform/get-started/service-terms-and-policies/9.2.2406/information-about-the-service/splunk-cloud-platform-service-details?utm_source=openai))
  • Operational controls: Even in HIPAA‑eligible services, customers must implement administrative safeguards (policies, training), technical safeguards (RBAC, MFA, encryption, IP allow lists), and physical safeguards to satisfy shared‑responsibility obligations. ([help.splunk.com](https://help.splunk.com/en/splunk-cloud-platform/get-started/service-terms-and-policies/9.2.2406/information-about-the-service/splunk-cloud-platform-service-details?utm_source=openai))

Customer Recommendations

  • Decide if PHI must appear in alerts. If yes, route PHI to Splunk Cloud Platform’s Premium HIPAA environment (and/or eligible Observability Cloud components) under a signed BAA; keep Splunk On-Call free of PHI. ([help.splunk.com](https://help.splunk.com/en/splunk-cloud-platform/get-started/service-terms-and-policies/9.2.2406/information-about-the-service/splunk-cloud-platform-service-details?utm_source=openai))
  • Execute Splunk’s BAA and verify your Order lists the HIPAA environment or eligible services you plan to use. ([splunk.com](https://www.splunk.com/en_us/legal/splunk-baa.html))
  • Configure “minimum necessary” alert content. Use tokens or IDs in Splunk On-Call messages; keep clinical details in HIPAA‑eligible data stores and dashboards. Splunk notes you control what data is sent into On-Call. ([splunk.com](https://www.splunk.com/en_us/customer-success/on-call-security-faq.html))
  • Harden access. Enforce SSO/MFA, least privilege, and periodic access reviews; for the HIPAA environment, maintain IP allow lists as required. ([help.splunk.com](https://help.splunk.com/en/splunk-cloud-platform/get-started/service-terms-and-policies/9.2.2406/information-about-the-service/splunk-cloud-platform-service-details?utm_source=openai))
  • Validate vendor controls. Review the Splunk On-Call Security Exhibit and your organization’s vendor‑risk register; document compensating controls when using On-Call without PHI. ([splunk.com](https://www.splunk.com/en_us/legal/splunk-on-call-security-exhibit.html))
  • Test breach response. Map incident and breach playbooks to HITECH timelines; Splunk services include customer notification and assistance, but you must operationalize those steps. ([splunk.com](https://www.splunk.com/en_us/legal/splunk-on-call-security-exhibit.html))

Bottom line: As of early 2026, Splunk On-Call (VictorOps) is not positioned by Splunk as a HIPAA‑eligible service. Use it for operational alerting without PHI, and direct regulated data to Splunk Cloud Platform’s Premium HIPAA environment or eligible Observability Cloud components under a signed BAA. ([splunk.com](https://www.splunk.com/en_us/legal/splunk-specific-terms.html))

FAQs

Is VictorOps covered under HIPAA regulations?

HIPAA applies to covered entities and their business associates under a signed BAA. Splunk’s BAA currently applies to Splunk Cloud Platform’s Premium HIPAA environment and Splunk Observability Cloud. Splunk On-Call is not listed in that scope; combined with the absence of third‑party audits, you should treat On-Call as non‑HIPAA‑eligible and avoid sending PHI through it unless Splunk updates its terms and you execute a BAA that names it. ([splunk.com](https://www.splunk.com/en_us/legal/splunk-specific-terms.html))

Does Splunk On-Call have SOC 2 or ISO 27001 certification?

No. Splunk’s Specific Terms (last updated January 2026) state that Splunk On-Call has not yet undergone an independent third‑party security audit and therefore does not have SOC 2 or ISO 27001 certification. ([splunk.com](https://www.splunk.com/en_us/legal/splunk-specific-terms.html))

What Splunk products are HIPAA compliant?

Splunk Cloud Platform’s Premium HIPAA environment is documented as compliant with the HIPAA Security Rule and HITECH Breach Notification Requirements and is supported by Splunk’s BAA. Splunk’s BAA terms also reference coverage for Splunk Observability Cloud (confirm service scope in your Order). Splunk On-Call is not listed as HIPAA‑eligible. ([help.splunk.com](https://help.splunk.com/en/splunk-cloud-platform/get-started/service-terms-and-policies/9.2.2406/information-about-the-service/splunk-cloud-platform-service-details?utm_source=openai))

How can customers ensure compliance when using Splunk On-Call?

Keep PHI out of Splunk On-Call by redacting or tokenizing alert payloads; store detailed patient data only in HIPAA‑eligible Splunk services under a signed BAA. Enforce administrative, technical, and physical safeguards (for example, SSO/MFA, least privilege, and IP allow lists where applicable) and maintain breach‑response procedures aligned to HITECH. Splunk confirms you control what data flows into On-Call. ([splunk.com](https://www.splunk.com/en_us/customer-success/on-call-security-faq.html))
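The "minimum necessary" recommendation above and this FAQ answer both come down to the same engineering step: scrub or tokenize the alert payload before it leaves the HIPAA-eligible boundary, and refuse to forward anything that still carries PHI. The following is an added illustration written for this article, not code from Splunk or from the Splunk On-Call product; it assumes a hypothetical alert schema (the `PHI_KEYS` set and the constructed `SAMPLE_ALERT`), uses HMAC-derived reference tokens whose lookup table is meant to stay in the HIPAA-eligible data store, and uses a small set of regular expressions for identifiers that commonly leak into free-text messages. The regexes are illustrative; structured PHI fields are the reliable control, and free-text matching only catches patterned values.

```python
import hashlib
import hmac
import json
import re

# Constructed sample alert from a hypothetical clinical application. It mixes
# operational fields with identifiers that are PHI under HIPAA.
SAMPLE_ALERT = {
    "service": "lab-results-api",
    "severity": "critical",
    "message": "Result upload failed for Jane Doe (MRN 00123456), DOB 1980-04-02",
    "patient": {"name": "Jane Doe", "mrn": "00123456", "dob": "1980-04-02"},
    "error": "HTTP 500 from downstream",
}

# Assumed schema: these keys always hold PHI in this hypothetical application.
PHI_KEYS = {"patient", "name", "mrn", "dob", "ssn", "diagnosis"}

# Patterned identifiers that tend to leak into free text (illustrative only).
PHI_PATTERNS = [
    (re.compile(r"\bMRN\s*\d{6,}\b", re.IGNORECASE), "MRN"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "SSN"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "DATE"),
]


def reference_token(secret: bytes, value: str) -> str:
    """Opaque, stable reference for a PHI value; resolvable only via the lookup table."""
    digest = hmac.new(secret, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"ref:{digest[:16]}"


def _strings(node, out):
    """Collect every string nested under a value."""
    if isinstance(node, str):
        out.add(node)
    elif isinstance(node, dict):
        for v in node.values():
            _strings(v, out)
    elif isinstance(node, list):
        for v in node:
            _strings(v, out)


def collect_phi(node, found):
    """Gather every string stored under a PHI key anywhere in the payload."""
    if isinstance(node, dict):
        for key, value in node.items():
            (_strings if key in PHI_KEYS else collect_phi)(value, found)
    elif isinstance(node, list):
        for item in node:
            collect_phi(item, found)


def scrub_text(text, phi_values, secret, lookup):
    """Replace known PHI values (longest first), then patterned identifiers."""
    for value in sorted(phi_values, key=len, reverse=True):
        if value and value in text:
            token = reference_token(secret, value)
            lookup[token] = value
            text = text.replace(value, token)
    for pattern, label in PHI_PATTERNS:
        def repl(match, label=label):
            token = reference_token(secret, match.group(0))
            lookup[token] = match.group(0)
            return f"{label}:{token}"
        text = pattern.sub(repl, text)
    return text


def scrub_alert(alert, secret):
    """Return (outbound_alert, lookup); the lookup stays in the HIPAA-eligible store."""
    phi_values = set()
    collect_phi(alert, phi_values)
    lookup = {}

    def walk(node):
        if isinstance(node, dict):
            out = {}
            for key, value in node.items():
                if key in PHI_KEYS:
                    token = reference_token(secret, json.dumps(value, sort_keys=True))
                    lookup[token] = value
                    out[key + "_ref"] = token  # whole PHI object becomes one reference
                else:
                    out[key] = walk(value)
            return out
        if isinstance(node, list):
            return [walk(v) for v in node]
        if isinstance(node, str):
            return scrub_text(node, phi_values, secret, lookup)
        return node

    return walk(alert), lookup


def contains_phi(alert):
    """Pre-send gate: True if a PHI key or a patterned identifier survives."""
    found = set()
    collect_phi(alert, found)
    if found:
        return True
    return any(p.search(json.dumps(alert)) for p, _ in PHI_PATTERNS)


def prepare_for_on_call(alert, secret):
    """Scrub, then refuse to forward anything that still trips the PHI gate."""
    outbound, lookup = scrub_alert(alert, secret)
    if contains_phi(outbound):
        raise ValueError("PHI detected after scrubbing; alert withheld")
    return outbound, lookup
```

The on-call engineer receives the service name, severity, error and a `ref:` token; resolving that token back to the patient record happens inside the HIPAA-eligible system, which is where the `lookup` mapping must be persisted. The secret used for the HMAC should be treated like any other key material, since anyone holding it can confirm whether a guessed value matches a token.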
