Vendor BAA Matrix
Which AI vendors will sign a BAA and under what terms. This matrix is re-verified quarterly.

| Vendor | BAA? | Plan required | Notes |
|---|---|---|---|
| OpenAI | Yes | Enterprise / API Zero Data Retention | API ZDR required for PHI use; Enterprise contracts include DPA. |
| Anthropic (via AWS Bedrock) | Yes | AWS Bedrock + AWS BAA | Work through Bedrock for enterprise-grade BAAs and controls. |
| Google (Gemini in Workspace) | Yes | Workspace Business+ w/ BAA | Gemini in Workspace covered under the Workspace BAA when enabled. |
| Microsoft (M365 Copilot) | Yes | M365 E3/E5 + Microsoft BAA | Copilot in M365 is covered when tenant has an active BAA and proper settings. |
| Notion AI | Limited | Enterprise + BAA | Only workspace-scoped data; check export/retention settings. |
| Perplexity | No | — | Consumer product; do not use with PHI. |

Audit checklist
When negotiating a BAA, confirm each of the following:

- Data retention
- Subprocessor list
- Access controls
- Encryption at rest and in transit
- Logging
- Incident notification SLA