Vendor compliance profile
Klaviyo HIPAA, BAA, and marketing PHI notes
Klaviyo should not be assumed suitable for PHI or HIPAA-regulated marketing workflows from public documentation alone. Verify BAA availability, eligible plans, data fields, consent handling, SMS/email content, and integration scope directly with Klaviyo before any regulated use.
- HIPAA status signal: Unable to confirm
- BAA public signal: Unable to confirm
- SOC 2 evidence signal: Verify with vendor
PHI warning: Email/SMS marketing data can become PHI when it identifies a patient and relates to healthcare services.
HIPAA, BAA, and SOC 2 summary
| Topic | Summary |
|---|---|
| HIPAA | Public Klaviyo materials emphasize customer control of uploaded data, integrations, consent, and marketing compliance, but ComplySaaS did not confirm a public HIPAA-specific covered-services page. |
| BAA | Unable to confirm public BAA availability from Klaviyo's legal and help materials reviewed. Ask Klaviyo sales or legal for current HIPAA/BAA terms before using PHI. |
| SOC 2 | SOC 2 evidence should be requested from Klaviyo's trust or security process. Do not infer HIPAA readiness from privacy or anti-abuse materials. |
| Category | HIPAA-Compliant CRM and Marketing Tools |
What it may be used for
- General business workflows that do not include PHI.
- Healthcare-adjacent operations after BAA scope and configuration have been verified.
- Vendor risk review, procurement research, and compliance planning.
What not to use it for
- Storing diagnosis, treatment, patient notes, or identifiers without verified BAA coverage.
- Sending PHI through unsupported forms, messages, automations, or integrations.
- Replacing legal, compliance, security, or vendor contract review.
What to verify with the vendor
- Whether the vendor will sign a BAA for your exact product, plan, and use case.
- Which services, add-ons, regions, and support channels are covered by the agreement.
- Whether your intended workflow stores, transmits, or processes PHI.
- Which admin, access control, retention, audit log, and encryption settings must be enabled.
FAQ
Is Klaviyo HIPAA compliant?
Klaviyo should not be assumed suitable for PHI or HIPAA-regulated marketing workflows from public documentation alone. Verify BAA availability, eligible plans, data fields, consent handling, SMS/email content, and integration scope directly with Klaviyo before any regulated use.
Will Klaviyo sign a BAA?
Unable to confirm public BAA availability from Klaviyo's legal and help materials reviewed. Ask Klaviyo sales or legal for current HIPAA/BAA terms before using PHI.
Can Klaviyo be used with PHI?
Do not use this vendor with PHI until your organization verifies BAA scope, covered services, configuration, access controls, data retention, and connected integrations.
Last checked and source notes
- Last checked: 2026-04-30
- Confidence: Medium
- Dataset rows: 267 vendors
- ComplySaaS public vendor dataset entry.
- Vendor trust center, legal terms, BAA documentation, and covered services should be re-checked before use.
- Klaviyo legal terms and policies
- Klaviyo privacy FAQs
- Klaviyo integration data types