# HIPAA compliance (Zero Data Retention)

> Bookbag is HIPAA-eligible on Enterprise. Once a Business Associate Agreement (BAA) is in place, the workspace owner enables Zero Data Retention (ZDR) to redact chat logs and leads, auto-end and purge conversations, restrict providers, and audit every unredacted view.

Bookbag is **HIPAA-eligible on Enterprise**. A workspace becomes HIPAA compliant once a **Business Associate Agreement (BAA)** is in place between your organization and Bookbag; the workspace **Owner** then turns on **Zero Data Retention (ZDR)** under **Settings → General**. With ZDR on, Bookbag stops retaining the sensitive content that flows through your agents — redacting chat logs and leads, auto-ending and irreversibly purging conversations, and recording every privileged view in the audit log.

> **ENTERPRISE ONLY:** HIPAA compliance and Zero Data Retention are **Enterprise** features and require an executed BAA. They are not available on Free, Hobby, Standard, or Pro.

## Shared responsibility

HIPAA compliance is a **shared-responsibility model**. Bookbag secures the platform — the infrastructure, the BAA, and the ZDR controls described here. **You** are responsible for how you use it:

- **Don't upload PHI to data sources.** ZDR protects conversation and lead content; it does not redact the knowledge you train an agent on. Keep protected health information out of [data sources](/docs/agents/data-sources).
- **Manage your team's access.** Control who can see unredacted content with [roles](/docs/workspace/members) — only Owners and Admins can use the privileged view, and only while a conversation is still ongoing.
- **Use the BAA-covered configuration.** Stay within the allowed providers and keep ZDR enabled for the workspace handling PHI.

## What Zero Data Retention does

When ZDR is **on**, Bookbag redacts and purges the data your agents touch:

- **Full-content redaction.** The **entire content** of every message in chat logs — and the data captured in [leads](/docs/skills/collect-leads) — is redacted. This is not field-level PII masking; the whole message body and lead payload are replaced with a redaction marker.
- **Auto-end on idle or age.** Conversations automatically **end** once they've been idle for more than **24 hours** or are older than **7 days**, whichever comes first.
- **Irreversible purge on end.** Ending a conversation **permanently purges** its unredacted message content and lead data. Only the redaction marker remains — the original content cannot be recovered.
- **Redacted exports.** Chat-log exports (CSV/JSON) and the leads list and its export are redacted too, so PHI never leaves Bookbag through a download.

## Viewing unredacted content (while ongoing)

While a conversation is still **ongoing** — before it auto-ends — its unredacted content is still stored, and a workspace **Owner** or **Admin** can view it using the **"Show unredacted"** toggle in **Activity → Chat logs**.

- **Owner/Admin only.** Editors, Viewers, and Support Associates cannot reveal unredacted content.
- **Every view is audited.** Each unredacted view is recorded in the [audit log](/docs/audit/overview) — who looked, and when.
- **Gone once the conversation ends.** After a conversation auto-ends and its content is purged, the unredacted view is no longer available — there is nothing left to show.

> **INVESTIGATE BEFORE IT ENDS:** If you need to review the full content of a live conversation, do it while the conversation is still ongoing. Once it auto-ends (idle > 24h or age > 7 days), the unredacted content is purged for good.

## Allowed model providers

A HIPAA workspace may only use LLMs from **HIPAA-eligible providers** that Bookbag covers under its BAA. In practice this means:

- Only **OpenAI** and **Anthropic** LLMs may be used. Other model providers are **blocked** on a HIPAA workspace.
- Speech-to-text for voice is likewise limited to HIPAA-eligible providers, and **no voice recordings are retained**.

> **INFO:** If a model is set on an agent before ZDR is enabled and it isn't from an allowed provider, switch it to an OpenAI or Anthropic model — see [Models & model choice](/docs/agents/models).

## Disabled on HIPAA workspaces

To keep PHI from accumulating, ZDR turns off features that would store end-user content beyond a live conversation:

| Feature | On a HIPAA workspace |
| --- | --- |
| Help Desk | Turned off — the [Help Desk](/docs/help-desk/overview) inbox is disabled. |
| Knowledge-gaps analysis | Disabled — Bookbag does not analyze conversations to surface knowledge gaps. |
| End-user attachments | Not retained — files attached via the help form or inbound email are not stored. |

## Audit log

HIPAA-relevant events are recorded so you have an accountability trail. The [audit log](/docs/audit/overview) captures:

- **Enabling and disabling ZDR** — who changed the setting and when.
- **Automatic conversation end** — each time a conversation auto-ends (and its content is purged).
- **Unredacted views** — every time an Owner or Admin reveals a live conversation's content with "Show unredacted".

## How to enable ZDR

With a BAA in place, the workspace **Owner** enables Zero Data Retention:

1. **Open Settings → General** — Go to your workspace settings and find the "HIPAA compliance (Zero Data Retention)" card.
2. **Enable** — Click Enable. This is owner-only and requires Enterprise with an executed BAA.
3. **Move agents to allowed providers** — Make sure every agent uses an OpenAI or Anthropic model, since other providers are blocked once ZDR is on.

> **REDACTION IS IRREVERSIBLE:** Once a conversation auto-ends (idle > 24h or older than 7 days), its unredacted message content and lead data are **permanently purged** — only the redaction marker remains. Review any conversation you need in full **before** it ends; the content cannot be recovered afterward.

## Requesting a BAA

A Business Associate Agreement is required before a workspace can be HIPAA compliant. **Contact Enterprise sales** to put a BAA in place and enable HIPAA on your workspace.

## What's next

- [Members & roles](/docs/workspace/members) — Control who can view unredacted content on a HIPAA workspace.
- [Activity & chat logs](/docs/agents/activity) — Where the "Show unredacted" toggle lives.
- [Plans & billing](/docs/workspace/billing) — HIPAA and ZDR are Enterprise features — talk to sales.
