BookbagBookbag

HIPAA compliance (Zero Data Retention)

Bookbag is HIPAA-eligible on Enterprise. Once a Business Associate Agreement (BAA) is in place, the workspace owner enables Zero Data Retention (ZDR) to redact chat logs and leads, auto-end and purge conversations, restrict providers, and audit every unredacted view.

View as Markdown

Bookbag is HIPAA-eligible on Enterprise. A workspace becomes HIPAA compliant once a Business Associate Agreement (BAA) is in place between your organization and Bookbag; the workspace Owner then turns on Zero Data Retention (ZDR) under Settings → General. With ZDR on, Bookbag stops retaining the sensitive content that flows through your agents — redacting chat logs and leads, auto-ending and irreversibly purging conversations, and recording every privileged view in the audit log.

Enterprise only

HIPAA compliance and Zero Data Retention are Enterprise features and require an executed BAA. They are not available on Free, Hobby, Standard, or Pro.

Shared responsibility

HIPAA compliance is a shared-responsibility model. Bookbag secures the platform — the infrastructure, the BAA, and the ZDR controls described here. You are responsible for how you use it:

  • Don't upload PHI to data sources. ZDR protects conversation and lead content; it does not redact the knowledge you train an agent on. Keep protected health information out of data sources.
  • Manage your team's access. Control who can see unredacted content with roles — only Owners and Admins can use the privileged view, and only while a conversation is still ongoing.
  • Use the BAA-covered configuration. Stay within the allowed providers and keep ZDR enabled for the workspace handling PHI.

What Zero Data Retention does

When ZDR is on, Bookbag redacts and purges the data your agents touch:

  • Full-content redaction. The entire content of every message in chat logs — and the data captured in leads — is redacted. This is not field-level PII masking; the whole message body and lead payload are replaced with a redaction marker.
  • Auto-end on idle or age. Conversations automatically end once they've been idle for more than 24 hours or are older than 7 days, whichever comes first.
  • Irreversible purge on end. Ending a conversation permanently purges its unredacted message content and lead data. Only the redaction marker remains — the original content cannot be recovered.
  • Redacted exports. Chat-log exports (CSV/JSON) and the leads list and its export are redacted too, so PHI never leaves Bookbag through a download.

Viewing unredacted content (while ongoing)

While a conversation is still ongoing — before it auto-ends — its unredacted content is still stored, and a workspace Owner or Admin can view it using the "Show unredacted" toggle in Activity → Chat logs.

  • Owner/Admin only. Editors, Viewers, and Support Associates cannot reveal unredacted content.
  • Every view is audited. Each unredacted view is recorded in the audit log — who looked, and when.
  • Gone once the conversation ends. After a conversation auto-ends and its content is purged, the unredacted view is no longer available — there is nothing left to show.
Investigate before it ends

If you need to review the full content of a live conversation, do it while the conversation is still ongoing. Once it auto-ends (idle > 24h or age > 7 days), the unredacted content is purged for good.

Allowed model providers

A HIPAA workspace may only use LLMs from HIPAA-eligible providers that Bookbag covers under its BAA. In practice this means:

  • Only OpenAI and Anthropic LLMs may be used. Other model providers are blocked on a HIPAA workspace.
  • Speech-to-text for voice is likewise limited to HIPAA-eligible providers, and no voice recordings are retained.
info

If a model is set on an agent before ZDR is enabled and it isn't from an allowed provider, switch it to an OpenAI or Anthropic model — see Models & model choice.

Disabled on HIPAA workspaces

To keep PHI from accumulating, ZDR turns off features that would store end-user content beyond a live conversation:

FeatureOn a HIPAA workspace
Help DeskTurned off — the Help Desk inbox is disabled.
Knowledge-gaps analysisDisabled — Bookbag does not analyze conversations to surface knowledge gaps.
End-user attachmentsNot retained — files attached via the help form or inbound email are not stored.

Audit log

HIPAA-relevant events are recorded so you have an accountability trail. The audit log captures:

  • Enabling and disabling ZDR — who changed the setting and when.
  • Automatic conversation end — each time a conversation auto-ends (and its content is purged).
  • Unredacted views — every time an Owner or Admin reveals a live conversation's content with "Show unredacted".

How to enable ZDR

With a BAA in place, the workspace Owner enables Zero Data Retention:

  1. 1
    Open Settings → General
    Go to your workspace settings and find the "HIPAA compliance (Zero Data Retention)" card.
  2. 2
    Enable
    Click Enable. This is owner-only and requires Enterprise with an executed BAA.
  3. 3
    Move agents to allowed providers
    Make sure every agent uses an OpenAI or Anthropic model, since other providers are blocked once ZDR is on.
Redaction is irreversible

Once a conversation auto-ends (idle > 24h or older than 7 days), its unredacted message content and lead data are permanently purged — only the redaction marker remains. Review any conversation you need in full before it ends; the content cannot be recovered afterward.

Requesting a BAA

A Business Associate Agreement is required before a workspace can be HIPAA compliant. Contact Enterprise sales to put a BAA in place and enable HIPAA on your workspace.

What's next