Freshworks' Commitment to HIPAA Compliance


As a SaaS provider, Freshworks offers several products. Customers may use some of these products to process electronic Protected Health Information (ePHI) in the normal course of their business operations. Where a customer is categorized under the Health Insurance Portability and Accountability Act (HIPAA) of 1996 as either a Covered Entity or a Business Associate, Freshworks can support that customer's HIPAA compliance by mutually executing a Business Associate Agreement (BAA).


The scope of the BAA is limited to Freshdesk, Freshchat, Freshcaller, and Freshdesk Omnichannel, the products offered in the Freshworks Freshdesk suite. Processing ePHI in any of our other products is not recommended and is not covered by our BAA. This document sets out the specifications, categorized as Mandatory or Recommended, that Customers (whether Covered Entity or Business Associate) must adhere to while using Freshdesk to process ePHI. The validity of our BAA is conditional on the Customer's continued adherence to the mandatory specifications in this document. Further, Freshworks is not liable for Customers' use of their custom mailbox and/or any Apps (as defined in the Customer's agreement with Freshworks). We encourage Customers to configure these independently for their continued compliance with HIPAA.


Mandatory Configuration Specifications


  1. IP Whitelisting: Whitelist specific IP addresses so that your support portal can be accessed only from sources you have authorized.
  2. Identification and Authentication
    • Enable SAML SSO so that users access the support portal through your identity provider with a single set of credentials, or validate users logging into the portal using a locally hosted script. Security Assertion Markup Language (SAML) is a standard for communicating authenticated identities between an identity provider and a web application (the service provider). It enables web-based single sign-on, so users need not maintain separate credentials for each application, which reduces the credential sprawl that enables account takeover.
      (or)
    • Configure the Advanced Password Policy, which lets you set password length, complexity, expiry and repetition (history) rules. Additionally, enable two-factor authentication where required.
  3. Custom Mailbox: Configure your own mail server as a custom mailbox in Freshdesk so that you retain control of incoming and outgoing email. Mail transport then runs through servers you manage rather than Freshworks' shared mail infrastructure, and is administered entirely at your end.
  4. SSL: Freshdesk provides a wildcard SSL/TLS certificate for every support portal on a freshdesk.com domain. It applies as long as you keep the default Freshdesk URL you signed up with (for example, yourcompany.freshdesk.com). The default certificate does not cover a custom domain linked to your support portal (for example, support.yourcompany.com); in that case, request a certificate from your account while setting up the custom domain. Customers who require HIPAA compliance must have SSL enabled so that portal traffic, including any ePHI, is never served over plain HTTP.
  5. Freshconnect: The Freshconnect feature in Freshdesk must remain disabled for all HIPAA-enabled accounts.


Recommended Configuration Specifications

  1. Data Encryption: Freshdesk lets you add encrypted single-line custom fields to your forms wherever a custom field can be added; there is no cap on the number of encrypted fields. Default fields cannot be encrypted, so any PHI must be stored in a custom encrypted field to remain HIPAA compliant. If a customer stores PHI in a non-encrypted field, Freshdesk cannot be held responsible for it.
  2. Data Sanitization: The Data Masking app is available to mask credit card and SSN information in patient conversations.
  3. Secure Data Migration: Migrate data securely and ensure that no copy of it remains in Freshworks' storage beyond what your data retention policy permits. Contact our support for details on how the migration works. For information on the information security practices followed at Freshworks, refer to Freshworks' information security documentation.
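As an added illustration of the kind of masking the Data Sanitization recommendation asks for, the following Python snippet is example code written for this page, not the Data Masking app's own logic. It assumes a simple policy of keeping only the last four digits, uses a Luhn mod-10 check so that ticket or reference numbers that merely look like card numbers are left alone, and runs over a constructed sample conversation that contains no real PHI.

```python
import re

# Constructed sample conversation for demonstration only; contains no real PHI.
SAMPLE_CONVERSATION = (
    "Patient wrote: please update my card to 4111 1111 1111 1111.\n"
    "My SSN is 123-45-6789. The old card was 1234567812345678.\n"
    "Agent: noted, see ticket #2024-11-0001 opened on 2023-01-15."
)

# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in AAA-GG-SSSS form; rejects area 000, 666 and 9xx, group 00, serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_cards(text: str) -> str:
    """Mask Luhn-valid card numbers, keeping only the last four digits."""
    def repl(m):
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        # Skip strings that merely look like card numbers (e.g. reference IDs).
        if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
            return raw
        return "X" * (len(digits) - 4) + digits[-4:]
    return CARD_RE.sub(repl, text)


def mask_ssns(text: str) -> str:
    """Mask SSNs, keeping only the last four digits."""
    return SSN_RE.sub(lambda m: "XXX-XX-" + m.group(0)[-4:], text)


def mask_phi(text: str) -> str:
    """Mask card numbers first, then SSNs, so neither pattern sees the other's output."""
    return mask_ssns(mask_cards(text))


if __name__ == "__main__":
    print(mask_phi(SAMPLE_CONVERSATION))
```

In the sample, the Luhn-valid card and the SSN are masked while the 16-digit string that fails the checksum, the ticket number and the date are left intact; whether to mask checksum-failing strings anyway is a policy decision that trades false positives against missed PHI.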


For more information or questions, please contact [email protected].