
Compliance

HQ Baseline handles data that matters — student-athletes, their parents, their clinicians. We built the platform around three overlapping regulatory frameworks: HIPAA, FERPA, and SOC 2. Here is the honest state of each.

HIPAA

HQ is HIPAA-aligned. We sign Business Associate Agreements (BAAs) with covered entities — sports medicine clinics, hospital-affiliated athletic programs, and any other group where the data is protected health information (PHI). All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Access is role-based and every record access is audit-logged.

FERPA

When HQ is deployed by a school or district, student-athlete data is treated as an educational record and governed by FERPA. Data is accessible only to authorized school officials (athletic trainers, school nurses, administrators) with legitimate educational interest. Parent access is available for minor athletes.

SOC 2

HQ is pursuing SOC 2 Type II attestation. Control areas under active implementation include change management, access control, incident response, vendor management, and business continuity. The current status and projected report date are available on request under NDA.

Data we collect

Data we don’t collect

Subprocessors

A current list of subprocessors (cloud infrastructure, email delivery, analytics) is available on request. We notify customers before adding or removing subprocessors.

Data residency

Production data is stored in US-East AWS regions by default. Alternative regions are available to enterprise customers on request.

Data deletion

Customers can request export or deletion of all data at any time. Deletion is typically completed within 30 days of a verified request.