Vendor compliance profile

Is Freshdesk HIPAA compliant?

Freshdesk may support some HIPAA-regulated ticketing workflows only when Freshworks and the customer execute a BAA for the specified Freshdesk suite products and the customer maintains required configuration. Custom mailboxes, apps, unencrypted fields, notifications, AI, integrations, and products outside the stated scope require separate review.

Visit vendor site

Direct compliance answer

Freshdesk HIPAA, BAA, PHI, and SOC 2 snapshot

Last checked: 2026-07-16 | Confidence: Medium

Direct answerFreshdesk may support some HIPAA-regulated ticketing workflows only when Freshworks and the customer execute a BAA for the specified Freshdesk suite products and the customer maintains required configuration. Custom mailboxes, apps, unencrypted fields, notifications, AI, integrations, and products outside the stated scope require separate review.
BAA availabilityFreshworks says BAA scope is limited to specified Freshdesk suite products. Confirm the current product names, plan, agreement, required configuration, exclusions, custom mailbox behavior, apps, and downstream services directly with Freshworks.
Can it handle PHI?Ticket subjects, email bodies, default fields, attachments, custom mailboxes, notifications, reports, exports, apps, AI features, and integrations can expose ePHI outside the configured or covered Freshdesk workflow.
SOC 2 caveatFreshworks publishes security and compliance materials. Request the current SOC report and verify whether the specific Freshdesk products, regions, support paths, and subprocessors used by the workflow are in scope.
What to verifyThe current Freshworks BAA, covered Freshdesk suite products, eligible plan, region, support path, and mandatory configuration specifications. Identity controls, IP restrictions, SSO, field encryption, attachments, mailboxes, notifications, retention, exports, mobile access, and audit evidence.

HIPAA status signal

Conditional

BAA public signal

BAA for specified products

SOC 2 evidence signal

Public evidence

PHI warning: Ticket subjects, email bodies, default fields, attachments, custom mailboxes, notifications, reports, exports, apps, AI features, and integrations can expose ePHI outside the configured or covered Freshdesk workflow.

Search query answers

Is Freshdesk HIPAA compliant?

Freshworks publishes a conditional HIPAA path for specified Freshdesk suite products under a mutually executed BAA and mandatory configuration. Verify the current covered products, plan, encrypted fields, identity controls, mailboxes, apps, AI, notifications, exports, and integrations before tickets contain ePHI.

Does Freshdesk offer a BAA?

Freshworks says it may execute a BAA for specified products in the Freshdesk suite. Buyers should confirm the current agreement, eligible products and plan, mandatory configuration, exclusions, and whether every connected service is covered.

Can Freshdesk tickets contain ePHI?

Only after BAA scope and required configuration are verified. Freshworks' guide calls for controls such as identity restrictions and appropriate use of encrypted custom fields, while custom mailboxes, apps, other products, exports, and integrations remain customer responsibilities.

HIPAA, BAA, and SOC 2 summary

HIPAAFreshworks publishes a HIPAA Configuration Guide describing conditional support for ePHI in specified Freshdesk suite products under a BAA and customer configuration requirements.
BAAFreshworks says BAA scope is limited to specified Freshdesk suite products. Confirm the current product names, plan, agreement, required configuration, exclusions, custom mailbox behavior, apps, and downstream services directly with Freshworks.
SOC 2Freshworks publishes security and compliance materials. Request the current SOC report and verify whether the specific Freshdesk products, regions, support paths, and subprocessors used by the workflow are in scope.
PHI riskTicket subjects, email bodies, default fields, attachments, custom mailboxes, notifications, reports, exports, apps, AI features, and integrations can expose ePHI outside the configured or covered Freshdesk workflow.
CategoryHIPAA-Compliant Help Desk and Ticketing Systems
Last checked2026-07-16
ConfidenceMedium

Public evidence and open questions

What public sources say

  • Freshworks says it may execute a BAA for specified Freshdesk suite products.
  • Freshworks publishes mandatory and recommended configuration specifications for customers processing ePHI.
  • Freshworks identifies custom mailboxes, apps, non-covered products, and customer configuration as important boundaries.

What remains unconfirmed

  • Whether the buyer's exact Freshdesk product, edition, region, AI functionality, support path, custom mailbox, and apps are covered by current BAA terms.
  • Whether ticket text, attachments, notifications, reports, exports, integrations, mobile access, and support cases remain inside the governed workflow.

What it may be used for

  • Healthcare support ticketing after Freshworks confirms the BAA, covered products, plan, required configuration, and data flow.
  • Restricted service desk workflows using governed identities, fields, attachments, notifications, and integrations.
  • Non-PHI support workflows where diagnosis, treatment, patient status, and identifiers are excluded.

What not to use it for

  • Processing ePHI before the BAA and mandatory Freshworks configuration requirements are completed.
  • Placing PHI in unreviewed default fields, custom mailboxes, apps, notifications, exports, or products outside stated BAA scope.
  • Assuming every Freshworks product or Marketplace integration is covered because Freshdesk has a HIPAA configuration guide.

What to verify with the vendor

  • The current Freshworks BAA, covered Freshdesk suite products, eligible plan, region, support path, and mandatory configuration specifications.
  • Identity controls, IP restrictions, SSO, field encryption, attachments, mailboxes, notifications, retention, exports, mobile access, and audit evidence.
  • Whether Freddy AI, apps, APIs, integrations, analytics, custom mail servers, and connected communication channels are covered or excluded.
  • Whether staff can keep PHI out of subjects, previews, unsupported fields, screenshots, support cases, and downstream tools.

Safer alternatives and related profiles

Safer alternatives to consider

  • Zendesk only after Advanced Compliance, Healthcare Agreement, covered services, and security configuration are verified.
  • Help Scout Pro after its BAA, HIPAA activation, AI addendum, notifications, and integrations are verified.
  • A healthcare-specific support platform when the required email, messaging, attachment, AI, and integration workflow is not covered.

FAQ

Is Freshdesk HIPAA compliant?

Freshworks publishes a conditional HIPAA path for specified Freshdesk suite products under a mutually executed BAA and mandatory configuration. Verify the current covered products, plan, encrypted fields, identity controls, mailboxes, apps, AI, notifications, exports, and integrations before tickets contain ePHI.

Does Freshdesk offer a BAA?

Freshworks says it may execute a BAA for specified products in the Freshdesk suite. Buyers should confirm the current agreement, eligible products and plan, mandatory configuration, exclusions, and whether every connected service is covered.

Can Freshdesk tickets contain ePHI?

Only after BAA scope and required configuration are verified. Freshworks' guide calls for controls such as identity restrictions and appropriate use of encrypted custom fields, while custom mailboxes, apps, other products, exports, and integrations remain customer responsibilities.

Will Freshdesk sign a BAA?

Freshworks says BAA scope is limited to specified Freshdesk suite products. Confirm the current product names, plan, agreement, required configuration, exclusions, custom mailbox behavior, apps, and downstream services directly with Freshworks.

Can Freshdesk be used with PHI?

Do not use this vendor with PHI until your organization verifies BAA scope, covered services, configuration, access controls, data retention, and connected integrations.

Does SOC 2 mean Freshdesk is HIPAA compliant?

No. SOC 2 evidence can support security diligence, but it does not prove HIPAA compliance, confirm BAA coverage, or approve PHI use. Review HIPAA terms, BAA scope, covered services, configuration, and intended workflow separately.

What should buyers verify before using Freshdesk with PHI?

The current Freshworks BAA, covered Freshdesk suite products, eligible plan, region, support path, and mandatory configuration specifications. Identity controls, IP restrictions, SSO, field encryption, attachments, mailboxes, notifications, retention, exports, mobile access, and audit evidence. Whether Freddy AI, apps, APIs, integrations, analytics, custom mail servers, and connected communication channels are covered or excluded. Whether staff can keep PHI out of subjects, previews, unsupported fields, screenshots, support cases, and downstream tools.

Last checked and source notes

Last checked
2026-07-16
Confidence
Medium
Dataset rows
271 vendors
  • Reviewed Freshworks' Freshdesk HIPAA Configuration Guide and public contractual materials on 2026-07-16.
  • The public configuration guide should be re-checked with Freshworks for current product naming, plan, AI, app, and BAA scope.
  • ComplySaaS did not verify a private Freshworks agreement, account configuration, or customer-specific BAA.
  • Freshdesk HIPAA Configuration Guide
  • Freshworks security and compliance