Vendor compliance profile
Is SendGrid HIPAA compliant?
Twilio SendGrid should not be used to send or process PHI. SendGrid's own documentation says it is not a HIPAA Eligible Service, does not natively support HIPAA-compliant transmission, and Twilio is not able to sign BAAs for SendGrid.
HIPAA status signal
Not HIPAA eligible
BAA public signal
Not available for SendGrid
SOC 2 evidence signal
Public evidence
PHI warning: Transactional emails, marketing campaigns, templates, substitution data, contact fields, event logs, click tracking, and support tickets can all contain PHI.
HIPAA, BAA, and SOC 2 summary
| Item | Status |
|---|---|
| HIPAA | Twilio's SendGrid documentation states that SendGrid is not a HIPAA Eligible Service and should not be used for any purpose involving PHI. |
| BAA | Twilio states it is not able to sign Business Associate Agreements for SendGrid. Use a different email service for PHI workflows. |
| SOC 2 | SendGrid security materials reference SOC 2 Type II controls, but a SOC 2 report attests to the vendor's own controls; it does not make SendGrid suitable for HIPAA PHI transmission. |
| Category | HIPAA-Compliant Email and Messaging Software (the review category for this profile; SendGrid does not meet it) |
What it may be used for
- General business workflows that do not include PHI.
- Healthcare-adjacent operations only where the workflow has been verified to contain no PHI, since no BAA is available for SendGrid.
- Vendor risk review, procurement research, and compliance planning.
What not to use it for
- Sending appointment, lab, treatment, billing, or prescription details through SendGrid.
- Embedding PHI in templates, dynamic variables, contact lists, event webhooks, or tracking metadata.
- Relying on custom message-body encryption to make SendGrid a HIPAA Eligible Service; recipient addresses, subject lines, and event logs remain visible to the service even when the body is encrypted.
What to verify with the vendor
- Whether the vendor will sign a BAA for your exact product, plan, and use case. Twilio currently states it cannot for SendGrid; confirm that this position is unchanged before relying on any other answer.
- Which services, add-ons, regions, and support channels are covered by the agreement.
- Whether your intended workflow stores, transmits, or processes PHI.
- Which admin, access control, retention, audit log, and encryption settings must be enabled.
Safer alternatives and related profiles
FAQ
Is SendGrid HIPAA compliant?
Twilio SendGrid should not be used to send or process PHI. SendGrid's own documentation says it is not a HIPAA Eligible Service, does not natively support HIPAA-compliant transmission, and Twilio is not able to sign BAAs for SendGrid.
Will SendGrid sign a BAA?
Twilio states it is not able to sign Business Associate Agreements for SendGrid. Use a different email service for PHI workflows.
Can SendGrid be used with PHI?
No. Twilio states that no BAA is available for SendGrid, so there is no agreement scope to verify. Route PHI workflows through a vendor that will sign a BAA, and only after your organization verifies covered services, configuration, access controls, data retention, and connected integrations for that vendor.
Last checked and source notes
- Last checked: 2026-04-30
- Confidence: High
- Dataset rows: 267 vendors
- ComplySaaS public vendor dataset entry.
- Vendor trust center, legal terms, BAA documentation, and covered services should be re-checked before use.
- Sources: Twilio SendGrid HIPAA guidance; SendGrid security