BAA / DPA / Compliance Evidence
Purpose: Audit-ready inventory of every signed BAA, click-through compliance amendment, and supporting evidence file. SOC 2 CC9.2 / HIPAA §164.314 / EDE Phase 3 SA-9.
Convention: filename pattern <vendor>-<doc-type>-<YYYY-MM-DD>.{pdf,png}. Every file referenced from docs/security-compliance/vendor-register.md.
Current evidence files
| Filename | Vendor | Type | Date | Cross-reference |
|---|---|---|---|---|
| aws-organizations-baa-signed-2026-04-18.pdf | AWS | Signed BAA PDF (org-wide; covers all 4 member accounts) | 2026-04-18 | vendor-register.md Tier 1 |
| google-workspace-hipaa-baa-acceptance-2026-05-01.jpg | Google Workspace | Admin Console click-through screenshot showing the "Google Workspace/Cloud Identity HIPAA Business Associate Amendment" accepted by [email protected] on May 01, 2026. Click-through is the legal acceptance method per Google's BAA model — no separate signed PDF exists. | 2026-05-01 | vendor-register.md Tier 1 |
| mongodb-atlas-baa-signed-2026-05-14.pdf | MongoDB Atlas | Signed BAA PDF (doc LA-50572; org-level — covers MongoDB Cloud Services for the customer, so both Atlas projects askflorence-prod-01 + askflorence-staging are in scope). AskFlorence: Taha Salahuddin Abbasi (Founder), 2026-05-13. MongoDB, Inc.: Ashley Kilpatrick (Director, Global Billing), 2026-05-14. Effective Date = fully-signed date 2026-05-14. | 2026-05-14 | vendor-register.md Tier 1 |
Conventions
- PDFs: signed contracts (DocuSign, manual signature, etc.). Filename: <vendor>-baa-signed-<YYYY-MM-DD>.pdf.
- PNGs / screenshots: click-through acceptance evidence (Admin Console, vendor portal). Filename: <vendor>-<doc-type>-<YYYY-MM-DD>.png. Capture the date stamp + accepting user identity in the screenshot.
- Retention: 6 years minimum (HIPAA), 10 years preferred for EDE alignment.
- Access: read-only for non-Taha team members; Taha is the steward.
- Updates: when a BAA expires / renews / a vendor retires, move (don't delete) the file with a -retired-<date> suffix and update vendor-register.md.
Open follow-ups
- [x] MongoDB Atlas — signed BAA PDF collected + filed as mongodb-atlas-baa-signed-2026-05-14.pdf (doc LA-50572, fully executed 2026-05-14, org-level scope covers both Atlas projects)
- [ ] At Florence Phase 1 — Anthropic BAA, file as anthropic-direct-api-baa-<date>.pdf
- [ ] At Phase 5 (agent platform) — NIPR BAA, ID-verify vendor BAA
- [ ] Drata / Vanta / Sprinto onboarding — DPA in addition to BAA (compliance vendor processes our metadata)
Where to find evidence not yet collected
| Vendor | Where to look |
|---|---|
| MongoDB Atlas (already collected) | Atlas support ticket; BAA tied to org (askflorence@). Signed copy filed 2026-05-14. |
| Anthropic | Anthropic console → org settings → BAA download (when on Tier 1+) |
| AWS (already collected) | AWS Artifact → Compliance Reports → BAA |
| Google Workspace (already collected) | Admin Console → Account → Account Settings → Legal & Compliance → Security and Privacy Additional Terms |