Business Associate Agreement
We can not access your data.
DevSafe encrypts your code on your machine with keys only you hold. This BAA template is in preparation. It describes how DevSafe's zero-knowledge architecture addresses HIPAA technical safeguards.
Plain-language summary
DevSafe is an encrypted git backup tool. Your code is encrypted on your machine before it ever leaves. Your encryption keys never touch our servers. We hold your email address and usage metrics. That is all we have. If your source code contains protected health information, it is encrypted with AES-256-GCM before we ever see it. We receive ciphertext. We can not decrypt it. Not "we will not." We can not.
Zero-Knowledge Architecture Declaration
DevSafe uses client-side encryption. All data is encrypted on the customer's machine using AES-256-GCM before transmission. Encryption keys are generated by the customer, stored by the customer, and never transmitted to HXA Labs or any third party.
HXA Labs structurally can not access plaintext source code, backup contents, or encryption keys. This is not a policy decision. It is an architectural impossibility. DevSafe does not possess the cryptographic material required to decrypt customer data.
This agreement between HXA Labs LLC ("Business Associate") and the customer ("Covered Entity") establishes the terms under which DevSafe operates as an encryption layer for git backup data. DevSafe's zero-knowledge architecture addresses several HIPAA technical safeguards by ensuring that protected health information, if present in source code, is encrypted before it enters any system operated by or accessible to HXA Labs.
Scope of Services
DevSafe provides an encryption layer for backups of git repositories. The service operates as follows:
- Discovery. DevSafe identifies git repositories on the customer's local machine.
- Bundling. DevSafe creates git bundles by reading from the git object database. It does not copy the filesystem.
- Encryption. Bundles are encrypted with AES-256-GCM on the customer's machine using customer-generated keys. Encryption occurs before any data leaves the local environment.
- Upload. Encrypted ciphertext is uploaded to customer-owned cloud storage (Cloudflare R2, AWS S3, or any S3-compatible provider). HXA Labs does not operate or control the destination storage.
- Verification. DevSafe verifies that each backup is structurally valid and restorable. Verification operates on authentication tags and metadata, not on plaintext content.
If protected health information exists within the customer's source code, it is encrypted before leaving the customer's machine. HXA Labs receives only ciphertext. The customer's own storage holds encrypted data that only the customer can decrypt.
Data DevSafe Does Handle
HXA Labs collects and stores the following data categories in the normal course of providing the DevSafe service:
- Email addresses. Used for account authentication (email and password, magic link, or GitHub OAuth login), billing communications, and service notifications.
- Usage metrics. Backup counts, storage utilization, feature usage, and error rates. These metrics describe service usage patterns. They do not contain source code, file contents, or encryption keys.
These data categories are not protected health information. They do not contain, reference, or derive from patient records, clinical data, or any information subject to HIPAA protections.
Data DevSafe Can Not Access
The following data categories are architecturally inaccessible to HXA Labs. This is not a policy restriction. It is a cryptographic impossibility.
- Customer source code. All source code is encrypted on the customer's machine before transmission. DevSafe receives ciphertext only. HXA Labs does not possess the decryption keys.
- Backup contents. Encrypted backups are stored in the customer's own cloud storage. HXA Labs does not have credentials to the customer's storage bucket. Even if HXA Labs obtained the ciphertext, it could not decrypt it.
- Encryption keys. Keys are generated locally on the customer's machine using cryptographically secure random number generation. Keys are never transmitted, stored, logged, or cached by any HXA Labs system. The key derivation hierarchy (master key to per-repository key to per-bundle key) operates entirely within the customer's environment.
A subpoena, court order, or government request directed at HXA Labs can not produce customer source code or backup contents. HXA Labs does not possess the cryptographic keys required to decrypt this data. Compliance with such a request is not a matter of willingness. It is a matter of mathematical impossibility.
Technical Safeguards
DevSafe's zero-knowledge architecture addresses several HIPAA technical safeguard requirements through the following controls:
- Encryption at rest. Customer data is encrypted with AES-256-GCM before storage. Encryption keys are managed exclusively by the customer. The encrypted data resides in the customer's own cloud storage bucket.
- Encryption in transit. All communications between the DevSafe client and cloud storage use TLS 1.2 or higher. All communications between the DevSafe client and HXA Labs infrastructure use HTTPS with TLS 1.2 or higher.
- Access controls. HXA Labs uses email and password, magic link, or GitHub OAuth authentication with optional TOTP multi-factor authentication, API key authentication for programmatic access, and role-based access control for team plans. Passwords are hashed by Supabase Auth and are never accessible to DevSafe. Access to internal systems follows the principle of least privilege.
- Key management. Customer-side key generation using cryptographically secure random number generators. Three-tier key hierarchy with two HKDF-SHA256 derivations: master key derives per-repository keys, which derive per-bundle keys. Keys never leave the customer's machine.
- Integrity verification. Every backup includes a GCM authentication tag that detects tampering. Backups are verified restorable before the operation is considered complete.
- Audit trail. Every backup operation produces a cryptographic receipt recording the operation timestamp, verification status, and integrity proof.
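The three-tier hierarchy described under Key management, shown as an added sketch that is not DevSafe's own code: two HKDF-SHA256 derivations (RFC 5869) built from the Python standard library. The `info` label format, the function names, and the repository and bundle identifiers are assumptions; this page does not specify them.

```python
import hashlib
import hmac
import secrets

HASH_LEN = 32  # SHA-256 output size, which is also the AES-256 key size


def hkdf_sha256(ikm: bytes, info: bytes, length: int = HASH_LEN, salt: bytes = b"") -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract, then expand."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long for HKDF-SHA256")
    # Extract: an empty salt is replaced by HashLen zero bytes, per the RFC.
    prk = hmac.new(salt or b"\x00" * HASH_LEN, ikm, hashlib.sha256).digest()
    # Expand: T(i) = HMAC(PRK, T(i-1) || info || i)
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def context_label(kind: str, ident: str) -> bytes:
    # Assumed label format. The length prefix keeps different
    # (kind, ident) pairs from encoding to the same info string.
    raw = ident.encode("utf-8")
    return kind.encode("ascii") + len(raw).to_bytes(4, "big") + raw


def repo_key(master_key: bytes, repo_id: str) -> bytes:
    """Derivation 1: master key -> per-repository key."""
    if len(master_key) != HASH_LEN:
        raise ValueError("master key must be 32 bytes")
    return hkdf_sha256(master_key, context_label("repo", repo_id))


def bundle_key(repo_k: bytes, bundle_id: str) -> bytes:
    """Derivation 2: per-repository key -> per-bundle AES-256-GCM key."""
    return hkdf_sha256(repo_k, context_label("bundle", bundle_id))


if __name__ == "__main__":
    # Constructed sample identifiers; the master key is generated locally.
    master = secrets.token_bytes(HASH_LEN)
    k = bundle_key(repo_key(master, "acme/api"), "bundle-0001")
    print("per-bundle key length:", len(k))
```

Because each tier is a one-way derivation, a per-bundle key exposes neither its sibling keys nor the repository or master key above it, and only the master key needs to be stored and backed up.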
DevSafe is an encryption layer. It is not a compliance program. Customers are responsible for their own HIPAA compliance program, risk assessments, and administrative safeguards. DevSafe's architecture provides the technical encryption controls that support a customer's broader compliance posture.
SOC 2 Type II certification is on the HXA Labs roadmap with a target observation period beginning in 2027.
Breach Notification
In the event of a security incident affecting HXA Labs systems, HXA Labs will notify affected customers within 48 hours of confirmed discovery. Notification will include:
- A description of the incident and the data categories potentially affected.
- The date and time of discovery.
- The steps HXA Labs is taking to contain and remediate the incident.
- Recommendations for customer action, if any.
Even in the event of a complete breach of HXA Labs systems, no protected health information could be exposed. HXA Labs systems contain email addresses and usage metrics only. Customer source code and backup contents are encrypted with keys that HXA Labs does not possess. A breach of HXA Labs infrastructure can not produce plaintext customer data because the decryption keys do not exist within that infrastructure.
HXA Labs will cooperate with the customer's incident response process. HXA Labs will preserve relevant logs and provide technical assistance as needed to support the customer's breach assessment and regulatory notification obligations.
Subcontractors
HXA Labs uses the following infrastructure providers to operate the DevSafe service. Flow-down obligations apply where applicable. None of these providers have access to customer source code, backup contents, or encryption keys.
- Cloudflare. DNS, CDN, DDoS protection, and web application firewall. Cloudflare processes network traffic metadata only. Customer backup data transits Cloudflare in encrypted form (ciphertext) en route to customer-owned storage.
- Supabase. Authentication, database, and API infrastructure. Supabase stores customer email addresses, account metadata, and usage metrics. Supabase does not receive source code, backup contents, or encryption keys. Database encryption at rest is enabled.
- Stripe. Payment processing. Stripe receives billing information (payment method, billing address) only. Stripe does not receive source code, usage data, or encryption keys. Stripe is PCI DSS Level 1 certified.
- Resend. Transactional email delivery. Resend receives email addresses and email content (login links, notifications) only. Resend does not receive source code, backup data, or encryption keys.
HXA Labs will notify customers before adding new subcontractors that process customer data. The current subcontractor list is maintained on the Trust Center.
Customer Responsibilities
DevSafe's zero-knowledge architecture places certain responsibilities on the customer. The customer is responsible for:
- Key management. Generating, storing, backing up, and protecting encryption keys. If the customer loses their encryption key, HXA Labs can not recover it. Data encrypted with a lost key is permanently inaccessible.
- Storage configuration. Configuring their cloud storage bucket (Cloudflare R2, AWS S3, or compatible provider) with appropriate access controls, encryption settings, and retention policies. HXA Labs does not manage or monitor customer storage buckets.
- PHI determination. Determining whether their source code repositories contain protected health information. HXA Labs can not inspect customer code to make this determination. The customer is in the best position to know what their code contains.
- Compliance program. Maintaining their own HIPAA compliance program, including risk assessments, workforce training, administrative safeguards, and physical safeguards. DevSafe provides technical encryption controls. It is not a substitute for a compliance program.
- Access control. Managing team member access, revoking access for departing personnel, and rotating keys according to their own security policies.
Term, Termination, and Data Return
When executed, this BAA will be effective as of the date the customer begins a paid DevSafe subscription. It will remain in effect for the duration of the subscription.
Upon termination:
- HXA Labs will delete the customer's email address, account metadata, and usage metrics within 30 days of subscription termination. The customer may request immediate deletion at any time.
- The customer retains full ownership of all encrypted backups in their own cloud storage. These backups are stored in the customer's bucket, under the customer's control, encrypted with the customer's keys. HXA Labs has no access to delete, modify, or read this data.
- The backup format is open and documented. The customer can restore backups without DevSafe. Decrypt with the customer's key, then restore with standard git tools. No vendor lock-in. No dependency on HXA Labs for data recovery.
HXA Labs will certify in writing that all customer data within its systems has been deleted upon request following termination.
Questions about this agreement?
This BAA template is in preparation. For questions about HIPAA compliance, BAA execution, or DevSafe's security architecture, contact us.
HXA Labs LLC
For BAA, DPA, or compliance inquiries: contact the security team.
For technical architecture questions, see the Trust Center and Security & Threat Model.