
Is Sheetgo HIPAA compliant?

Understand how HIPAA applies to Sheetgo workflows and which standards Sheetgo is certified against instead.

Written by Jonatan Gomes

Short answer: Sheetgo is not HIPAA compliant, and Sheetgo's position is that HIPAA generally does not apply to it because Sheetgo does not store any of your data. For most healthcare-adjacent use cases, Sheetgo's existing certifications, including SOC 2 Type 2, address the security controls that HIPAA-regulated organizations typically ask about in a vendor review.

Why HIPAA usually doesn't apply to Sheetgo

HIPAA (the U.S. Health Insurance Portability and Accountability Act) regulates how Protected Health Information (PHI) is created, received, stored, and transmitted by covered entities (such as providers, health plans, and clearinghouses) and their business associates, the vendors that handle PHI on a covered entity's behalf. Its Privacy and Security Rules attach to any party that stores or processes patient health information in one of those roles.

Sheetgo doesn't fit that profile because Sheetgo does not store any customer data:

  • Your spreadsheet content stays in your own cloud storage (Google Drive, OneDrive, SharePoint, or Dropbox).

  • Sheetgo acts only as a secure layer that moves data from one of your files to another over an encrypted connection.

  • No copies of your files, rows, or values are retained on Sheetgo's servers.

Because Sheetgo never holds your data, it's not in a position to be (or need to be) a HIPAA Business Associate.

What this means if you handle PHI in your workflows

If your spreadsheets contain PHI, HIPAA compliance still applies, but the obligations sit with you as the covered entity and with your underlying cloud storage and identity providers, not with Sheetgo. To stay compliant in that scenario:

  • Use a HIPAA-eligible plan and signed Business Associate Agreement (BAA) with Google Workspace or Microsoft 365.

  • Keep PHI inside files and folders that are covered by that BAA.

  • Restrict workflow sharing and editor access according to your internal HIPAA policies.

Sheetgo reads and writes those files with the permissions you grant. The data passes over Sheetgo's encrypted connection only for the duration of a transfer and is not retained on Sheetgo's servers, so your BAA-covered storage remains the system of record; document that data flow in your own HIPAA risk assessment.
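The third step above (restricting sharing and editor access on PHI files) is the one most often left to manual inspection. The following is an added example, not Sheetgo's code: it audits Google Drive permission records in the shape returned by the Drive v3 `permissions.list` endpoint and flags anything that would put PHI outside your BAA-covered domain or give edit rights to accounts you have not approved. The sample records, the domain `clinic.example`, the editor allowlist and the file IDs are constructed assumptions; in production you would fetch the real records with the Drive API and substitute your own policy values.

```python
"""Audit Drive sharing on files that hold PHI (added example, not Sheetgo's code).

Input records follow the Drive v3 permission resource shape:
  {"id", "type": user|group|domain|anyone, "role": owner|organizer|fileOrganizer|
   writer|commenter|reader, "emailAddress" (user/group), "domain" (domain)}
All sample data below is constructed so the script runs offline.
"""
from dataclasses import dataclass

# --- policy values: ASSUMPTIONS, adapt to your own HIPAA policy ---
ALLOWED_DOMAIN = "clinic.example"                      # the Workspace domain under your BAA
EDITOR_ALLOWLIST = {"phi-workflows@clinic.example"}     # non-owner accounts allowed to edit PHI
EDIT_ROLES = {"organizer", "fileOrganizer", "writer"}   # roles that can modify content (owner handled separately)


@dataclass(frozen=True)
class Finding:
    file_id: str
    permission_id: str
    reason: str


def _email_domain(email: str) -> str:
    return email.lower().rpartition("@")[2]


def audit_permissions(file_id: str, permissions: list[dict]) -> list[Finding]:
    """Return one Finding per permission that violates the policy above."""
    findings: list[Finding] = []
    for p in permissions:
        ptype, role, pid = p.get("type"), p.get("role"), p.get("id", "?")
        if ptype == "anyone":
            # Link sharing defeats the BAA boundary regardless of role or discoverability.
            findings.append(Finding(file_id, pid, "link sharing enabled (type=anyone)"))
        elif ptype == "domain":
            if p.get("domain", "").lower() != ALLOWED_DOMAIN:
                findings.append(Finding(file_id, pid, f"shared with foreign domain {p.get('domain')}"))
            if role in EDIT_ROLES:
                findings.append(Finding(file_id, pid, "domain-wide edit access"))
        elif ptype in ("user", "group"):
            email = (p.get("emailAddress") or "").lower()
            if _email_domain(email) != ALLOWED_DOMAIN:
                findings.append(Finding(file_id, pid, f"external principal {email or '<unknown>'}"))
            elif role in EDIT_ROLES and email not in EDITOR_ALLOWLIST:
                findings.append(Finding(file_id, pid, f"edit access outside allowlist: {email}"))
        else:
            # Fail closed: an unknown permission type is something to look at, not ignore.
            findings.append(Finding(file_id, pid, f"unrecognized permission type {ptype!r}"))
    return findings


# Constructed sample: two PHI spreadsheets with a mix of good and bad sharing.
SAMPLE_FILES = {
    "1aBcPhiIntake": [
        {"id": "p1", "type": "user", "role": "owner", "emailAddress": "records@clinic.example"},
        {"id": "p2", "type": "user", "role": "writer", "emailAddress": "phi-workflows@clinic.example"},
        {"id": "p3", "type": "user", "role": "reader", "emailAddress": "partner@otherhospital.example"},
        {"id": "p4", "type": "anyone", "role": "reader", "allowFileDiscovery": False},
    ],
    "1dEfPhiSummary": [
        {"id": "p5", "type": "user", "role": "owner", "emailAddress": "records@clinic.example"},
        {"id": "p6", "type": "domain", "role": "writer", "domain": "clinic.example"},
        {"id": "p7", "type": "group", "role": "writer", "emailAddress": "billing@clinic.example"},
    ],
}


def audit_all(files: dict[str, list[dict]] = SAMPLE_FILES) -> list[Finding]:
    out: list[Finding] = []
    for fid, perms in files.items():
        out.extend(audit_permissions(fid, perms))
    return out


if __name__ == "__main__":
    for f in audit_all():
        print(f"{f.file_id}\t{f.permission_id}\t{f.reason}")
```

Run it against the sample and it reports the external reader and the anyone-with-the-link permission on the first file, and the domain-wide edit grant plus the unapproved group editor on the second; the owner and the allowlisted workflow account pass. Wire `audit_all` to a scheduled job that pulls permissions for every file in the PHI folder and you have a repeatable control to cite in your risk assessment.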

What Sheetgo does provide

Sheetgo is certified or independently assessed against the standards most enterprise security and procurement reviews ask about:

  • SOC 2 Type 2 — independently audited for security, integrity, and confidentiality.

  • GDPR (Europe) and CCPA (California) compliance, including support for personal data rights such as correction and deletion.

  • CASA Tier 3 (Google's Cloud Application Security Assessment).

  • Recommended for Google Workspace by Google.

  • OWASP best practices for web application security.

  • TLS encryption with 256-bit symmetric ciphers for all data in transit.

  • Servers hosted in SOC 1, SOC 2, and ISO 27001-certified data centers (United States).

For the full list and supporting evidence, see the Security and privacy article.

Need a compliance review?

If your organization needs documentation for a procurement or risk-assessment review, contact our support team. We can share our SOC 2 report (under NDA) and answer specific questions about how Sheetgo handles your data.
