These recommendations from ngrok’s team do not constitute legal advice.
Please consult your own legal and engineering teams to ensure HIPAA compliance.
Shared responsibility model
ngrok operates under a shared responsibility model. ngrok puts many safeguards in place to protect customers, and there are steps customers must take themselves to remain HIPAA compliant. ngrok is responsible for giving you, the customer, the information you need to use ngrok in a compliant manner and for documenting how to configure the ngrok platform to remain compliant. You are responsible for ensuring your use case is compliant and for configuring ngrok correctly.
Compliant use cases
ngrok is HIPAA-compliant for use cases where PHI is carried only within the packet payload. You are responsible for ensuring that PHI is present nowhere else in the traffic. ngrok does not store payload data for HIPAA workloads, but it does store other, non-PHI data. See Data at ngrok for details on what data ngrok stores. ngrok account user information, ngrok account billing information, and packet headers should not be considered PHI in any use case, so PHI must never be placed there.
Customer safeguards
These are ngrok’s recommendations for setting up and configuring your ngrok account securely:
- Ensure packet payloads are the only place PHI is sent over the ngrok network
- Don’t put PHI in JWT tokens
- Don’t put PHI in packet headers
- Don’t put PHI in URL parameters
- Ensure the ngrok agent runs on a secured machine. The agent-local traffic inspector shows request and response bodies, so it may expose ePHI to anyone with access to that host.
- Ensure that any traffic forwarded from the ngrok agent onward through your network to the upstream service is itself protected (for example, with TLS), since ngrok's transport encryption ends at the agent.
- Use managed certificates. ngrok will automatically provision and renew TLS certificates on your behalf.
- Verify webhooks to ensure the authenticity of incoming requests
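The last recommendation, webhook verification, is the one item in this list that is a concrete mechanism rather than a data-handling rule. The following is an added example, not ngrok's own code or the verification scheme of any particular webhook provider. It assumes a common pattern: the sender shares a secret with the receiver, sends a header of the form `t=<unix seconds>,v1=<hex HMAC-SHA256 over "<t>.<raw body>">`, and the receiver recomputes the MAC over the exact raw bytes it received, compares it in constant time, and rejects signatures outside a replay window. Header name, format and the 300-second tolerance are assumptions for illustration.

```python
import hashlib
import hmac
import time
from typing import Optional

# Assumed scheme (illustrative, not a specific provider's):
#   Signature header: "t=<unix seconds>,v1=<hex hmac-sha256 of "<t>.<raw body>">"
# A timestamp bound into the MAC lets the receiver reject replays of an
# otherwise valid, previously captured delivery.
TOLERANCE_SECONDS = 300


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Build the signature header the way the (assumed) sender would."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"


def verify(secret: bytes, header: str, body: bytes, now: Optional[int] = None) -> bool:
    """Return True only if `header` is a fresh, valid signature over `body`.

    `body` must be the raw request bytes exactly as received; re-serialising
    parsed JSON can change whitespace or key order and break the MAC.
    """
    now = int(time.time()) if now is None else now

    # Parse "k=v,k=v" without raising on malformed input.
    parts = dict(p.split("=", 1) for p in header.split(",") if "=" in p)
    try:
        ts = int(parts["t"])
        sig = parts["v1"]
    except (KeyError, ValueError):
        return False

    # Replay protection: reject timestamps too far from the receiver's clock.
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False

    expected = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    # Constant-time comparison so a byte-by-byte timing difference does not
    # leak how much of a forged signature was correct.
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    # Constructed sample input for a local run.
    secret = b"constructed-shared-secret"
    ts = 1_700_000_000
    body = b'{"event":"result.ready","record_id":"abc123"}'
    hdr = sign(secret, ts, body)
    print("valid:", verify(secret, hdr, body, now=ts + 5))
    print("tampered body:", verify(secret, hdr, body + b" ", now=ts + 5))
    print("stale:", verify(secret, hdr, body, now=ts + TOLERANCE_SECONDS + 1))
```

Call `verify` on the raw body before any JSON parsing, and treat a `False` result as a hard reject (HTTP 401/403 with no body detail). The shared secret is itself sensitive and belongs in a secret store, not in the agent's configuration file on disk.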