diff --git a/src/lib/components/MainFooter.svelte b/src/lib/components/MainFooter.svelte index 341e80c1f10..2a99487376b 100644 --- a/src/lib/components/MainFooter.svelte +++ b/src/lib/components/MainFooter.svelte @@ -63,6 +63,11 @@ onclick={() => trackEvent(`footer-cookies-click`)}>Cookies +
  • + trackEvent(`footer-baa-click`)} + >BAA +
  • diff --git a/src/lib/components/layout/sub-footer.svelte b/src/lib/components/layout/sub-footer.svelte index 8802f7701d5..86cc0efda81 100644 --- a/src/lib/components/layout/sub-footer.svelte +++ b/src/lib/components/layout/sub-footer.svelte @@ -39,6 +39,7 @@
  • Terms
  • Privacy
  • Cookies
  • +
  • BAA
  • diff --git a/src/routes/baa/+page.markdoc b/src/routes/baa/+page.markdoc new file mode 100644 index 00000000000..a9acacbbc78 --- /dev/null +++ b/src/routes/baa/+page.markdoc 
@@ -0,0 +1,85 @@ +--- +layout: policy +title: Business Associate Agreement +description: Appwrite's HIPAA Business Associate Agreement (BAA) governing how protected health information is handled for eligible plans. +--- + +This Business Associate Agreement ("BAA") applies to clients under the Scale plan or the Startups program. + +This BAA forms an integral part of the underlying agreement entered into by the parties (the "Agreement") and pursuant to the services given under the Agreement (the "Services"). This BAA is entered into as of the effective date (the "Effective Date") by the Customer ("Customer" or "Covered Entity") and Appwrite Code Inc. ("Company" or "Business Associate"). Both parties shall be referred to as the "Parties" and each, a "Party". + +Whereas, Customer is subject to the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and as may be further modified or superseded from time to time (collectively, the "HIPAA Rules"), and among other obligations under HIPAA is required to enter into agreements with respect to the use, disclosure, and safeguarding of PHI. + +Whereas, the Parties desire to enter into this BAA in order to set forth the terms and conditions pursuant to which PHI will be handled by the Company (if any PHI is shared with Business Associate) and certain third parties, as applicable, during the duration of this BAA and the Agreement and upon its termination, cancellation, expiration, or other conclusion. 
+ +Now, therefore, in consideration of the conditions contained herein and the continued provision of PHI by Customer to Company under the Agreement and this BAA, the Parties agree as follows: + +# Definitions + +The following terms used in this BAA shall have the same meaning as those terms in the HIPAA Rules: Breach, Breach Notification Rule, De-Identify, Data Aggregation, Designated Record Set, Disclosure, Electronic PHI, Individual, Protected Health Information ("PHI"), Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use. + +# Company's obligations and activities + +The Company agrees to: + +- Use and Disclose PHI as permitted or required by this BAA or by applicable law to provide the Services to Customer or as otherwise permitted under this BAA. Company may Use and/or Disclose PHI (i) for conducting the Company's business, (ii) for management and administrative services, (iii) to carry out the legal responsibilities of the Company, or (iv) on a de-identified, aggregated, and/or anonymous basis for the purpose of analyzing the usage and performance of the Company's proprietary technology (for internal and/or external purposes), including, without limitation, for market research and to provide analytics to Customer and further developing and improving Company's products and services. + +- Use appropriate physical, technical, and administrative safeguards (a) to prevent Use or Disclosure of PHI other than as permitted under this BAA or as required by applicable law, and (b) to reasonably protect the confidentiality, integrity, and availability of the PHI. Company will use commercially reasonable efforts to implement industry standard safeguards to prevent the Use or Disclosure of PHI other than as provided by the Agreement and/or this BAA. + +- Report to Customer any Security Incident, or Breach of Unsecured PHI, without unreasonable delay and in no case later than sixty (60) calendar days after discovery of breach. 
Such report shall be in accordance with § 164.410(c). Company will take reasonable measures to mitigate, to the extent practicable, any harmful effect that is known to Company of any Security Incident and/or Breach of Unsecured PHI. The obligations herein shall not apply to incidents that are caused by Customer or Customer's users or are otherwise unrelated to the provision of the Services by Company. + +- Use commercially reasonable efforts to ensure that its Subcontractors that process PHI on Company's behalf are subject to substantially the same restrictions and conditions concerning the processing of PHI contained in this BAA and agree to implement reasonable and appropriate safeguards to protect any PHI. Customer hereby agrees that Company may disclose PHI to Subcontractors and others who assist in the provision of services to Customer. + +- Reasonably assist, within ten (10) business days, the Customer to comply with Individuals' requests related to their PHI in accordance with the HIPAA Rules requirements (e.g., to make available in a designated record set to the Customer to meet Customer's obligations under 45 CFR 164.524 or make any amendment(s) to PHI in a designated record set as agreed to by the Customer pursuant to 45 CFR 164.526); provided that Customer informs Company in writing of the applicable request. + +- Make its internal practices, books, and records available to the Secretary for purposes of determining Customer's and/or Company's compliance with HIPAA Rules. Nothing in this Section waives any applicable privilege or protection. + +# Customer obligations and activities + +Customer agrees: + +- Not to request Company to Use or Disclose PHI or take any other action in any manner that would not be permissible under HIPAA Rules and/or that will imply the breach or violation of any applicable law and/or Individuals' rights. 
+ +- To notify Company of any limitation or restriction related to the relevant PHI, to the extent that such limitation may affect Company's Use or Disclosure of PHI (including, without limitation, 45 CFR §164.520 and 45 CFR §164.522). + +- To provide all notices and obtain all required consents from an Individual to allow Company to use the PHI as set forth in this BAA. Customer shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to Use or Disclose his or her PHI, to the extent that such changes may affect Company's Use or Disclosure of PHI. + +- And acknowledges that any Use or Disclosure of PHI or action made by Company at the request of Customer is made in reliance that such request and/or action is permissible and that Customer is requesting the minimum necessary to accomplish the intended Use or Disclosure of the PHI. + +- To indemnify and hold harmless Company from and against all liabilities, losses, damages, and expenses (including reasonable attorney's fees) arising from Customer's breach of this BAA, including this section. + +# Term and Termination + +**Term.** This BAA will become effective as of the Effective Date, and shall continue until the earliest of: (a) all of the PHI provided by Customer to Company is deleted, destroyed, and/or de-identified; (b) this BAA is terminated in writing by the Parties; or (c) the Agreement is completed, concluded, or otherwise terminated, in which case this BAA will terminate automatically and without the need for any further action or notice on the part of either Customer or Company. + +**Termination for cause.** Both Parties may terminate immediately this BAA and/or the applicable sections of the Agreement, if a Party makes a determination that the other Party has breached a material term of this BAA and such breach is incurable or was uncured within thirty (30) days following the other Party's written notification. 
+ +**Effect of Termination.** Upon termination of the Agreement or this BAA for any reason, all PHI maintained by Company will be returned to Customer or destroyed. Company shall be allowed to retain a copy of the de-identified data, as permitted in Section 2. In any event, to the extent required or allowed by applicable law, Company may retain one copy of the PHI for evidence purposes and/or for the establishment, exercise, or defence of legal claims and/or to comply with applicable laws and regulations. This Section, and Sections 5 and 6 will survive any termination of this BAA. + +# Limitation of liability + +Notwithstanding anything to the contrary in the Agreement and/or in any other agreements between the Parties and to the maximum extent permitted by law: (A) Company's (including Company's Affiliates') entire, total, and aggregate liability, related to personal data, information or PHI, privacy, or for breach of this BAA and/or HIPAA Rules, including, without limitation, if any, any indemnification obligation, shall be limited to the amounts paid to Company under the Agreement within twelve (12) months preceding the event that gave rise to the claim. 
This limitation of liability is cumulative and not per incident; (B) In no event will Company and/or Company's Affiliates and/or their subcontractors be liable under, or otherwise in connection with this BAA for: (i) any indirect, exemplary, special, consequential, incidental, or punitive damages; (ii) any loss of profits, business, or anticipated savings; (iii) any loss of, or damage to data, reputation, revenue, or goodwill; and/or (iv) the cost of procuring any substitute goods or services; and (C) the foregoing exclusions and limitations on liability set forth in this Section shall apply: (i) even if Company, Company's Affiliates, or subcontractors have been advised, or should have been aware, of the possibility of losses or damages; (ii) even if any remedy in this BAA fails of its essential purpose; and (iii) regardless of the form, theory, or basis of liability (such as, but not limited to, breach of contract or tort). + +# Miscellaneous + +**Notice.** All communications and notices shall be in writing, delivered personally, by email, or sent through any mailing services to the addresses set forth in the Agreement. + +**Effect of BAA.** This BAA is a part of and subject to the terms of the Agreement, except that to the extent any terms of this BAA conflict with any term of the Agreement, the terms of this BAA will govern. In the event of any conflict between the provisions of this BAA and the provisions of the Agreement, the provisions of this BAA shall prevail over the conflicting provisions of the Agreement. + +**Amendments.** This BAA may be amended solely by a written instrument duly signed by both the Parties. + +**Severability.** The provisions of this BAA shall be deemed severable and if any portion shall be held invalid, illegal, or unenforceable for any reason, the remainder of this BAA shall be effective and binding upon the Parties. + +**Interpretation.** Any ambiguity in this BAA shall be interpreted to permit compliance with the HIPAA Rules. 
+ +**No Third Party Beneficiaries.** Nothing contained herein, whether express or implied, is intended to confer, nor shall anything herein confer, upon any person other than the Parties and their respective successors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever. + +**Assignment.** Neither Party may assign this BAA without the other Party's prior written consent, provided that the consent shall not be unreasonably withheld. Notwithstanding the foregoing, Company may assign this BAA, in the event of a merger, change of control, or sale or transfer of all or substantially all of its assets, without requiring Customer's consent. + +**Governing Law.** This BAA shall be governed by and construed in accordance with the laws of the State of Delaware, United States of America, without regard to its conflict of laws principles. Any dispute, controversy, or claim arising out of, or in relation to, this BAA, shall be settled amicably between the Parties. If the dispute cannot be resolved by the Parties, the Parties hereby submit to the exclusive jurisdiction of the state and federal courts located in the State of Delaware with respect to any disputes or claims howsoever arising under this BAA. Notwithstanding anything to the contrary, the Company may seek interim relief before any court of competent jurisdiction worldwide. + +# Execution + +In light of the mutual agreement and understanding described above, the Parties execute this BAA as of the Effective Date. This BAA is entered into between Appwrite Code Inc. and the Customer and forms part of the underlying Agreement between the Parties. + +For any questions regarding this BAA, please contact [privacy@appwrite.io](mailto:privacy@appwrite.io). diff --git a/src/routes/docs/advanced/security/hipaa/+page.markdoc b/src/routes/docs/advanced/security/hipaa/+page.markdoc index 1f05abd7188..a8621676388 100644 --- a/src/routes/docs/advanced/security/hipaa/+page.markdoc 
+++ b/src/routes/docs/advanced/security/hipaa/+page.markdoc @@ -24,6 +24,16 @@ requiring authentication and authorization through multi-factor authentication ( Appwrite safeguards personal information to the same extent it protects its own, complying with relevant privacy laws and regulations in the jurisdictions where its services are offered. +## Business Associate Agreement (BAA) + +A Business Associate Agreement (BAA) is a HIPAA-required contract between you (the covered entity) and Appwrite (the business associate) that governs how protected health information (PHI) is handled. You need a BAA in place before storing or processing PHI on Appwrite Cloud. + +You can enable a BAA yourself from the Appwrite Console. Open your **Organization settings**, find the **BAA** section, and select **Enable BAA**. The BAA is a paid add-on that costs $350 per month, prorated for your current billing cycle, and applies to your entire organization. + +The add-on is available on eligible paid plans. If your current plan does not support it, the Console prompts you to upgrade first. You can disable the BAA at any time, and it stays active until the end of your current billing cycle. + +For the full terms, see the [Business Associate Agreement](/baa). + ## Data retention Appwrite gives you full control over your data lifecycle. By default, Appwrite stores user and project data until you explicitly delete it. There's no automatic purging or TTL unless you configure it that way in your application logic or functions.
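Review bot: in the new src/routes/baa/+page.markdoc, the **Effect of Termination** paragraph refers to "Section 2" and says "This Section, and Sections 5 and 6 will survive", but none of the headings in the page carry numbers ("# Definitions", "# Company's obligations and activities", "# Limitation of liability", "# Miscellaneous"), so a reader of the rendered page cannot resolve those references. Either number the headings or replace the references with the heading names, e.g. "as permitted under Company's obligations and activities" and "This Section, Limitation of liability and Miscellaneous will survive any termination of this BAA." While there, the **Effect of BAA** paragraph states the same conflict rule twice (the BAA prevails over the Agreement); the second sentence can be dropped.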
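Review bot: in the src/routes/docs/advanced/security/hipaa/+page.markdoc hunk, the new section says the add-on "is available on eligible paid plans" without naming them, while the BAA page added in the same patch states that it "applies to clients under the Scale plan or the Startups program". Name the eligible plans here so readers know before opening the Console, and keep the two pages in sync, e.g. "The add-on is available on the Scale plan and the Startups program." Also consider whether the hard-coded "$350 per month" belongs in the docs rather than the pricing page, since it will need updating in two places if the price changes.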