Background
Healthcare services org, a HIPAA-covered entity, so patient-facing communication is regulated. Their existing CRM ([market-leading healthcare CRM]) handled core CRM workflows, but marketing automation ran on a separate vendor that wasn't BAA'd, and consent state was tracked in yet another compliance tool.
Challenge
Internal audit flagged that marketing journeys had been touching contact records that included PHI. The vendor wasn't under BAA. The audit finding triggered a six-week remediation project: scrub the PHI from the marketing vendor, switch to a BAA'd alternative, re-onboard the team. Repeat for the consent vendor.
The CTO wanted a structural fix: one platform under one BAA, covering CRM + marketing + consent + audit. The team evaluated three options.
Solution
Pact Scale ships BYOK encryption (per-tenant data keys wrapped by the customer's KMS) and a HIPAA BAA on the same SKU as the CRM. The team imported their CRM data, configured BYOK against their AWS KMS, and ran the BAA paperwork in parallel with technical setup.
Consent state migrated cleanly. The marketing journeys rebuilt in Pact inherited the BYOK encryption automatically — there is no path to send to a contact whose data isn't encrypted under the tenant key.
Result
One BAA, signed once, covers CRM + marketing + consent + audit. PHI never reaches a non-BAA'd vendor again — structurally, not policy-wise. Key rotation runs on the team's schedule against their own KMS; key lineage is visible in the admin UI.
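As an added illustration, not code from Pact Scale or from the case study, here is the envelope-encryption pattern that the BYOK description in the Solution and Result sections implies: each record gets its own data key, wrapped under a tenant key-encryption key that only the customer's KMS holds, and rotation re-wraps the small data key instead of re-encrypting the PHI. The KMS is simulated in-process (against AWS KMS the wrap and unwrap steps would map to GenerateDataKey and Decrypt calls, my assumption), and the tenant-id binding and version layout are my design choices, not the product's.

```go
package main
import "crypto/aes"
import "crypto/cipher"
import "crypto/rand"
import "errors"
// KMS stands in for the customer-controlled KMS of the case study (AWS KMS there): only it holds
// the tenant's key-encryption keys (KEKs), one per Rotate, and old versions stay unwrappable.
type KMS struct{ keks [][]byte }
func (k *KMS) Rotate() int { k.keks = append(k.keks, randBytes(32)); return len(k.keks) } // once before first use
func randBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }
// AES-256-GCM with the 12-byte nonce prepended; keys are always 32 bytes, so setup cannot fail.
func gcm(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }
func seal(key, pt, aad []byte) []byte {
	nonce := randBytes(12)
	return gcm(key).Seal(nonce, nonce, pt, aad)
}
func open(key, ct, aad []byte) ([]byte, error) {
	if len(ct) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return gcm(key).Open(nil, ct[:12], ct[12:], aad)
}
// Envelope is what the platform stores per record: a fresh data key (DEK) wrapped under a named
// KEK version (the key lineage) plus the PHI under that DEK, both bound to the tenant id via AAD.
type Envelope struct{ Tenant string; KEKVersion int; WrappedDEK, Ciphertext []byte }
func Encrypt(k *KMS, tenant string, phi []byte) Envelope {
	dek, aad := randBytes(32), []byte(tenant) // per-record DEK; exists in the clear only in memory
	return Envelope{tenant, len(k.keks), seal(k.keks[len(k.keks)-1], dek, aad), seal(dek, phi, aad)}
}
func unwrap(k *KMS, e Envelope) ([]byte, error) { // the only step that needs the KMS
	if e.KEKVersion < 1 || e.KEKVersion > len(k.keks) {
		return nil, errors.New("unknown KEK version")
	}
	return open(k.keks[e.KEKVersion-1], e.WrappedDEK, []byte(e.Tenant))
}
func Decrypt(k *KMS, e Envelope) ([]byte, error) {
	dek, err := unwrap(k, e)
	if err != nil {
		return nil, err
	}
	return open(dek, e.Ciphertext, []byte(e.Tenant))
}
// Rewrap moves an envelope onto the current KEK after Rotate: only the wrapped DEK changes.
func Rewrap(k *KMS, e Envelope) (Envelope, error) {
	dek, err := unwrap(k, e)
	if err == nil {
		e.KEKVersion, e.WrappedDEK = len(k.keks), seal(k.keks[len(k.keks)-1], dek, []byte(e.Tenant))
	}
	return e, err
}
```

Envelopes wrapped under an older KEK version keep decrypting until that version is retired, which is what lets a rotation run on the team's schedule without a bulk re-encryption of PHI.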