AutoSPF Data Privacy and HIPAA / BAA Considerations
Key Takeaway: AutoSPF manages your SPF DNS record. SPF is public infrastructure data by design (a TXT record that anyone on the internet can resolve). AutoSPF never sees email content, headers, senders, recipients, attachments, or any Protected Health Information (PHI). AutoSPF is not a HIPAA Business Associate, and a Business Associate Agreement (BAA) is neither required nor meaningful for the AutoSPF service.

What does AutoSPF actually do?

AutoSPF automates the management of your Sender Policy Framework (SPF) record. SPF is a DNS TXT record published at the apex of your domain (or at a delegated subdomain) that lists which mail servers are authorized to send mail on behalf of that domain. SPF is a public standard (RFC 7208) and any SPF record published in DNS is, by definition, publicly resolvable. Anyone, anywhere, can run dig TXT yourdomain.com and read it.

AutoSPF flattens, compresses, and serves your SPF record so it stays inside the 10-DNS-lookup limit imposed by RFC 7208. The data we work with is configuration data, not message data.
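As an added illustration of the two operations described above (not AutoSPF's own code), the Python below counts the lookup-triggering terms that RFC 7208 caps at 10 and expands include: terms inline. The resolver is a constructed in-memory dictionary with hypothetical hostnames, so it runs offline; a real flattener would also resolve a and mx terms, which this example leaves in place. Note that everything it touches is public DNS data, which is the point of the privacy discussion on this page.

```python
import re

# Terms that cost a DNS lookup under RFC 7208 section 4.6.4 ("exp" does not count).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed, offline stand-in for DNS TXT resolution; hostnames are hypothetical.
FAKE_DNS = {
    "example.com": "v=spf1 include:_spf.mailer.example ip4:203.0.113.0/24 mx -all",
    "_spf.mailer.example": "v=spf1 include:pool.mailer.example ip4:198.51.100.0/24 ~all",
    "pool.mailer.example": "v=spf1 a ip6:2001:db8::/32 -all",
}

def term_name(term):
    """Mechanism/modifier name of a term: '~include:x' -> 'include', 'a/24' -> 'a'."""
    return re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()

def spf_terms(domain, resolve):
    """Fetch and split a domain's SPF record, dropping the v=spf1 version tag."""
    terms = (resolve(domain) or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError(f"{domain}: no SPF record")
    return terms[1:]

def count_lookups(domain, resolve, depth=0):
    """Count lookup-triggering terms, recursing through include: and redirect=."""
    if depth > 10:  # an include loop would otherwise recurse forever
        raise RecursionError(f"SPF include loop at {domain}")
    total = 0
    for term in spf_terms(domain, resolve):
        name = term_name(term)
        total += name in LOOKUP_TERMS
        if name == "include":
            total += count_lookups(term.split(":", 1)[1], resolve, depth + 1)
        elif name == "redirect":
            total += count_lookups(term.split("=", 1)[1], resolve, depth + 1)
    return total

def flatten_terms(domain, resolve, depth=0):
    """Expand include: inline; a nested 'all' never matches for the including domain."""
    if depth > 10:
        raise RecursionError(f"SPF include loop at {domain}")
    out = []
    for term in spf_terms(domain, resolve):
        if term_name(term) == "include":
            inner = flatten_terms(term.split(":", 1)[1], resolve, depth + 1)
            out.extend(t for t in inner if term_name(t) != "all")
        else:
            out.append(term)
    return out
```

Prefix the returned term list with "v=spf1 " to get the record a flattener would publish; re-running count_lookups on that record shows the lookup count dropping from 4 to 2 for the constructed data.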

What data does AutoSPF process?

Data Element                            | Processed by AutoSPF?                              | Example
Domain name you are managing            | ✓ Yes (public DNS)                                 | example.com
SPF mechanisms in your source record    | ✓ Yes (public DNS)                                 | include:_spf.google.com, ip4:203.0.113.0/24
The flattened SPF record we serve       | ✓ Yes (public DNS)                                 | v=spf1 ip4:... ip4:... -all
Account contact details                 | ✓ Yes (you provide at signup)                      | name, company, email, billing
Audit log of admin actions              | ✓ Yes (1 year retention)                           | who edited the record and when
Email message content                   | ✗ No, never                                        |
Email headers (From, To, Subject)       | ✗ No, never                                        |
Sender or recipient email addresses     | ✗ No, never                                        |
Attachments                             | ✗ No, never                                        |
DMARC aggregate or forensic reports     | ✗ No (that is DMARC Report, a separate product)    |
Any Protected Health Information (PHI)  | ✗ No, never                                        |

What we see: Your domain name, your authorized senders (the same data that is public in DNS), and the account info you provided to use the service.
What we never see: A single byte of any email message, ever. AutoSPF sits outside the mail flow.

HIPAA and Business Associate Agreements

A HIPAA Business Associate is a vendor that creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a Covered Entity (45 CFR §160.103). The Business Associate Agreement (BAA) governs how that PHI is handled.

AutoSPF does not create, receive, maintain, or transmit any PHI. AutoSPF only manages a public DNS record that lists which servers are allowed to send mail for your domain. The service operates outside the email message path entirely. There is no point at which PHI could enter the AutoSPF system, even theoretically.

For the same reason your domain registrar, your authoritative DNS provider, and your TLS certificate authority are not HIPAA Business Associates, AutoSPF is not a HIPAA Business Associate. A BAA covering AutoSPF would have no PHI to govern.

If your compliance team has been asked to file a BAA against every email-related vendor as a procedural rule, please contact us and we can walk through the scoping with you. In almost every case the right artifact for AutoSPF is our Data Processing Agreement (DPA), not a BAA.

GDPR and personal data

The only personal data AutoSPF processes is the account-holder contact information you provide when you sign up (name, work email, company, billing). This is processor-style processing on your instruction. DuoCircle provides a Data Processing Agreement on request.

Your SPF source record and the flattened record we publish on your behalf contain domain names, IP addresses of mail servers, and SPF mechanisms. These are infrastructure identifiers, not natural-person identifiers, and they are already public in DNS.

Hosting and data residency

Component                                                  | Provider     | Region
AutoSPF application and account database                   | DigitalOcean | San Francisco, USA (SFO2)
Macro Flattener (authoritative DNS for flattened records)  | AWS          | Frankfurt, Germany (eu-central-1)

Backups are encrypted and geographically separated from primary storage. The full subprocessor list is published at duocircle.com/legal/subprocessors/.

What we can provide your compliance team

  • SOC 2 Type II report covering Security, Availability, Confidentiality, and Processing Integrity. Annual examination by Hancock Askew & Co, LLP since 2022. Released under the standardized Bonterms Mutual NDA.
  • CSA STAR Level 1 registry entry for AutoSPF (public, no NDA): cloudsecurityalliance.org/star/registry/duocircle/services/autospf.
  • HECVAT Full, current version, under NDA.
  • Annual third-party penetration test executive summary, under NDA.
  • Data Processing Agreement (DPA) on request, with the standard schedules: Subject Matter and Details of Processing, Technical and Organizational Measures, Cross-Border Transfer Mechanisms, Region-Specific Terms.
  • Information security policy pack (titles and review cadence are public at trust.duocircle.com/policies/; full text under NDA).

Submit one request through the DuoCircle Trust Center and we will respond within one business day, most often the same day.

Frequently Asked Questions

Q: Does AutoSPF need a Business Associate Agreement under HIPAA?
No. AutoSPF does not create, receive, maintain, or transmit Protected Health Information. AutoSPF is therefore not a HIPAA Business Associate and a BAA is not required (and would not be meaningful) for the service.
Q: Does AutoSPF process any personally identifiable information?
Only the account-holder contact details you provide when you sign up: name, work email, company, billing. SPF data itself is infrastructure metadata (domain names, IP addresses of mail servers, SPF mechanisms) and is published publicly in DNS by design.
Q: Where is AutoSPF data hosted?
The AutoSPF application and account database are hosted at DigitalOcean in San Francisco, USA. The Macro Flattener, which is the authoritative DNS that serves your flattened SPF record, runs at AWS in Frankfurt, Germany. Both environments are SOC 2 Type II in scope.
Q: Is DuoCircle SOC 2 certified?
Yes. DuoCircle has held a SOC 2 Type II report since 2022, examined annually by Hancock Askew & Co, LLP. AutoSPF is in scope. The report is available under the Bonterms Mutual NDA through the Trust Center.
Q: Will AutoSPF ever see email content if my organization uses it?
No. AutoSPF sits outside the mail flow. SPF is consulted by recipient mail servers during the SMTP conversation to decide whether to accept your mail; it is a DNS lookup, not a mail relay. AutoSPF never receives, stores, or forwards email messages.
Q: Our procurement requires a BAA from every vendor. What should we do?
Contact us at support@autospf.com and we can walk through scoping with your compliance team. In almost every case the correct artifact for AutoSPF is a Data Processing Agreement (DPA), not a Business Associate Agreement. We provide DPAs on request.

Last reviewed: May 11, 2026.