1. Definitions and Scope
This guide applies to the use of Nebius Cloud services for workloads that may involve the processing, transmission, or storage of electronic Protected Health Information (ePHI) as defined by 45 CFR §160.103.- Customer - refers to a covered entity or Business Associate under HIPAA that uses Nebius services.
- ePHI - electronic Protected Health Information subject to the HIPAA Security and Privacy Rules.
- Scope of Regions - Nebius permits the storage and processing of ePHI in any Nebius region. All Nebius regions operate under uniform security, operational, and physical safeguards aligned with ISO 27001, SOC 2, and Nebius internal compliance frameworks. Customers are responsible for selecting regions and replication configurations consistent with their own compliance, residency, and data-sovereignty requirements.
-
Scope of Services
- Object Storage is the only service authorized for storing ePHI at rest.
- Compute Instances and Managed Kubernetes (mK8s) may be used to process or transmit ePHI in transient form, provided that no ePHI is persistently written to local disks, NBS, shared filesystems, managed solutions, or images in Container registry.
- All other Nebius services must not be used to store or process ePHI unless explicitly designated as HIPAA-eligible in Nebius documentation.
2. Shared Responsibility Model
Nebius and its customers share responsibility for protecting ePHI stored or processed in the Nebius Cloud.| Responsibility | Nebius | Customer |
|---|---|---|
| Infrastructure Security (physical, network, hypervisor, compute nodes, storage) | ✓ | |
| Platform Security Controls (Object Storage, IAM, Audit Logs) | ✓ | |
| Customer Data Classification & Handling | ✓ | |
| Identity & Access Management configuration | ✓ | |
| Encryption of data in transit and at rest | ✓ (platform-level) | ✓ (application-level keys and usage) |
| Audit Logging & Monitoring | ✓ (service capability) | ✓ (enablement and monitoring) |
| Data Integrity Controls | ✓ | |
| Business Associate Agreement (BAA) | ✓ (on request) | ✓ (execution required before storing ePHI) |
3. HIPAA Safeguards Alignment
Nebius aligns with the core HIPAA Security Rule safeguard categories:| HIPAA Safeguard Category | Nebius Controls | Customer Controls |
|---|---|---|
| Administrative (§164.308) | Access management, audit logging, personnel security, risk management | Workforce training, incident response, policies & procedures, risk management |
| Physical (§164.310) | Controlled data-center access, CCTV, hardware disposal | None (Nebius-managed) |
| Technical (§164.312) | Encryption at rest and in transit, IAM, Object Storage ACLs, audit logging | Application-level access control, data integrity validation |
4. Business Associate Agreement (BAA) Process
Before processing or storing ePHI, Customers must execute a Business Associate Agreement (BAA) with Nebius. The BAA outlines each party’s responsibilities regarding HIPAA compliance, data handling, and breach notification. ePHI must not be uploaded or processed until the BAA is fully executed, signed and confirmed. A draft BAA can be requested through your sales representative or by contacting Nebius Support at support@nebius.com.5. Data Residency
Nebius offers regional Object Storage. All Nebius regions meet the same physical and logical security standards. Customers are responsible for selecting regions consistent with organizational or legal residency requirements.6. Encryption and Key Management
Nebius enforces strong encryption across all layers of data handling.- At Rest – All objects in Nebius Cloud Object Storage are encrypted using AES-256 by default.
- In Transit – All communications use HTTPS (TLS 1.2 or higher).
7. Access Logging and Audit Requirements
To maintain accountability and traceability, customers must enable access logging for Object Storage buckets containing ePHI.7.1 Enabling Access Logs
- Logging is not enabled by default for data access operations in Object Storage.
- Customers must explicitly request Access Log activation via Nebius Support.
- Access logging is enabled on a per-bucket basis, for specific Object Storage buckets identified by the customer as containing ePHI.
- Once enabled, all read, write, and delete events will be captured in Nebius Audit Logs.
7.2 Customer Obligations
Customers must:- Monitor and review logs regularly.
- Set up alerts for anomalous access activity.
- Retain logs for the legally required period.
- Ensure logs themselves do not include ePHI.
8. Data Integrity and Retention Obligations
8.1 Data Integrity
Nebius provides redundant storage infrastructure but does not validate or guarantee the logical integrity of Customer data. Data integrity is entirely the Customer’s responsibility. Customers should implement:- Checksums or digital signatures.
- Periodic integrity verification and restoration plans.
- Backup mechanisms for corruption recovery.
8.2 Data Retention (Six-Year Rule)
Nebius does not guarantee six-year retention or automatic archiving of ePHI. If long-term retention is required, the customer must keep the relevant Object Storage buckets active and billed.9. Incident Response and Breach Notification
Nebius maintains a documented Security Incident Response Program covering detection, containment, investigation, and remediation of potential data incidents. If Nebius becomes aware of an incident affecting the confidentiality or integrity of Customer data, Nebius will notify the affected Customer without undue delay and in accordance with contractual and regulatory obligations – including those outlined in the BAA. Customers are responsible for defining their own internal HIPAA breach-notification processes for incidents within their applications or configurations.10. Data Deletion and Lifecycle Management
Nebius Object Storage provides customers with full control over the lifecycle and deletion of their data. Customers can delete objects or entire buckets at any time through the Nebius Console or API/CLI/Terraform. When deletion is initiated, Nebius performs a multi-stage secure deletion process to ensure the data becomes irrecoverable both logically and cryptographically.10.1 Object and Bucket Deletion Process
- When an object is deleted, it is first placed into a deletion queue.
- When a bucket is deleted, all objects within that bucket are placed into the deletion queue, and the Key Encryption Key (KEK) associated with that bucket is permanently deleted.
- Each object has its own Data Encryption Key (DEK), which is stored in object metadata and encrypted with the bucket’s KEK.
-
Within three (3) days, all items in the deletion queue are processed through the following steps:
- Metadata and DEK deletion (cryptographic deletion) - The object metadata, including the DEK, is permanently deleted from the metadata store. Once the DEK is deleted, the underlying encrypted data becomes cryptographically irretrievable.
-
Storage blob deletion -
Encrypted data chunks (“blobs”) are deleted from physical storage. Some residual data may temporarily remain on underlying disks; however, it is impossible for other platform users or Nebius personnel to reconstruct it because:
- Data is randomly split into chunks up to 4 MB in size.
- Chunks are distributed across multiple racks within the data center.
- No metadata remains linking blobs to customer objects.
- Residual data handling - Over time, some unlinked blobs may persist in the blob storage subsystem. These blobs are automatically overwritten with new data during normal storage operations. On current Nebius clusters, full overwrite of residual data typically occurs within 1–2 days after metadata removal.
10.2 Customer Responsibilities
Customers are responsible for:- Defining lifecycle and deletion policies in compliance with HIPAA retention requirements.
- Ensuring deleted data is no longer needed for compliance or legal purposes.
- Understanding that once metadata and DEKs are deleted, data recovery is impossible.
11. Compliance and Certification References
Nebius aligns its security and privacy controls with internationally recognized standards, including:- ISO/IEC 27001 – Information Security Management System
- SOC 2 Type II – Security, Availability, and Confidentiality
- ISO/IEC 27701 – Privacy Information Management
12. Prohibition on Storing ePHI in Object Metadata
Customers must not include electronic Protected Health Information (ePHI), personally identifiable information (PII), or any other confidential data in object metadata, tags, or key names in the Nebius Cloud Object Storage service. Object metadata, tags, and identifiers may be transmitted, logged, or processed by internal control systems for purposes such as request routing, billing, and monitoring. As such, these data fields are not designed or approve for storing regulated content under HIPAA or other privacy frameworks. To maintain compliance with HIPAA and ensure proper data protection, customers should store ePHI only within encrypted object contents in appropriately secured buckets that meet the encryption and access control requirements defined in this guide.13. Recommended Best Practices
- Use least-privilege IAM policies for users and service accounts.
- Separate HIPAA workloads from general environments.
- Encrypt data at the application layer when feasible.
- Verify data integrity periodically.
- Regularly review access logs and IAM bindings.
- Document retention and deletion policies.
14. Disclaimer
Nebius provides the technical and procedural controls necessary to support HIPAA compliance. However, compliance is not automatic. It depends on how customers configure and operate Nebius services. Customers are responsible for ensuring that their applications, configurations, and data-handling processes meet all applicable HIPAA requirements, including data integrity and long-term data retention.Web address: https://docs.nebius.com/legal/hipaa Publication date: October 31, 2025
Effective date: October 31, 2025