Using DX with Protected Health Information (PHI)

DX helps organizations understand and improve developer productivity by analyzing engineering productivity, software usage patterns, and employee feedback. This page explains how our service is intended to be used, and what to do if your organization works with Protected Health Information (PHI).

In brief: DX is not intended for processing, storing, or transmitting Protected Health Information (PHI). Because our service is not designed for PHI workflows, we do not offer Business Associate Agreements (BAAs) for DX.

How DX is intended to be used

DX is designed to help engineering organizations gain better understanding about how their teams work. The service collects and analyzes information from connected engineering systems, DX-native product surfaces, customer-supplied imports, and AI-assisted analysis features. Common categories of data that DX processes include:

  • Connected engineering tools: Metadata such as titles from issues, work items, pull requests, merge requests, commits, reviews, labels, custom fields, users, teams, repositories, projects, and related metadata from tools such as Jira, GitHub, GitLab, Azure DevOps, and Linear.
  • DX-native and customer-supplied data: Snapshot answers and comments (survey insights from your developers), PlatformX responses and event metadata (in-the-moment feedback from the users of their internal tools), Studies responses (targeted developer surveys), catalog entity descriptions and properties, custom data, and custom metric metadata.
  • AI Code Insights data: Commit metrics, repository metadata, file-level attribution metrics, installation and status data, session metadata, and scrubbed session messages when transcript capture is enabled.
  • DX AI and Data Studio data: AI-generated summaries, SQL generation, comment summaries, and analysis over engineering data, subject to DX AI and Data Studio access controls.

This information helps organizations identify trends, improve developer experience, and better understand how engineering teams collaborate and deliver software. The service is intended for organizational and operational data, not healthcare information about patients.

What this means for you

DX is designed for engineering metadata, and PHI should not typically be included in such data. If your organization uses DX, avoid submitting information that includes Protected Health Information (PHI).

For example, you should not use DX to collect, upload, or analyze:

  • Patient medical records
  • Clinical notes
  • Diagnoses or treatment information
  • Health insurance information
  • Laboratory or imaging results
  • Employee survey responses that include PHI
  • Files or documents containing patient identifiers together with health information

If your organization needs to process PHI as part of a developer productivity or workforce analytics program, DX is not the appropriate service for that workflow.

Business Associate Agreements (BAAs) aren’t necessary to use DX

A Business Associate Agreement (BAA) is a contract used when a service provider processes Protected Health Information (PHI) on behalf of a HIPAA covered entity or another business associate. Because DX is not intended to process PHI, a BAA is not necessary to use this service and we do not offer a BAA.

Remove PHI before using DX services

We recommend that you take all necessary precautions to ensure that PHI is not sent to DX services. Some best practices include:

  • Keep PHI out of upstream engineering tools. Do not put PHI in issue titles, work item descriptions, pull request descriptions, commit messages, labels, custom fields, branch names, survey comments, AI prompts, AI transcripts, or custom data payloads that may be sent to DX.
  • Use non-PHI identifiers. Use internal ticket IDs, anonymized references, or other non-PHI identifiers instead of patient names, medical record numbers, health conditions, treatment details, or other health information.
  • Limit connector scope. Configure service accounts, project access, repository access, and allowlisted fields so DX imports only the projects, repositories, teams, and custom fields needed for engineering reporting.
  • Review custom data imports. Validate Data Cloud API payloads, catalog properties, event metadata, and custom tables before sending them to DX.
  • Disable transcript capture for AI Code Insights if needed. AI Code Insights transcript capture is optional and off by default. If AI conversations could include PHI, keep transcript capture disabled for your organization. See FAQs for more information.
  • Restrict sensitive data surfaces. Limit AI Code Insights transcript visibility, DX AI chat access to individual contributor data, and Data Studio access to trusted administrators.
  • Train users and admins. Document which upstream fields are connected to DX and instruct developers, managers, and admins not to enter PHI into those fields. We strongly recommend regular training and monitoring to ensure relevant individuals comply with these policies.

FAQs

No.

Security and HIPAA serve different purposes. DX includes strong security controls designed to protect customer information from unauthorized access or use. [Add link to best security doc / SOC] explains DX’s security commitments and controls in more detail. However, security alone does not make a service appropriate for HIPAA-regulated data. Supporting PHI also requires specific contractual commitments, operational processes, and product capabilities. Because DX is not intended for PHI workflows, we do not position or offer the service as a HIPAA-supported platform.

In many cases, organizations may use properly de-identified information that no longer meets the definition of PHI. Your organization is responsible for determining whether data has been appropriately de-identified before it is submitted to DX.

If you believe PHI has been submitted to DX by mistake, remove the information if possible and contact our support team as soon as practical so we can help you understand the available next steps.

No. Because DX is not intended to process PHI, we do not offer BAAs for this service. DX is not the appropriate product for use cases that require processing PHI for operational insights.

We recommend checking all free-text fields of data you connect to DX to ensure that they do not contain PHI. Common examples include:

  • Issue and work item text: Jira issue summaries and custom field values, Azure DevOps work item titles, acceptance criteria, tags, and custom field values, and Linear issue titles or project content.
  • Pull request and commit text: Pull request titles, pull request descriptions where enabled, merge request titles, branch names, labels, and commit messages.
  • Survey and feedback text: Snapshot comments, PlatformX response answers, Studies response answers, and other free-text feedback fields.
  • Custom data: Custom data JSON, custom metric metadata, catalog entity descriptions, catalog properties, and customer-provided event metadata.
  • AI session text: AI Code Insights session titles, session summaries, evaluation comments, and message content when transcript capture is enabled.

DX does not rely on review comment body text, GitLab merge request descriptions, Linear issue descriptions, or source-code line contents in current AI Code Insights commit metrics. If those upstream fields are added to your DX configuration in the future, treat them as free text fields and ensure there is no PHI included in them.

AI Code Insights enables supported AI coding agents to provide session metadata to DX to process insights. You can optionally turn on transcript capture, which will then provide transcripts of message text from coding agents to DX to process.

You do not need to use transcript capture. When transcript capture is disabled, DX does not store message content. When transcript capture is enabled, DX is designed to scrub message content for common personal data and secret patterns before storing the data within DX’s services. While we do some pre-scrubbing on data for this feature, DX is still not intended for processing PHI. If there is any reason that your end users will include PHI into AI coding agent conversations, you should disable transcript capture.

For a complete description of AI Code Insights data flow, local storage, transmission, transcript handling, and endpoint considerations, see Security and privacy.

Quick reference

Your intended use Is DX appropriate?
Measuring software delivery performance Yes
Understanding developer workflow trends Yes
Running employee engagement surveys Yes
Collecting patient information No
Analyzing clinical records No
Storing or transmitting PHI No
Processing healthcare data that requires a BAA No