Votexia Business Associate Agreement (BAA)
Effective Date: [Date]
Last Updated: [Date]
This Business Associate Agreement ("BAA") is entered into by and between Votexia LLC ("Business Associate"), and the customer ("Covered Entity") (each a "Party" and collectively the "Parties"). This BAA supplements and forms a part of the Votexia Master Subscription Agreement ("MSA") between the Parties.
Background
The Covered Entity utilizes the Votexia SaaS platform ("Service") for automated cloud infrastructure compliance monitoring. While Votexia’s architecture is strictly designed to process infrastructure configuration metadata and explicitly prohibits the transmission or storage of Protected Health Information (PHI), the Parties are entering into this BAA to ensure full compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the HITECH Act, and associated regulations (collectively, the "HIPAA Rules") in the event that limited incidental PHI is contained within infrastructure metadata.
1. Definitions
1.1. "Covered Entity" refers to the customer utilizing the Votexia Service, as defined under 45 CFR § 160.103.
1.2. "Business Associate" refers to Votexia, as defined under 45 CFR § 160.103.
1.3. "Protected Health Information (PHI)" shall have the same meaning as the term "protected health information" in 45 CFR § 160.103, limited to the information created, received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity.
1.4. "Security Incident" means the successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. For clarity, "Security Incident" does not include unsuccessful attempts such as pings, port scans, or denied access attempts that do not result in unauthorized access to PHI.
1.5. Other Terms: All other capitalized terms used but not defined in this BAA shall have the meanings ascribed to them in the HIPAA Rules or the MSA.
2. Zero-PHI Architecture and Covered Entity Obligations
2.1. Prohibition of PHI Uploads: The Service is engineered for metadata-only scanning. Covered Entity agrees that it shall not configure the Service, provide IAM permissions, or utilize custom tags in a manner that transmits PHI, Personally Identifiable Information (PII), or raw database payloads to Votexia.
2.2. Principle of Least Privilege: Covered Entity represents and warrants that it will strictly provision Votexia's integration access using "Read-Only" or "SecurityAudit" policies as outlined in Votexia's documentation, actively preventing Votexia from accessing healthcare records.
2.3. Permissible Requests: Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity.
3. Obligations and Activities of Business Associate
Notwithstanding Section 2, in the event Business Associate incidentally receives or accesses PHI, Business Associate agrees to:
3.1. Non-Disclosure: Not use or disclose PHI other than as permitted or required by the MSA, this BAA, or as Required by Law (as defined in Section 7.3 of the MSA).
3.2. Safeguards: Use appropriate physical, technical, and administrative safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for by this BAA.
3.3. Reporting: Report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware, including breaches of unsecured PHI as required at 45 CFR § 164.410, and any successful Security Incident materially affecting the confidentiality, integrity, or availability of PHI. Notwithstanding the 60-day notification period allowed under 45 CFR § 164.410, Business Associate shall notify Covered Entity without undue delay and in no event later than seventy-two (72) hours after becoming aware of the breach, aligning with the strict notification timeline set forth in the MSA.
3.4. Mitigation: Mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this BAA.
3.5. Subcontractors: Ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information. Business Associate shall maintain a list of all current subcontractors and shall provide Covered Entity with at least thirty (30) days' advance written notice before appointing any new subcontractor, granting Covered Entity the right to object.
3.6. Access to PHI: As Votexia provides a "no-view" metadata monitoring service, it does not typically maintain PHI in a Designated Record Set. However, to the extent Business Associate does possess PHI in a Designated Record Set, Business Associate shall make available PHI in a Designated Record Set to Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR § 164.524. If Business Associate receives a request for access directly from an individual, it shall promptly forward the request to Covered Entity.
3.7. Amendment of PHI: Business Associate shall make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 CFR § 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR § 164.526. If Business Associate receives a request for amendment directly from an individual, it shall promptly forward the request to Covered Entity.
3.8. Accounting of Disclosures: Business Associate shall maintain and make available the information required to provide an accounting of disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR § 164.528. If Business Associate receives a request for an accounting directly from an individual, it shall promptly forward the request to Covered Entity.
3.9. Access to Books and Records: Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining compliance with HIPAA.
3.10. OCR Cooperation: In the event of an investigation, audit, or inquiry by the Office for Civil Rights (OCR) or any other governmental authority concerning the processing of PHI under this BAA, Business Associate shall: (a) promptly notify Covered Entity of such contact (unless prohibited by law); (b) reasonably cooperate with Covered Entity in responding to such inquiry; and (c) provide requested documentation or access to records as Required by Law to demonstrate compliance.
4. Permitted Uses and Disclosures by Business Associate
4.1. Service Provision: Business Associate may use or disclose PHI (if incidentally received) solely to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the MSA.
4.2. Management and Administration: Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate, provided that such disclosures are Required by Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as Required by Law or for the purposes for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. Business Associate shall limit its uses and disclosures of, and requests for, PHI to the minimum necessary to accomplish the intended purpose.
4.3. Data Aggregation: Business Associate shall not use or disclose PHI for data aggregation services relating to the health care operations of the Covered Entity without the Covered Entity's explicit prior written consent.
5. Term and Termination
5.1. Term: The Term of this BAA shall be effective as of the Effective Date and shall terminate upon the expiration or termination of the MSA.
5.2. Termination for Cause: If either Party determines that the other Party has committed a material breach of this BAA, the non-breaching Party may terminate this BAA and the underlying MSA upon thirty (30) days' written notice, provided the breach is not cured within the notice period. If the material breach involves the ongoing unauthorized exposure, transmission, or disclosure of PHI, the breaching Party must immediately cease the breaching activity as a strict precondition to the running of the thirty (30)-day cure period.
5.3. Obligations Upon Termination: Upon termination of this BAA for any reason, Business Associate shall, if feasible, return or destroy all PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, that Business Associate still maintains in any form, within sixty (60) days of termination.
5.4. Regulatory Retention Exception: Notwithstanding Section 5.3, the Parties acknowledge that Business Associate may be required to retain solely non-PHI metadata and evidence log hashes required to satisfy federal or state record retention requirements. Given the Zero-PHI architecture described in Section 2, retained information shall consist exclusively of infrastructure configuration metadata and cryptographic evidence hashes, which by design do not contain PHI. In such cases, Business Associate shall extend the protections of this BAA to such retained information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible. The obligations of Business Associate under this Section 5.4 shall survive the termination of this BAA and continue for as long as Business Associate retains the PHI. Upon the expiration of such regulatory retention periods, Business Associate shall proceed with destruction as outlined in Section 12.1 of the MSA.
6. Miscellaneous
6.1. Regulatory References: A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended.
6.2. Interpretation: Any ambiguity in this BAA shall be interpreted to permit compliance with the HIPAA Rules.
6.3. Conflict: In the event of an inconsistency between the provisions of this BAA and mandatory provisions of the HIPAA Rules, as amended, the HIPAA Rules shall control. In the event of a conflict between this BAA and the MSA, this BAA shall govern with respect to PHI.
6.4. Governing Law: This BAA shall be governed by and construed in accordance with the laws of the State of Delaware, except to the extent preempted by federal law, including the HIPAA Rules.
6.5. Dispute Resolution & Enforcement: The dispute resolution and arbitration provisions of the MSA apply to this BAA, with the explicit exception of regulatory enforcement actions, investigations, or audits initiated by the Department of Health and Human Services (HHS), Office for Civil Rights (OCR), or state attorneys general, which shall not be subject to mandatory arbitration.
If you have questions regarding this BAA, please contact our privacy officer at [email protected].