Business Associate Agreement (BAA)
Last updated: February 10, 2026
This BAA applies only if (a) an Order Form expressly indicates that HIPAA functionality is enabled, or (b) Customer submits PHI to the Services and Customer and H33 mutually execute this BAA. If neither applies, this BAA does not apply.
IMPORTANT: This BAA must be separately executed. It does not apply by default.
1. Applicability; Relationship to Terms
1.1 Only If Applicable
This BAA applies only if (a) an Order Form (including an electronic purchase/enablement flow) expressly indicates that HIPAA functionality is enabled, or (b) Customer submits PHI to the Services and Customer and H33 mutually execute this BAA. If neither applies, this BAA does not apply.
1.2 Underlying Agreement
This BAA supplements the H33 Terms of Service or other governing agreement between the parties (the "Agreement"). Except as expressly stated in this BAA, the Agreement remains in full force.
1.3 Order of Precedence; Liability Not Expanded
If there is a conflict between this BAA and the Agreement regarding the parties' HIPAA obligations, this BAA controls solely to the extent necessary to comply with HIPAA. For all other matters (including fees, support, service availability, disclaimers, limitations of liability, and remedies), the Agreement controls.
Without limiting the foregoing, the Agreement's limitations of liability (including Section 17) apply to this BAA and to any claims arising out of or relating to PHI, this BAA, or HIPAA compliance, unless an Order Form expressly states otherwise. This BAA does not expand H33's liability or Customer remedies beyond the Agreement.
1.4 Customer Status
Customer represents that it is (i) a Covered Entity or (ii) a Business Associate acting on behalf of a Covered Entity ("Downstream Covered Entity"), and that it has authority to disclose PHI to H33 for the purposes described in this BAA.
2. Definitions
Capitalized terms not otherwise defined have the meanings set forth in HIPAA and its implementing regulations at 45 C.F.R. Parts 160 and 164.
2.1 "HIPAA"
Means the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations.
2.2 "PHI"
Means Protected Health Information as defined in 45 C.F.R. §160.103, including ePHI.
2.3 "Breach"
Has the meaning set forth in 45 C.F.R. §164.402.
2.4 "Security Incident"
Has the meaning set forth in 45 C.F.R. §164.304, provided that routine and unsuccessful attempts to access systems (e.g., pings, port scans, denial-of-service attempts) are not Security Incidents unless they result in unauthorized access to PHI.
3. Permitted Uses and Disclosures
3.1 Permitted Uses/Disclosures
H33 may use and disclose PHI only as necessary to provide the Services to Customer under the Agreement, and as otherwise permitted by this BAA or required by law.
3.2 Management and Administration
H33 may use PHI for its proper management and administration or to carry out its legal responsibilities, and may disclose PHI for those purposes only if (a) required by law, or (b) H33 obtains reasonable assurances from the recipient that the PHI will remain confidential and will be used or disclosed only as required by law or for the purpose for which it was disclosed, and that the recipient will notify H33 of any Breach.
3.3 Minimum Necessary
H33 will apply the "minimum necessary" standard to uses and disclosures of PHI where applicable to Business Associates under HIPAA.
3.4 No Sale/Marketing
H33 will not use or disclose PHI for marketing or sale of PHI, as those terms are defined under HIPAA, and will not receive remuneration for PHI except as permitted by HIPAA.
3.5 De-Identified Information
To the extent permitted by HIPAA, H33 may create and use de-identified information (45 C.F.R. §164.514) and may use such de-identified data for product improvement, security, analytics, and benchmarking. De-identified information is not PHI.
4. Encrypted Processing Model; Customer Responsibilities
4.1 Architecture Note (No Plaintext Access by Design)
Customer acknowledges that the Services are designed to process sensitive inputs using privacy-preserving cryptographic techniques, and that H33 generally does not require access to PHI in plaintext to provide the Services. Customer is responsible for determining whether and what PHI is submitted to the Services.
4.2 No Key Escrow / Customer Control
Unless expressly agreed in an Order Form, H33 does not provide key escrow, custody, or recovery for Customer-managed keys, credentials, or wallets. Customer is responsible for access control, endpoint security, and credential hygiene in Customer's environment.
4.3 No PHI On-Chain
Customer will not write or cause PHI to be written to any blockchain network via the Services (including via hashes, pointers, metadata, token metadata, or embedded references). If Customer enables blockchain functionality, it must do so in a manner that does not place PHI on-chain.
5. Safeguards
5.1 Administrative, Physical, and Technical Safeguards
H33 will implement administrative, physical, and technical safeguards as required by the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C) to protect the confidentiality, integrity, and availability of ePHI maintained in H33-controlled systems.
5.2 Security Exhibit
To the extent the parties have a Security Exhibit incorporated into the Agreement, the Security Exhibit describes certain controls and shared-responsibility allocations and is incorporated by reference into this BAA for security controls, provided that nothing in the Security Exhibit reduces H33's required obligations under HIPAA.
6. Reporting; Breach Notification; Mitigation
6.1 Breach and Security Incident Reporting
H33 will notify Customer of any Breach of Unsecured PHI as defined in 45 C.F.R. §164.402 without unreasonable delay and in any event no later than sixty (60) days after discovery.
6.2 Content of Notice
H33's notice will include, to the extent then-known and reasonably available, the information required for Customer to meet its notification obligations, including the nature of the incident, types of PHI involved, and mitigation steps taken or recommended.
6.3 Mitigation
H33 will mitigate, to the extent practicable, any harmful effect of a use or disclosure of PHI by H33 in violation of this BAA.
6.4 Customer Cooperation
Customer will promptly provide information reasonably requested by H33 to support investigation, response, and mitigation, including confirmation of whether affected data constitutes PHI and whether it was "unsecured" under HIPAA.
7. Subcontractors
7.1 Subcontractors Handling PHI
If H33 uses subcontractors that create, receive, maintain, or transmit PHI on H33's behalf, H33 will obtain written assurances (including through an appropriate business associate agreement or equivalent written terms) that such subcontractors will comply with restrictions and conditions regarding PHI that are no less stringent than those that apply to H33 under this BAA, as required by 45 C.F.R. §164.502(e) and §164.504(e).
7.2 Third-Party Platforms
Customer acknowledges H33 may use third-party infrastructure providers. Customer's exclusive remedies for third-party outages or failures are as set forth in the Agreement, and H33 is not responsible for third-party systems not controlled by H33, except to the extent required under HIPAA and applicable law.
8. Individual Rights; Access; Amendment; Accounting
8.1 Access
To the extent required by HIPAA and to the extent H33 maintains PHI in a "designated record set" on Customer's behalf, H33 will provide reasonable assistance to enable Customer to respond to access requests under 45 C.F.R. §164.524. Customer acknowledges that in many configurations, Customer controls the relevant records and can respond directly.
8.2 Amendment
To the extent required by HIPAA and applicable to PHI maintained by H33 in a designated record set, H33 will reasonably assist Customer with amendments under 45 C.F.R. §164.526.
8.3 Accounting of Disclosures
To the extent required by HIPAA and applicable to disclosures made by H33, H33 will provide information reasonably requested by Customer to support an accounting of disclosures under 45 C.F.R. §164.528.
8.4 Fees for Extraordinary Requests
If Customer requests assistance that requires material engineering effort, custom reporting, or professional services beyond standard support, the parties will agree on scope and fees in an Order Form before H33 is obligated to perform such work.
9. Government Access; HHS Requests
9.1 HHS Access
H33 will make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by H33 on behalf of, Customer available to the Secretary of HHS as required by HIPAA.
9.2 Customer Notice
To the extent permitted by law, H33 will provide Customer prompt notice of any such request.
10. Term; Termination; Return/Destruction
10.1 Term
This BAA remains in effect until the earlier of (a) termination of the Agreement, or (b) the date H33 no longer maintains PHI on Customer's behalf, unless earlier terminated under this Section.
10.2 Termination for Cause
If either party believes the other has materially breached this BAA, the non-breaching party will provide written notice and an opportunity to cure within thirty (30) days, unless the breach cannot be cured. If cure is not completed within the cure period, the non-breaching party may terminate this BAA and/or the affected Services.
10.3 Return or Destruction
Upon termination of this BAA, H33 will, to the extent feasible, return or destroy PHI that H33 maintains in H33-controlled systems on Customer's behalf. If return or destruction is not feasible, H33 will extend the protections of this BAA to such PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible, for so long as H33 maintains such PHI.
10.4 Customer Environment
Customer is responsible for return, deletion, and destruction of PHI within Customer's systems and environments, including any On-Prem or Enterprise Deployment components operated by Customer.
11. No Third-Party Beneficiaries
This BAA is solely for the benefit of the parties and does not create any rights in any third party.
12. Miscellaneous
12.1 Interpretation
This BAA will be interpreted to comply with HIPAA. Any ambiguity will be resolved to permit compliance.
12.2 Survival
Sections 10.3, 11, and 12 survive termination of this BAA.
12.3 Counterparts; Electronic Signature
This BAA may be executed in counterparts and by electronic signature, each of which is deemed an original.
12.4 No Customer Audits; No Questionnaires
Except as expressly agreed in an Order Form signed by H33, Customer has no right to audit H33 (including onsite inspections, walkthroughs, interviews, penetration tests, or similar assessments) and H33 has no obligation to complete Customer security questionnaires, respond to Customer audit requests, or provide audit reports or evidence beyond H33's standard materials (if any) made available by H33 in its discretion.
Customer acknowledges that H33 does not provide onsite audit access or in-person facilities visits as part of the Services. Nothing in this Section limits H33's obligation to make information available to the Secretary of HHS as required by HIPAA.
Signature Blocks
APPUIX, INC. (d/b/a H33.ai)
By: ___________________________
Name: _________________________
Title: _________________________
Date: _________________________
[CUSTOMER LEGAL NAME]
By: ___________________________
Name: _________________________
Title: _________________________
Date: _________________________
Questions about this BAA?
Contact our Privacy team at privacy@h33.ai