Business Associate Agreement

Required before any Protected Health Information (PHI) is transmitted through the managed Service — see Section 5 and Section 4 of our Terms and Privacy Policy.

Template version — last updated: July 7, 2026

⚠ Draft template — not yet executed or attorney-reviewed. This page describes the BAA we intend to offer Enterprise / Healthcare Compliance Add-On customers. It is a starting point, not a binding agreement, and has not been reviewed by a healthcare/privacy attorney. Do not represent to a prospective customer that a signed BAA is currently available until (a) this document has been reviewed and finalized by qualified counsel, and (b) the operational prerequisite in Section 11 below is actually in place. An unsigned page on a website does not create HIPAA compliance by itself.

Recitals

This Business Associate Agreement ("BAA") is entered into between AI Control Plane Gateway ("Business Associate") and the covered entity or business associate identified in the applicable Order Form ("Covered Entity"), and supplements the Terms of Service between the parties. Covered Entity wishes to disclose Protected Health Information ("PHI") to Business Associate in connection with Business Associate's provision of the managed Service, and the parties intend this BAA to satisfy the requirements of the HIPAA Privacy, Security, and Breach Notification Rules, 45 C.F.R. Parts 160 and 164, as amended (collectively, "HIPAA").

1. Definitions

Terms used but not otherwise defined in this BAA have the meanings given in HIPAA, including "Breach," "Designated Record Set," "Electronic Protected Health Information," "Protected Health Information," "Required by Law," "Secretary," "Security Incident," "Subcontractor," and "Unsecured Protected Health Information."

2. Permitted Uses and Disclosures of PHI

3. Technical Safeguards Specific to This Service

In addition to the general safeguards described below, Business Associate implements the following technical measures specific to the Service:

Covered Entity acknowledges that PHI redaction is a defense-in-depth control, not a substitute for Covered Entity's own risk analysis, minimum-necessary determinations, and workforce training obligations under HIPAA.

4. Safeguards

Business Associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI it creates, receives, maintains, or transmits on behalf of Covered Entity, in compliance with the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C).

5. Subcontractors

Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees, in writing, to the same restrictions and conditions that apply to Business Associate with respect to such PHI. As of the date of this template, potential Subcontractors include: cloud infrastructure hosting, and payment/email providers used solely for account and billing administration (which do not receive PHI in the ordinary course of the Service). See Section 11 — Business Associate must execute its own Subcontractor BAAs, or configure the Service such that no Subcontractor receives PHI, before this Section can be satisfied in practice.

6. Reporting

7. Access, Amendment, and Accounting of Disclosures

Business Associate shall make available PHI in a Designated Record Set (if any is maintained by Business Associate), and information necessary for Covered Entity to respond to an individual's request for an accounting of disclosures, within a reasonable time following Covered Entity's request, to the extent Business Associate maintains such information as part of the Service.

8. Minimum Necessary

Business Associate shall request, use, and disclose only the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure, or request, consistent with 45 C.F.R. § 164.502(b).

9. Term and Termination

This BAA is effective as of the date PHI is first transmitted through the Service under an executed Order Form, and terminates upon termination of the underlying Terms of Service. Upon termination, Business Associate shall, at Covered Entity's election, return or destroy all PHI it maintains, or if neither is feasible, extend the protections of this BAA to the PHI for as long as it is retained.

10. Miscellaneous

11. Prerequisite for This BAA to Be Operationally Valid — Read Before Relying on This Page

A signed BAA between Business Associate and Covered Entity does not, by itself, make the Service HIPAA-compliant. HIPAA requires that every entity in the chain that could receive PHI has its own BAA in place. Before this template is finalized and offered to customers, the following must be true:

12. Contact

To request execution of a BAA once the above prerequisites are met:

AI Control Plane Gateway
Email: [email protected]
Website: aicontrolplanegateway.com