This Business Associate Agreement (“BAA”) governs Braincare’s obligations with respect to Protected Health Information (“PHI”) when Braincare acts as a Business Associate under HIPAA.
This BAA applies only where Braincare creates, receives, maintains, or transmits PHI on behalf of a covered entity in connection with the services.
Braincare may agree to review and execute a client-provided business associate agreement in lieu of this standard form, subject to mutual written agreement.
(Public Standard Form – Exhibit A - Mandatory)
Version: 1.0
Effective Date: 01/01/2026
This Business Associate Agreement (“BAA”) is entered into by and between Braincare USA Corp., a Delaware corporation (“Business Associate” or “Company”), and the healthcare organization identified in a quotation, order form, or purchase order referencing this BAA (“Covered Entity” or “Client”).
This BAA is incorporated by reference into the Master Software as a Service Agreement (Public Standard Form) (“Master Agreement”) and governs the Parties’ obligations with respect to Protected Health Information (“PHI”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations.
This Exhibit establishes the HIPAA-required terms and safeguards governing the creation, receipt, use, and disclosure of Protected Health Information (“PHI”) in connection with the Services provided under the Master Agreement.
It is entered into to satisfy the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and the Privacy, Security, Breach Notification, and Enforcement Rules (45 CFR Parts 160 and 164). It governs Business Associate’s creation, receipt, maintenance, or transmission of Protected Health Information (“PHI”) on behalf of the Covered Entity.
All capitalized terms not otherwise defined have the meanings set forth in 45 CFR §160.103 and §164.501. Where PHI remains encrypted such that Braincare USA cannot access or decrypt it, Company acts solely as a conduit and not as a Business Associate under HIPAA.
3.1 Use by Business Associate
Business Associate may use PHI solely to perform services for or on behalf of Covered Entity as described in the underlying Service Agreement, including device analytics, clinical reporting, and related support consistent with its FDA-cleared and HIPAA-compliant platform.
3.2 Disclosures by Business Associate
Business Associate may disclose PHI only:
to the Covered Entity;
to subcontractors or agents that have executed written agreements requiring equivalent protections; or
as required by law.
3.3 Minimum Necessary
Business Associate shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose.
Business Associate shall implement and maintain administrative, physical, and technical safeguards that meet or exceed the requirements of 45 CFR §§164.308–164.312 and are consistent with its information security program, which is covered by a SOC 2 Type II attestation report.
4.1 Encryption and Key Management
All PHI processed through the B4C System is encrypted at the point of origin using RSA 2048-bit asymmetric encryption implemented through AWS Key Management Service (KMS), which uses FIPS 140-2 validated cryptographic modules, with algorithm and key-length choices following NIST SP 800-131A.
For each Covered Entity, Business Associate generates a unique public/private key pair. The private key is transferred exclusively to the Covered Entity and is not stored, retained, or recoverable by Business Associate. The public key encrypts PHI before transmission to the secure AWS environment. Consequently, Business Associate has no capability to decrypt or view PHI under normal operations.
If the Covered Entity expressly requests that Business Associate act as custodian of the private key, Business Associate shall apply the same technical and administrative safeguards required under this Agreement, including key rotation, access control, and logging consistent with HIPAA Security Rule and SOC 2 Type II standards.
Covered Entity acknowledges that if the private key is lost, corrupted, or destroyed, the encrypted data cannot be recovered, and Business Associate has no technical means to restore access.
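The following is an added illustration of the key arrangement described in this Section 4.1; it is example code written for this page, not Braincare's implementation, and it does not use AWS KMS. It assumes hybrid encryption (a fresh AES-256-GCM data key per record, wrapped with the Covered Entity's RSA-2048 public key using OAEP), because RSA alone cannot encrypt a record-sized payload; the OAEP label, the function names, and the sample record and metadata are all constructed for the example. It shows the three consequences the text states: the Business Associate can store and read only metadata, a different tenant's private key cannot unwrap the record, and without the private key the ciphertext is unrecoverable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// oaepLabel binds wrapped keys to this purpose. Assumed value for the example.
var oaepLabel = []byte("phi-dek-v1")

// Envelope is what the Business Associate stores and analyses. It holds no
// private-key material and no plaintext PHI; only Metadata is readable.
type Envelope struct {
	WrappedDEK []byte // 256-bit AES key, wrapped with the tenant's RSA public key (OAEP-SHA256)
	Nonce      []byte // AES-GCM nonce, fresh for every record
	Ciphertext []byte // AES-256-GCM ciphertext with appended authentication tag
	Metadata   []byte // non-PHI metadata, authenticated as AAD but stored in the clear
}

// GenerateTenantKeyPair creates the one key pair issued per Covered Entity.
// The private half is handed to the Covered Entity and is not retained.
func GenerateTenantKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptAtOrigin encrypts a PHI record using only the public key. A random
// data-encryption key (DEK) protects the record and RSA-OAEP wraps the DEK;
// the plaintext DEK is zeroed before returning, so nothing that can decrypt
// the record is left behind at the origin or sent to the Business Associate.
func EncryptAtOrigin(pub *rsa.PublicKey, phi, metadata []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, phi, metadata)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, oaepLabel)
	if err != nil {
		return nil, err
	}
	for i := range dek { // discard the DEK: only the private key can recover it now
		dek[i] = 0
	}
	return &Envelope{WrappedDEK: wrapped, Nonce: nonce, Ciphertext: ct, Metadata: metadata}, nil
}

// DecryptAtCoveredEntity is the only path back to plaintext. A missing key is
// the "lost, corrupted, or destroyed" case: the data cannot be restored.
func DecryptAtCoveredEntity(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	if priv == nil {
		return nil, errors.New("private key unavailable: encrypted PHI cannot be recovered")
	}
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedDEK, oaepLabel)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK (wrong tenant key or tampered envelope): %w", err)
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	phi, err := gcm.Open(nil, env.Nonce, env.Ciphertext, env.Metadata)
	if err != nil {
		return nil, fmt.Errorf("authenticate and decrypt record: %w", err)
	}
	return phi, nil
}

func main() {
	tenantA, _ := GenerateTenantKeyPair()
	tenantB, _ := GenerateTenantKeyPair()
	// Constructed sample record and metadata; not real patient data.
	phi := []byte(`{"patient":"Jane Doe","note":"sample reading"}`)
	env, _ := EncryptAtOrigin(&tenantA.PublicKey, phi, []byte("tenant=A;device=B4C;seq=17"))
	fmt.Printf("Business Associate sees: metadata=%q, %d ciphertext bytes\n", env.Metadata, len(env.Ciphertext))
	if _, err := DecryptAtCoveredEntity(nil, env); err != nil {
		fmt.Println("no private key:", err)
	}
	if _, err := DecryptAtCoveredEntity(tenantB, env); err != nil {
		fmt.Println("other tenant's key:", err)
	}
	out, _ := DecryptAtCoveredEntity(tenantA, env)
	fmt.Printf("Covered Entity recovers: %s\n", out)
}
```

Because the metadata is passed as AES-GCM associated data, any change to it after the fact makes the record fail authentication at the Covered Entity, which is the check a practitioner would want on the "metadata is readable but PHI is not" boundary described in Section 4.2.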
4.2 Additional Security Controls
All data remains encrypted in transit (TLS 1.2 or higher with forward secrecy) and at rest within AWS.
Access to systems handling metadata or anonymized outputs is restricted by least-privilege principles and multifactor authentication.
Audit logs are retained for a minimum of six years.
Business Associate shall promptly report to Covered Entity any security incident involving PHI and any breach of unsecured PHI as defined by 45 CFR §164.402, without unreasonable delay and no later than ten (10) business days after discovery.
Business Associate shall cooperate with Covered Entity to mitigate any harmful effects of a known breach or unauthorized disclosure.
Business Associate shall ensure that any subcontractor or agent that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to the same restrictions, conditions, and safeguards that apply to Business Associate.
To the extent that Covered Entity must provide an individual access to PHI, Business Associate shall:
make PHI available in the required format within ten (10) business days of request;
incorporate amendments as directed by Covered Entity; and
maintain and provide an accounting of disclosures as required by 45 CFR §164.528.
8.1 Term
This Agreement remains in effect for the duration of the Service Agreement and until all PHI is returned or destroyed.
8.2 Termination for Cause
Covered Entity may terminate this Agreement if it determines that Business Associate has materially violated its terms and failed to cure the breach within thirty (30) days after notice.
8.3 Effect of Termination
Upon termination, Business Associate shall, at Covered Entity’s direction, return or destroy all PHI. If return or destruction is infeasible, Business Associate shall extend the protections of this Agreement and limit further use or disclosure to those purposes that make return or destruction infeasible.
Each Party is responsible for its own acts or omissions and those of its employees and subcontractors. Neither Party shall be liable for consequential or punitive damages except to the extent required by law or arising from gross negligence or willful misconduct.
Business Associate shall indemnify Covered Entity for direct damages resulting from a breach of this Agreement caused by Business Associate’s negligence or intentional misconduct.
Independent Entities: The Parties are independent contractors.
Regulatory References: References to a HIPAA section include any amendments or successor provisions.
Survival: Obligations under Sections 4–9 survive termination.
Governing Law: This Agreement is governed by the laws of Delaware, without regard to conflict-of-law principles.
Entire Agreement: This BAA supersedes any inconsistent terms relating to PHI in other agreements between the Parties.
This BAA is governed by the laws of the State of Delaware. Disputes shall be resolved in accordance with the Governing Law and Dispute Resolution provisions of the Master SaaS Agreement.
This Business Associate Agreement is published as a public standard form and is incorporated by reference into the Master Software as a Service Agreement.
Execution of a quotation, order form, purchase order, or use of the Services constitutes acceptance of this BAA.
If the Covered Entity requires a separately executed business associate agreement, the Parties may instead enter into a mutually agreed written BAA, which shall supersede this Exhibit solely with respect to PHI obligations.
If the parties have executed a written agreement that expressly supersedes this standard form, that executed agreement controls.