Version 1.0 · Effective Date: January 01, 2026
Describes Braincare’s technical, organizational, and administrative safeguards
Defines cloud hosting, encryption, and access controls
Establishes device and tablet administration responsibilities
This addendum supplements, and does not replace, the Business Associate Agreement where PHI is involved.
(Public Standard Form - Exhibit E-1 – Mandatory; Optional Delegations Inside)
Version: 1.0
Effective Date: 01/01/2026
This Data Security & Cloud Administration Addendum (“Addendum”) is incorporated by reference into and forms part of the Master Software as a Service Agreement (Public Standard Form) (“Master Agreement”) between Braincare USA Corp. (“Company”) and the healthcare organization identified in a quotation, order form, or purchase order referencing the Master Agreement (“Client”).
This Addendum automatically applies to all Clients under the Master Agreement.
Optional services and delegations are defined within this Addendum and apply only if expressly selected by Client.
Except as expressly stated herein, all terms of the Master Agreement, the Service Level Agreement (“SLA”), and the Business Associate Agreement (“BAA”), if applicable, remain unchanged and in full force and effect. In the event of conflict, the Master Agreement controls.
This Addendum defines the default and optional administrative responsibilities related to:
Encryption key custody
Cloud account administration
Mobile tablet device management
This Addendum does not expand Company’s access to PHI, alter HIPAA roles, or modify the allocation of liability, security responsibility, or regulatory obligations set forth in the Master Agreement or BAA.
E1-A – Client Managed (Default): Client holds and controls the private encryption key used for PHI encryption. Company does not store, access, or have recovery capability for the private key. Loss of the key may render PHI permanently inaccessible.
E1-B – Company Custodian (Optional): If Client expressly authorizes Company, Company may store the private key within AWS KMS using FIPS-validated cryptographic modules, under SOC 2 Type II controls, acting solely as technical custodian. Company’s liability remains limited per the Master Agreement.
E1-C – Client Managed (Default): Client retains administrative credentials and full control of its AWS environment or sub-account.
E1-D – Company Administered (Optional): Client authorizes Company to administer its AWS sub-account, including credential rotation and configuration changes. Company maintains audit logs and removes access within five (5) business days of revocation.
Company is not responsible for incidents arising from Client-managed credentials, network configuration, or erroneous instructions provided by Client.
E1-E – Client Managed (Default): Client manages mobile tablets used with the B4C System through its own MDM solution and internal policies.
E1-F – Company Managed (Optional – Android Only): Client authorizes Company to manage tablets via Samsung Knox Manage, limited strictly to Braincare configuration, application updates, and security policies. Company does not access unrelated applications or locally stored PHI.
All Company activities under this Addendum comply with:
SOC 2 Type II
HIPAA Security Rule (where applicable)
NIST / FIPS cryptographic standards
Nothing in this Addendum limits Company’s obligations under applicable law or Client’s responsibility for securing its own systems, users, devices, and networks.
This Addendum is co-terminous with the Master Agreement.
Client may change or revoke any optional selection under this Addendum by written notice to support@brain4.care. Company will implement the change and confirm completion within five (5) business days.
This Addendum is governed by the laws of the State of Delaware and subject to the governing-law and dispute-resolution provisions of the Master Agreement.
This Exhibit E-1 is published as a public standard form and is automatically incorporated by reference into all applicable quotations, order forms, and purchase orders referencing the Master Agreement.
Execution of an order document or use of the Services constitutes Client’s acceptance of this Addendum and its default provisions.