
HIPAA Business Associate Agreement.

If you are a US Covered Entity (provider, plan, or clearinghouse) or a Business Associate routing PHI through ShieldMind, this BAA governs how we handle that PHI. Email bd@dtrasglobal.com to execute a countersigned copy; the text below is the template we will sign.

Last updated · June 5, 2026
Contents
  • 1. Definitions
  • 2. Permitted Uses and Disclosures of PHI
  • 3. Safeguards
  • 4. Reporting of Unauthorized Use, Disclosure, or Security Incidents
  • 5. Subcontractors
  • 6. Access, Amendment, and Accounting of Disclosures
  • 7. HHS Access
  • 8. Term and Termination
  • 9. Indemnification and Insurance
  • 10. Miscellaneous

1. Definitions

'HIPAA' means the Health Insurance Portability and Accountability Act of 1996, as amended by the HITECH Act of 2009 and implementing regulations at 45 CFR Parts 160, 162, and 164.

'PHI' means Protected Health Information, as defined at 45 CFR 160.103, that is created, received, maintained, or transmitted by ShieldMind on behalf of Customer.

'Covered Entity', 'Business Associate', 'Required by Law', 'Subcontractor', 'Breach', 'Unsecured PHI', 'Designated Record Set', 'Limited Data Set', and 'Security Incident' have the meanings ascribed to them under HIPAA.

'Customer' means the Covered Entity or Business Associate executing this BAA. 'ShieldMind' means DTRAS-G Solutions Private Limited.

2. Permitted Uses and Disclosures of PHI

ShieldMind may use or disclose PHI only as permitted or required by this BAA, the underlying ShieldMind Master Services Agreement, or as Required by Law.

ShieldMind may use PHI for the proper management and administration of ShieldMind or to carry out ShieldMind's legal responsibilities, provided that any disclosure for such purposes is Required by Law, or the recipient provides reasonable assurances that the PHI will be held confidentially and used or disclosed only as Required by Law or for the purpose for which it was disclosed, and the recipient notifies ShieldMind of any instance of which it is aware in which the confidentiality of the PHI has been breached.

ShieldMind will NOT use or disclose PHI for marketing purposes, for the sale of PHI, or to train any machine-learning or generative-AI model. Customer PHI is never used in our shared product analytics.

ShieldMind may de-identify PHI in accordance with 45 CFR 164.514(b) and use such de-identified data for any lawful purpose.

3. Safeguards

ShieldMind will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI, as required by 45 CFR Part 164 Subpart C (Security Rule).

Without limitation, these safeguards include: (a) AES-256-GCM encryption at rest with per-row data encryption keys wrapped by a customer-controllable KMS Key Encryption Key; (b) TLS 1.3 in transit; (c) HMAC-chained audit logging with tamper detection; (d) multi-tenant database isolation enforced at the application and row-security-policy layers; (e) least-privilege RBAC with periodic access reviews; (f) employee background checks and HIPAA awareness training annually; (g) SOC 2 Type II observation (in progress; report available on completion).

4. Reporting of Unauthorized Use, Disclosure, or Security Incidents

ShieldMind will report to Customer any use or disclosure of PHI not provided for by this BAA of which it becomes aware, including Breaches of Unsecured PHI as required by 45 CFR 164.410, without unreasonable delay and in no case later than 30 calendar days after discovery.

The report will include, to the extent known at the time: (a) identification of each individual whose Unsecured PHI was involved; (b) a description of what happened, including the date of the incident and the date of discovery; (c) a description of the types of Unsecured PHI involved; (d) any steps individuals should take to protect themselves from potential harm; (e) a brief description of what ShieldMind is doing to investigate, mitigate, and prevent recurrence.

ShieldMind will also report Security Incidents (45 CFR 164.304) on an aggregate, no-less-than-quarterly basis, except that successful Security Incidents resulting in unauthorized access, use, disclosure, modification, or destruction of PHI will be reported individually per the timeline above.

5. Subcontractors

ShieldMind will ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of ShieldMind agrees in writing to the same restrictions and conditions that apply to ShieldMind with respect to such PHI, as required by 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2).

ShieldMind's current Subcontractors processing PHI are listed at /legal/sub-processors and include the cloud infrastructure providers, monitoring vendors, and identity providers required to operate the platform.

ShieldMind will provide Customer at least 30 days' prior notice of the addition or replacement of any Subcontractor processing PHI; Customer may object on reasonable grounds, and if objection cannot be resolved, terminate the underlying agreement.

6. Access, Amendment, and Accounting of Disclosures

To the extent ShieldMind maintains PHI in a Designated Record Set, ShieldMind will, within 15 business days of Customer's request, make such PHI available to Customer (or, at Customer's direction, to the individual) as necessary to satisfy Customer's obligations under 45 CFR 164.524.

ShieldMind will, within 30 business days of Customer's request, make any amendment to PHI in a Designated Record Set that Customer directs pursuant to 45 CFR 164.526.

ShieldMind will document and make available the information required to provide an accounting of disclosures of PHI as required by 45 CFR 164.528, within 30 business days of Customer's request.

7. HHS Access

ShieldMind will make its internal practices, books, and records relating to the use and disclosure of PHI received from Customer available to the Secretary of Health and Human Services for purposes of determining compliance with HIPAA.

8. Term and Termination

This BAA is effective on the Effective Date and continues until terminated.

Either party may terminate this BAA for material breach by the other party, if the breaching party fails to cure within 30 days of written notice.

Upon termination, ShieldMind will return or destroy all PHI received from, or created or received on behalf of, Customer, including PHI held by Subcontractors. If return or destruction is infeasible, ShieldMind will extend the protections of this BAA to such PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.

ShieldMind will provide a written Certificate of Destruction upon Customer's request, generated by our termination workflow at /dashboard/settings/terminate.

9. Indemnification and Insurance

Each party will indemnify and hold harmless the other party for damages arising from its breach of this BAA, subject to the limitations of liability set out in the underlying Master Services Agreement.

ShieldMind maintains cyber liability insurance with limits of not less than US $5,000,000 per occurrence for errors and omissions, including coverage for HIPAA-related claims.

10. Miscellaneous

Regulatory References. A reference in this BAA to a section in HIPAA means the section as in effect or as amended.

Amendment. The parties agree to take such action as is necessary to amend this BAA from time to time as may be necessary for the parties to comply with the requirements of HIPAA.

Survival. Sections 4, 6, 7, 8, and 9 survive termination of this BAA.

Interpretation. Any ambiguity in this BAA will be resolved in favor of a meaning that permits the parties to comply with HIPAA.

Governing Law and Forum. The BAA itself is governed by the laws specified in the underlying Master Services Agreement, but the parties' substantive HIPAA obligations are governed by US federal law.

Execution. To execute, email bd@dtrasglobal.com with your organization name, signatory, and a brief description of the PHI flows. We will send a countersigned PDF within 2 business days.

Questions about this document? Email bd@dtrasglobal.com — we reply within 2 business days.
