BUSINESS ASSOCIATE AGREEMENT (HIPAA)
Version: 1.0
Effective Date: 20.08.2025
This Business Associate Agreement (this “BAA”) is entered into between NOTRINO RESEARCH BİLGİ TEKNOLOJİLERİ ARAŞTIRMA GELİŞTİRME LİMİTED ŞİRKETİ ("Business Associate" or "Notrino") and the undersigned Covered Entity / Business Associate ("Covered Entity" or "CE"), and is incorporated into and made part of the master agreement or order form between the parties (the “Underlying Agreement”).
This BAA is intended to satisfy the requirements of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, including the Privacy Rule (45 C.F.R. Part 160 and Subparts A and E of Part 164), the Security Rule (Subparts A and C of Part 164), and the Breach Notification Rule (Subpart D of Part 164), as amended by the HITECH Act.
1. Definitions
Capitalized terms not defined herein have the meanings set forth in HIPAA/HITECH. PHI means Protected Health Information; ePHI means electronic PHI. Secretary means the Secretary of HHS.
2. Permitted Uses and Disclosures by Business Associate
2.1 Services. Notrino may Use and Disclose PHI solely to perform the Services described in the Underlying Agreement and as otherwise permitted or required by this BAA or law.
2.2 Management and Legal Responsibilities. Notrino may Use/Disclose PHI for its proper management and administration or to carry out legal responsibilities, provided that disclosures are Required by Law or recipients provide reasonable assurances to maintain confidentiality and notify Notrino of any breach.
2.3 Data Aggregation. Notrino may provide Data Aggregation services relating to the Health Care Operations of the CE as permitted by 45 C.F.R. §164.504(e)(2)(i)(B).
2.4 De‑Identification (Optional). Notrino may de‑identify PHI in accordance with 45 C.F.R. §164.514(b). Use of de‑identified data for Notrino’s internal operations and service improvement requires express written authorization in the Order Form or an addendum.
3. Obligations of Business Associate
3.1 Compliance with HIPAA. Notrino shall comply with the applicable requirements of the HIPAA Rules.
3.2 Minimum Necessary. Notrino will request, Use, and Disclose only the minimum necessary PHI to accomplish the intended purpose.
3.3 Safeguards. Notrino shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI, including: risk analysis; access controls and MFA; encryption in transit and at rest; audit controls; workforce training; security incident procedures; and contingency planning.
3.4 Subcontractors. Notrino shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Notrino agrees in writing to substantially the same restrictions and conditions that apply to Notrino with respect to such PHI, including implementation of the Security Rule safeguards. Notrino remains responsible for Subcontractors’ performance.
3.5 Reporting. Notrino shall report to CE without unreasonable delay (and in no case later than 10 business days after discovery) any Breach of Unsecured PHI as defined in 45 C.F.R. §164.402, and any successful Security Incident. Unsuccessful attempts (e.g., ping, blocked scans) are excluded. Notices will include, to the extent known at the time, the elements required by 45 C.F.R. §164.404(c).
3.6 Access. To the extent Notrino maintains PHI in a Designated Record Set, Notrino shall make such PHI available to CE so that CE can meet its obligations under 45 C.F.R. §164.524. If a request is made directly to Notrino, Notrino will promptly forward it to CE.
3.7 Amendment. Notrino shall make PHI in a Designated Record Set available for amendment and incorporate any amendments as directed by CE pursuant to 45 C.F.R. §164.526.
3.8 Accounting. Notrino shall document and provide to CE the accounting of disclosures of PHI as required under 45 C.F.R. §164.528.
3.9 HHS Access. Notrino shall make its internal practices, books, and records relating to the Use and Disclosure of PHI available to the Secretary for purposes of determining CE’s compliance.
3.10 Mitigation. Notrino shall mitigate, to the extent practicable, any harmful effect that is known to Notrino of a Use or Disclosure of PHI in violation of this BAA.
3.11 Return/Destruction. At termination of this BAA, Notrino shall, if feasible, return or destroy all PHI, and retain no copies. If return or destruction is infeasible, Notrino shall continue to extend the protections of this BAA to such PHI and limit further Uses and Disclosures to those purposes that make the return or destruction infeasible.
4. Data Residency & Offshoring
4.1 Default Residency. For HIPAA accounts, Notrino offers U.S. data residency by default.
4.2 Non‑U.S. Residency (Optional). If CE instructs Notrino to host ePHI in a non‑U.S. region (or to permit remote access from outside the U.S. for support), CE and Notrino shall document appropriate risk analysis and supplemental safeguards (e.g., encryption, key management, access restrictions, logging, and contractual assurances). Nothing in HIPAA prohibits such offshoring when adequate safeguards and a BAA are in place.
5. Obligations of Covered Entity
CE shall: (a) inform Notrino of any privacy practices, restrictions, or changes that may affect Notrino’s performance; (b) not request Notrino to Use or Disclose PHI in a manner that would not be permissible under HIPAA; and (c) obtain any patient authorizations/consents required for the Use/Disclosure of PHI to Notrino under the Underlying Agreement.
6. Term and Termination
6.1 Term. This BAA becomes effective on the Effective Date and continues until termination or expiration of the Underlying Agreement, subject to §6.3.
6.2 Termination for Cause. Upon CE’s knowledge of a material breach by Notrino, CE shall provide Notrino an opportunity to cure the breach. If Notrino does not cure within 30 days after written notice, CE may terminate this BAA and the Underlying Agreement to the extent feasible.
6.3 Effect of Termination. Upon termination, Notrino shall perform its obligations under §3.11 regarding return/destruction. Sections that by their nature should survive (including §§3.4–3.11, 6.3, 7, and 8) shall survive termination.
7. Indemnification and Liability
7.1 Indemnification by Notrino. Notrino shall indemnify and hold harmless CE from third‑party claims to the extent arising from Notrino’s material breach of this BAA or willful misconduct, except to the extent caused by CE.
7.2 Indemnification by CE. CE shall indemnify and hold harmless Notrino from third‑party claims arising from CE’s breach of this BAA or violations of HIPAA attributable to CE’s actions or instructions.
7.3 Liability Cap. The aggregate liability of each party under this BAA is subject to the limitation of liability (including caps and exclusions) set forth in the Underlying Agreement; provided that this does not limit either party’s liability for breach of confidentiality, willful misconduct, or obligations to provide Breach notifications required by law.
8. Miscellaneous
8.1 No Third‑Party Beneficiaries. Nothing in this BAA confers any rights upon any person other than the parties.
8.2 Conflicts. If any term of this BAA conflicts with the Underlying Agreement, the BAA controls with respect to PHI.
8.3 Amendment. The parties shall amend this BAA from time to time as necessary for compliance with HIPAA/HITECH or other applicable law.
8.4 Counterparts; Electronic Signatures. This BAA may be executed in counterparts and by electronic signature.
8.5 Governing Law. The governing law and venue specified in the Underlying Agreement apply, provided that HIPAA/HITECH preempt inconsistent state law.
Exhibit A — Description of Services & PHI
Services: RecapMedica ambient clinical documentation, coding assist, integrations, and support.
PHI Types: Patient identifiers; clinical conversation audio/video; transcripts; clinical notes; scheduling/billing identifiers; metadata; other PHI included by CE.
Systems/Locations: Hosted cloud infrastructure as selected by CE (U.S. by default; other regions by CE request).
Use/Disclosure: As required to provide Services and as otherwise permitted in the BAA.
Exhibit B — Safeguards (Summary)
- Administrative: Policies and procedures; workforce training and sanctions; risk analysis; vendor risk management; incident response plan.
- Physical: Data center controls (via cloud providers); facility access; environmental safeguards.
- Technical: Encryption in transit/at rest; unique IDs; role‑based access; MFA; automatic logoff; audit logs; integrity controls; transmission security; key management.
- Breach Notification: Procedures to assess incidents; notify CE without unreasonable delay (≤10 business days) with required content; cooperate in investigations and remediation.
 
Signatures
Covered Entity / Business Associate (Customer) 
Name: _________________________ 
Title: _________________________ 
Date: _________________________
Business Associate — NOTRINO RESEARCH BİLGİ TEKNOLOJİLERİ ARAŞTIRMA GELİŞTİRME LİMİTED ŞİRKETİ 
Name: _________________________ 
Title: _________________________ 
Date: _________________________