Business Associate Agreement
Version 2.0 — Effective Date: March 9, 2026
This is a click-wrap agreement that becomes effective upon acceptance of the Terms of Service.
1. Parties and Recitals
This Business Associate Agreement ("BAA" or "Agreement") is entered into by and between the entity accepting TrainBase's Terms of Service ("Covered Entity" or "Customer") and TrainBase, LLC, a Texas limited liability company ("Business Associate" or "TrainBase").
This BAA is a click-wrap agreement that becomes effective automatically when Covered Entity accepts TrainBase's Terms of Service (the "TOS") and uses the Services. This BAA is incorporated into and made part of the TOS.
Covered Entity is or may be a healthcare provider, health plan, or healthcare clearinghouse (or a business associate of such entities) subject to the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and their implementing regulations (collectively, "HIPAA"). Business Associate provides a training platform service that may involve the creation, receipt, maintenance, or transmission of Protected Health Information ("PHI") as defined under HIPAA.
2. Definitions
Capitalized terms not otherwise defined in this Agreement shall have the meanings assigned to them under HIPAA and the HIPAA Regulations (45 CFR Parts 160 and 164), including:
2.1 "Breach" has the meaning set forth in 45 CFR § 164.402.
2.2 "Designated Record Set" has the meaning set forth in 45 CFR § 164.501.
2.3 "Electronic Protected Health Information" or "ePHI" means PHI that is transmitted or maintained in electronic media.
2.4 "HIPAA Regulations" means the regulations at 45 CFR Parts 160 and 164, as amended from time to time.
2.5 "Protected Health Information" or "PHI" has the meaning set forth in 45 CFR § 160.103.
2.6 "Security Incident" has the meaning set forth in 45 CFR § 164.304.
2.7 "Services" means TrainBase's training platform and related features provided under the TOS.
2.8 "Transient Processing" means short-term, intermediate processing of data (including PHI) solely to provide the Services, where raw or original inputs are processed to create outputs (for example, transcripts, training materials, and/or redacted media), and the raw or original inputs are then promptly deleted or destroyed in the ordinary course. Business Associate is not a long-term custodian or archive for un-redacted PHI.
2.9 "Unsecured PHI" has the meaning set forth in 45 CFR § 164.402.
3. Obligations of Business Associate
3.1 Permitted Uses and Disclosures
Business Associate may use or disclose PHI only as necessary to perform its obligations under the TOS and to provide the Services to Covered Entity, including:
- Video training content creation, processing, editing, and storage
- AI-powered script generation and content analysis (via Google Cloud Vertex AI)
- Synthetic voice generation from post-redaction text scripts (via ElevenLabs API)
- Automated PHI detection and redaction using optical character recognition and natural language processing
- Platform hosting, data storage, and Transient Processing of content
3.2 Additional Permitted Uses
(a) Business Associate may use or disclose PHI as required by law.
(b) Business Associate may use PHI for its proper management and administration or to carry out its legal responsibilities, provided that any disclosure for such purposes is: (i) required by law; or (ii) made only after Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially, used or further disclosed only as required by law or for the purpose for which it was disclosed, and the recipient will notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
(c) Business Associate may de-identify PHI in accordance with 45 CFR § 164.514(a)-(c). De-identified information is not subject to the terms of this Agreement.
3.3 Prohibited Uses and Disclosures
Business Associate shall not use or disclose PHI other than as permitted or required by this Agreement or as required by law. Business Associate shall not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 (the "Privacy Rule") if done by Covered Entity, except as expressly permitted in Section 3.2.
4. Safeguards
4.1 Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity, as required by the HIPAA Security Rule (45 CFR Part 164, Subpart C).
4.2 These safeguards include:
- TLS 1.2 or higher encryption for all PHI in transit
- Cloud provider server-side encryption (e.g., AWS S3 SSE) for PHI at rest in cloud storage
- Application-level access controls limiting PHI access to authenticated, authorized users
- Role-based access control within customer workspaces
- Hashed and salted credential storage
- Regular security monitoring and vulnerability assessment
4.3 Business Associate shall comply with the applicable requirements of the HIPAA Security Rule with respect to ePHI.
5. Subcontractors
5.1 Pre-Authorized Subcontractors. Covered Entity pre-authorizes Business Associate to use and disclose PHI to the following subcontractors (each, a "Subcontractor") solely as necessary to provide the Services:
- Amazon Web Services, Inc. ("AWS") — Cloud object storage (S3) and related infrastructure services. AWS operates as a downstream Business Associate under its own BAA with TrainBase.
- Google LLC ("Google") — AI content analysis and script generation via Google Cloud Vertex AI. Video content and associated text are transmitted to Google Cloud for processing. Google Cloud has executed a BAA with TrainBase covering Vertex AI services. Google Cloud's terms prohibit use of customer data for model training.
- ElevenLabs, Inc. ("ElevenLabs") — Synthetic voice generation from text scripts. Only AI-generated text scripts (created after PHI redaction) are transmitted to ElevenLabs. Raw video content, PHI, and patient-identifying information are never shared with ElevenLabs. Because no PHI is transmitted to ElevenLabs, a downstream BAA is not required for this Subcontractor.
- Railway Corp. ("Railway") — Application hosting and compute infrastructure. Railway processes ePHI as part of application runtime. TrainBase has executed a Data Processing Agreement with Railway. Railway's infrastructure operates on Google Cloud Platform, which provides HIPAA-eligible services with a BAA in place. Application-level encryption (TLS in transit, AES-256 at rest for stored files) provides additional PHI protection independent of the hosting provider.
5.2 Subcontractor Agreements. Before permitting any Subcontractor to create, receive, maintain, or transmit PHI on behalf of Business Associate, Business Associate shall ensure that a written agreement is in place with the Subcontractor that imposes obligations on the Subcontractor that are substantially similar to the obligations imposed on Business Associate by this Agreement, as required by 45 CFR § 164.502(e)(1)(ii) and § 164.504(e)(1)(i).
5.3 Additional Subcontractors. Business Associate may engage additional Subcontractors with access to PHI, provided that Business Associate: (a) enters into a written agreement with each such Subcontractor as described in Section 5.2; and (b) maintains an up-to-date list of Subcontractors with access to PHI, available to Covered Entity upon written request.
6. Individual Rights
6.1 Access to PHI
To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall, within 15 business days of a request from Covered Entity, make such PHI available to Covered Entity to enable Covered Entity to fulfill its obligations under 45 CFR § 164.524.
6.2 Amendment of PHI
To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall, within 15 business days of a request from Covered Entity, make such PHI available for amendment and incorporate any amendments directed by Covered Entity, to enable Covered Entity to fulfill its obligations under 45 CFR § 164.526.
6.3 Accounting of Disclosures
Business Associate shall maintain records of disclosures of PHI as required by 45 CFR § 164.528 and shall, within 30 days of a request from Covered Entity, provide such information as is necessary for Covered Entity to respond to an individual's request for an accounting of disclosures.
7. Minimum Necessary
7.1 Business Associate shall limit its use, disclosure, and request of PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request, in accordance with 45 CFR § 164.502(b) and § 164.514(d).
7.2 When responding to requests for PHI from Covered Entity or its authorized representatives, Business Associate shall verify the identity and authority of the requesting party and provide only the specific PHI requested that is reasonably necessary for the stated purpose.
7.3 Covered Entity shall limit the PHI it provides to Business Associate to the minimum necessary for Business Associate to perform the Services. Covered Entity is responsible for ensuring that videos and content uploaded to the platform do not contain PHI beyond what is necessary for the intended training purpose.
7A. Government Access
Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining Covered Entity's and Business Associate's compliance with HIPAA, as required by 45 CFR § 164.504(e)(2)(ii)(I).
8. Breach Notification
8.1 Business Associate shall report to Covered Entity any use or disclosure of PHI not permitted by this Agreement, any Security Incident, or any Breach of Unsecured PHI without unreasonable delay and in no event later than thirty (30) calendar days after discovery of the Breach.
8.2 A Breach shall be treated as discovered on the first day on which such Breach is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate.
8.3 To the extent known at the time of notification, the report shall include:
- The nature of the Breach, including a brief description of what happened
- The date of the Breach and the date of discovery (if known)
- The types of PHI involved (e.g., names, dates, medical record numbers)
- The identity of each individual whose PHI has been or is reasonably believed to have been accessed, acquired, used, or disclosed
- A description of the steps Business Associate is taking or will take to investigate, mitigate harm, and prevent recurrence
- Contact information for a person knowledgeable about the Breach
8.4 Business Associate shall cooperate with Covered Entity in Covered Entity's investigation of and response to any Breach, including any notifications required under 45 CFR §§ 164.404–164.408.
8.5 Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of this Agreement.
9. Termination
9.1 Term. This Agreement shall be effective upon Covered Entity's acceptance of the TOS and shall remain in effect until the TOS terminates or expires, unless earlier terminated in accordance with this Section.
9.2 Termination for Cause. Either party may terminate this Agreement if it determines that the other party has materially violated a term of this Agreement, provided the non-breaching party gives written notice of the violation and the breaching party fails to cure within thirty (30) days of receiving such notice. If cure is not reasonably possible, the non-breaching party may terminate immediately upon written notice.
9.3 Effect of Termination on TOS. Termination of this Agreement for Business Associate's uncured material breach shall also constitute grounds for Covered Entity to terminate the TOS.
10. Destruction of PHI
10.1 Destruction Upon Termination. Upon termination or expiration of this Agreement (or the TOS), Business Associate shall destroy all PHI in its possession or control, including PHI held by Subcontractors, as soon as reasonably practicable. Covered Entity acknowledges and agrees that, consistent with the Transient Processing model, Business Associate does not maintain raw or original un-redacted inputs as a long-term archive. PHI will be destroyed rather than returned.
10.2 Method of Destruction. Destruction shall be performed using commercially reasonable methods designed to render PHI unreadable, indecipherable, and otherwise unable to be reconstructed, consistent with NIST Special Publication 800-88 or equivalent standards.
10.3 Subcontractors. Business Associate shall use commercially reasonable efforts to ensure that its Subcontractors destroy PHI in their possession in accordance with their written agreements and applicable law.
10.4 Retention Where Destruction Is Infeasible. If destruction of any PHI is not feasible (for example, due to legal requirements, litigation holds, or technical constraints of backup systems), Business Associate shall: (a) continue to extend the protections of this Agreement to such PHI; (b) limit further uses and disclosures to those purposes that make destruction infeasible; and (c) destroy such PHI as soon as the basis for infeasibility no longer exists.
11. Obligations of Covered Entity
11.1 Covered Entity shall notify Business Associate of any limitations in its notice of privacy practices that may affect Business Associate's use or disclosure of PHI.
11.2 Covered Entity shall notify Business Associate of any changes in, or revocation of, authorization by an individual to use or disclose PHI, to the extent such changes may affect Business Associate's use or disclosure of PHI.
11.3 Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the extent such restriction may affect Business Associate's use or disclosure of PHI.
11.4 Covered Entity represents and warrants that it has obtained or will obtain any necessary consents, authorizations, or other permissions required under applicable law for the disclosure of PHI to Business Associate.
12. Indemnification
12.1 Business Associate shall indemnify and hold harmless Covered Entity from and against any claims, damages, fines, penalties, or expenses (including reasonable attorneys' fees) arising directly from Business Associate's breach of this Agreement or violation of HIPAA, except to the extent such claims arise from Covered Entity's acts or omissions.
12.2 Covered Entity shall indemnify and hold harmless Business Associate from and against any claims, damages, fines, penalties, or expenses (including reasonable attorneys' fees) arising from: (a) Covered Entity's failure to obtain required consents or authorizations; (b) Covered Entity's breach of the TOS or this Agreement; or (c) PHI uploaded by Covered Entity's users in violation of Covered Entity's own policies or applicable law.
13. Limitation of Liability
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, BUSINESS ASSOCIATE'S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATING TO THIS AGREEMENT (INCLUDING ANY BREACH OF THIS AGREEMENT OR VIOLATION OF HIPAA), WHETHER IN CONTRACT, TORT, STRICT LIABILITY, OR OTHERWISE, SHALL NOT EXCEED THE GREATER OF (A) THE AMOUNTS ACTUALLY PAID BY COVERED ENTITY TO BUSINESS ASSOCIATE FOR THE SERVICES IN THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM, OR (B) FIFTY THOUSAND DOLLARS ($50,000 USD). THIS LIMITATION APPLIES EVEN IF A REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE.
EXCLUSIONS FROM LIABILITY CAP. THE FOREGOING LIMITATION SHALL NOT APPLY TO: (I) BUSINESS ASSOCIATE'S INDEMNIFICATION OBLIGATIONS UNDER SECTION 12.1 TO THE EXTENT ARISING FROM BUSINESS ASSOCIATE'S GROSS NEGLIGENCE, WILLFUL MISCONDUCT, OR FRAUD; (II) REGULATORY FINES OR PENALTIES IMPOSED BY HHS OR ANY GOVERNMENTAL AUTHORITY UNDER HIPAA; (III) DIRECT COSTS OF BREACH NOTIFICATION REQUIRED UNDER 45 CFR §§ 164.404–164.408; OR (IV) ANY LIABILITY THAT CANNOT BE LIMITED UNDER APPLICABLE TEXAS OR FEDERAL LAW.
14. Regulatory Changes
The parties agree to take such action as is necessary to amend this Agreement from time to time to comply with changes in HIPAA, the HITECH Act, and their implementing regulations. If a regulatory change materially impacts the obligations under this Agreement, either party may request amendment. Amendments may be accepted electronically (including via click-wrap, e-signature, or online workflow) unless a specific method is required by applicable law.
15. General Provisions
15.1 Governing Law. This Agreement shall be governed by and construed in accordance with the laws of the State of Texas, without regard to its conflict-of-laws principles, and applicable federal law (including HIPAA).
15.2 Severability. If any provision of this Agreement is found to be invalid or unenforceable, the remainder of this Agreement shall remain in full force and effect.
15.3 Survival. The obligations of Business Associate under Sections 4, 8, 10, 12, and 13 shall survive the termination or expiration of this Agreement.
15.4 Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that complies with and permits compliance with HIPAA.
15.5 No Third-Party Beneficiaries. Nothing in this Agreement shall be construed to create any rights in any third party, including any individual whose PHI is subject to this Agreement.
15.6 Entire Agreement. This Agreement, together with the TOS and Privacy Policy, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior negotiations, representations, and agreements.
Questions about this BAA?
HIPAA Privacy Officer & Security Officer: Brian Szender
Contact: privacy@trainbase.com
TrainBase, LLC — 17350 State Hwy 249, Ste 220 #32983, Houston, Texas 77064 US.