Business Associate Agreement

Addendum to the Stillway Customer Agreement

Effective Date: The date Customer accepts this Business Associate Agreement through the Stillway App or by countersignature.


1. Purpose and Scope

This Business Associate Agreement ("BAA") supplements and is incorporated into the Stillway Customer Agreement ("Agreement") between Customer and Stillway, Inc. ("Stillway"). This BAA governs the use and disclosure of Protected Health Information ("PHI") as required by the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act of 2009, and their implementing regulations (collectively, "HIPAA Rules").

This BAA applies only if Customer is a Covered Entity or Business Associate (as defined by HIPAA) and uses the Platform in connection with activities regulated by HIPAA. If Customer is not subject to HIPAA, this BAA has no effect.


2. Definitions

Capitalized terms not defined in this BAA have the meanings given in the Agreement or the HIPAA Rules (45 CFR Parts 160 and 164). For purposes of this BAA:

"Breach" has the meaning given in 45 CFR § 164.402.

"Business Associate" means Stillway, in its capacity as a service provider that creates, receives, maintains, or transmits PHI on behalf of Customer.

"Covered Entity" means Customer, to the extent Customer is subject to the HIPAA Rules.

"Designated Record Set" has the meaning given in 45 CFR § 164.501.

"Electronic Protected Health Information" ("ePHI") means PHI that is transmitted or maintained in electronic media.

"Individual" means the person who is the subject of PHI, and includes a person who qualifies as a personal representative under 45 CFR § 164.502(g).

"Protected Health Information" ("PHI") has the meaning given in 45 CFR § 160.103, limited to PHI created, received, maintained, or transmitted by Stillway on behalf of Customer through the Platform.

"Required by Law" has the meaning given in 45 CFR § 164.103.

"Security Incident" has the meaning given in 45 CFR § 164.304.


3. Obligations of Stillway (Business Associate)

3.1 Permitted Uses and Disclosures

Stillway shall not use or disclose PHI other than as permitted or required by this BAA, the Agreement, or as Required by Law. Stillway may use or disclose PHI solely for the following purposes:

(a) To perform the services described in the Agreement, including appointment scheduling, practice management, client communications, payment processing, AI-assisted features, and related Platform functionality.

(b) For Stillway's proper management and administration, provided that any disclosure is Required by Law or Stillway obtains reasonable assurances from the recipient that the PHI will be held confidentially, used or further disclosed only as Required by Law or for the purpose for which it was disclosed, and that the recipient will notify Stillway of any instances of which it becomes aware in which the confidentiality of the PHI has been breached.

(c) To provide data aggregation services to Customer as permitted by 45 CFR § 164.504(e)(2)(i)(B), provided such aggregated data cannot reasonably be used to identify any Individual.

(d) To de-identify PHI in accordance with 45 CFR § 164.514(a)-(c). De-identified data is not subject to this BAA.

3.2 Safeguards

Stillway shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI, as required by the HIPAA Security Rule (45 CFR Part 164, Subpart C). These safeguards include, without limitation:

(a) Encryption of ePHI in transit (TLS 1.2 or higher) and at rest (AES-256).

(b) Field-level encryption for clinical content using AWS KMS-managed envelope encryption.

(c) Role-based access controls limited to personnel with a documented business need.

(d) Audit logging of all access to PHI, with logs retained for a minimum of 7 years.

(e) Automated detection and redaction of PHI in system logs, error tracking, and AI observability pipelines.

(f) Session timeout controls for accounts that interact with clinical data.

Stillway's current security practices are described at stillway.ai/trust.

3.3 Subcontractors

Stillway shall ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Stillway agrees to the same restrictions and conditions that apply to Stillway under this BAA, in accordance with 45 CFR § 164.502(e)(1)(ii) and § 164.308(b)(2). Stillway maintains a current list of subprocessors at stillway.ai/trust.

3.4 Access to PHI

Within 15 business days of a written request from Customer, Stillway shall make available PHI maintained in a Designated Record Set to the extent necessary for Customer to fulfill its obligations under 45 CFR § 164.524. Customer may also access and export PHI at any time using the Platform's export functionality.

3.5 Amendment of PHI

Within 15 business days of a written request from Customer, Stillway shall make PHI available for amendment and incorporate amendments to PHI in a Designated Record Set as directed by Customer, to the extent necessary for Customer to fulfill its obligations under 45 CFR § 164.526.

3.6 Accounting of Disclosures

Within 30 days of a written request from Customer, Stillway shall provide an accounting of disclosures of PHI as required by 45 CFR § 164.528. Stillway shall maintain records of disclosures for a minimum of 6 years from the date of disclosure.

3.7 Availability of Books and Records

Stillway shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining compliance with the HIPAA Rules, subject to applicable legal privileges.

3.8 Minimum Necessary

Stillway shall limit its use, disclosure, and requests for PHI to the minimum necessary to accomplish the intended purpose, in accordance with 45 CFR § 164.502(b) and the minimum necessary standards.

3.9 Mitigation

Stillway shall mitigate, to the extent practicable, any harmful effect known to Stillway of a use or disclosure of PHI by Stillway in violation of this BAA.


4. Breach Notification

4.1 Notification to Customer

Stillway shall notify Customer without unreasonable delay, and in no event later than 30 calendar days, after discovering a Breach of Unsecured PHI. For purposes of this section, a Breach is "discovered" as of the first day on which the Breach is known to Stillway or, by exercising reasonable diligence, would have been known to Stillway.

4.2 Content of Notification

Breach notifications shall include, to the extent reasonably available:

(a) Identification of each Individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach.

(b) A brief description of what happened, including the date of the Breach and the date of discovery.

(c) A description of the types of Unsecured PHI involved in the Breach.

(d) Steps Stillway has taken or will take to investigate the Breach, mitigate harm, and prevent future occurrences.

(e) Contact information for the Stillway representative handling the incident.

If complete information is not available at the time of initial notification, Stillway shall provide information in stages as it becomes available.

4.3 Security Incidents

Stillway shall report to Customer any Security Incident of which it becomes aware. The parties acknowledge that unsuccessful attempts at unauthorized access (such as pings, port scans, or failed login attempts) occur routinely and do not constitute reportable Security Incidents. Stillway shall provide a summary of such unsuccessful attempts upon Customer's written request, no more than once per calendar quarter.

4.4 Customer's Notification Obligations

Customer is solely responsible for providing any notifications to Individuals and to the Secretary of HHS as required by 45 CFR §§ 164.404 and 164.408. Stillway will cooperate with Customer in fulfilling these obligations.


5. Obligations of Customer (Covered Entity)

5.1 Permissible Requests

Customer shall not request Stillway to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Customer, except for data aggregation or management and administration activities as described in Section 3.1.

Customer is responsible for obtaining any consents or authorizations required under the HIPAA Rules prior to providing PHI to Stillway through the Platform.

5.3 Notice of Privacy Practices

Customer shall notify Stillway of any limitations in its Notice of Privacy Practices under 45 CFR § 164.520, to the extent such limitations may affect Stillway's use or disclosure of PHI.

5.4 Restrictions on Use or Disclosure

Customer shall notify Stillway of any restriction on the use or disclosure of PHI to which Customer has agreed in accordance with 45 CFR § 164.522, to the extent such restriction may affect Stillway's use or disclosure of PHI.

5.5 Appropriate Use of Platform

Customer is responsible for configuring and using the Platform in compliance with the HIPAA Rules, including determining what information is appropriate to store in the Platform and configuring access controls for Authorized Users.


6. Term and Termination

6.1 Term

This BAA is effective as of the date Customer accepts it and remains in effect for the duration of the Agreement, unless terminated earlier as provided in this section.

6.2 Termination for Cause

Either party may terminate this BAA if the other party materially breaches this BAA and fails to cure the breach within 30 days of written notice. If cure is not feasible, the non-breaching party may terminate this BAA and the Agreement immediately upon written notice.

6.3 Termination of the Agreement

Termination of the Agreement for any reason automatically terminates this BAA, subject to the survival provisions in Section 6.4.

6.4 Effect of Termination — Return or Destruction of PHI

Upon termination of this BAA, Stillway shall:

(a) Provide Customer with 30 days to export PHI using the Platform's export functionality, consistent with the Agreement.

(b) Following the export period, return or destroy all PHI in Stillway's possession to the extent feasible. Where return or destruction is not feasible (for example, PHI stored in encrypted backups, audit logs, or de-identified datasets), Stillway shall extend the protections of this BAA to such PHI and limit further use and disclosure to the purposes that make return or destruction infeasible, for as long as the PHI is retained.

(c) The obligations of Sections 3.2 (Safeguards), 3.6 (Accounting of Disclosures), and 4 (Breach Notification) survive termination with respect to any PHI retained by Stillway.


7. General Provisions

7.1 Regulatory References

Any reference to a section of the HIPAA Rules means the section as in effect or as amended. If the HIPAA Rules are amended in a manner that materially changes the obligations of either party under this BAA, the parties shall negotiate in good faith to amend this BAA to comply.

7.2 Interpretation

This BAA shall be interpreted consistently with the HIPAA Rules. Any ambiguity in this BAA shall be resolved in favor of a meaning that permits both parties to comply with the HIPAA Rules.

7.3 Conflict

In the event of a conflict between this BAA and the Agreement, this BAA shall control with respect to the use and disclosure of PHI.

7.4 No Third-Party Beneficiaries

Nothing in this BAA confers any rights on any Individual or third party. This BAA is solely between Customer and Stillway.

7.5 Governing Law and Dispute Resolution

This BAA is governed by the dispute resolution and governing law provisions of the Agreement.

7.6 Amendments

This BAA may be amended only by a written instrument accepted by both parties through the Stillway App or by countersignature. Notwithstanding the foregoing, Stillway may update this BAA to the extent necessary to comply with changes to the HIPAA Rules, with at least 30 days' advance notice to Customer.


8. Acceptance

By accepting this Business Associate Agreement through the Stillway App, Customer represents that:

(a) Customer is a Covered Entity or Business Associate subject to the HIPAA Rules.

(b) Customer has the authority to enter into this BAA.

(c) Customer has read and understood the obligations described in this BAA.

Customer acceptance is recorded electronically through the Stillway App at app.stillway.ai.


This Business Associate Agreement is an addendum to the Stillway Customer Agreement and is subject to the terms and conditions thereof.