DRAFT — REVIEW BY HEALTHCARE COUNSEL REQUIRED. This Business Associate Agreement is a starter template intended to satisfy the required elements of 45 CFR §164.504(e). It is drafted to protect SecurelyFax to the extent permitted by law. It is not legal advice and is not an executed agreement until both parties sign the counterpart provided in App Store Connect at /app/baa.
Business Associate Agreement
This Business Associate Agreement (this "BAA") is entered into as of the Effective Date by and between the SecurelyFax entity that operates securelyfax.com and the SecurelyFax mobile applications ("Business Associate" or "SecurelyFax"), and the SecurelyFax HIPAA-tier customer identified in SecurelyFax's records at the time of execution ("Covered Entity" or "Customer"). SecurelyFax and Customer are each a "Party" and collectively the "Parties". This BAA is a supplement to, and is incorporated by reference into, SecurelyFax's Terms of Service (the "Underlying Agreement"). To the extent there is any conflict between this BAA and the Underlying Agreement with respect to PHI, this BAA controls.
1. Definitions
Capitalized terms used and not otherwise defined have the meanings set forth in the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations at 45 CFR Parts 160 and 164, as amended (collectively, "HIPAA"). For convenience:
- "Breach" has the meaning set forth at 45 CFR §164.402.
- "Designated Record Set" has the meaning set forth at 45 CFR §164.501.
- "Electronic Protected Health Information" or "ePHI" has the meaning set forth at 45 CFR §160.103.
- "Protected Health Information" or "PHI" has the meaning set forth at 45 CFR §160.103 and is limited for purposes of this BAA to PHI that Customer transmits to or receives via the SecurelyFax HIPAA-tier Service.
- "Security Incident" has the meaning set forth at 45 CFR §164.304.
- "Service" means the SecurelyFax HIPAA-tier online fax service provided to Customer under the Underlying Agreement, including the encrypted storage, transmission, and retrieval of PHI on Customer's behalf.
- "Subscription" means Customer's active, paid HIPAA-tier subscription with SecurelyFax. A subscription is "active" only while Customer is current on payment of all SecurelyFax fees and the subscription has not been terminated, expired, suspended for non-payment, or otherwise lapsed.
2. Permitted Uses and Disclosures of PHI
SecurelyFax may use and disclose PHI only as follows:
- To perform the Service for Customer in accordance with the Underlying Agreement, including transmitting, receiving, storing, and rendering PHI submitted by Customer's authorized workforce members.
- For SecurelyFax's proper management and administration and to carry out SecurelyFax's legal responsibilities, provided that any disclosure is required by law or that SecurelyFax obtains reasonable assurances from the recipient that PHI will be held confidentially, used or disclosed only as required by law or for the purposes for which it was disclosed, and that the recipient will notify SecurelyFax of any instances of which it becomes aware in which the confidentiality of the PHI has been breached.
- To provide Data Aggregation services as defined in 45 CFR §164.501 to Customer relating to the health care operations of Customer.
- As Required by Law.
SecurelyFax will not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Customer, except as permitted in this Section 2. SecurelyFax will not sell PHI, use PHI for marketing or advertising, or use PHI to train artificial-intelligence models other than as necessary to deliver the Service to Customer in real time and only on a transient basis.
3. Safeguards
SecurelyFax will implement appropriate administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI it creates, receives, maintains, or transmits on behalf of Customer, in accordance with 45 CFR §§164.308, 164.310, and 164.312. SecurelyFax's current safeguards are described in its HIPAA Compliance page, which is incorporated by reference; SecurelyFax may update those safeguards from time to time provided that any update does not materially weaken the protection of PHI.
4. Workforce
SecurelyFax will limit access to PHI to workforce members who require it to perform the Service or to provide support to Customer. SecurelyFax will train and supervise its workforce in accordance with 45 CFR §164.530(b) as that obligation applies to a business associate.
5. Subcontractors
In accordance with 45 CFR §164.502(e)(1)(ii) and §164.308(b)(2), SecurelyFax will require any subcontractor that creates, receives, maintains, or transmits PHI on SecurelyFax's behalf to agree in writing to the same restrictions, conditions, and requirements that apply to SecurelyFax with respect to such PHI. SecurelyFax's current PHI-handling subcontractor relationships are:
- Amazon Web Services, Inc. ("AWS") — provides encrypted storage (S3), encryption key management (KMS), email delivery (SES), and AI inference (Bedrock). AWS is a business associate of SecurelyFax under the AWS Business Associate Addendum, which contains commitments substantially equivalent to those in this BAA.
- Telnyx LLC ("Telnyx") — provides PSTN and T.38 fax-transmission carrier services. Telnyx is not a business associate of SecurelyFax because Telnyx qualifies for the "conduit exception" under HHS guidance at 78 FR 5571-72 — Telnyx transmits PHI from SecurelyFax to the destination fax line and does not retain PHI beyond what is incidental to the transmission. Customer acknowledges and accepts that this carrier relationship is conduit-based and that no BAA exists or is required with Telnyx.
SecurelyFax may add or change subcontractors from time to time provided that any new subcontractor that has access to PHI is bound by terms substantially equivalent to this BAA.
6. Reporting of Non-Permitted Uses and Disclosures; Security Incidents
(a) Non-Permitted Uses or Disclosures. SecurelyFax will report to Customer any use or disclosure of PHI not permitted by this BAA of which SecurelyFax becomes aware, without unreasonable delay and in any event within thirty (30) days after discovery. The report will be made to the address Customer provided to SecurelyFax for HIPAA notices.
(b) Successful Security Incidents. SecurelyFax will report to Customer Successful Security Incidents affecting ePHI without unreasonable delay and in any event within thirty (30) days after discovery. A "Successful Security Incident" means a Security Incident that compromises or is likely to have compromised the confidentiality, integrity, or availability of ePHI.
(c) Unsuccessful Security Incidents. The Parties acknowledge and agree that this Section 6(c) constitutes notice by SecurelyFax to Customer of all unsuccessful Security Incidents — such as pings, port scans, denial-of-service attempts, and similar trivial events that occur routinely and result in no unauthorized access, use, or disclosure of ePHI — and that no further notice of such events will be provided. SecurelyFax will document such events for its own audit purposes and make summary information available to Customer upon reasonable written request.
(d) Breach Notification. If SecurelyFax determines that a Breach of unsecured PHI has occurred, SecurelyFax will notify Customer without unreasonable delay and in any event within thirty (30) calendar days after discovery, in accordance with 45 CFR §164.410. The notice will include, to the extent then available, (i) the identification of each Individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach; (ii) a description of the Breach, including the date of discovery and the nature of the unsecured PHI involved; (iii) the steps SecurelyFax has taken to investigate and to mitigate harm; and (iv) the steps SecurelyFax has taken or will take to prevent future similar Breaches.
(e) Cooperation. SecurelyFax will reasonably cooperate with Customer in connection with Customer's investigation of and notification obligations relating to any Breach. The Parties acknowledge that Customer (and not SecurelyFax) is responsible for notifying affected Individuals, HHS, and the media as required by 45 CFR §§164.404 through 164.408, unless SecurelyFax and Customer separately agree in writing that SecurelyFax will provide such notice on Customer's behalf.
7. Individual Access, Amendment, and Accounting
(a) Access. When PHI is held in a Designated Record Set, SecurelyFax will make such PHI available to Customer within fifteen (15) business days after Customer's written request so that Customer may comply with its obligations under 45 CFR §164.524.
(b) Amendment. SecurelyFax will incorporate amendments to PHI that Customer directs SecurelyFax to make within fifteen (15) business days after Customer's written request, to the extent the PHI is within a Designated Record Set under SecurelyFax's control.
(c) Accounting. SecurelyFax will document and make available to Customer, within thirty (30) days after Customer's written request, the information required to enable Customer to respond to an Individual's request for an accounting of disclosures of PHI in accordance with 45 CFR §164.528.
(d) Limits. Customer is responsible for routing Individual access, amendment, and accounting requests to SecurelyFax. SecurelyFax has no obligation to respond directly to Individuals or to investigate Individual requests independently of Customer's direction.
8. Access by the Secretary of HHS
SecurelyFax will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining Customer's compliance with HIPAA, in accordance with 45 CFR §164.504(e)(2)(ii)(I). SecurelyFax will give Customer reasonable prior notice of any such request unless prohibited by law.
9. Storage Term Tied to Active Subscription; No Indefinite Storage Obligation
(a) Storage Contingent on Subscription. SecurelyFax's obligation to store PHI on Customer's behalf exists only while Customer maintains an active, paid HIPAA-tier Subscription. SecurelyFax has no legal or contractual obligation to retain, host, or make available PHI after Customer's Subscription has expired, lapsed, been terminated by either Party, or been suspended for non-payment. Customer acknowledges that storage is a service Customer purchases from SecurelyFax and not a continuing obligation that survives the commercial relationship.
(b) Pre-Termination Notice. Before any deletion of PHI under Section 9(c) or Section 10, SecurelyFax will provide Customer with at least thirty (30) days' prior notice by email to the address on file for the Customer account. The notice will inform Customer of the scheduled deletion date and instruct Customer how to export PHI from the Service prior to that date.
(c) Disposition After Subscription Lapse. If Customer's Subscription lapses or terminates for any reason, SecurelyFax will:
- Maintain PHI in a read-only "wind-down" state for thirty (30) calendar days following the lapse or termination date, during which Customer may sign in to the Service to export PHI, subject to Customer being current on any reasonable wind-down service fees SecurelyFax may charge;
- At the end of the wind-down period, securely delete all PHI from SecurelyFax's production systems and instruct SecurelyFax's subcontractors with PHI access (currently AWS) to do the same, in accordance with their respective data-disposition policies; and
- Provide Customer with a written certification of destruction upon written request.
(d) Customer Responsibility to Export. Customer is solely responsible for exporting PHI from the Service before the end of the wind-down period. SecurelyFax provides export tooling in the Service. SecurelyFax has no liability for Customer's failure to timely export PHI before the wind-down period ends.
10. Storage Limits and Overages
(a) Fair-Use Cap. The HIPAA-tier Subscription includes a fair-use storage allowance of fifty gigabytes (50 GB) of cumulative PHI storage per Customer organization, or such other amount as SecurelyFax may from time to time publish on the SecurelyFax pricing page or in the Service.
(b) Approaching the Cap. SecurelyFax will provide email notifications to Customer's administrative contacts when Customer's storage usage reaches eighty percent (80%) and ninety percent (90%) of the applicable cap, so that Customer may take action.
(c) Exceeding the Cap. If Customer's PHI storage exceeds the applicable cap, SecurelyFax may, after notice, (i) suspend new inbound or outbound fax acceptance until Customer's storage falls below the cap (existing PHI access continues), or (ii) negotiate a paid overage with Customer. SecurelyFax will not delete Customer's existing PHI as a consequence of cap overage except at Customer's written direction or as otherwise permitted by Section 9 or Section 11.
(d) Customer Purge Right. Customer may at any time direct SecurelyFax (through the Service's purge tooling or by a written request to hipaa@securelyfax.com) to delete specific PHI or to delete all PHI older than a specified date. SecurelyFax will execute the purge within fifteen (15) business days, log the deletion in its audit logs, and confirm completion to Customer.
11. Term and Termination
(a) Term. This BAA becomes effective on the date Customer accepts it in the Service and continues in effect for so long as Customer maintains an active HIPAA-tier Subscription, unless terminated earlier under this Section 11.
(b) Termination for Cause. Either Party may terminate this BAA upon written notice to the other Party if the other Party has materially breached this BAA and has failed to cure the breach within thirty (30) days after receipt of written notice describing the breach. If a material breach of this BAA by SecurelyFax is not feasible to cure (for example, because the conduct has already occurred and cannot be undone), Customer may terminate this BAA and the Underlying Agreement immediately. Customer's sole and exclusive remedy on termination for SecurelyFax's uncured material breach is termination plus the remedies expressly available under this BAA and the Underlying Agreement; consequential damages are excluded as set forth in Section 15.
(c) Termination on Loss of Subscription. This BAA terminates automatically and without notice upon termination, lapse, expiration, or non-payment-suspension of Customer's HIPAA-tier Subscription, subject to the wind-down rights and obligations set out in Section 9.
(d) Effect of Termination. Upon termination of this BAA, SecurelyFax will follow the disposition procedure in Section 9. If SecurelyFax determines that return or destruction of PHI is not feasible (for example, because PHI persists in backup tapes or immutable system logs maintained for HIPAA Security-Rule compliance), SecurelyFax will extend the protections of this BAA to such PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible, for so long as SecurelyFax maintains such PHI.
12. Mitigation
SecurelyFax agrees to mitigate, to the extent reasonably practicable, any harmful effect that is known to SecurelyFax of a use or disclosure of PHI by SecurelyFax in violation of this BAA.
13. Customer Responsibilities and Acknowledgments
(a) Customer's Use of the Service. Customer will not request SecurelyFax to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Customer, except to the extent Section 2 expressly permits SecurelyFax, as a Business Associate, to do so.
(b) Tier Restriction. Customer will transmit PHI only through the HIPAA-tier Service. Customer will not transmit PHI through the SecurelyFax Personal, Business, free, pay-as-you-go, "quick fax," shared-inbound-number, or anonymous-send paths. SecurelyFax has no Business Associate obligation to Customer for any PHI transmitted outside the HIPAA tier.
(c) Workforce Accounts. Customer will require each of its workforce members who access the Service to use a unique account, will not share credentials, and will enable two-factor authentication for each account.
(d) Notice Email. Customer will provide and maintain a current notice email address with SecurelyFax for HIPAA-related notices, including breach notification.
(e) Customer's Compliance Program. Customer remains solely responsible for its own HIPAA compliance program, risk analysis, workforce training, and Individual access processes. SecurelyFax is not Customer's privacy officer, security officer, or HIPAA counsel.
14. No Third-Party Beneficiaries
This BAA creates no rights in or for any third party (including, without limitation, any Individual whose PHI is transmitted through the Service), other than to the extent expressly required by HIPAA. Nothing in this BAA is intended to confer, or shall be construed as conferring, any rights or remedies of any kind on any person other than the Parties.
15. Limitation of Liability
(a) Cap. EXCEPT FOR (I) A PARTY'S INDEMNIFICATION OBLIGATIONS UNDER SECTION 16, (II) A PARTY'S VIOLATION OF SECTION 2 (PERMITTED USES AND DISCLOSURES), AND (III) A PARTY'S GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, EACH PARTY'S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS BAA WILL NOT EXCEED THE GREATER OF (A) THE FEES PAID BY CUSTOMER TO SECURELYFAX FOR THE HIPAA-TIER SERVICE IN THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM OR (B) UNITED STATES ONE THOUSAND DOLLARS (US$1,000).
(b) Excluded Damages. IN NO EVENT WILL EITHER PARTY BE LIABLE TO THE OTHER PARTY FOR ANY INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING LOST PROFITS, LOST DATA, OR BUSINESS INTERRUPTION, ARISING OUT OF OR RELATED TO THIS BAA, WHETHER UNDER CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, OR ANY OTHER LEGAL OR EQUITABLE THEORY, EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
(c) Allocation. The Parties acknowledge that the limitations and exclusions in this Section 15 are a fundamental basis of the bargain between them and that they would not have entered into this BAA without them.
16. Indemnification
(a) Customer Indemnification. Customer will defend, indemnify, and hold harmless SecurelyFax and its officers, directors, employees, and agents from and against any third-party claim, demand, action, or proceeding, and any related losses, liabilities, damages, costs, and expenses (including reasonable attorneys' fees), arising out of or related to (i) Customer's transmission of PHI through any non-HIPAA-tier path of the Service, (ii) Customer's failure to maintain an active HIPAA-tier Subscription, (iii) Customer's breach of Section 13, or (iv) the acts or omissions of Customer's workforce members, agents, or business associates other than SecurelyFax.
(b) SecurelyFax Indemnification. SecurelyFax will defend, indemnify, and hold harmless Customer and its officers, directors, employees, and agents from and against any third-party claim, demand, action, or proceeding, and any related losses, liabilities, damages, costs, and expenses (including reasonable attorneys' fees), arising out of or related to SecurelyFax's violation of Section 2 (Permitted Uses and Disclosures), subject to the limitations in Section 15.
(c) Procedure. The indemnified Party will (i) promptly notify the indemnifying Party in writing of any claim for which indemnification is sought, (ii) give the indemnifying Party sole control of the defense and settlement of the claim (provided that no settlement may impose any non-monetary obligation on the indemnified Party without the indemnified Party's prior written consent), and (iii) provide reasonable cooperation at the indemnifying Party's expense.
17. Insurance
SecurelyFax will maintain, at its own expense, (a) commercial general liability insurance with limits of not less than US$1,000,000 per occurrence and US$2,000,000 in the aggregate, and (b) cyber-liability or technology-errors-and-omissions insurance with limits of not less than US$1,000,000 per claim and US$1,000,000 in the aggregate, covering claims arising out of unauthorized acquisition of or access to PHI. SecurelyFax will provide a certificate of insurance evidencing such coverage upon written request from Customer no more frequently than annually.
18. Audit Rights
SecurelyFax's compliance with this BAA is audited by independent third parties through SecurelyFax's SOC 2 Type II program (or successor certification). SecurelyFax will make the most recent SOC 2 Type II report (or summary thereof) available to Customer upon written request and upon Customer's execution of SecurelyFax's standard non-disclosure agreement. This BAA does not grant Customer any right to conduct an on-site audit, network scan, penetration test, or other intrusive examination of SecurelyFax's systems or facilities. SecurelyFax will reasonably cooperate with Customer-led documentary audits limited to the operations of the Service as it pertains to Customer's PHI, no more frequently than once per calendar year, with reasonable prior notice, and at Customer's expense.
19. Independent Contractor
SecurelyFax is an independent contractor and not a partner, joint venturer, employee, or agent of Customer. Nothing in this BAA shall be construed to create an agency, partnership, or fiduciary relationship between the Parties.
20. Amendment
The Parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for SecurelyFax to comply with the requirements of HIPAA. SecurelyFax may also amend this BAA from time to time by posting a revised version at this URL and providing reasonable notice to Customer; Customer's continued use of the HIPAA-tier Service after the effective date of the revised BAA constitutes Customer's acceptance of the revised terms.
21. Governing Law; Venue
This BAA is governed by the laws of the State of Delaware, excluding its conflict-of-laws rules, and by HIPAA. Any dispute arising out of or related to this BAA will be resolved exclusively in the state or federal courts located in Delaware, and each Party irrevocably consents to the jurisdiction of such courts and waives any objection to venue.
22. Notices
All notices required or permitted under this BAA must be in writing and will be deemed received (a) upon delivery if delivered by hand or by overnight courier, (b) three (3) days after deposit in the U.S. mail, postage prepaid, certified or registered mail, return receipt requested, or (c) upon transmission if delivered by email, to the address each Party most recently designated in writing to the other for HIPAA notices. Initially, notices to SecurelyFax must be sent to hipaa@securelyfax.com with a copy to legal@securelyfax.com.
23. Interpretation
Any ambiguity in this BAA will be resolved to permit compliance with HIPAA. This BAA constitutes the entire agreement between the Parties with respect to its subject matter and supersedes all prior or contemporaneous agreements, understandings, or representations, whether written or oral, on that subject matter, except for the Underlying Agreement, which remains in full force and effect. If any provision of this BAA is held to be invalid or unenforceable, the remaining provisions will continue in full force and effect.
24. Survival
Sections 1, 6, 8, 9(d), 11(d), 12, 14, 15, 16, 19, 21, 22, and 23 survive termination of this BAA.
EXECUTED by Customer's authorized representative through Customer's acceptance of this BAA in the SecurelyFax HIPAA-tier sign-up flow or by upload of a signed counterpart to /app/baa. SecurelyFax accepts by countersignature recorded in SecurelyFax's records and reflected in Customer's account as "BAA on file."
This template is provided for informational purposes only. It is not legal advice. Customer should consult its own healthcare counsel before executing any BAA. SecurelyFax does not represent that this template satisfies the requirements of any state-specific overlay (e.g., California Confidentiality of Medical Information Act, Texas Medical Records Privacy Act) that may apply to Customer.