BUSINESS ASSOCIATE AGREEMENT

Between EnhancedDx, Inc. and [Provider / Organization]

This Business Associate Agreement (the “Agreement”) is entered into as of [Effective Date] (the “Effective Date”) by and between:

EnhancedDx, Inc., a Delaware corporation with its registered address at 8 The Green, Ste R, Dover, DE 19901, USA (“Business Associate”); and

[Provider / Organization], a [Entity Type] with its registered address at [Address] (“Covered Entity”).

Business Associate and Covered Entity are each a “Party” and collectively the “Parties.”

Recitals

WHEREAS, Covered Entity is a “covered entity” as defined at 45 C.F.R. § 160.103 under the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”), and the regulations promulgated thereunder;

WHEREAS, Business Associate provides clinical AI software, workflow automation services, virtual assistants, analytics, and related services to Covered Entity pursuant to one or more separate service agreements between the Parties (the “Underlying Agreement”);

WHEREAS, in connection with the Underlying Agreement, Business Associate creates, receives, maintains, or transmits Protected Health Information on behalf of Covered Entity and is therefore a “business associate” of Covered Entity within the meaning of HIPAA;

WHEREAS, Covered Entity is required under HIPAA to obtain satisfactory assurances that Business Associate will appropriately safeguard such Protected Health Information; and

WHEREAS, the Parties wish to set forth their respective rights and obligations with respect to such Protected Health Information.

NOW, THEREFORE, in consideration of the mutual promises set forth herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:

1. Definitions

Capitalized terms used in this Agreement and not otherwise defined shall have the meanings ascribed to them in the HIPAA Rules (as defined below).

1.1 “HIPAA Rules” means, collectively, the Privacy Rule, the Security Rule, the Breach Notification Rule, and the Enforcement Rule, codified at 45 C.F.R. Parts 160 and 164, in each case as amended from time to time, including by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”).

1.2 “Protected Health Information” or “PHI” has the meaning set forth at 45 C.F.R. § 160.103, limited to such information that Business Associate creates, receives, maintains, or transmits for or on behalf of Covered Entity under the Underlying Agreement.

1.3 “Electronic PHI” or “ePHI” means PHI that is transmitted or maintained in electronic media, as defined at 45 C.F.R. § 160.103.

1.4 “Breach” has the meaning set forth at 45 C.F.R. § 164.402.

1.5 “Unsecured PHI” has the meaning set forth at 45 C.F.R. § 164.402.

1.6 “Security Incident” has the meaning set forth at 45 C.F.R. § 164.304.

1.7 “De-identified Data” means health information that has been de-identified in accordance with 45 C.F.R. § 164.514(a) through (c), and which therefore is not individually identifiable health information and is not PHI.

1.8 “Services” means the products and services provided by Business Associate to Covered Entity under the Underlying Agreement, comprising: (a) clinical workflow automation, including AI agents for patient communication, intake, triage, scheduling, follow-up, and documentation assistance, in each case provided for or on behalf of Covered Entity; (b) virtual assistants and voice and chat agents serving Covered Entity’s patients, providers, and staff; (c) data analytics, dashboards, and operational reporting for Covered Entity; (d) implementation, configuration, and operation of software portal features for Covered Entity’s authorized users; and (e) personalization of the user experience for Covered Entity’s patients, providers, and staff.

1.9 “Secretary” means the Secretary of the U.S. Department of Health and Human Services or the Secretary’s designee.

1.10 “Anonymized Aggregate Data” means data derived from De-identified Data that has been combined, summarized, or otherwise processed such that it consists of aggregate statistics, model outputs, or other information that cannot reasonably be used, alone or in combination with other reasonably available information, to identify any individual, Covered Entity, or any specific record.

1.11 “Training Materials” means, collectively: (a) training, validation, and evaluation datasets and corpora compiled or curated by Business Associate that include De-identified Data; (b) artificial intelligence and machine learning models, including their weights, embeddings, hyperparameters, and configurations, developed, trained, fine-tuned, or evaluated in whole or in part using such datasets or other De-identified Data; (c) evaluation metrics, benchmarks, and analyses derived therefrom; and (d) any derivative works of any of the foregoing.

2. Obligations of Business Associate

2.1 Compliance with HIPAA. Business Associate shall comply with the applicable provisions of the HIPAA Rules and any other federal or state law governing the privacy or security of PHI to the extent applicable to Business Associate.

2.2 Safeguards. Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards, including a written information security program, risk analysis, risk management, access controls, encryption of ePHI at rest and in transit consistent with NIST guidance, workforce security, audit logging, incident response, and business continuity measures, in each case as required by 45 C.F.R. Part 164, Subpart C and reasonably designed to protect the confidentiality, integrity, and availability of PHI.

2.3 Mitigation. Business Associate shall use commercially reasonable efforts to mitigate, to the extent practicable, any harmful effect known to Business Associate of a use or disclosure of PHI by Business Associate or its subcontractors in violation of this Agreement or the HIPAA Rules.

3. Permitted Uses and Disclosures by Business Associate

3.1 Performance of the Services. Business Associate may use and disclose PHI as necessary to perform the Services, including each of the activities described in the definition of Services in Section 1.8, and to undertake any activity reasonably related to those activities. Business Associate shall request, use, and disclose only the minimum necessary PHI reasonably required to accomplish the intended purpose, consistent with 45 C.F.R. § 164.502(b).

3.2 Management and Administration. Business Associate may use PHI for the proper management and administration of Business Associate and to carry out its legal responsibilities. Business Associate may disclose PHI for such purposes provided that (a) the disclosure is required by law, or (b) Business Associate obtains reasonable written assurances from the recipient that the PHI will be held confidentially, used or further disclosed only as required by law or for the purpose for which it was disclosed, and that the recipient will notify Business Associate of any instance of which it becomes aware in which the confidentiality of the PHI has been breached.

3.3 De-identification. Business Associate may de-identify PHI in accordance with 45 C.F.R. § 164.514(a) through (c), using either the Safe Harbor method or the Expert Determination method. Such de-identification is hereby expressly permitted as a use of PHI under this Agreement.

3.4 Use of De-identified Data. De-identified Data is not PHI and is not subject to the use and disclosure restrictions of this Agreement or the HIPAA Rules. As between the Parties, Business Associate owns De-identified Data created by Business Associate from PHI received under this Agreement, together with any Anonymized Aggregate Data, Training Materials, and other derivative works created therefrom. Business Associate may use, retain, modify, combine with other data, create derivative works from, license, and disclose De-identified Data for any lawful purpose, including without limitation: (a) training, validation, testing, fine-tuning, evaluation, and improvement of artificial intelligence and machine learning models, including predictive, generative, and agentic models, for use in the Services, in Business Associate’s other products, or in products and services that Business Associate provides to its customers and licensees; (b) research and development of products, services, and features; (c) statistical analysis, benchmarking, quality improvement, and operational analytics; (d) creation of Training Materials, Anonymized Aggregate Data, de-identified datasets, reports, and other derivative works, in each case for internal use by Business Associate or for provision to Business Associate’s customers, licensees, and research collaborators; and (e) academic, scientific, and clinical publication of research findings, case studies, and methodological papers, provided that no individual is identified or identifiable in such publication. Once De-identified Data has been incorporated into Training Materials, it forms part of such Training Materials and is owned by Business Associate as intellectual property. Business Associate shall not disclose De-identified Data to any third party except pursuant to a written agreement (which may be Business Associate’s standard form of license, dataset, services, or non-disclosure agreement) that obligates the recipient: (i) not to attempt to re-identify the data or contact any individual who is the subject of the data; (ii) to limit further use and disclosure to the purposes for which the data was disclosed; and (iii) to apply reasonable safeguards to protect the data. Disclosures of Anonymized Aggregate Data or fully trained model outputs do not require such written agreement. Business Associate shall not knowingly disclose De-identified Data to any recipient that intends to use the data to attempt re-identification or to take adverse action against the individuals who are the subjects of the data. Business Associate shall not identify Covered Entity by name as a contributor to a specific dataset, model, or publication created from PHI received under this Agreement without Covered Entity’s prior written consent. The rights granted under this Section 3.4 shall survive termination or expiration of this Agreement.

3.5 Limited Data Sets. (a) Creation. Business Associate may create Limited Data Sets within the meaning of 45 C.F.R. § 164.514(e)(2) from PHI received under this Agreement. (b) Permitted Purposes. Business Associate may use and disclose Limited Data Sets only for the purposes of research, public health activities, and Health Care Operations of Covered Entity, in each case consistent with 45 C.F.R. § 164.514(e). (c) Internal Use. Business Associate may use Limited Data Sets internally for the purposes set forth in clause (b), subject to safeguards reasonably designed to protect the data. (d) Disclosure to Third Parties. Business Associate may disclose Limited Data Sets to third parties, including its customers, licensees, and research collaborators, for the purposes set forth in clause (b), provided that each such disclosure is made pursuant to a written Data Use Agreement satisfying the requirements of 45 C.F.R. § 164.514(e)(4), under which the recipient: (i) is permitted to use the Limited Data Set only for the purposes set forth in this Section; (ii) shall not attempt to re-identify the data or contact any individual who is the subject of the data; (iii) shall apply appropriate safeguards to protect the Limited Data Set, including administrative, physical, and technical measures consistent with the sensitivity of the data; (iv) shall report to Business Associate any use or disclosure of the Limited Data Set not provided for by the Data Use Agreement of which the recipient becomes aware; and (v) shall require any agents or subcontractors to whom it discloses the Limited Data Set to agree to restrictions at least as protective as those of the Data Use Agreement. (e) Transparency. Upon Covered Entity’s written request not more than once per calendar year, Business Associate shall provide Covered Entity with a list of categories of recipients of Limited Data Sets created from PHI received under this Agreement. Covered Entity shall hold such list as Business Associate’s confidential information. (f) Attribution. Business Associate shall not identify Covered Entity by name in connection with a Limited Data Set disclosure without Covered Entity’s prior written consent. (g) Required by Law. Nothing in this Section 3.5 shall prevent Business Associate from disclosing a Limited Data Set as required by law. (h) Survival of DUAs. Data Use Agreements entered into pursuant to this Section 3.5 prior to termination or expiration of this Agreement shall remain in effect in accordance with their terms.

3.6 Data Aggregation. Business Associate may provide Data Aggregation services relating to the Health Care Operations of Covered Entity, as those terms are defined at 45 C.F.R. §§ 164.501 and 164.504(e)(2)(i)(B).

3.7 Required by Law. Business Associate may use or disclose PHI as required by law, consistent with 45 C.F.R. § 164.502(a)(1).

3.8 Prohibited Uses. Business Associate shall not sell PHI within the meaning of 45 C.F.R. § 164.502(a)(5)(ii) and shall not use or disclose PHI for marketing purposes within the meaning of 45 C.F.R. § 164.501, in each case except as expressly permitted by the HIPAA Rules and authorized in writing by Covered Entity. Business Associate shall not use or disclose PHI in any manner that would violate the HIPAA Rules if done by Covered Entity, except for the activities expressly permitted by Sections 3.2 through 3.7 above. For the avoidance of doubt, the use and disclosure of De-identified Data is not a use or disclosure of PHI and is not restricted by this Section 3.8.

3.9 No Training on PHI. Notwithstanding any other provision of this Agreement, Business Associate shall not use PHI to train, validate, fine-tune, or evaluate any artificial intelligence or machine learning model. Business Associate shall train, validate, fine-tune, and evaluate such models only on De-identified Data, synthetic data, publicly available data, or other data that is not PHI. For the avoidance of doubt, Limited Data Sets remain PHI within the meaning of HIPAA and shall not be used by Business Associate for the training, validation, fine-tuning, or evaluation of any artificial intelligence or machine learning model under this Agreement. Business Associate shall maintain reasonable governance controls designed to enforce the restrictions in this Section.

4. Reporting Obligations

4.1 Reporting of Impermissible Use or Disclosure. Business Associate shall report to Covered Entity any use or disclosure of PHI not permitted by this Agreement of which Business Associate becomes aware, without unreasonable delay and in no event later than sixty (60) calendar days after discovery.

4.2 Breach of Unsecured PHI. Business Associate shall notify Covered Entity of any Breach of Unsecured PHI in accordance with 45 C.F.R. § 164.410, without unreasonable delay and in no event later than sixty (60) calendar days after discovery. The notification shall include, to the extent then available, the information specified at 45 C.F.R. § 164.410(c). Business Associate shall provide such additional information as becomes available and as Covered Entity reasonably requests for purposes of Covered Entity’s compliance with its obligations under 45 C.F.R. Part 164, Subpart D.

4.3 Security Incidents. Business Associate shall report to Covered Entity any Security Incident affecting ePHI of which Business Associate becomes aware and which results in unauthorized access, use, disclosure, modification, or destruction of ePHI, without unreasonable delay and in no event later than sixty (60) calendar days after discovery. The Parties acknowledge and agree that this Section 4.3 constitutes notice of, and Covered Entity is hereby deemed to have been notified of, the ongoing occurrence of unsuccessful attempts at unauthorized access, use, disclosure, modification, or destruction of ePHI and unsuccessful attempts at interference with information system operations (including pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the foregoing) so long as no such attempt results in unauthorized access, use, disclosure, modification, or destruction of ePHI, and no further notice of such unsuccessful attempts shall be required.

5. Subcontractors

5.1 Flow-Down Obligations. Business Associate shall enter into a written agreement with any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate, requiring such subcontractor to comply with restrictions and conditions at least as protective as those that apply to Business Associate under this Agreement, in accordance with 45 C.F.R. § 164.502(e)(1)(ii).

5.2 List of Subcontractors. Upon Covered Entity’s written request not more than once per calendar year, Business Associate shall provide Covered Entity with a list of subcontractors that receive PHI under this Agreement. Covered Entity shall treat such list as Business Associate’s confidential information.

6. Individual Rights

6.1 Access. To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall make such PHI available to Covered Entity, or, at Covered Entity’s written direction, to the individual who is the subject of the PHI, within fifteen (15) business days after Covered Entity’s written request, to enable Covered Entity to satisfy its obligations under 45 C.F.R. § 164.524.

6.2 Amendment. To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall, upon Covered Entity’s written direction and within fifteen (15) business days after such direction, make any amendment to such PHI as directed by Covered Entity in accordance with 45 C.F.R. § 164.526.

6.3 Accounting of Disclosures. Business Associate shall document disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request for an accounting of disclosures under 45 C.F.R. § 164.528, and shall make such documentation available to Covered Entity within thirty (30) business days after Covered Entity’s written request.

6.4 Forwarding of Individual Requests. If Business Associate receives a request directly from an individual or the individual’s personal representative for access to, amendment of, or an accounting of disclosures of the individual’s PHI, Business Associate shall forward such request to Covered Entity within ten (10) business days of receipt. Covered Entity shall be solely responsible for responding to such request.

7. Compliance and Audit

7.1 HHS Access. Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining compliance with the HIPAA Rules. To the extent permitted by law, Business Associate shall promptly notify Covered Entity of any such request.

7.2 Independent Assessments. Upon Covered Entity’s written request not more than once per calendar year, Business Associate shall provide Covered Entity with a summary of its then-current independent third-party security assessments or certifications (such as SOC 2 Type II or HITRUST), to the extent maintained by Business Associate in the ordinary course of business. Covered Entity shall hold any such report in strict confidence and shall not redistribute it without Business Associate’s prior written consent.

8. Obligations of Covered Entity

8.1 Notice of Privacy Practices. Covered Entity shall notify Business Associate of any limitation in its notice of privacy practices, and of any restriction or change in, or revocation of, an individual’s authorization to use or disclose PHI, in each case to the extent such limitation, restriction, change, or revocation may affect Business Associate’s use or disclosure of PHI under this Agreement.

8.2 Permissible Requests. Covered Entity shall not request that Business Associate use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity, except to the extent that this Agreement expressly permits Business Associate to use or disclose PHI for Data Aggregation, management and administration, or the activities described in Sections 3.3, 3.4, and 3.5.

8.3 Authority to Disclose. Covered Entity represents and warrants that it has obtained all consents, authorizations, and permissions necessary under the HIPAA Rules and applicable law to disclose PHI to Business Associate and to permit Business Associate to use and disclose PHI as contemplated by this Agreement and the Underlying Agreement.

8.4 Appropriate Transmission. Covered Entity shall transmit PHI to Business Associate only through the channels and mechanisms designated by Business Associate in the Underlying Agreement or in supporting technical documentation. Covered Entity shall not transmit PHI to Business Associate through unsecured channels, and Business Associate shall not be liable for any consequences arising from Covered Entity’s transmission of PHI other than through designated channels.

9. Workforce Training

Business Associate shall provide training on HIPAA and on Business Associate’s privacy and security policies and procedures to members of its workforce who create, receive, maintain, or transmit PHI on behalf of Business Associate, as required by 45 C.F.R. §§ 164.308(a)(5) and 164.530(b)(1). Business Associate shall document that such training has been provided.

10. Term and Termination

10.1 Term. This Agreement shall be effective as of the Effective Date and shall remain in effect until terminated as provided in this Section 10 or until the expiration or termination of the Underlying Agreement, whichever occurs later.

10.2 Termination for Cause. A Party may terminate this Agreement upon written notice to the other Party if the other Party materially breaches this Agreement and fails to cure such breach within thirty (30) days after receipt of written notice describing the breach in reasonable detail, provided that, if the breach is not reasonably capable of cure, the non-breaching Party may terminate this Agreement immediately upon written notice. Termination of this Agreement under this Section 10.2 shall, at the non-breaching Party’s election, also terminate the Underlying Agreement.

10.3 Termination by Business Associate for Compliance. Business Associate may terminate this Agreement upon written notice to Covered Entity if Business Associate reasonably determines that continued performance would cause Business Associate to violate the HIPAA Rules or applicable law and the Parties are unable, after good-faith negotiations not to exceed thirty (30) days, to amend this Agreement to address such violation.

11. Effect of Termination

11.1 Return or Destruction. Upon termination or expiration of this Agreement, Business Associate shall, with respect to PHI in its possession or in the possession of its subcontractors: (a) retain only that PHI that is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities, or that is contained in routine backups, archives, audit logs, or similar records the destruction of which is not reasonably feasible; (b) return to Covered Entity or, if directed by Covered Entity in writing, destroy all remaining PHI; (c) continue to apply the protections of this Agreement to any PHI retained pursuant to clause (a) for so long as such PHI is retained; and (d) limit further uses and disclosures of such retained PHI to the purposes that made return or destruction infeasible.

11.2 Retention of Anonymized Data and Training Materials. The return or destruction obligations of Section 11.1 apply only to PHI. They do not apply to, and Business Associate shall not be required to return, destroy, or curtail its use of: (a) De-identified Data; (b) Anonymized Aggregate Data; (c) Training Materials; or (d) any artificial intelligence and machine learning models, weights, embeddings, hyperparameters, evaluation metrics, derivative works, and improvements derived in whole or in part from any of the foregoing. As between the Parties, all such items are the intellectual property of Business Associate and may be retained and used by Business Associate in perpetuity in accordance with Sections 3.4 and 13.2, free of any obligation under this Agreement. Covered Entity acknowledges and agrees that the items in clauses (c) and (d) cannot reasonably be unwound, segregated, or reconstituted, and that Business Associate would suffer irreparable harm if required to delete, retrain, or reconstitute them.

11.3 Reporting to the Secretary. If termination of this Agreement for material breach is not feasible, the non-breaching Party may report the violation to the Secretary in accordance with 45 C.F.R. § 164.504(e)(1)(ii).

12. Limitation of Liability and Indemnification

12.1 Limitation of Liability. EXCEPT AS PROVIDED IN SECTION 12.2, EACH PARTY’S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATING TO THIS AGREEMENT, WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STATUTE, OR OTHERWISE, SHALL NOT EXCEED THE GREATER OF (A) TWO TIMES THE AGGREGATE FEES PAID OR PAYABLE BY COVERED ENTITY TO BUSINESS ASSOCIATE UNDER THE UNDERLYING AGREEMENT IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM, OR (B) ONE HUNDRED THOUSAND U.S. DOLLARS (USD 100,000).

12.2 Excluded from Cap. The limitation in Section 12.1 shall not apply to liability arising out of or relating to: (a) a Party’s fraud, willful misconduct, or gross negligence; (b) Business Associate’s breach of its obligations in Section 3.4 not to attempt re-identification of De-identified Data; (c) a Party’s indemnification obligations under Section 12.4 for third-party claims; or (d) any amounts that cannot be limited or excluded under applicable law.

12.3 Exclusion of Damages. EXCEPT IN CASES OF FRAUD OR WILLFUL MISCONDUCT, AND NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THIS AGREEMENT OR THE UNDERLYING AGREEMENT, NEITHER PARTY SHALL BE LIABLE TO THE OTHER FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, EXEMPLARY, OR PUNITIVE DAMAGES, OR FOR LOST PROFITS, LOST REVENUE, LOST BUSINESS OPPORTUNITIES, OR LOSS OF GOODWILL, ARISING OUT OF OR RELATING TO THIS AGREEMENT, WHETHER OR NOT THE POSSIBILITY OF SUCH DAMAGES WAS FORESEEABLE OR HAD BEEN COMMUNICATED TO THE OTHER PARTY.

12.4 Indemnification. Each Party (the “Indemnifying Party”) shall defend, indemnify, and hold harmless the other Party and its directors, officers, employees, and agents (each, an “Indemnified Party”) from and against any third-party claims, damages, fines, civil monetary penalties, and reasonable attorneys’ fees actually awarded against, or paid in settlement by, the Indemnified Party to the extent arising out of (a) the Indemnifying Party’s gross negligence or willful misconduct, or (b) the Indemnifying Party’s material breach of its obligations under this Agreement. The Indemnifying Party’s obligations under this Section 12.4 shall be reduced to the extent that the claim arises from the Indemnified Party’s own negligence, willful misconduct, or breach of this Agreement, including for the avoidance of doubt any failure by Covered Entity to comply with Section 8.

12.5 Indemnification Procedure. The Indemnified Party shall (a) promptly notify the Indemnifying Party in writing of the claim, (b) grant the Indemnifying Party sole control of the defense and settlement of the claim, provided that the Indemnifying Party shall not settle any claim that imposes liability or obligation on the Indemnified Party without the Indemnified Party’s prior written consent (not to be unreasonably withheld), and (c) provide reasonable cooperation at the Indemnifying Party’s expense. A failure to notify promptly shall not relieve the Indemnifying Party of its obligations except to the extent it is materially prejudiced by the delay.

12.6 Interaction with Underlying Agreement. The Parties intend the limitations and exclusions set forth in this Section 12 to apply to the maximum extent permitted by law. Nothing in this Agreement shall be construed to expand, modify, or supersede any limitation of liability, exclusion of damages, indemnification, or insurance requirement set forth in the Underlying Agreement, except where this Agreement is expressly more protective of the Indemnified Party or where required by HIPAA.

13. Data Ownership and Intellectual Property

13.1 Covered Entity Data. As between the Parties, Covered Entity owns all right, title, and interest in and to the PHI it discloses to Business Associate. Business Associate acquires no ownership interest in such PHI by virtue of this Agreement, except for the licenses and rights expressly granted herein.

13.2 Business Associate Materials. As between the Parties, Business Associate owns all right, title, and interest in and to (a) the Services, including all software, models, weights, embeddings, prompts, configurations, knowledge bases, infrastructure, and documentation comprising or supporting the Services; (b) De-identified Data and Anonymized Aggregate Data created by Business Associate from PHI received under this Agreement; (c) Training Materials, including training corpora, validation datasets, and evaluation datasets containing De-identified Data, together with all artificial intelligence and machine learning models, weights, embeddings, hyperparameters, evaluation metrics, derivative works, and improvements developed, trained, fine-tuned, or evaluated in whole or in part using such Training Materials or other De-identified Data; and (d) all feedback, suggestions, ideas, and improvements provided by Covered Entity relating to the Services. To the extent any rights in the foregoing vest in Covered Entity by operation of law, Covered Entity hereby assigns such rights to Business Associate.

14. Miscellaneous

14.1 Governing Law. This Agreement shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict-of-law principles, except to the extent preempted by federal law including HIPAA. The Parties consent to the exclusive jurisdiction and venue of the state and federal courts located in New Castle County, Delaware, for any dispute arising under this Agreement.

14.2 Notices. All notices under this Agreement shall be in writing and delivered by hand, by nationally recognized overnight courier, by certified mail (return receipt requested), or by email with confirmation of receipt, to the addresses set forth below or to such other address as a Party may designate by notice in accordance with this Section. Notices shall be deemed given upon receipt.

If to Business Associate:

EnhancedDx, Inc.

8 The Green, Ste R

Dover, DE 19901, USA

Email:

If to Covered Entity:

[Provider / Organization]

[Address]

Attn: [Privacy Officer / Medical Director]

Email: [designated address]

14.3 Amendment. This Agreement may be amended only by a written instrument signed by an authorized representative of each Party. The Parties shall negotiate in good faith to amend this Agreement from time to time as may be necessary to comply with the HIPAA Rules or other applicable law.

14.4 Interpretation. Any ambiguity in this Agreement shall be resolved to permit compliance with the HIPAA Rules. Section headings are for convenience only and shall not affect the interpretation of this Agreement. References to statutes and regulations shall be deemed to refer to such statutes and regulations as amended from time to time, and to any successor provisions.

14.5 Survival. The provisions of Sections 1, 3.4, 3.5, 3.8, 3.9, 4 (with respect to matters arising prior to termination), 5, 7, 11, 12, 13, and 14 shall survive any termination or expiration of this Agreement.

14.6 Independent Contractors. The Parties are independent contractors. Nothing in this Agreement shall be construed to create a partnership, joint venture, agency, or employment relationship.

14.7 No Third-Party Beneficiaries. Except as expressly provided in Section 12.4 with respect to Indemnified Parties, this Agreement is for the sole benefit of the Parties and their permitted successors and assigns and creates no rights in any third party.

14.8 Assignment. Neither Party may assign this Agreement without the other Party’s prior written consent (not to be unreasonably withheld), except that either Party may assign this Agreement to a successor in connection with a merger, acquisition, reorganization, or sale of all or substantially all of its assets or equity, upon written notice to the other Party.

14.9 Severability. If any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect, and the invalid or unenforceable provision shall be reformed to the minimum extent necessary to make it valid and enforceable while preserving the Parties’ original intent.

14.10 Entire Agreement; Conflict. This Agreement, together with the Underlying Agreement, constitutes the entire agreement between the Parties with respect to its subject matter and supersedes all prior or contemporaneous communications. In the event of a conflict between this Agreement and the Underlying Agreement with respect to the use, disclosure, or protection of PHI, this Agreement shall control. In all other respects, including limitation of liability, the Underlying Agreement shall control.

14.11 Counterparts; Electronic Signatures. This Agreement may be executed in counterparts, including by electronic signature or PDF transmission, each of which shall be deemed an original and all of which together shall constitute one and the same instrument.

Signatures

IN WITNESS WHEREOF, the Parties have executed this Business Associate Agreement as of the Effective Date.