JIL Sovereign
JIL Sovereign Technologies, Inc.
A Delaware Corporation · jilsovereign.com
DRAFT - Counsel template. First-revision template provided to streamline diligence; replace bracketed placeholders, capitalized defined terms, and Schedule entries to reflect the actual engagement. Counsel of either party may redline freely. Effective only when executed by both parties' authorized signatories.

Business Associate Agreement

Form: JIL-BAA-CUST-2026-05
Issued: May 3, 2026
Owner: Office of the General Counsel, JIL Sovereign Technologies, Inc.

This Business Associate Agreement (this "Agreement"), dated as of [EFFECTIVE DATE] (the "Effective Date"), is entered into by and between [CUSTOMER LEGAL NAME], a [state] [entity type] ("Covered Entity"), and JIL Sovereign Technologies, Inc., a Delaware corporation ("Business Associate" and, together with Covered Entity, the "Parties" and each, a "Party").

Recitals

WHEREAS, Covered Entity and Business Associate have entered into one or more agreements pursuant to which Business Associate provides services to Covered Entity (the "Underlying Agreement"); and

WHEREAS, in performing the services under the Underlying Agreement, Business Associate may create, receive, maintain, or transmit Protected Health Information on behalf of Covered Entity, requiring the Parties to enter into a business associate agreement compliant with the Health Insurance Portability and Accountability Act of 1996, as amended, including by the Health Information Technology for Economic and Clinical Health Act, and the regulations promulgated thereunder at 45 C.F.R. Parts 160 and 164 (collectively, "HIPAA"); and

WHEREAS, the Parties intend to comply with the requirements of HIPAA as applicable to the relationship and to define the rights and obligations of each Party with respect to PHI;

NOW, THEREFORE, in consideration of the mutual promises set forth herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:

1. Definitions

Capitalized terms used but not otherwise defined herein have the meanings ascribed to them under HIPAA. For purposes of this Agreement:

  1. "Breach" has the meaning set forth at 45 C.F.R. § 164.402.
  2. "Designated Record Set" has the meaning set forth at 45 C.F.R. § 164.501.
  3. "Electronic Protected Health Information" or "ePHI" has the meaning set forth at 45 C.F.R. § 160.103, limited to the information Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity.
  4. "Individual" has the meaning set forth at 45 C.F.R. § 160.103 and includes a person who qualifies as a personal representative under 45 C.F.R. § 164.502(g).
  5. "Privacy Rule" means the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Parts 160 and 164, Subparts A and E.
  6. "Protected Health Information" or "PHI" has the meaning set forth at 45 C.F.R. § 160.103, limited to information Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity.
  7. "Required by Law" has the meaning set forth at 45 C.F.R. § 164.103.
  8. "Secretary" means the Secretary of the United States Department of Health and Human Services or the Secretary's designee.
  9. "Security Incident" has the meaning set forth at 45 C.F.R. § 164.304.
  10. "Security Rule" means the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. Parts 160 and 164, Subparts A and C.
  11. "Subcontractor" has the meaning set forth at 45 C.F.R. § 160.103.
  12. "Unsecured PHI" has the meaning set forth at 45 C.F.R. § 164.402.

2. Permitted Uses and Disclosures of PHI

2.1 Use and Disclosure for Performance of the Underlying Agreement

Business Associate may use and disclose PHI only to perform the services described in the Underlying Agreement and as set forth on Schedule A (Permitted Use Description), or as Required by Law. Business Associate shall not use or disclose PHI in a manner that would violate HIPAA if done by Covered Entity, except where the use or disclosure is for the proper management and administration of Business Associate, or to carry out Business Associate's legal responsibilities, in each case to the extent permitted under 45 C.F.R. § 164.504(e)(4).

2.2 Minimum Necessary

Business Associate shall, with respect to its use or disclosure of PHI, comply with the minimum necessary standard at 45 C.F.R. § 164.502(b) and the related guidance issued by the Secretary.

2.3 Data Aggregation

Business Associate may use PHI to provide Data Aggregation Services to Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B), but only to the extent agreed in writing in Schedule A.

2.4 De-identification

Business Associate may de-identify PHI in accordance with 45 C.F.R. § 164.514(a)-(c), and information that has been so de-identified is not subject to this Agreement, except as expressly provided in Schedule A.

3. Obligations of Business Associate

3.1 Safeguards

Business Associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI, in compliance with the Security Rule and Subpart C of 45 C.F.R. Part 164. The current technical safeguards are summarized in Schedule B (Security Safeguards Statement).

3.2 Reporting

Business Associate shall report to Covered Entity, without unreasonable delay and in any event within seven (7) calendar days of Discovery (as that term is defined at 45 C.F.R. § 164.404(a)(2)):

  1. any use or disclosure of PHI not permitted by this Agreement of which Business Associate becomes aware;
  2. any Security Incident of which Business Associate becomes aware (provided that the Parties agree the periodic notice required by this clause for unsuccessful Security Incidents that do not result in unauthorized access, use, disclosure, modification, or destruction of ePHI is satisfied by an annual written summary); and
  3. any Breach of Unsecured PHI in accordance with 45 C.F.R. § 164.410.

3.3 Subcontractors

Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate enters into a written agreement that imposes the same restrictions and conditions on the Subcontractor with respect to PHI that apply to Business Associate under this Agreement, in accordance with 45 C.F.R. § 164.502(e)(1)(ii) and § 164.308(b)(2). The current Subcontractor inventory is published at JIL Subprocessor List and is incorporated by reference; Business Associate shall provide Covered Entity with thirty (30) days' prior written notice of any addition or change.

3.4 Access

Within fifteen (15) business days of a written request from Covered Entity, Business Associate shall provide access to PHI in a Designated Record Set held by Business Associate to Covered Entity (or, if directed by Covered Entity, to the Individual or the Individual's designee) in accordance with 45 C.F.R. § 164.524.

3.5 Amendment

Within thirty (30) business days of a written request from Covered Entity, Business Associate shall make any amendment(s) to PHI in a Designated Record Set held by Business Associate as directed or agreed to by Covered Entity pursuant to 45 C.F.R. § 164.526.

3.6 Accounting

Business Associate shall maintain and make available to Covered Entity, within thirty (30) business days of a written request, the information necessary for Covered Entity to respond to an Individual's request for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.

3.7 Audit

Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary for purposes of the Secretary's determination of Covered Entity's compliance with HIPAA. Covered Entity's audit rights are governed by Section 7 of this Agreement.

3.8 Mitigation

Business Associate shall mitigate, to the extent practicable, any harmful effect of which it becomes aware that is the result of a use or disclosure of PHI by Business Associate in violation of this Agreement.

3.9 Compliance with Covered Entity Obligations

To the extent Business Associate is to carry out one or more of Covered Entity's obligations under the Privacy Rule, Business Associate shall comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligation(s).

4. Obligations of Covered Entity

Covered Entity shall:

  1. provide Business Associate with the notice of privacy practices Covered Entity produces in accordance with 45 C.F.R. § 164.520, as well as any changes to such notice;
  2. provide Business Associate with any changes in, or revocation of, the permission by an Individual to use or disclose PHI, if such changes affect Business Associate's permitted or required uses and disclosures;
  3. notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, if such restriction may affect Business Associate's use or disclosure of PHI; and
  4. not request that Business Associate use or disclose PHI in a manner that would not be permissible under HIPAA if done by Covered Entity, except where Business Associate will use or disclose PHI for, and the contract includes provisions for, Data Aggregation or management and administration and legal responsibilities of the Business Associate.

5. Term and Termination

5.1 Term

This Agreement shall be effective as of the Effective Date and shall remain in effect until terminated as provided herein or until the termination of the Underlying Agreement, whichever is later.

5.2 Termination for Cause

Upon Covered Entity's knowledge of a material breach by Business Associate of this Agreement, Covered Entity shall provide Business Associate with written notice of the breach and an opportunity for Business Associate to cure the breach within thirty (30) days. If Business Associate does not cure the breach within the cure period, Covered Entity may terminate this Agreement and the Underlying Agreement, if termination of the Underlying Agreement is feasible.

5.3 Effect of Termination

Upon termination of this Agreement for any reason, Business Associate shall return to Covered Entity or destroy all PHI received from, or created or received by Business Associate on behalf of, Covered Entity that Business Associate still maintains in any form, and shall retain no copies of such PHI. If return or destruction is not feasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.

6. Breach Notification

The reporting obligations in Section 3.2 are supplemented by the following: with respect to a Breach of Unsecured PHI, Business Associate's report shall include, to the extent possible:

  1. the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, or disclosed during the Breach;
  2. a brief description of what happened, including the date of the Breach and the date of Discovery, if known;
  3. a description of the types of Unsecured PHI involved;
  4. any steps Individuals should take to protect themselves from potential harm;
  5. a brief description of what Business Associate is doing to investigate the Breach, mitigate harm, and protect against further Breaches; and
  6. contact procedures for Individuals to ask questions or learn additional information.

Business Associate's customer-notification objective is sixty (60) minutes from confirmation of a Breach, recognizing that the statutory floor under 45 C.F.R. § 164.410 is sixty (60) days.

7. Audit and Inspection Rights

No more than once per twelve (12) month period (or more frequently in response to a confirmed Security Incident), Covered Entity may, at its expense and upon thirty (30) days' prior written notice, conduct or commission an audit of Business Associate's compliance with this Agreement. The scope, methodology, and confidentiality of any such audit shall be governed by the Right-to-Audit Clause attached as Schedule C (Right to Audit) or, in its absence, by industry-standard practices. Audit findings are Confidential Information and may not be disclosed to any third party other than Covered Entity's legal counsel, auditors, and Required by Law recipients without Business Associate's prior written consent.

8. Indemnification

Business Associate shall indemnify, defend, and hold harmless Covered Entity from and against any third-party claims, damages, losses, and reasonable costs (including reasonable attorneys' fees) to the extent arising out of Business Associate's material breach of this Agreement or its grossly negligent or willful acts or omissions in performance of its obligations hereunder, subject to the limitations of liability set forth in the Underlying Agreement, which shall apply to this Agreement except to the extent expressly modified herein.

9. Insurance

Business Associate shall maintain commercial general liability, errors and omissions, and cyber liability insurance with limits not less than those set forth on Schedule D (Insurance), and shall provide Covered Entity with certificates of insurance evidencing such coverage upon request.

10. Miscellaneous

10.1 Regulatory References

A reference in this Agreement to a section of HIPAA means the section as in effect or as amended.

10.2 Amendment

The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the requirements of HIPAA and any other applicable law.

10.3 Survival

The respective rights and obligations of Business Associate under Sections 3.1, 3.2, 3.7, 3.8, 5.3, 6, 7, 8, and this Section 10 shall survive termination of this Agreement.

10.4 Interpretation

Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity to comply with HIPAA. The headings used in this Agreement are for convenience only and have no legal effect.

10.5 Counterparts; Electronic Signatures

This Agreement may be executed in counterparts, each of which shall be deemed an original and all of which together shall constitute one and the same instrument. Electronic signatures shall be deemed valid execution.

10.6 Entire Agreement

This Agreement, together with the Underlying Agreement and the Schedules hereto, constitutes the entire agreement between the Parties with respect to the subject matter hereof. In the event of any conflict between this Agreement and the Underlying Agreement with respect to the use, disclosure, or protection of PHI, the terms of this Agreement shall control.

10.7 Governing Law

This Agreement shall be governed by and construed in accordance with the laws of the State of [GOVERNING LAW] without regard to its conflict-of-laws rules, and federal HIPAA shall apply to all matters within its scope.


Schedule A - Permitted Use Description

Business Associate is engaged to provide the following services that involve PHI:

  1. Adversarial Validation and Adjudication (AVA™ Pro / AVA™ Pro+) - retroactive payment-integrity analysis of Covered Entity's claims data, producing sealed Court Ready Evidence Bundles (CREB™) for Covered Entity's counsel.
  2. Tier 1 detection - automated detection scan against eight categories of free public data; output is a flat-fee per-record finding set.
  3. Ava (agentic AI between Tier 1 and Tier 2) - cost-optimized routing of flagged records into Tier 2 substantiation queues.

PHI is tokenized at the ingest boundary using FF3-1 / FPE-AES; the analytical pipeline operates on tokenized data only; re-identification occurs at the customer-facing CREB™ output and only for the authenticated Covered Entity.

Schedule B - Security Safeguards Statement

Current technical, administrative, and physical safeguards include:

Schedule C - Right to Audit

Reference the standalone clause at /docs/legal/JIL_Right_to_Audit_Clause.html; the Parties may attach the form clause directly to this Agreement.

Schedule D - Insurance

Coverage | Limit | Status
Cyber Liability | $5M per occurrence / $10M aggregate (target) | Binding pending
Errors and Omissions (Professional Liability) | $5M per claim (target) | Binding pending
Commercial General Liability | $2M aggregate (target) | Bound

Covered Entity

[CUSTOMER LEGAL NAME]

Authorized signature

By: ____________________________
Name: ____________________________
Title: ____________________________
Date: ____________________________

Business Associate

JIL Sovereign Technologies, Inc.

Authorized signature

By: ____________________________
Name: Jeffrey Mendonca
Title: Chief Executive Officer
Date: ____________________________