Business Associate Agreement
This page contains the standard Synthflow Business Associate Agreement (BAA) template. The BAA is executed between Synthflow and Customer at contract signing for customers using the HIPAA Setting to process Protected Health Information (PHI). This page is provided for review and reference.
BUSINESS ASSOCIATE AGREEMENT
Version 1.0 | Last updated May 13, 2026 | Applicable to: United States (HIPAA-covered customers)
This Business Associate Agreement (“Agreement”) is entered between
_____________________ (“Covered Entity”) and AgentFlow AI GmbH (“Business Associate”).
Background
- Pursuant to the parties’ separate Service Agreement (“Service Agreement”), Business Associate has agreed to perform certain services for or on behalf of Covered Entity that may involve the creation, maintenance, use, transmission or disclosure of protected health information within the meaning of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and their implementing regulations, 45 CFR Parts 160 and 164 as they shall be amended (collectively the “HIPAA Rules”).
- If and only to the extent that Business Associate is a “business associate” as defined in the HIPAA Rules, this Agreement supplements the Service Agreement and is intended to and shall be interpreted to satisfy the requirements for business associate agreements as set forth in the HIPAA Rules. If Business Associate is not a business associate as defined in the HIPAA
Definitions
- General Definitions. The terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules.
- Specific Definitions.
  - Business Associate shall generally have the same meaning as the term “business associate” at 45 CFR § 160.103, and in reference to the party to this Agreement.
  - Covered Entity shall generally have the same meaning as the term “covered entity” at 45 CFR § 160.103.
  - Protected Health Information shall generally have the same meaning as the term “protected health information” at 45 CFR § 160.103, and shall include any individually identifiable information that is created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity that relates to an individual’s past, present, or future physical or mental health, health care, or payment for health care, whether such information is in oral, hard copy, electronic, or any other form or medium.
  - HIPAA Setting: As defined in Exhibit A, the HIPAA Setting is a configuration provided by the Business Associate to ensure compliance with HIPAA by preventing the persistent storage of PHI.
Agreement
1. Business Associate Responsibilities. Business Associate agrees to:
   (a) Not use or disclose protected health information except as permitted by Section 2, below, or as otherwise required by law.
   (b) Use appropriate safeguards to prevent the use or disclosure of protected health information other than as permitted by this Agreement. To the extent applicable to business associates, Business Associate shall comply with the requirements in 45 CFR Part 164, Subpart C (“HIPAA Security Rule”), including the use of administrative, physical and technical safeguards to protect electronic protected health information.
   (c) Report to Covered Entity any use or disclosure of protected health information not permitted by this Agreement of which it becomes aware, including breaches of unsecured protected health information as required by 45 CFR § 164.410, and any security incident as required by 45 CFR § 164.314(a)(2). The parties acknowledge that Business Associate is periodically subject to unsuccessful attempts to access its information systems (e.g., typical “pings” or port scans), but that such unsuccessful attempts are trivial, routine, and do not constitute a material threat to the security of protected health information. The parties agree that further notice of such trivial but unsuccessful attempts shall not be required unless expressly required by Covered Entity.
   (d) Ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information as required by 45 CFR §§ 164.308(b)(2)-(3) and 164.502(e)(1)-(2). Business Associate may fulfill this requirement by having the subcontractors execute an agreement that incorporates the terms of this Agreement.
   (e) Within fifteen (15) days after Covered Entity’s request, make available to Covered Entity any protected health information in Business Associate’s control as necessary to enable Covered Entity to satisfy its obligations to provide an individual with access to certain protected health information under 45 CFR § 164.524.
   (f) Within thirty (30) days after Covered Entity’s request, make available to Covered Entity any protected health information for amendment and incorporate any amendments to protected health information as necessary to enable Covered Entity to satisfy its obligations under 45 CFR § 164.526.
   (g) Within thirty (30) days after Covered Entity’s request, make available to Covered Entity the information required to provide an accounting of disclosures as necessary to enable Covered Entity to satisfy its obligations under 45 CFR § 164.528.
   (h) To the extent Business Associate is to carry out Covered Entity’s obligations under 45 CFR Part 164, Subpart E (“HIPAA Privacy Rule”), comply with the requirements of the HIPAA Privacy Rule that apply to Covered Entity in the performance of such obligations.
   (i) Make Business Associate’s internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary for purposes of determining Covered Entity’s compliance with the HIPAA Rules.
   (j) Provide access to the HIPAA Setting as described in Exhibit A. The Business Associate’s liability for HIPAA compliance applies only where the Covered Entity has enabled the HIPAA Setting.
2. Uses and Disclosures by Business Associate.
   2.1 Permissible Uses and Disclosures. Business Associate may use or disclose protected health information only as follows:
   (a) As necessary to perform the services set forth in the Service Agreement.
   (b) To de-identify protected health information in accordance with 45 CFR § 164.514(a)-(c). Any information that has been de-identified as provided in this subsection shall not be subject to this Agreement and Business Associate shall be entitled to use it for its own purposes.
   (c) As required by law.
   (d) For the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that: (i) any disclosures for these purposes are required by law, or (ii)(a) Business Associate obtains reasonable assurances from the entity to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the entity, and (b) the entity notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
   (e) To provide data aggregation services relating to the health care operations of Covered Entity as defined in 45 CFR § 164.501.
   The Covered Entity is responsible for enabling and maintaining the HIPAA Setting for all workflows involving PHI, as specified in Exhibit A.
   2.2 Impermissible Uses or Disclosures. Business Associate may not use or disclose protected health information in a manner that would violate the HIPAA Privacy Rule if done by Covered Entity, except for the specific uses and disclosures set forth in Section 2.1(d)-(e), above.
   2.3 Minimum Necessary. Business Associate agrees to make uses and disclosures and requests for protected health information consistent with Covered Entity’s minimum necessary policies and procedures as disclosed by Covered Entity to Business Associate in advance.
3. Covered Entity Responsibilities.
   3.1 Representations and Warranties. Covered Entity represents and warrants that, prior to execution of this Agreement and at all times during this Agreement, (i) Covered Entity has obtained or will obtain any consent or authorization required by the HIPAA Rules or other law necessary for Business Associate to perform its duties pursuant to this Agreement; and (ii) Covered Entity has notified Business Associate of:
   (a) Any limitation(s) in Covered Entity’s notice of privacy practices, policies, or agreements, or any order or other limitation imposed on Covered Entity, to the extent that such limitation may affect Business Associate’s use or disclosure of protected health information.
   (b) Any agreement by Covered Entity with an individual concerning the use or disclosure of the individual’s protected health information, to the extent that such agreements may affect Business Associate’s use or disclosure of protected health information.
   (c) Any restriction on the use or disclosure of protected health information to which Covered Entity has agreed or with which Covered Entity is required to abide under 45 CFR § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of protected health information.
   The Covered Entity is solely responsible for enabling and maintaining the HIPAA Setting for workflows involving PHI.
   3.2 Notice of Change by Covered Entity. Covered Entity agrees to immediately notify Business Associate of any non-compliance with the representations and warranties identified in Section 3.1, including any change in the limitations, agreements, or restrictions identified in Section 3.1. Covered Entity understands and agrees that Business Associate entered this Agreement in reliance on Covered Entity’s representations and warranties in Section 3.1, and that any non-compliance or change in limitations, agreements or restrictions may affect Business Associate’s performance under this Agreement and shall entitle Business Associate to immediately terminate this Agreement and/or the Service Agreement at Business Associate’s election. In addition, Covered Entity agrees to cover and/or reimburse any costs incurred by Business Associate that are caused by any changes to the limitations, agreements, or restrictions identified in Section 3.1 occurring after the Effective Date of this Agreement.
   3.3 Requests by Covered Entity. Covered Entity shall not request Business Associate to use or disclose protected health information in any manner that would not be permitted under the HIPAA Privacy Rule if done by Covered Entity.
4. Term and Termination. Unless otherwise agreed in writing by the parties, this Agreement shall be effective as of the date executed by the parties and shall continue until terminated as provided below. The Service Agreement shall terminate concurrently with the termination of this Agreement.
   4.1 Termination. This Agreement may be terminated as follows:
   (a) Either party may terminate this Agreement upon thirty (30) days prior written notice to the other party due to a material breach of this Agreement by the other party. The breaching party shall have the opportunity to cure the breach during the 30-day notice period. If the breaching party fails to cure the breach within the 30-day notice period, the non-breaching party may declare the Agreement terminated by providing written notice at the end of the 30-day period.
   (b) Either party may terminate this Agreement if it determines that the other party has violated any law or regulation and/or that continued performance under this Agreement may subject the terminating party to adverse action by any governmental agency.
   (c) Business Associate may terminate this Agreement pursuant to Section 3.2.
   4.2 Obligations of Business Associate Upon Termination. Upon termination of this Agreement for any reason, Business Associate, with respect to protected health information received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:
   (a) Retain only that protected health information which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities as described in Section 2.1(d).
   (b) If feasible, return or destroy all other protected health information in Business Associate’s control.
   (c) For any protected health information that is retained, continue to extend the protections of this Agreement to such information and limit further uses and disclosures to those purposes permitted by this Agreement.
   4.3 Survival. Business Associate’s obligations under this Section shall survive the termination of this Agreement.
- Regulatory References. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.
- Amendment. The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary to comply with the requirements of the HIPAA Rules and any other applicable law or, if the parties cannot agree on such amendment, to terminate this Agreement upon notice to the other party.
- Governing Law. This Agreement shall be construed to comply with the requirements of the HIPAA Rules, and any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules. All other aspects of this Agreement shall be governed under the laws of the State in which Business Associate maintains its principal place of business.
- Assignment/Subcontracting. This Agreement shall inure to the benefit of and be binding upon the parties and their respective legal representatives, successors and assigns. Business Associate may assign or subcontract rights or obligations under this Agreement to subcontractors or third parties without the express written consent of Covered Entity. Covered Entity may assign its rights and obligations under this Agreement to any successor or affiliated entity.
- Cooperation. The parties agree to cooperate with each other’s efforts to comply with the requirements of the HIPAA Rules and other applicable laws; to assist each other in responding to and mitigating the effects of any breach of protected health information in violation of the HIPAA Rules or this Agreement; and to assist the other party in responding to any investigation, complaint, or action by any government agency or third party relating to the performance of this Agreement.
- Relation to Service Agreement. This Agreement supplements the Service Agreement. The terms and conditions of the Service Agreement shall continue to apply to the extent not inconsistent with this Agreement. If there is a conflict between this Agreement and the Service Agreement, this Agreement shall control.
- No Third Party Beneficiaries. Nothing in this Agreement is intended to nor shall it confer any rights on any other persons except Covered Entity and Business Associate and their respective successors and assigns.
- Entire Agreement. This Agreement contains the entire agreement between the parties as it relates to the use or disclosure of protected health information, and supersedes all prior discussions, negotiations and services relating to the same to the extent such other prior communications are inconsistent with this Agreement.
- Indemnification. If Covered Entity breaches any provision of this Agreement or violates any requirement of the HIPAA Rules applicable to Covered Entity, it shall indemnify, hold harmless and defend Business Associate from and against any and all claims, losses, liabilities, costs and other expenses incurred by the Business Associate as a result of such breach or violation.
- Limitation on Liability. In no event shall Business Associate or any of its directors, officers, agents, parents, affiliates or subsidiaries (collectively “Business Associate”) be liable to Covered Entity or any third party for any special, consequential, incidental, or indirect loss or damages arising out of Business Associate’s acts or omissions relating to this Agreement or the HIPAA Rules, whether or not Business Associate has been advised of the possibility of such loss or damages. In all cases, Business Associate’s aggregate liability under any legal theory, including contract, tort, or other bases, shall not exceed the fees paid by Covered Entity to Business Associate pursuant to the Service Agreement during the six (6) month period prior to the first occurrence upon which liability is based.
COVERED ENTITY BUSINESS ASSOCIATE
Exhibit A
HIPAA Setting
1. Purpose of the HIPAA Setting
1.1. The Business Associate provides a proprietary HIPAA Setting designed to ensure compliance with HIPAA by preventing the storage of PHI on its systems. This configuration ensures PHI is not logged, recorded or stored persistently on disk or in the cloud. PHI may be held temporarily in memory to perform the services and is deleted immediately after processing.
2. Enabling the HIPAA Setting
2.1. The Covered Entity may only transmit or disclose PHI through the Business Associate’s platform if the HIPAA Setting is enabled. By default, the HIPAA Setting is disabled.
2.2. The Covered Entity is solely responsible for enabling the HIPAA Setting when transmitting or processing PHI. The Business Associate will not be held liable for HIPAA compliance if the HIPAA Setting is not enabled.
3. Monitoring and Verification
3.1. Enabling and maintaining the HIPAA Setting is the responsibility of the Covered Entity.
3.2. The Business Associate may assist with verifying that the HIPAA Setting is active upon request but does not assume responsibility for ongoing monitoring.
4. Limitation of Liability
4.1. The Business Associate’s liability for breaches involving PHI is limited to incidents where the HIPAA Setting was properly enabled at the time of the breach.