🔒 HIPAA Compliant

Business Associate Agreement

Effective upon acceptance during onboarding. Last updated: March 2026.

Parties

This Business Associate Agreement ("Agreement") is entered into as of the date accepted by the Covered Entity ("Effective Date"), between iamclara.ai ("Business Associate") and the enrolling dental practice ("Covered Entity"), a HIPAA-covered entity.

1. Definitions

Terms used but not defined in this Agreement have the meanings given in HIPAA (45 C.F.R. Parts 160 and 164).

"PHI" means Protected Health Information as defined under HIPAA.

"Services" means the AI dental receptionist and related services provided by Business Associate to Covered Entity under a separately executed service agreement.

2. Obligations of Business Associate

2.1 Use Limitations. Use or disclose PHI only as permitted by this Agreement or required by law — and only to the minimum extent necessary.

2.2 Safeguards. Implement appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI, consistent with 45 C.F.R. § 164.308, 164.310, and 164.312. Specific measures include: AES-256 encryption at rest, TLS 1.2+ in transit, row-level security on all database tables, TOTP multi-factor authentication for staff access, automatic purge of call recordings after 90 days and stale PHI after configurable retention windows.

2.3 Subcontractors. Ensure that any subcontractor that creates, receives, maintains, or transmits PHI on Business Associate's behalf agrees to the same restrictions and conditions applicable to Business Associate under this Agreement. Current subprocessors with PHI access: Amazon Web Services (RDS/S3, BAA in place).

2.4 Breach Notification. Report to Covered Entity any Breach of Unsecured PHI without unreasonable delay and in no case later than 60 calendar days after discovery, and any Security Incident of which Business Associate becomes aware.

2.5 Access and Amendment. To the extent Business Associate holds a Designated Record Set, make PHI available to Covered Entity or individuals as required by 45 C.F.R. § 164.524 and § 164.526.

2.6 Accounting. Maintain and provide an accounting of disclosures of PHI as required by 45 C.F.R. § 164.528.

2.7 Government Access. Make its internal practices, books, and records relating to PHI available to the Secretary of HHS for determining compliance.

2.8 Return or Destruction. Upon termination, return or destroy all PHI received from, or created or received on behalf of, Covered Entity within 30 days.

3. Permitted Uses and Disclosures

Business Associate may use and disclose PHI as necessary to perform the Services on behalf of Covered Entity, for proper management and administration of Business Associate, and to de-identify PHI in accordance with 45 C.F.R. § 164.514(b). Business Associate will not use PHI for marketing, model training, or any purpose beyond direct service delivery.

4. Obligations of Covered Entity

Covered Entity agrees to: (a) notify Business Associate of any restriction on the use or disclosure of PHI it has agreed to with an individual, to the extent it may affect Business Associate's permitted uses; (b) not request Business Associate to use or disclose PHI in any manner that would violate HIPAA; (c) obtain any consents or authorizations required prior to furnishing PHI to Business Associate.

5. PHI Data Elements

The following PHI may be received or processed by Business Associate in connection with the Services:

• Patient first & last name — caller identification, scheduling (retained for duration of service agreement)
• Phone number — callback coordination (retained for duration of service agreement)
• Date of birth — patient matching in practice management system when integrated (retained for duration)
• Reason for call — routing and lead scoring (retained for duration)
• Call recordings (when enabled) — quality assurance and transcription (deleted after 90 days)
• Appointment details — scheduling confirmation (retained for duration)

Business Associate does NOT collect: SSN, insurance member IDs, payment card data, clinical notes, or radiographic data.

6. Term and Termination

This Agreement is effective upon acceptance and remains in effect until terminated. Either party may terminate upon 30 days written notice for material breach that is not cured within the notice period. Covered Entity may terminate immediately if Business Associate has breached a material term and cure is not possible. Upon termination, Business Associate will return or destroy all PHI within 30 days.

7. Miscellaneous

This Agreement shall be interpreted as broadly as necessary to implement and comply with HIPAA. Any ambiguity shall be resolved in favor of the meaning that best complies with HIPAA. Business Associate will amend this Agreement as necessary to remain in compliance with applicable law — continued use of the Services constitutes acceptance. This Agreement is governed by the laws of the State of Maryland and applicable federal law.


By completing the onboarding form, you acknowledge and accept this Business Associate Agreement on behalf of your practice.


Questions about HIPAA compliance or this agreement? Contact us at hello@iamclara.ai