Codent AI

Business Associate Agreement

Last updated: October 12, 2025


BUSINESS ASSOCIATE AGREEMENT UNDER HIPAA AND APPLICABLE FOREIGN LAWS. This Section 1 applies to the extent that (a) Client is a “Covered Entity” as defined in 45 CFR §160.103 (for the purposes of this Addendum, “Covered Entity” includes “health information custodians”, “trustees”, and any other similar term under local applicable legislation); (b) Codent AI is, with respect to Client, a “Business Associate” as defined in 45 CFR §160.103 (for the purposes of this Policy, “Business Associate” includes “agents”, “affiliates”, “information managers”, and any other similar term under local applicable legislation); and (c) Codent AI receives PHI (as defined below) from Client. The parties acknowledge that in carrying out obligations under the Software License Agreement, Codent AI, and its subcontractors, employees, affiliates, agents, or representatives may have reason to collect, access, use, create, maintain, disclose or transmit PHI for or on behalf of Client. Certain PHI may be transmitted by or maintained in electronic media as Electronic PHI (as defined below). The parties agree to comply with any applicable federal, state, provincial and territorial law governing the privacy and security of the PHI and Electronic PHI including, without limitation, HIPAA and the HITECH Act (as defined below), as well as any other similar applicable legislation, in accordance with the Software License Agreement and this Addendum (the “Addendum”).


DEFINITIONS. Capitalized terms used, but not otherwise defined, in this Addendum shall have the same meaning as those terms in the Services Agreement or applicable regulation.


“Breach”, as it relates to information, has the same meaning as the term “breach” in Section 13400 of the HITECH Act, namely the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, and any other similar term under local applicable legislation.


“Designated Record Set” has the same meaning as the term “designated record set” in 45 CFR §164.501, namely a group of records maintained by or for a Covered Entity that is either i) medical records and billing records about individuals maintained by or for a health care provider, ii) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan or iii) used, in whole or in part, by or for the Covered Entity to make decisions about individuals, and any other similar term under local applicable legislation.


“Electronic PHI” has the same meaning as the term “electronic protected health information” in 45 CFR §160.103, and any other similar term under local applicable legislation, limited to the information created or received by Codent AI from or on behalf of Client.


“HIPAA” means the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”), and the regulations promulgated thereunder, as each may be amended from time to time.


“individual” has the same meaning as the term “individual” in 45 CFR §160.103, namely a person who is the subject of protected health information, and shall include a person who qualifies as a personal representative in accordance with 45 CFR §164.502(g) and any similar term under local applicable legislation.


“Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E, and any other similar term, standards and rules under local applicable legislation.


“PHI” has the same meaning as the term “protected health information” in 45 CFR §160.103, and any other similar term under local applicable legislation, limited to the information created or received by Codent AI from or on behalf of Client.


“Secretary” means the Secretary of the Department of Health and Human Services or his designee, and any other similar term, individual or regulator under local applicable legislation.


“Security Rule” means the Security Standards at 45 CFR Part 160 and Part 164, and any other similar term, standards and rules under local applicable legislation.


“Unsecured PHI” has the same meaning as the term “unsecured protected health information” in Section 13402(h) of the HITECH Act, namely PHI that is not secured through the use of a technology or methodology specified by the Secretary.



1.1 Obligations and Activities of Business Associate. As a Business Associate, Codent AI shall have the following obligations:

(a) Codent AI agrees to not use or disclose PHI other than as permitted or required by the Services Agreement or as Required by Law. Except as otherwise limited in the Services Agreement, Codent AI may use or disclose PHI to perform functions, activities, or services for, or on behalf of Client as specified in Software License Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Client or the minimum necessary policies and procedures of Client of which Codent AI has been informed.

(b) Codent AI agrees to use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by Services Agreement, including the implementation of administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Electronic PHI as required by the Security Rule.

(c) Codent AI agrees to mitigate, to the extent practicable, any harmful effect that is known to Codent AI of a use or disclosure of PHI by Codent AI in violation of the requirements of HIPAA or any other similar local applicable legislation.

(d) Codent AI agrees to report to Client any use or disclosure of the PHI that it becomes aware of that is not permitted by this Business Associate Agreement or any Breach or other type of security incident. Further, Codent AI agrees to notify Client of any Breach of Unsecured PHI of which it becomes aware and otherwise comply with the notification requirements set forth in Section 45 CFR § 164.410 (or in any other similar local applicable legislation). Notwithstanding anything herein to the contrary, notice is hereby deemed provided, and no further notice will be given, with respect to ongoing unsuccessful attempts at unauthorized access to PHI that are trivial such as pings and other broadcast attacks on firewalls, denial of service attacks, failed login attempts, and port scans, unless such notice is required under local applicable legislation.

(e) Codent AI agrees to ensure that any subcontractor to whom Codent AI assigns or delegates its rights or obligations under this Addendum or the Services Agreement has agreed in writing to the same restrictions and conditions as Codent AI with respect to PHI.

(f) Codent AI agrees to make its internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by Codent AI on behalf of Client available to the Secretary, at a reasonable time designated by the Secretary, for purposes of the Secretary determining Client’s compliance with the Privacy Rule.

(g) Codent AI agrees to document such disclosures of PHI and information related to such disclosures as would be required for Client to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR §164.528 and any local applicable legislation.

(h) Codent AI agrees to provide to Client or an Individual, within the time periods and in the manner provided for under local applicable law (or, in the absence of such requirements in time and manner agreed by the parties), information collected in accordance with Section 1(g) of this Addendum, to permit Client to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR §164.528 and any other similar local applicable legislation.

(i) Codent AI agrees not to exchange any PHI of an Individual for remuneration except where Codent AI has obtained a valid authorization from the individual or as otherwise permitted under Section 13405(d) of the HITECH Act or applicable local law.

(j) To the extent Codent AI agrees in the Services Agreement to maintain any PHI in a Designated Record Set that is not duplicative of a Designated Record Set maintained by Client, Codent AI agrees to make such information available to Client pursuant to 45 CFR § 164.524 and any other similar local applicable legislation, in time and manner agreed by the parties.

Subject to applicable law, if, in the performance of its obligations set forth in Sections 1(f) through 1(j) above, Codent AI expends time and materials, Codent AI will provide Client with an estimate of the fee for such time and materials.

Following agreement by the parties as to such fees, Codent AI will invoice Client, and Client shall pay Codent AI such fees.


Except as otherwise limited in the Software License Agreement, and to the extent permitted by applicable law, Codent AI may use or disclose PHI for the proper management and administration of the Services or to carry out Codent AI’s legal obligations, provided the disclosures are required by law, or Codent AI obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies Codent AI of any instances of which it is aware in which the confidentiality of the information has been breached.


To the extent permitted under applicable law, Codent AI may use PHI to de-identify such PHI so that such information is not individually identifiable information as provided in 45 C.F.R. § 164.514, as amended. The parties agree that such de-identified information is not PHI and not subject to this Addendum, unless locally applicable law specifies otherwise.


Codent AI may use PHI to provide data aggregation services to Client if such services are required under the Services Agreement.


To the extent permitted by applicable law, Codent AI may seek a valid authorization from an Individual for the disclosure of their PHI disclosed or accessed by Codent AI pursuant to this Addendum and the Software License Agreement for Codent AI's business purposes.



1.2 Obligations of Covered Entity. Client shall have the following obligations:

  1. Client shall use the encryption features in the Services to encrypt any and all PHI that is provided to Codent AI. In addition to the indemnification obligations set forth in the Software License Agreement, Client shall defend and indemnify Codent AI from and against any damages and costs arising from or relating to the failure of Client to encrypt the PHI.

  2. To the extent permitted under applicable law, Client shall notify Codent AI of any limitation(s) in its notice of privacy practices of Client in accordance with 45 CFR §164.520 and local applicable law, to the extent that such limitation may affect Codent AI’s use or disclosure of PHI.

  3. Client shall notify Codent AI of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Codent AI’s use or disclosure of PHI in providing the Services.

  4. To the extent permitted under applicable law, Client shall notify Codent AI of any restriction to the use or disclosure of PHI that Client has agreed to in accordance with 45 CFR §164.522 or local applicable law, to the extent that such restriction may affect Codent AI’s use or disclosure of PHI in providing the Services.

  5. Client shall not request Codent AI to use or disclose PHI in any manner that would not be permissible under HIPAA or local applicable law if done by Client. Client shall permit Codent AI to seek a valid authorization for the disclosure of PHI for Codent AI's business purposes from Individuals whose PHI is accessed by or disclosed to Codent AI pursuant to this Addendum and the Services Agreement.

  6. Client represents and warrants that: (a) it has the right and authority to provide PHI to Codent AI for Codent AI to perform its obligations and provide the Services to Client, (b) that Codent AI’s collection, storage, use and disclosure of any PHI in providing the Services to Client is permitted under Client’s privacy policy that Client maintains with its Patient and under applicable law, and (c) Client has obtained all consents from Individuals as required by applicable laws to permit the above collections, storage, uses and disclosures.



1.3 Term and Termination

a. Term. The term of this Addendum shall be effective as of the Effective Date and shall terminate when all of the PHI provided by Client to Codent AI, or created or received by Codent AI on behalf of Client, is destroyed or returned to Client, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this Section and in any local applicable legislation.

b. Termination for Cause. In addition to any termination rights set forth in the Software License Agreement and the Terms and Conditions, if Codent AI materially breaches the Business Associate Terms, Client may terminate the Services if Codent AI fails to cure such breach within thirty (30) days after receiving written notice of such breach or immediately terminate the Services if cure is not possible.

c. Effect of Termination.

  (i) Except as provided in Section 1.3(c)(ii) below, upon termination of this Addendum, for any reason, Codent AI shall return or destroy all PHI received from Client, or created or received by Codent AI on behalf of Client in accordance with the terms of the Software License Agreement. This provision shall also apply to PHI that is in the possession of subcontractors or agents of Codent AI. Codent AI shall retain no copies of the PHI.

  (ii) In the event that Codent AI determines that returning or destroying the PHI is infeasible, Codent AI shall provide to Client notification of the conditions that make return or destruction infeasible. If the return or destruction of PHI is infeasible, Codent AI shall extend the protections of this Addendum to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Codent AI maintains such PHI.



d. Termination Upon Change in Law. If the Secretary provides guidance, clarification or interpretation of HIPAA or the HITECH Act or any local applicable legislation or there is a change in HIPAA or the HITECH Act or any local applicable legislation such that the service relationship between Codent AI and Client is not considered a Business Associate relationship as defined in HIPAA or any similar local applicable legislation, this Addendum shall terminate and be null and void.


1.4. Miscellaneous

Regulatory References. A reference in this Agreement to a section in a regulation means the section as in effect or as amended.

The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Client to comply with the requirements of HIPAA or of any other local applicable legislation.

In the event of a conflict between the terms of this Business Associate Agreement Terms Addendum (the “BAA” or the “Addendum”) or any other agreement or understanding between the parties and this Addendum, this BAA shall control.

The respective rights and obligations of Codent AI under this Addendum shall survive the termination of this Agreement.

Any ambiguity in this Addendum shall be resolved to permit Client to comply with HIPAA or other local applicable legislation.



Codent is your AI Treatment Coordinator. Personalized follow-ups that feel like you wrote them, boosting case acceptance by ~20% with zero extra staff.

Support

hello@codent.ai

© 2025 Codent Inc. All rights reserved.
