# Annotate Business Associate Agreement Addendum

Status: healthcare buyer draft for counsel review and signature. Annotate should not be used for production PHI unless this BAA is executed and the customer has approved a PHI-safe implementation plan.

## Permitted Uses and Disclosures

Annotate may use or disclose PHI only to provide the contracted feedback/bug-report service, operate security and reliability controls, perform support requested by the customer, and meet legal obligations. Annotate may not use PHI for advertising or unrelated product analytics.

## Safeguards

- Require privacy-first widget settings for PHI-adjacent deployments: explicit consent, sensitive selectors, and least-diagnostic capture.
- Restrict production support access to authorized personnel.
- Encrypt integration secrets at rest, and encrypt screenshots held in provider-managed object storage.
- Keep audit logs for access-sensitive workflows.
- Maintain backup and restore evidence before PHI is used in production.

## Reporting and Mitigation

Annotate will report discovered unauthorized uses, disclosures, and security incidents to the customer without undue delay and will cooperate on mitigation and accounting obligations.

## Subcontractors

Subcontractors that create, receive, maintain, or transmit PHI must agree to substantially similar restrictions and safeguards before PHI is used in production.

## Termination

At termination, Annotate will return or destroy PHI where feasible and retain only data required by law or temporary backup-retention constraints.

References: HHS sample BAA provisions and required contract elements, https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions
