Legal · v1.0

Business Associate Agreement.

For partners under HIPAA — employer benefits programs, healthcare nonprofits, patient advocates — who refer or route members to Audra. Individual consumers don't need to sign this; HIPAA does not require it for direct-to-consumer use.
1. Definitions

All capitalized terms not otherwise defined have the meanings ascribed to them in the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations at 45 C.F.R. Parts 160 and 164 (collectively, “HIPAA”), as amended.

  • “Business Associate” means YK Holdings LLC, a Virginia limited liability company doing business as “Audra.”
  • “Covered Entity” means the entity entering into this Agreement with Audra (YK Holdings LLC, the Business Associate).
  • “PHI” means Protected Health Information transmitted to or created or received by Audra from or on behalf of Covered Entity in connection with the Services.
  • “Services” means the medical-bill audit, appeal-letter generation, and related software services Audra provides to Covered Entity's members or patients.

2. Permitted Uses and Disclosures

Audra may use or disclose PHI only to perform the Services described in the underlying agreement with Covered Entity, or as Required By Law. Audra will not use or disclose PHI in any manner that would violate HIPAA if done by Covered Entity, except where expressly permitted by 45 C.F.R. § 164.504(e).

3. Safeguards

Audra will implement and maintain administrative, physical, and technical safeguards designed to prevent the unauthorized use or disclosure of PHI, including:

  • AES-256 encryption at rest for every bill upload, with per-record envelope encryption keys.
  • TLS 1.2+ for all data in transit.
  • Role-based access control with least-privilege defaults; production database access logged.
  • Quarterly third-party security review (or annual penetration test, whichever applies).
  • Daily encrypted backups retained for 30 days with integrity-verification canaries (see Section 7).

4. Breach Notification

Audra will notify Covered Entity in writing within forty-eight (48) hours of discovering any Breach of Unsecured PHI. Notice will include, to the extent known: a description of the Breach, the date discovered, the types of PHI involved, the steps Audra is taking to investigate and mitigate, and a designated contact for further coordination.

5. Subcontractors

Audra will not disclose PHI to any subcontractor that has not first entered into a written agreement imposing materially the same protections required by this BAA. Audra's current production subcontractors include:

  • Supabase, Inc. (database, authentication, storage)
  • Vercel, Inc. (application hosting + edge CDN)
  • Amazon Web Services, Inc. (Textract OCR for bill images)
  • Anthropic, PBC (large-language-model inference for audit analysis)
  • Stripe, Inc. (payment processing — billing data only, no PHI)
  • Resend, Inc. (transactional email)

Audra maintains current BAAs with each subcontractor that processes PHI on its behalf where required by HIPAA.

6. Access, Amendment, and Accounting

Audra will, within fifteen (15) business days of a written request, make PHI available to Covered Entity for access, amendment, or accounting of disclosures as required by 45 C.F.R. §§ 164.524, 164.526, and 164.528, respectively.

7. Audit Trail and Records

Audra maintains an immutable audit log of every access to PHI within the application, retained for a minimum of six (6) years. Covered Entity may request an excerpt covering its members' PHI at any time on fourteen (14) days' notice.

8. Termination

Upon termination of the underlying agreement for any reason, Audra will return or destroy all PHI within sixty (60) days, except where return or destruction is infeasible (in which case Audra will extend the protections of this BAA to such PHI and limit further uses to those that make return or destruction infeasible).

9. Miscellaneous

This BAA may be amended only by a written instrument signed by both parties. The terms here will be interpreted in a manner consistent with the requirements of HIPAA. Headings are for convenience only.

Effective date: 2026-05-25. Version: v1.0. This template is provided for partner review; the countersigned version supplied by Audra controls in case of conflict.