Dual Compliance BAA & Privacy Agreement
This Dual Compliance BAA & Privacy Agreement (“Agreement”) is entered into by and between the party accepting these terms (“Covered Entity” or “Health Information Custodian”), which may be a healthcare provider or an organization subject to the U.S. Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and/or Canadian privacy legislation, including the Personal Health Information Protection Act (Ontario) (“PHIPA”) and the Personal Information Protection and Electronic Documents Act (“PIPEDA”), and Awake Technologies Inc., located at 66 West Flagler Street, Miami, Florida 33130, USA (“Business Associate” or “Service Provider”).
1. Purpose and Scope.
This Agreement governs the handling of Protected Health Information (“PHI”) by the Business Associate/Service Provider in the course of providing services to the Covered Entity/Health Information Custodian. It is designed to satisfy the requirements of both HIPAA (including the Privacy Rule, Security Rule, and Breach Notification Rule) and Canadian privacy laws (PHIPA, PIPEDA, or applicable provincial legislation). Any reference to PHI in this Agreement includes individually identifiable health information under HIPAA and personal health information under Canadian law.
2. Definitions.
Business Associate / Service Provider: An entity that creates, receives, maintains, or transmits PHI on behalf of the Covered Entity/Health Information Custodian. Under Canadian law, sometimes referred to as an “agent” or “processor.”
Covered Entity / Health Information Custodian: A healthcare provider or organization covered by HIPAA or Canadian privacy law that has lawful custody or control of PHI.
PHI (Protected Health Information): Individually identifiable health information as defined under HIPAA or Canadian privacy legislation, including PHIPA/PIPEDA.
All other capitalized terms have the meanings ascribed to them under the relevant U.S. and Canadian statutes and regulations.
3. Permitted Uses and Disclosures.
Scope: Business Associate/Service Provider shall use and disclose PHI only to the minimum extent necessary to provide services to the Covered Entity/Health Information Custodian or as otherwise required by law.
Management and Administration: Business Associate/Service Provider may use PHI for its own proper management and administration, or to carry out its legal responsibilities, only if such uses/disclosures are permissible under both U.S. and Canadian law.
Restrictions: Business Associate/Service Provider shall not use or disclose PHI in a manner that would violate HIPAA or Canadian law if done by the Covered Entity/Health Information Custodian.
4. Safeguards and Security Measures.
Business Associate/Service Provider agrees to implement appropriate administrative, technical, and physical safeguards to protect PHI from unauthorized access, use, or disclosure, including but not limited to:
Compliance with the HIPAA Security Rule and any equivalent or stricter Canadian requirements;
Encryption of PHI at rest and in transit, where feasible;
Access controls to ensure only authorized personnel handle PHI;
Policies and procedures that address secure storage, transmission, and disposal of PHI.
5. Subcontractors and Third Parties.
Business Associate/Service Provider shall:
Flow-Down Requirements: Ensure that any agent or subcontractor that creates, receives, maintains, or transmits PHI on its behalf agrees in writing to be bound by terms that are at least as protective as those in this Agreement.
List of Subprocessors: Maintain a list of all subcontractors/third parties with access to PHI and provide this list to the Covered Entity/Health Information Custodian upon request.
Liability: Remain fully responsible for the acts and omissions of its subcontractors/third parties.
6. Individual Rights and Access.
To the extent required by law, Business Associate/Service Provider shall:
Access: Make PHI available to the Covered Entity/Health Information Custodian within 30 days of a request so they can meet obligations under HIPAA or Canadian law to provide individuals access to their records.
Amendments: Accommodate any amendments or corrections to PHI as directed by the Covered Entity/Health Information Custodian within 30 days.
Accounting of Disclosures: Maintain records of disclosures and provide them upon request so the Covered Entity/Health Information Custodian can fulfill accounting obligations under both HIPAA and Canadian law.
7. Breach Notification.
Business Associate/Service Provider shall:
Notice Timing: Notify the Covered Entity/Health Information Custodian of any breach, unauthorized use, or disclosure of PHI without unreasonable delay and no later than 10 calendar days after discovery.
Content of Notice: Include in the notification, to the extent available:
A brief description of the incident;
The types of PHI involved;
The number or approximate number of affected individuals;
Steps taken to mitigate harm and prevent further breaches.
Regulatory Obligations: Cooperate with the Covered Entity/Health Information Custodian to fulfill any breach notification requirements under HIPAA and applicable Canadian laws (e.g., notifying privacy commissioners and impacted individuals).
8. Term and Termination.
Effective Date: This Agreement is effective upon acceptance by the Covered Entity/Health Information Custodian.
Termination for Breach: The Covered Entity/Health Information Custodian may terminate this Agreement immediately upon discovering a material breach by the Business Associate/Service Provider.
Return or Destruction of PHI: Upon termination, Business Associate/Service Provider shall return or securely destroy all PHI within 30 days if feasible. If return or destruction is not feasible, protections under this Agreement shall survive termination.
9. Data Residency and Cross-Border Transfer.
Location of Processing: The Covered Entity/Health Information Custodian acknowledges that PHI may be processed or stored in the United States or other jurisdictions.
Consent and Safeguards: Where Canadian law requires it, the Covered Entity/Health Information Custodian provides express consent to cross-border transfers, and the Business Associate/Service Provider ensures safeguards equivalent to Canadian requirements.
Notification: Business Associate/Service Provider shall promptly notify the Covered Entity/Health Information Custodian of any changes in data residency or additional cross-border processors.
10. Governing Law.
U.S. Covered Entities: For obligations under HIPAA, this Agreement is governed by the laws of the State of Florida and applicable federal law.
Canadian Covered Entities: For obligations under PHIPA, PIPEDA, or similar provincial laws, this Agreement is governed by the laws of the Province of Ontario and the laws of Canada applicable therein, unless otherwise specified.
Conflict of Laws: If a conflict arises between HIPAA and Canadian law, the parties agree to comply with the requirement that provides the higher level of protection for PHI.
11. Authority and Acceptance.
By accepting this Agreement, the individual signing on behalf of the Covered Entity/Health Information Custodian represents and warrants that they have the authority to legally bind their organization. The same applies to the person signing on behalf of the Business Associate/Service Provider.
IN WITNESS WHEREOF, the parties agree to the terms of this Dual Compliance BAA & Privacy Agreement as of the effective date of acceptance.