Legal · Template v1.0

Business Associate Agreement

This is MyVaultMate's standard HIPAA Business Associate Agreement (BAA), published for review. An executed BAA is available for covered entities — contact sales to put one in place for your organization.

Notice: This page is a template provided for informational purposes and does not constitute legal advice, nor a binding agreement until signed by both parties. Have your counsel review it before execution.

This Business Associate Agreement (the “Agreement”) is entered into by and between the customer organization (“Covered Entity”) and CMTechSoftware LLC, doing business as MyVaultMate, located in Reno-Sparks, Nevada (“Business Associate”), effective as of the date of execution. It supplements and is incorporated into the parties’ agreement for the MyVaultMate service (the “Service”).

1. Definitions

Capitalized terms used but not defined herein have the meanings given in the HIPAA Rules — the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160 and 164, as amended (including by the HITECH Act). “PHI” means Protected Health Information, and “ePHI” electronic PHI, created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.

2. Scope & data minimization

The Service is architected to minimize PHI: by default MyVaultMate stores only metadata about findings (data type, severity, file location, compliance frameworks, and at most a short redacted sample) and does not store raw PHI values. This Agreement nonetheless governs any PHI that Business Associate creates, receives, maintains, or transmits for Covered Entity.

3. Permitted uses and disclosures

Business Associate may use or disclose PHI only: (a) as necessary to perform the Service; (b) as Required by Law; and (c) for the proper management and administration of Business Associate or to carry out its legal responsibilities, provided that disclosures are Required by Law or made with reasonable assurances of confidentiality and breach notification. Business Associate will not use or disclose PHI in a manner that would violate the HIPAA Rules if done by Covered Entity.

4. Safeguards

Business Associate will implement administrative, physical, and technical safeguards (including those required by the Security Rule with respect to ePHI) that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI, and will limit uses and disclosures to the minimum necessary.

5. Reporting & breach notification

Business Associate will report to Covered Entity any use or disclosure of PHI not permitted by this Agreement, any Security Incident, and any Breach of Unsecured PHI, without unreasonable delay and no later than thirty (30) calendar days after discovery, together with the information reasonably available to enable Covered Entity to meet its notification obligations.

6. Subcontractors

Business Associate will ensure that any subcontractor that creates, receives, maintains, or transmits PHI on its behalf agrees in writing to restrictions and conditions at least as protective as those that apply to Business Associate under this Agreement.

7. Individual rights

To the extent Business Associate maintains PHI in a Designated Record Set, it will: (a) make such PHI available to enable Covered Entity to meet access obligations under 45 CFR 164.524; (b) make amendments as directed under 45 CFR 164.526; and (c) maintain and make available the information required for an accounting of disclosures under 45 CFR 164.528.

8. Availability to the Secretary

Business Associate will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services for purposes of determining Covered Entity’s compliance with the HIPAA Rules.

9. Term and termination

This Agreement is effective on execution and continues until all PHI is returned or destroyed, or protections are extended as below. Covered Entity may terminate the underlying Service agreement if Business Associate materially breaches this Agreement and fails to cure within a reasonable period after written notice.

10. Return or destruction of PHI

Upon termination, Business Associate will, if feasible, return or destroy all PHI it maintains for Covered Entity and retain no copies. Where return or destruction is infeasible, Business Associate will extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.

11. Miscellaneous

This Agreement will be interpreted to permit compliance with the HIPAA Rules; in the event of a conflict, the HIPAA Rules control. There are no third-party beneficiaries. This Agreement is governed by the laws of the State of Nevada, without regard to conflict-of-laws principles. Amendments must be in writing and signed by both parties.

12. Signatures

Executed by the duly authorized representatives of the parties as of the dates written below.

Covered Entity — signature / date

CMTechSoftware LLC (MyVaultMate) — signature / date

MyVaultMate standard BAA · Template v1.0 · © 2026 CMTechSoftware LLC.