Business Associate & Data Processing Agreement

Effective date: April 13, 2026

This agreement is included with every paid Vochella subscription. It governs how Vochella Technologies Inc. protects health information on your behalf under HIPAA (United States), PHIPA (Ontario), and PIPEDA (Canada).

1. Parties and Scope

This Business Associate and Data Processing Agreement ("Agreement") is entered into between:

  • Covered Entity / Health Information Custodian ("You"): The licensed Speech-Language Pathologist, clinic, or organization that subscribes to the Service and is responsible for the collection and custody of patient health information.
  • Business Associate / Agent ("Vochella"): Vochella Technologies Inc., a corporation incorporated under the laws of Canada, operating the Vochella platform.

This Agreement supplements the Terms of Service and Privacy Policy. In the event of a conflict between this Agreement and the Terms of Service regarding the handling of Protected Health Information, this Agreement prevails.

2. Definitions

  • "PHI" (Protected Health Information) means individually identifiable health information as defined under HIPAA (45 C.F.R. § 160.103), personal health information under PHIPA (s. 4), and personal information relating to health under PIPEDA.
  • "Breach" means the unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of such information, as defined under HIPAA, PHIPA, and PIPEDA respectively.
  • "Service" means the Vochella platform, including the mobile application, web application, and associated edge functions and APIs.
  • "Sub-processor" means a third party engaged by Vochella to process PHI on behalf of the Covered Entity.
  • "Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI, or interference with system operations in a system that contains PHI.

3. Jurisdictional Application

This Agreement applies the following frameworks based on your jurisdiction:

  Your Location        | Governing Law                          | Vochella's Role
  United States        | HIPAA / HITECH Act                     | Business Associate
  Ontario, Canada      | PHIPA                                  | Agent of Health Information Custodian
  Rest of Canada       | PIPEDA (and applicable provincial law) | Service Provider / Processor

Where you operate across multiple jurisdictions, all applicable frameworks apply concurrently, and Vochella will comply with the most protective standard in case of conflict.

4. Permitted Uses and Disclosures

Vochella may use and disclose PHI only as follows:

  • To provide, maintain, and support the Service as described in the Terms of Service
  • To generate AI-assisted clinical documentation (SOAP note drafts, session summaries, progress reports) by processing clinical data through sub-processors under BAA, applying the minimum necessary standard and stripping direct identifiers where technically feasible
  • To comply with legal obligations, respond to lawful requests, or as otherwise required by applicable law
  • As directed by You in writing

Vochella will not:

  • Use or disclose PHI for any purpose other than as permitted by this Agreement or as required by law
  • Sell PHI or use PHI for marketing purposes
  • Use identifiable PHI to train machine learning models, develop new products, or for any purpose beyond providing the Service to You
  • De-identify PHI for Vochella's own commercial purposes without Your separate, written authorization

5. Safeguards

Vochella implements and maintains the following administrative, physical, and technical safeguards:

  • Encryption: All PHI is encrypted in transit (TLS 1.3) and at rest (AES-256).
  • Access control: Row-level security (RLS) policies enforce that users access only their own data at the database level. Role-based access control limits functionality by user type (clinician, client, admin).
  • Authentication: Secure session tokens with automatic expiration and refresh. Support for multi-factor authentication.
  • Audit logging: Access to sensitive data (receipts, progress reports, PHI exports) is logged before data is returned.
  • Infrastructure: The Service runs on Supabase (SOC 2 Type II certified, ISO 27001) for database, authentication, storage, and edge functions.
  • Secrets management: API keys and credentials are held server-side and accessed only by edge functions; they are never embedded in client-side code.
  • Signed URLs: Access to PHI files (videos, audio recordings, documents) requires time-limited signed URLs that expire one hour after issuance.
  • Minimum necessary: Vochella applies the minimum necessary standard to all uses and disclosures of PHI. Queries fetch only the fields required for the specific function.

6. Sub-processors

Vochella engages the following sub-processors to provide the Service. Each sub-processor is bound by a BAA or equivalent data processing agreement:

  Provider | Function                               | Data Processed                                           | BAA
  Supabase | Database, auth, storage, edge functions | All PHI                                                  | Yes
  OpenAI   | AI documentation features               | Clinical data (direct identifiers stripped where feasible) | Yes
  Stripe   | Payment processing                      | Payment data only (generic descriptions, no diagnosis)   | Yes

Vochella will notify You before engaging any new sub-processor that processes PHI. You may object to a new sub-processor by notifying us within 30 days; if the objection cannot be resolved, You may terminate the Service.

7. Breach Notification

Upon discovering a Breach or Security Incident involving PHI, Vochella will:

  • Investigate and contain the incident as quickly as possible
  • Notify You without unreasonable delay and in no event later than thirty (30) calendar days after discovery of the Breach
  • Provide a description of the incident, the types of PHI involved, the individuals likely affected, the steps Vochella is taking to mitigate harm, and recommended actions You can take
  • Cooperate with You in fulfilling Your notification obligations to affected individuals and regulatory authorities, including the U.S. Department of Health and Human Services (HIPAA), the Information and Privacy Commissioner of Ontario (PHIPA), and the Office of the Privacy Commissioner of Canada (PIPEDA)
  • Maintain a record of all Breaches and Security Incidents and provide this record to You upon request

Vochella's notification obligation applies to confirmed Breaches involving PHI. Unsuccessful Security Incidents that do not result in unauthorized access (e.g., failed login attempts, port scans) are logged and monitored by Vochella, but individual notice is not required for them.

8. Your Obligations

As the Covered Entity or Health Information Custodian, You agree to:

  • Obtain all necessary consents from clients, patients, or their guardians before entering their PHI into the Service
  • Use the Service in compliance with HIPAA, PHIPA, PIPEDA, and all other applicable privacy laws
  • Not request that Vochella use or disclose PHI in a manner that would violate applicable law
  • Notify Vochella promptly of any restrictions on the use or disclosure of PHI that You have agreed to with a patient, to the extent such restrictions affect Vochella's obligations
  • Maintain appropriate credential security (including safeguarding passwords and multi-factor authentication devices) and notify Vochella immediately of any unauthorized access to Your account

9. Individual Rights

Vochella will cooperate with You to fulfill individual rights requests, including:

  • Access: Vochella will make PHI available to You for inspection and provide copies as needed to fulfill access requests from individuals.
  • Amendment: Vochella will incorporate amendments to PHI in the Service as directed by You.
  • Accounting of disclosures: Vochella will maintain audit logs sufficient to provide an accounting of disclosures as required under HIPAA (45 C.F.R. § 164.528).
  • Data portability: You may export Your complete data set (client records, session notes, progress data, attachments) in standard formats at any time through the Service.

10. Term and Termination

This Agreement is effective upon Your first use of the Service under a paid subscription and remains in effect for as long as Vochella processes PHI on Your behalf.

Upon termination of the Service or this Agreement:

  • Vochella will provide You a reasonable period (at least 30 days) to export Your data
  • After the export period, Vochella will return or destroy all PHI in its possession, except where retention is required by applicable law or for legal compliance purposes
  • Where return or destruction is not feasible (e.g., data in encrypted backups), Vochella will extend the protections of this Agreement to any retained PHI and limit further use or disclosure to the purposes that make return or destruction infeasible

Material breach: Either party may terminate this Agreement upon 30 days' written notice if the other party materially breaches this Agreement and fails to cure the breach within that period. In the case of a breach by Vochella that cannot reasonably be cured, You may terminate immediately.

11. Audit Rights

Upon reasonable written request (no more than once per calendar year, except in the case of a Breach), You may request that Vochella provide documentation or a written summary of its security practices, safeguards, and compliance measures relevant to this Agreement. Vochella will respond within 30 days. If a regulatory authority requires direct access to Vochella's records or facilities in connection with PHI You have entrusted to the Service, Vochella will cooperate with such review to the extent required by law.

12. Liability

The limitation of liability provisions in the Terms of Service apply to this Agreement, except that neither party excludes or limits liability for breaches of this Agreement that result from gross negligence or willful misconduct in the handling of PHI.

13. Amendments

Vochella may update this Agreement from time to time to reflect changes in applicable law, sub-processors, or security practices. We will notify You of material changes at least 30 days before they take effect via email or in-app notification. Your continued use of the Service after the effective date of an amendment constitutes acceptance. If You do not agree, You may terminate the Service.

14. Governing Law

This Agreement is governed by the laws of the Province of Ontario and the federal laws of Canada applicable therein, except to the extent preempted by HIPAA or other applicable U.S. federal law for Covered Entities located in the United States.

15. Contact

For questions about this Agreement, to request execution of a signed copy, or to report a Security Incident:

Vochella Technologies Inc.

Email: hello@vochella.com

Include "BAA Request" in the subject line for execution requests. Include "Security Incident" for breach reports.