HIPAA ⚕ Medical & Dental
Business Associate Agreement
Version 2026-03 · Effective March 1, 2026
1. Parties
This Business Associate Agreement ("BAA") is entered into between RexRuby, Inc. ("Business Associate" or "RexRuby") and the covered entity identified in the RexRuby account registration ("Covered Entity" or "Customer").
This BAA is incorporated into and forms part of the RexRuby Terms of Service. By checking the BAA acceptance checkbox during onboarding, Customer agrees to this BAA on behalf of the covered entity.
RexRuby is a Business Associate as defined under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations, including the HITECH Act amendments and the Omnibus Rule (45 C.F.R. Parts 160 and 164).
2. Definitions
Terms used but not defined in this BAA have the meanings ascribed to them in HIPAA and the HITECH Act, including:
"Protected Health Information" or "PHI" means individually identifiable health information created, received, maintained, or transmitted by RexRuby on behalf of Covered Entity.
"Electronic PHI" or "ePHI" means PHI that is created, received, maintained, or transmitted in electronic form.
"Breach" has the meaning set forth in 45 C.F.R. § 164.402.
"Unsecured PHI" has the meaning set forth in 45 C.F.R. § 164.402: PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance.
"Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations.
"Minimum Necessary" means the least amount of PHI required to accomplish the intended purpose.
3. Permitted Uses and Disclosures of PHI
RexRuby may use and disclose PHI only as follows:
(a) Services. RexRuby may use and disclose PHI to perform the services described in the Terms of Service, including AI-assisted appointment booking, patient communication, recall messaging, and intake document collection on behalf of Covered Entity.
(b) Operations. RexRuby may use PHI for its own proper management and administration or to carry out its legal responsibilities, provided such use is necessary for those purposes or required by law.
(c) Required By Law. RexRuby may disclose PHI as required by law, provided RexRuby notifies Covered Entity prior to disclosure to the extent permitted by law.
(d) Minimum Necessary. RexRuby shall make reasonable efforts to use, disclose, and request only the minimum necessary amount of PHI to accomplish the intended purpose.
RexRuby shall not use or disclose PHI for any purpose not listed above without prior written authorization from Covered Entity, except as required by law.
4. RexRuby Obligations
RexRuby agrees to:
(a) Safeguards. Implement and maintain appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI, in accordance with 45 C.F.R. Part 164, Subpart C (Security Rule).
(b) Subcontractors. Ensure that any subcontractor or agent that creates, receives, maintains, or transmits PHI on behalf of RexRuby agrees to restrictions and conditions at least as protective as those in this BAA, through a written subcontractor BAA.
(c) Access. Make available to Covered Entity, within 30 days of written request, PHI in a designated record set sufficient to enable Covered Entity to respond to individuals' rights requests under HIPAA.
(d) Amendment. Make available PHI in a designated record set for amendment and incorporate any amendments the Covered Entity directs, consistent with 45 C.F.R. § 164.526.
(e) Accounting. Make available to Covered Entity information required for an accounting of disclosures under 45 C.F.R. § 164.528.
(f) Compliance. Make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services for purposes of determining compliance with HIPAA.
(g) Mitigation. Report to Covered Entity any use or disclosure of PHI not provided for in this BAA, and mitigate, to the extent practicable, any harmful effect known to RexRuby.
5. Breach Notification
RexRuby shall notify Covered Entity without unreasonable delay and in no event later than sixty (60) calendar days after discovery of a Breach of Unsecured PHI.
Notification shall include, to the extent possible:
(a) A description of what happened, including the date of the Breach and the date of discovery.
(b) A description of the types of Unsecured PHI involved.
(c) Any steps individuals should take to protect themselves from potential harm.
(d) A brief description of what RexRuby is doing to investigate, mitigate, and prevent future Breaches.
RexRuby's notification obligation is triggered by discovery of a Breach, not by a determination that the Breach meets a harm threshold. Notification of a Security Incident that does not constitute a Breach may be provided in summary form on a quarterly basis.
6. Security Standards (HIPAA Security Rule)
RexRuby implements and maintains the following safeguards for ePHI:
Administrative Safeguards:
• Designated security official responsible for HIPAA security policies.
• Workforce training on PHI handling and security procedures.
• Access management controls limiting PHI access to authorized personnel.
• Contingency plan for data backup, disaster recovery, and emergency access.
Physical Safeguards:
• Facility access controls for data centers hosting ePHI (Supabase/AWS infrastructure).
• Workstation use and device security policies for personnel accessing ePHI.
Technical Safeguards:
• Encryption of ePHI at rest (AES-256) and in transit (TLS 1.2+).
• Unique user identification and automatic logoff.
• Audit controls logging access and activity on systems containing ePHI.
• Transmission security for all ePHI transmitted over electronic networks.
RexRuby conducts periodic risk analyses and implements security measures to reduce identified risks to a reasonable and appropriate level.
7. Covered Entity Obligations
Covered Entity agrees to:
(a) Permissions. Notify RexRuby of any limitation in Covered Entity's Notice of Privacy Practices that would affect RexRuby's use or disclosure of PHI.
(b) Individual Permissions. Notify RexRuby of any changes in, or revocation of, permission by an individual to use or disclose PHI.
(c) Restrictions. Notify RexRuby of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 C.F.R. § 164.522.
(d) Lawful Requests. Not request RexRuby to use or disclose PHI in any manner that would not be permissible under HIPAA.
(e) Minimum Necessary. Apply minimum necessary standards when submitting PHI to RexRuby for processing.
8. Term and Termination
Term. This BAA is effective upon acceptance during onboarding and remains in effect for the duration of the RexRuby subscription.
Termination for Cause. Either party may terminate this BAA if the other party materially breaches a provision and fails to cure the breach within thirty (30) days of written notice.
Effect of Termination. Upon termination:
(a) RexRuby shall return or destroy all PHI received or created on behalf of Covered Entity, if feasible. If return or destruction is not feasible, RexRuby shall extend the protections of this BAA to the PHI and limit further use or disclosure.
(b) Client data export is available from Settings → Data & Privacy within 90 days of account termination.
Survival. The obligations of RexRuby under this Section 8 survive termination.
9. Subcontractors
RexRuby uses the following categories of subcontractors that may process ePHI on its behalf:
• Cloud Infrastructure: Amazon Web Services (AWS) — data storage and compute via Supabase.
• AI Processing: Anthropic, PBC — AI language model for conversation processing. Anthropic operates under a Data Processing Addendum that prohibits use of Customer data for model training.
• Communications: Twilio Inc. — SMS, voice, and messaging infrastructure.
• Payments: Stripe, Inc. — deposit and payment processing.
Each subcontractor is bound by written agreements with protections at least as stringent as this BAA. RexRuby remains responsible for its subcontractors' compliance with the obligations of this BAA.
10. Miscellaneous
Entire Agreement. This BAA, together with the RexRuby Terms of Service, constitutes the entire agreement between the parties with respect to HIPAA compliance and supersedes all prior agreements on this subject.
Amendment. RexRuby may amend this BAA as necessary to comply with changes in HIPAA, the HITECH Act, or their implementing regulations. Material amendments will be provided with 30 days' notice.
No Third-Party Beneficiaries. Nothing in this BAA shall confer any rights or remedies upon any third party, including patients or individuals whose PHI is processed.
Governing Law. This BAA is governed by federal law applicable to HIPAA and the laws of the State of Delaware.
Interpretation. The parties agree to interpret this BAA to permit compliance with HIPAA. Any ambiguity shall be resolved to permit the parties to comply with HIPAA.
11. Contact
For HIPAA inquiries, privacy requests, or to report a Security Incident:
RexRuby, Inc. — Privacy & Security
legal@rexruby.ai
https://www.rexruby.ai
For patient rights requests (access, amendment, accounting of disclosures), contact your healthcare provider directly. RexRuby processes PHI on behalf of your provider and will direct such requests accordingly.
RexRuby, Inc. · BAA Version 2026-03 · Effective March 1, 2026
HIPAA inquiries: legal@rexruby.ai · Terms of Service