Legal

Business Associate Agreement

Template version: June 4, 2026 · Cleryn LLC · Questions: contact@somniq.live

About this document. This is Cleryn's standard Business Associate Agreement — the reference copy of the terms we execute with every customer. Cleryn acts as the Business Associate; the customer (a sleep diagnostic center or healthcare provider) acts as the Covered Entity. Before any Protected Health Information is processed, Cleryn and the customer sign a copy of this Agreement (a countersigned PDF, or an electronic signature). To request a copy for signature or review by your compliance team, contact contact@somniq.live.

Business Associate

Cleryn LLC

2654 W Horizon Ridge Pkwy, Ste B5, PMB# 305, Henderson, NV 89052 · contact@somniq.live

Covered Entity

The Customer

The sleep diagnostic center or healthcare provider named in the executed copy of this Agreement, identified by its authorized representative at signing.

Recitals

Covered Entity is a HIPAA-covered entity (or a business associate acting on behalf of a covered entity) that operates one or more sleep diagnostic centers. Business Associate provides an AI-assisted compliance review platform that requires access to Protected Health Information ("PHI") in order to perform its services. The parties enter into this Agreement to satisfy the requirements of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and the regulations promulgated thereunder, including the HIPAA Privacy Rule (45 CFR Part 164, Subpart E) and the HIPAA Security Rule (45 CFR Part 164, Subpart C), as each may be amended from time to time (collectively, "HIPAA Rules").

1. Definitions

Capitalized terms used but not defined in this Agreement have the meanings given to them in the HIPAA Rules. Key terms include:

"Breach" has the meaning set forth in 45 CFR §164.402.
"Business Associate" means Cleryn LLC.
"Covered Entity" means the Customer identified above.
"Electronic PHI" or "ePHI" means PHI that is created, received, maintained, or transmitted in electronic form.
"Protected Health Information" or "PHI" has the meaning set forth in 45 CFR §160.103, limited to PHI that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity.
"Required By Law" has the meaning set forth in 45 CFR §164.103.
"Services" means the compliance review platform described in the Terms of Service.
"Subcontractor" means a person or entity that creates, receives, maintains, or transmits PHI on behalf of Business Associate in the course of providing Services.

2. Obligations of Business Associate

2.1 Permitted Uses and Disclosures

Business Associate may use or disclose PHI only as follows:

To perform the Services described in the Terms of Service, specifically: receiving uploaded physician documents containing PHI, analyzing those documents using AI inference to produce compliance review reports, and returning those reports to authorized users of Covered Entity;
As Required By Law;
For the proper management and administration of Business Associate's business, provided that any disclosure is Required By Law or Business Associate obtains written assurances from the recipient that the PHI will remain confidential and be used only for the stated purpose;
To report violations of law to appropriate authorities, consistent with 45 CFR §164.502(j)(1).

Business Associate shall not use or disclose PHI in any manner that would violate the HIPAA Privacy Rule if done by Covered Entity, except as permitted by this Agreement.

Business Associate shall not use PHI to train, fine-tune, or improve AI models.

2.2 Safeguards

Business Associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity, in accordance with the HIPAA Security Rule (45 CFR Part 164, Subpart C). These safeguards include:

TLS 1.2 or higher encryption for all PHI in transit;
AES-256 encryption for all PHI at rest;
Access controls limiting PHI access to authorized personnel and systems;
Raw uploaded documents processed in memory only and never written to persistent storage;
Retention of de-identified review results for no longer than 90 days;
Audit logging of all PHI access and processing events;
Operation on Google Cloud infrastructure — including AI inference via Vertex AI — covered by a signed Google Cloud HIPAA BAA.

2.3 Subcontractors

Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees to the same restrictions, conditions, and requirements that apply to Business Associate under this Agreement. Business Associate's current Subcontractors with PHI access are:

Google LLC (Google Cloud) — infrastructure, database, compute, authentication, and AI inference via Vertex AI (Claude models hosted within Google Cloud). Covered by a signed Google Cloud HIPAA BAA. PHI is not transmitted to any AI provider outside of Google Cloud.

Business Associate will notify Covered Entity of any material change to Subcontractors that have access to PHI at least 30 days in advance, or as soon as reasonably practicable in the event of an emergency change.

2.4 Breach Notification

Business Associate shall notify Covered Entity without unreasonable delay and in no case later than 30 calendar days after discovery of a Breach of Unsecured PHI. Notification shall include, to the extent reasonably possible:

A description of the Breach, including the date of the Breach and the date of discovery;
A description of the types of PHI involved;
The identity of each individual whose PHI was involved, if known;
Steps individuals should take to protect themselves, if applicable;
A description of the steps Business Associate has taken to investigate and mitigate the Breach; and
Contact information for follow-up questions.

Business Associate shall also report to Covered Entity any Security Incident (as defined in 45 CFR §164.304) of which it becomes aware, to the extent required by applicable law.

2.5 Minimum Necessary

Business Associate shall make reasonable efforts to use, disclose, and request only the minimum amount of PHI necessary to accomplish the purpose for which it is used, disclosed, or requested, consistent with 45 CFR §164.514(d).

2.6 Individual Rights

Business Associate shall:

Make PHI available to Covered Entity to allow Covered Entity to fulfill individual access requests under 45 CFR §164.524;
Make PHI available to Covered Entity for amendment and incorporate any amendments directed by Covered Entity under 45 CFR §164.526;
Provide an accounting of disclosures of PHI as required by Covered Entity to fulfill requests under 45 CFR §164.528;
Make its internal practices, books, and records relating to PHI available to the Secretary of the Department of Health and Human Services for purposes of determining compliance with HIPAA Rules.

3. Obligations of Covered Entity

Covered Entity shall:

Notify Business Associate of any limitation in its Notice of Privacy Practices that would affect Business Associate's use or disclosure of PHI;
Notify Business Associate of any changes in or revocation of permission by an individual to use or disclose PHI, if such changes affect Business Associate's permitted uses or disclosures;
Not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Privacy Rule if done by Covered Entity;
Implement appropriate safeguards on Covered Entity's systems and devices used to access the Services, including using strong passwords and logging out of sessions when not in use;
Promptly notify Business Associate upon discovering any unauthorized access to the Services from Covered Entity's accounts or systems.

4. Term and Termination

4.1 Term

This Agreement is effective as of the date both parties execute it (the "Effective Date") and remains in effect until the earlier of: (a) termination of the underlying services arrangement between the parties; or (b) termination by either party as provided herein.

4.2 Termination for Cause

Either party may terminate this Agreement immediately upon written notice if the other party materially breaches any provision of this Agreement and fails to cure such breach within 30 days of receiving written notice of the breach. If cure is not possible, termination may be immediate.

4.3 Effect of Termination — Return or Destruction of PHI

Upon termination of this Agreement for any reason, Business Associate shall, to the extent feasible, return or destroy all PHI received from or created on behalf of Covered Entity. Business Associate shall not retain copies of PHI after return or destruction. If return or destruction is not feasible, Business Associate shall extend the protections of this Agreement to any retained PHI and limit further use or disclosure to the purposes that make return or destruction infeasible.

Given Cleryn's data handling (raw documents are processed in memory only and are never persisted; review results are deleted within 90 days), residual PHI will be destroyed within 90 days of account termination without further action required by Covered Entity.

5. Miscellaneous

5.1 Amendment

The parties agree to amend this Agreement as necessary to comply with changes in HIPAA Rules. Any amendment must be in writing and signed by both parties. Cleryn will provide proposed amendments to Covered Entity at least 30 days before they are to take effect.

5.2 Interpretation

This Agreement shall be interpreted as broadly as necessary to implement and comply with the HIPAA Rules. Any ambiguity shall be resolved in favor of a meaning that permits Covered Entity to comply with HIPAA. In the event of a conflict between this Agreement and the Terms of Service with respect to PHI, this Agreement controls.

5.3 No Third-Party Beneficiaries

Nothing in this Agreement shall confer any rights or remedies upon any person other than the parties and their respective successors and permitted assigns.

5.4 Governing Law

This Agreement shall be governed by the laws of the State of Nevada, without regard to conflict of law principles, except to the extent preempted by federal law including HIPAA.

5.5 Entire Agreement

This Agreement, together with the Terms of Service and Privacy Policy, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior or contemporaneous oral or written agreements relating to PHI.

5.6 Survival

The provisions of Sections 2 (Obligations of Business Associate), 4.3 (Effect of Termination), and 5 (Miscellaneous) shall survive termination of this Agreement.

5.7 Execution

This Agreement is executed by both parties. Execution may be by handwritten signature, by electronic signature, or by exchange of a countersigned copy (including a scanned or PDF copy), each of which is effective as an original signature. The Agreement may be executed in counterparts, which together constitute one agreement.

Each individual signing represents and warrants that he or she is authorized to bind the party on whose behalf he or she signs. The version of this Agreement that governs the parties is the copy they have executed; this published page is the reference template and is not itself a binding agreement until signed.

To request a copy of this Agreement for signature, or to discuss negotiated terms for a group or multi-site organization, contact contact@somniq.live.