Business Associate Agreement (Schedule A)
Version 2.0 — February 5, 2026
HIPAA Business Associate Agreement
Between Scribeable, Inc. and Covered Entity/Business Associate
Effective Date: Upon Execution
RECITALS
WHEREAS, Covered Entity (as defined below) and Scribeable, Inc. ("Business Associate") have entered into or will enter into the Platform Terms of Use (the "Underlying Agreement") pursuant to which Business Associate will provide certain services to Covered Entity;
WHEREAS, in connection with the services provided under the Underlying Agreement, Business Associate may create, receive, maintain, use, or transmit Protected Health Information (as defined below) on behalf of Covered Entity;
WHEREAS, the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act, Public Law 111-005 ("HITECH Act"), and their implementing regulations at 45 C.F.R. Parts 160 and 164 (collectively, the "HIPAA Rules") require Covered Entity to enter into a business associate agreement with Business Associate prior to disclosing Protected Health Information to Business Associate;
NOW, THEREFORE, in consideration of the mutual promises and covenants contained in this Business Associate Agreement ("BAA"), and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties agree as follows:
1. DEFINITIONS
1.1 Terms used but not otherwise defined in this BAA shall have the meanings set forth in the HIPAA Rules. For convenience, certain key terms are defined or referenced below:
"Breach" means the acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted under the HIPAA Rules which compromises the security or privacy of the Protected Health Information, as defined in 45 C.F.R. § 164.402, subject to the exceptions set forth in such section.
"Business Associate" means Scribeable, Inc., a Delaware corporation, with its principal place of business at 600 Boulevard South SW Suite 104J, Huntsville, AL 35802.
"Covered Entity" means the healthcare provider, health plan, or healthcare clearinghouse that has entered into the Underlying Agreement with Business Associate.
"Designated Record Set" has the meaning set forth in 45 C.F.R. § 164.501.
"Electronic Protected Health Information" or "ePHI" has the meaning set forth in 45 C.F.R. § 160.103, limited to the Protected Health Information that Business Associate creates, receives, maintains, uses, or transmits on behalf of Covered Entity.
"Individual" means the person who is the subject of Protected Health Information and includes a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
"Platform" means Scribeable's medical documentation software platform, including the iOS mobile application, web portal, browser extension, and all related services.
"Protected Health Information" or "PHI" has the meaning set forth in 45 C.F.R. § 160.103, limited to the information created, received, maintained, used, or transmitted by Business Associate on behalf of Covered Entity in connection with the services provided under the Underlying Agreement.
"Required by Law" has the meaning set forth in 45 C.F.R. § 164.103.
"Secretary" means the Secretary of the U.S. Department of Health and Human Services or his or her designee.
"Security Incident" has the meaning set forth in 45 C.F.R. § 164.304.
"Services" means the services and functions that Business Associate performs for or on behalf of Covered Entity pursuant to the Underlying Agreement.
"Subcontractor" means a person or entity to whom Business Associate delegates a function, activity, or service other than in the capacity of a member of the workforce of Business Associate.
"Unsecured Protected Health Information" has the meaning set forth in 45 C.F.R. § 164.402.
2. PERMITTED AND REQUIRED USES AND DISCLOSURES OF PHI
2.1 Permitted Uses and Disclosures
Business Associate may use or disclose PHI only as permitted by this BAA or as Required by Law. Specifically, Business Associate may use or disclose PHI:
(a) Performance of Services: To perform the Services set forth in, or contemplated by, the Underlying Agreement, including:
- AI-powered clinical documentation generation
- Voice transcription of clinical encounters
- Clinical decision support and analysis
- EHR integration and data synchronization
- Secure web export of clinical summaries
- Patient management and longitudinal record keeping
- Practice analytics and usage reporting
- Technical support and troubleshooting
(b) Management and Administration: For the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that:
- Such disclosure is Required by Law; or
- Business Associate obtains reasonable assurances from the person to whom the PHI is disclosed that it will be held confidentially and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached.
(c) Data Aggregation: To provide Data Aggregation services relating to the health care operations of Covered Entity, if such Data Aggregation services are set forth in the Underlying Agreement.
2.2 Prohibited Uses and Disclosures
Business Associate shall not:
(a) Use or Disclosure Limitations: Use or disclose PHI in any manner that would violate the HIPAA Rules if done by Covered Entity, except as permitted by Section 2.1(b) or as otherwise permitted under this BAA.
(b) Sale of PHI: Directly or indirectly receive remuneration in exchange for PHI, except as permitted by 45 C.F.R. § 164.502(a)(5)(ii)(B)(2).
(c) Marketing Communications: Use or disclose PHI for marketing purposes without a valid authorization from the Individual, except as permitted by 45 C.F.R. § 164.508(a)(3).
(d) No Fundraising: Use or disclose PHI for fundraising purposes.
(e) AI Model Training: Use or disclose PHI to train artificial intelligence or machine learning models, except to the extent necessary to provide the specific Services to Covered Entity.
2.3 Minimum Necessary
Business Associate shall make reasonable efforts to limit the use, disclosure, or request of PHI to the minimum necessary to accomplish the intended purpose, as required by the HIPAA Rules, except where an exception applies under 45 C.F.R. § 164.502(b).
2.4 De-Identification
Business Associate may de-identify PHI in accordance with the standards and implementation specifications set forth in 45 C.F.R. § 164.514(a)-(c). De-identified information is not subject to this BAA.
3. OBLIGATIONS OF BUSINESS ASSOCIATE
3.1 Compliance with HIPAA Rules
Business Associate shall comply with the applicable requirements of the HIPAA Rules in the performance of Services and with respect to PHI.
3.2 Safeguards
Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards to prevent the use or disclosure of PHI other than as permitted by this BAA, and to comply with the applicable requirements of Subpart C of 45 C.F.R. Part 164 (the Security Rule) with respect to ePHI. Such safeguards include, but are not limited to:
(a) Encryption:
- Encryption in transit using TLS 1.3 or higher
- Encryption at rest using AES-256 or equivalent
- End-to-end encryption for web export features
- Secure key management practices
(b) Access Controls:
- Role-based access control (RBAC)
- Multi-factor authentication where technically feasible
- Unique user identification for all system users
- Automatic session timeout after inactivity
- Secure password requirements
(c) Audit Controls:
- Comprehensive audit logging of PHI access
- Regular review of audit logs
- Tamper-evident audit trail storage
- Retention of audit logs for at least six years
(d) Data Integrity:
- Mechanisms to ensure PHI is not improperly altered or destroyed
- Version control for clinical documentation
- Backup and disaster recovery procedures
- Data validation and error checking
(e) Network Security:
- Firewall protection
- Intrusion detection and prevention systems
- Regular security patching and updates
- Secure network architecture
- DDoS protection
(f) Device and Media Controls:
- Policies for disposal of devices and media containing PHI
- Secure deletion and sanitization procedures
- Device encryption requirements
- Media reuse policies
(g) Workforce Training:
- Regular HIPAA and security training for workforce members
- Incident response training
- Secure coding practices
- Security awareness programs
3.3 Reporting of Improper Uses and Disclosures
Business Associate shall report to Covered Entity any use or disclosure of PHI not permitted by this BAA, including any Breach of Unsecured PHI, or any Security Incident involving ePHI, of which Business Associate becomes aware. Such report shall be made:
(a) Timing:
- Without unreasonable delay and in no case later than sixty (60) calendar days after discovery, in accordance with 45 C.F.R. § 164.410
(b) Content: The report shall include, to the extent known:
- Identification of each Individual whose PHI was involved
- Description of the incident, including date of occurrence and discovery
- Type of PHI involved (e.g., name, SSN, diagnosis, treatment information)
- Identity of the person who made the unauthorized use or disclosure
- Actions taken to mitigate harm and prevent recurrence
- Steps individuals should take to protect themselves
- Contact information for individuals to obtain more information
(c) Investigation: Business Associate shall investigate all suspected or actual improper uses or disclosures and provide a written report of the investigation to Covered Entity.
(d) Security Incidents: The parties acknowledge that this section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of unsuccessful Security Incidents, including but not limited to pings and other broadcast attacks on Business Associate's firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and interception of encrypted information, for which no additional notice to Covered Entity shall be required.
3.4 Business Associate's Subcontractors
(a) Written Agreement Required: Business Associate shall enter into a written agreement with each Subcontractor that creates, receives, maintains, uses, or transmits PHI on behalf of Business Associate, containing terms substantially similar to this BAA, as required by 45 C.F.R. § 164.308(b)(2) and § 164.502(e)(1)(ii).
(b) Current Subcontractors: Business Associate's current Subcontractors that may have access to PHI include:
- Anthropic PBC: AI language models (Claude API) for clinical documentation
- Deepgram, Inc.: Voice transcription services
- Google LLC: Cloud infrastructure (Firebase, Google Cloud Platform)
- Additional Subcontractors as maintained at https://scribeable.ai/legal/subprocessors and updated in accordance with Section 5
(c) New Subcontractors: Business Associate shall provide Covered Entity with reasonable prior notice of any new Subcontractor that will have access to PHI, and Covered Entity may object to such Subcontractor within fifteen (15) business days.
(d) Liability: Business Associate is responsible for the acts and omissions of its Subcontractors to the same extent as if they were acts or omissions of Business Associate.
3.5 Access to PHI
Upon Covered Entity's request, and to the extent required by 45 C.F.R. § 164.524, Business Associate shall make available to Covered Entity or, as directed by Covered Entity, to an Individual, PHI maintained by Business Associate in a Designated Record Set, to enable Covered Entity to fulfill its obligations under 45 C.F.R. § 164.524.
(a) Timing: Within thirty (30) days of a request, or such shorter period as may be required by applicable law.
(b) Format: In the form and format requested by the Individual, if readily producible, or in a readable hard copy or electronic format as agreed upon by Business Associate and Covered Entity.
(c) Fees: Business Associate may charge a reasonable, cost-based fee for providing such access, as permitted by 45 C.F.R. § 164.524(c)(4).
3.6 Amendment of PHI
Upon Covered Entity's request, and to the extent required by 45 C.F.R. § 164.526, Business Associate shall make any amendments to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526.
(a) Timing: Within thirty (30) days of Covered Entity's request.
(b) Process: Business Associate shall incorporate amendments into the appropriate record and shall identify the record as amended.
3.7 Accounting of Disclosures
Business Associate shall document and make available to Covered Entity or, as directed by Covered Entity, to an Individual, information required to provide an accounting of disclosures as required by 45 C.F.R. § 164.528.
(a) Required Information: The accounting shall include:
- Date of the disclosure
- Name and address of the recipient (if known)
- Brief description of the PHI disclosed
- Brief statement of the purpose of the disclosure
(b) Timing: Within sixty (60) days of a request, with a possible thirty (30) day extension.
(c) Exclusions: Business Associate need not account for disclosures:
- To carry out treatment, payment, or health care operations (except for disclosures through an electronic health record)
- To the Individual or pursuant to the Individual's authorization
- For national security or intelligence purposes
- To correctional institutions or law enforcement officials
- That occurred prior to the compliance date
- That are otherwise excluded under 45 C.F.R. § 164.528(a)(1)
(d) Electronic Health Records: For PHI maintained in an electronic health record as of January 1, 2009, or later, Business Associate shall provide an accounting of disclosures for treatment, payment, and health care operations as required by the HITECH Act.
3.8 Availability of Books and Records
Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining Covered Entity's compliance with the HIPAA Rules. Business Associate shall provide such access within thirty (30) days of a request.
3.9 Mitigation
Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this BAA.
3.10 Policies and Procedures
Business Associate shall maintain written policies and procedures regarding:
- Use and disclosure of PHI
- Security safeguards
- Breach notification and response
- Workforce training
- Subcontractor management
- Individual rights
Business Associate shall make such policies and procedures available to Covered Entity upon reasonable request.
3.11 Business Continuity
Business Associate shall maintain and test business continuity and disaster recovery plans at least annually. Business Associate commits to the following service levels: (a) Recovery Time Objective (RTO): 4 hours for critical PHI systems; (b) Recovery Point Objective (RPO): 1 hour maximum data loss; (c) Encrypted backups stored in geographically separate facilities; (d) Annual disaster recovery testing with results available to Covered Entity upon request.
4. OBLIGATIONS OF COVERED ENTITY
4.1 Permissible Requests
Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.
4.2 Notice of Privacy Practices
Covered Entity shall provide Business Associate with a copy of its Notice of Privacy Practices and shall notify Business Associate of any changes to such Notice that affect Business Associate's use or disclosure of PHI.
4.3 Authorization and Consent
Covered Entity shall obtain all necessary authorizations, consents, and permissions from Individuals for Business Associate's use and disclosure of PHI as contemplated by this BAA and the Underlying Agreement.
4.4 Restrictions
Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction affects Business Associate's use or disclosure of PHI.
4.5 Compliance with HIPAA Rules
Covered Entity shall comply with all applicable requirements of the HIPAA Rules and shall not cause Business Associate to violate the HIPAA Rules through any act or omission.
5. INDIVIDUAL RIGHTS
5.1 Right of Access
To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall provide Individuals with access to their PHI as required by 45 C.F.R. § 164.524 and as set forth in Section 3.5.
5.2 Right to Amend
To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall make amendments to such PHI as directed by Covered Entity as required by 45 C.F.R. § 164.526 and as set forth in Section 3.6.
5.3 Accounting of Disclosures
Business Associate shall provide accountings of disclosures as required by 45 C.F.R. § 164.528 and as set forth in Section 3.7.
5.4 Right to Restrict Processing
Upon notification from Covered Entity that an Individual has restricted Covered Entity's disclosure of PHI to a health plan for purposes of payment or health care operations, and the PHI pertains solely to items or services for which the Individual has paid out of pocket in full, Business Associate shall not disclose such PHI to the health plan.
6. TERM AND TERMINATION
6.1 Term
This BAA shall become effective on the date both parties have executed the Underlying Agreement (the "Effective Date") and shall remain in effect until terminated as provided herein or until all PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity.
6.2 Termination by Covered Entity
Covered Entity may terminate this BAA and the Underlying Agreement:
(a) Immediate Termination: Immediately upon written notice if Business Associate has breached a material term of this BAA and has not cured the breach (or provided a mutually agreeable plan to cure the breach) within thirty (30) days of receiving notice of the breach.
(b) Infeasibility: If termination is not feasible, Covered Entity shall report the violation to the Secretary.
6.3 Termination by Business Associate
Business Associate may terminate this BAA and the Underlying Agreement upon ninety (90) days' written notice if Covered Entity has breached a material term of this BAA and has not cured the breach within thirty (30) days of receiving notice.
6.4 Effect of Termination
(a) Return or Destruction of PHI: Upon termination of this BAA, Business Associate shall, at Covered Entity's option:
- Return all PHI to Covered Entity in the form and format specified by Covered Entity; or
- Destroy all PHI and certify in writing to Covered Entity that all PHI has been destroyed
(b) Retention: Notwithstanding the above, Business Associate may retain PHI if:
- Return or destruction is not feasible; or
- Business Associate is required by law to retain the PHI
If PHI is retained:
- Business Associate shall continue to protect the PHI in accordance with this BAA
- Business Associate shall limit further uses and disclosures to those purposes that make return or destruction infeasible
- Business Associate shall return or destroy the PHI when feasible
(c) Subcontractor PHI: Business Associate shall ensure that all Subcontractors either return or destroy all PHI, or if not feasible, extend the protections of this section to such PHI.
7. BREACH NOTIFICATION
7.1 Discovery of Breach
Business Associate shall report to Covered Entity any Breach of Unsecured PHI following the discovery of such Breach, as required by 45 C.F.R. § 164.410.
7.2 Timing of Notification
Notification shall be made without unreasonable delay and in no case later than sixty (60) calendar days after discovery, in accordance with 45 C.F.R. § 164.410.
7.3 Content of Notification
The notification shall include, to the extent known:
- A brief description of what happened, including date of Breach and date of discovery
- A description of the types of Unsecured PHI involved
- The identification of each Individual whose Unsecured PHI has been, or is reasonably believed to have been, breached
- Any steps Individuals should take to protect themselves from potential harm
- A brief description of what Business Associate is doing to investigate, mitigate harm, and prevent further Breaches
- Contact procedures for Covered Entity to obtain further information
7.4 Investigation and Mitigation
Business Associate shall:
- Promptly investigate any suspected Breach
- Take appropriate steps to mitigate any harmful effects
- Document all actions taken in response to the Breach
- Cooperate fully with Covered Entity's Breach response activities
7.5 Responsibility for Notification
Business Associate shall be responsible for:
- Investigation and documentation of the Breach
- Mitigation activities within Business Associate's control
- Providing Covered Entity with information necessary for Covered Entity to fulfill its notification obligations under 45 C.F.R. §§ 164.404-164.408
Covered Entity shall be responsible for:
- Notifying affected Individuals
- Notifying the Secretary (if required)
- Notifying media (if required)
Unless otherwise agreed in writing, Business Associate shall not directly notify Individuals, the Secretary, or media.
8. INDEMNIFICATION
8.1 Business Associate Indemnification
Business Associate shall indemnify, defend, and hold harmless Covered Entity and its officers, directors, employees, and agents from and against any and all claims, liabilities, damages, losses, costs, and expenses (including reasonable attorneys' fees) arising out of or relating to:
- Business Associate's breach of this BAA
- Business Associate's violation of the HIPAA Rules
- Negligent or wrongful acts or omissions of Business Associate or its Subcontractors
- Any Breach caused by Business Associate or its Subcontractors
- Regulatory fines or penalties assessed against Covered Entity due to Business Associate's actions or omissions
8.2 Covered Entity Indemnification
Covered Entity shall indemnify, defend, and hold harmless Business Associate from and against any claims arising out of:
- Covered Entity's breach of this BAA
- Covered Entity's failure to obtain required authorizations or consents
- Covered Entity's instructions to Business Associate that violate the HIPAA Rules
- Inaccurate or incomplete information provided by Covered Entity
8.3 Notice and Cooperation
The indemnified party shall:
- Promptly notify the indemnifying party of any claim
- Cooperate reasonably with the indemnifying party in the defense
- Allow the indemnifying party to control the defense and settlement (with reasonable consultation)
8.4 Insurance
Business Associate shall maintain: (a) Cyber liability insurance with minimum coverage of $2,000,000 per occurrence; (b) Errors and omissions (professional liability) insurance with minimum coverage of $2,000,000 per occurrence. Certificates of insurance shall be provided to Covered Entity upon request.
9. REGULATORY CHANGES
9.1 Amendment for Compliance
The parties agree to negotiate in good faith to amend this BAA as necessary to comply with changes in the HIPAA Rules or other applicable laws and regulations.
9.2 Regulatory References
Any reference in this BAA to a section of the HIPAA Rules means the section as in effect or as amended, and for which compliance is required.
9.3 Additional Obligations
If additional obligations are imposed on Business Associate by changes in the HIPAA Rules, such obligations shall be deemed incorporated into this BAA without further action by the parties.
10. MISCELLANEOUS
10.1 Interpretation
This BAA shall be interpreted as broadly as necessary to implement and comply with the HIPAA Rules. Any ambiguity shall be resolved in favor of a meaning that permits Covered Entity to comply with the HIPAA Rules.
10.2 No Third-Party Beneficiaries
Nothing in this BAA is intended to confer, nor shall anything herein confer, upon any person other than Covered Entity, Business Associate, and their respective successors and assigns, any rights, remedies, obligations, or liabilities whatsoever.
10.3 Relationship to Underlying Agreement
Except as specifically required to implement the purposes of this BAA, or to the extent inconsistent with this BAA, all other terms of the Underlying Agreement shall remain in full force and effect. In the event of a conflict between this BAA and the Underlying Agreement with respect to the use or disclosure of PHI, this BAA shall control.
10.4 Survival
The obligations of Business Associate under Sections 3.3 (Reporting), 3.5 (Access), 3.6 (Amendment), 3.7 (Accounting), 6.4 (Effect of Termination), 7 (Breach Notification), and 8 (Indemnification) shall survive the termination of this BAA.
10.5 Notices
All notices required or permitted under this BAA shall be in writing and delivered to:
For Covered Entity: As specified in Covered Entity's account information
For Business Associate: Scribeable, Inc.
Attention: HIPAA Compliance Officer
Email: [email protected]
10.6 Governing Law
This BAA shall be governed by the laws of the State of California, without regard to conflict of law principles, except to the extent preempted by federal law.
10.7 Severability
If any provision of this BAA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect, and the invalid provision shall be modified to the minimum extent necessary to make it valid and enforceable.
10.8 Waiver
No waiver of any provision of this BAA shall be effective unless in writing and signed by the party against whom such waiver is sought to be enforced.
10.9 Entire Agreement
This BAA, together with the Underlying Agreement, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior agreements and understandings, whether written or oral.
10.10 Electronic Signatures
The parties agree that this Agreement may be executed electronically. Electronic signatures shall have the same legal effect as handwritten signatures pursuant to the Electronic Signatures in Global and National Commerce Act (E-SIGN Act, 15 U.S.C. § 7001 et seq.) and the Uniform Electronic Transactions Act (UETA).
10.11 Counterparts
This BAA may be executed in counterparts, each of which shall be deemed an original and all of which together shall constitute one and the same instrument.
11. SIGNATURE
This Business Associate Agreement is effective as of the Effective Date and is entered into by and between:
COVERED ENTITY:
Name: ________________________________
Title: ________________________________
Signature: ____________________________
Date: _________________________________
BUSINESS ASSOCIATE:
Scribeable, Inc.
Name: ________________________________
Title: ________________________________
Signature: ____________________________
Date: _________________________________
EXHIBIT A - PERMITTED USES AND DISCLOSURES
Business Associate may use and disclose PHI for the following purposes:
- AI-Powered Clinical Documentation:
- Generate clinical summaries from consultation notes
- Extract structured data from unstructured clinical text
- Suggest diagnoses and ICD-10 codes
- Generate treatment plans and recommendations
- Provide clinical decision support
- Voice Transcription:
- Convert audio recordings of clinical encounters to text
- Apply medical vocabulary and terminology
- Format transcriptions for clinical documentation
- EHR Integration:
- Synchronize patient demographics and schedules
- Pull clinical data from EHR systems
- Push clinical notes and summaries to EHR systems
- Facilitate bidirectional data exchange
- Practice Management:
- Patient list management
- Consultation tracking
- Longitudinal patient records
- Vital signs and lab result tracking
- Analytics and Reporting:
- Usage analytics for Covered Entity
- Quality improvement reporting
- Billing optimization suggestions
- Aggregated, de-identified analytics
- Technical Operations:
- System maintenance and troubleshooting
- Security monitoring and incident response
- Backup and disaster recovery
- Platform improvements (using de-identified data)
EXHIBIT B - TECHNICAL SAFEGUARDS
Business Associate implements the following technical safeguards:
Encryption:
- TLS 1.3 for data in transit
- AES-256 encryption for data at rest
- End-to-end encryption for web export
- Encrypted database connections
Access Controls:
- Role-based access control (RBAC)
- Multi-factor authentication (MFA)
- Automatic session timeout (15 minutes)
- Strong password requirements
- Account lockout after failed attempts
Audit Controls:
- Comprehensive audit logging
- Tamper-evident logs
- 6-year log retention
- Regular log review
- SIEM integration
Data Integrity:
- Data validation and sanitization
- Cryptographic checksums
- Version control
- Backup verification
- Disaster recovery testing
Infrastructure Security:
- WAF (Web Application Firewall)
- DDoS protection
- IDS/IPS (Intrusion Detection/Prevention)
- Regular vulnerability scanning
- Penetration testing (annual)
- Security patch management
© 2026 Scribeable, Inc. All rights reserved.