This public copy is provided for review and contracting convenience only. It does not create a Business Associate Agreement by itself, and it is not a clickwrap or self-service addendum. This HIPAA Business Associate Addendum ("Addendum") supplements the Offenders.io Terms of Services, an applicable order form, or another written agreement between Provider and Customer only when it has been separately executed by authorized representatives of both parties. Self-service accounts, free trials, and standard API subscriptions do not include a Business Associate Agreement.
1. Applicability
1.1. This Addendum applies only to Customer's use of the Offenders.io API that Provider has expressly approved in writing for HIPAA-regulated workflows ("Approved Services"). Approved Services may be identified in an order form, security exhibit, signed statement of work, or other written approval from Provider.
1.2. Provider is a public-record API and data provider, not an electronic health record, clinical decision support tool, treatment service, care-management service, or medical advice provider.
1.3. This Addendum does not apply to self-service accounts, trial accounts, public website pages, public demo tools, documentation pages, support channels, or API keys and workflows that Provider has not approved in writing for HIPAA use.
1.4. The parties intend for any Protected Health Information ("PHI") or electronic Protected Health Information ("ePHI") processed under this Addendum to be limited to the minimum search parameters that Customer transmits to the API for an approved workflow. Registry data returned by the API is sourced from public records and is not medical advice or a clinical determination.
2. Definitions
2.1. Capitalized terms not defined in this Addendum have the meanings given to them in the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, including 45 C.F.R. Parts 160 and 164, as amended ("HIPAA").
2.2. "Customer" means the covered entity or business associate that has signed this Addendum. "Provider" means Offenders.io.
2.3. "Unsecured PHI" means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services.
3. Permitted Uses and Disclosures
3.1. Provider may use and disclose PHI only as necessary to provide the Approved Services to Customer, as permitted by this Addendum, as required by law, or as otherwise permitted in writing by Customer.
3.2. Provider will not use PHI for marketing, resale, unrelated analytics, product training, or any purpose outside the approved workflow unless permitted by HIPAA and authorized in writing by Customer.
3.3. Provider will use reasonable efforts to limit its use, disclosure, and requests for PHI to the minimum necessary to provide the Approved Services.
4. Provider Obligations
4.1. Provider will implement appropriate administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of ePHI that Provider creates, receives, maintains, or transmits on behalf of Customer.
4.2. Provider will not use or disclose PHI other than as permitted or required by this Addendum or as required by law.
4.3. Provider will report to Customer any Breach of Unsecured PHI without unreasonable delay and no later than 72 hours after Provider confirms that a Breach occurred. The report will include information reasonably available to Provider about the nature of the Breach, the types of PHI involved, mitigation steps taken, and steps Customer may take to address the Breach.
4.4. Provider will report Security Incidents involving ePHI to Customer as required by HIPAA. Unsuccessful, routine security events such as blocked scans, pings, or firewall denials may be reported in aggregate or made available through security documentation unless they result in unauthorized access to ePHI.
4.5. Provider will require any subcontractor that creates, receives, maintains, or transmits PHI on Provider's behalf to agree to substantially similar restrictions and safeguards.
4.6. Provider will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services as required by HIPAA.
5. Customer Obligations
5.1. Customer is responsible for determining whether its use of the API is subject to HIPAA or other healthcare privacy laws.
5.2. Customer will transmit PHI only through Approved Services, only using API keys or workflows that Provider has approved in writing for HIPAA use, and only in the minimum amount necessary for the approved purpose.
5.3. Customer will not send PHI through support tickets, email, chat, screen shares, sales calls, or other channels unless Provider expressly authorizes that channel in writing.
5.4. Customer is responsible for all required notices, permissions, restrictions, consents, and authorizations related to its use of PHI.
5.5. Customer will not use the API as a system of record for medical records, a Designated Record Set, an electronic health record, or a tool for diagnosis, treatment, or clinical decision-making.
6. Individual Rights and Designated Record Sets
6.1. The Approved Services are not intended to create or maintain a Designated Record Set on Provider's systems. If Provider receives a request from an individual relating to PHI, Provider will direct the individual to Customer unless otherwise required by law.
6.2. To the extent Provider maintains PHI in a Designated Record Set, Provider will reasonably assist Customer in responding to requests for access, amendment, or accounting of disclosures as required by HIPAA.
7. Termination
7.1. Either party may terminate this Addendum if the other party materially breaches this Addendum and fails to cure the breach within a reasonable period after written notice.
7.2. Upon termination, Provider will return or destroy PHI in its possession or control if feasible. If return or destruction is infeasible, Provider will continue to protect the PHI in accordance with this Addendum and limit further uses and disclosures to those purposes that make return or destruction infeasible.
8. Order of Precedence
8.1. If there is a conflict between this Addendum and the Terms of Services, an order form, or another agreement between the parties with respect to PHI, this Addendum controls only for that PHI-related conflict.
8.2. This Addendum does not make any self-service account, trial account, non-approved API key, or support channel HIPAA-eligible.
9. Signatures
The parties have caused this Addendum to be executed by their duly authorized representatives. This Addendum is effective only when signed by both parties.
Effective Date: _____________________________
Entity: Offenders.io
Signature: ______________________________
Print Name: _____________________________
Title: _________________________________
Date: _________________________________
Entity: _________________________________
Signature: ______________________________
Print Name: _____________________________
Title: _________________________________
Date: _________________________________