HIPAA Business Associate Agreement Required
Your last scan request contained protected health information signals. RANKIGI requires a signed BAA before processing PHI.
What this means: your scan was not processed. No data was retained. The scanner detected potential PHI signals in your payload and refused to run any detector.
To enable healthcare payload scanning:
- Request the RANKIGI BAA template by emailing legal@rankigi.com.
- Have your Privacy Officer review and sign it.
- Return the signed BAA to privacy@rankigi.com.
- RANKIGI will countersign within 2 business days.
- Your account will be enabled for PHI scanning.
Business Associate Agreement
This Business Associate Agreement (“BAA”) governs the handling of Protected Health Information (“PHI”) across all RANKIGI services. It supplements the RANKIGI Terms of Service and the Data Processing Agreement. A signed, countersigned copy is required before any PHI is transmitted to the Service. Capitalized terms not defined here carry the meanings given in 45 CFR Parts 160 and 164.
Effective Date: The date of last execution by both parties.
1. Covered Entity and Business Associate Relationship
For the purposes of this BAA and as those terms are defined at 45 CFR 160.103, the customer organization is the Covered Entity (or, where applicable, a Business Associate acting on behalf of a Covered Entity), and RANKIGI Inc. is the Business Associate. RANKIGI creates, receives, maintains, or transmits PHI on behalf of the Covered Entity solely to provide the Service. This BAA is the written contract required by 45 CFR 164.504(e). The Covered Entity remains responsible for its own obligations under the HIPAA Privacy, Security, and Breach Notification Rules.
2. PHI Handling Under the Service
By default, RANKIGI hashes event payloads on receipt and does not persist a separate raw payload field. RANKIGI retains a canonical event record containing structured metadata (action type, tool invoked, timestamps, policy outcomes, agent identifiers), which is used to compute and verify the tamper-evident chain hash, together with a keyed payload fingerprint (HMAC-SHA-256 under a key derived per tenant). Because the fingerprint is keyed rather than a plain hash, a retained record cannot be used to confirm a guessed payload without the tenant key. The Covered Entity should not transmit raw PHI in event payloads unless encrypted evidence retention is enabled. Covered Entities requiring reconstructable PHI evidence may enable encrypted evidence retention on the applicable subscription tier; in that mode the canonical event record is encrypted with AES-256-GCM before persistence, under a per-organization key derived via HKDF from a master key held in RANKIGI’s key management system. RANKIGI staff cannot access plaintext canonical records in this mode without an explicit customer-authorized reveal operation, which is logged to an immutable audit trail. Customer-managed keys (BYOK), under which a compromise of RANKIGI’s systems alone would not expose the key needed to decrypt evidence, are targeted for Q3 2026; contact enterprise@rankigi.com. RANKIGI does not run language models or perform inference on Covered Entity PHI; the Service is a passive cryptographic audit layer.
3. Permitted Uses and Disclosures
RANKIGI may use and disclose PHI only as necessary to perform the Service for the Covered Entity, as permitted or required by this BAA, or as Required by Law. RANKIGI will not use or disclose PHI in any manner that would violate Subpart E of 45 CFR Part 164 if done by the Covered Entity. RANKIGI may use PHI for the proper management and administration of RANKIGI and to carry out its legal responsibilities, and may make such disclosures only where Required by Law or where RANKIGI obtains reasonable assurances of confidentiality and breach notification from the recipient. RANKIGI does not sell PHI and does not use PHI to train machine learning models.
4. Security Safeguards and Data Protection
RANKIGI implements administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic PHI, consistent with 45 CFR 164.308, 164.310, and 164.312. Technical safeguards include: AES-256-GCM encryption of canonical event records on encrypted tiers, under RANKIGI-managed keys that cannot be used to reveal plaintext without a logged, customer-authorized reveal operation (customer-managed key (BYOK) support, which would keep the decryption key outside RANKIGI’s systems, is targeted for Q3 2026; contact enterprise@rankigi.com); HMAC-SHA-256 keyed payload fingerprints derived per tenant; a SHA-256 hash chain providing tamper-evident integrity; TLS 1.3 for data in transit; row-level security enforced at the database layer; role-based access control; and an append-only event ledger with database-level immutability. Administrative safeguards include workforce confidentiality obligations, access provisioning controls, and incident response procedures. Physical safeguards are provided through RANKIGI’s hosting subcontractors.
5. Breach Notification
RANKIGI will notify the Covered Entity of a confirmed breach within 72 hours of discovery, with discovery determined as set out at 45 CFR 164.410(a)(2). The report will include, to the extent known, the nature of the incident, the PHI involved, and the remedial actions taken, sufficient to enable the Covered Entity to meet its obligations under 45 CFR 164.404 through 164.410.
6. Subcontractor Flowdown
In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), RANKIGI will ensure that any subcontractor that creates, receives, maintains, or transmits PHI on RANKIGI’s behalf agrees in writing to restrictions and conditions at least as protective as those that apply to RANKIGI under this BAA.
7. Right to Audit
RANKIGI will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Covered Entity, and to the Secretary of the U.S. Department of Health and Human Services, for purposes of determining compliance with the HIPAA Rules. The Covered Entity may audit RANKIGI’s compliance with this BAA annually on 30 days’ written notice, subject to reasonable confidentiality obligations.
8. Termination and Return or Destruction of PHI
Customer data is deleted within 90 days of subscription termination. Chain hash records, which contain no PHI, are retained for the period specified in the customer’s subscription tier (7 to 730 days) and cannot be deleted earlier, because removing them would break the integrity of the audit chain.
Upon termination of this BAA, RANKIGI will, where feasible, return or destroy all PHI received from, or created or received on behalf of, the Covered Entity, and retain no copies. Where return or destruction is not feasible, RANKIGI will extend the protections of this BAA to that PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible. Pre-image PHI is destroyed or crypto-shredded (nulling any retained payload, rotating the per-tenant HMAC key, and destroying the RANKIGI-held encryption keys that protect encrypted evidence), while the immutable hashes, timestamps, and minimal metadata remain on the chain as integrity tombstones that contain no PHI.
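Editor’s illustration of the mechanism Sections 2, 4 and 8 describe. This is an added example, not RANKIGI’s code, and nothing in it forms part of the agreement. It shows a per-tenant fingerprint key derived with HKDF, an HMAC-SHA-256 payload fingerprint stored in place of the payload, a SHA-256 chain over the canonical record, and a crypto-shred after which the fingerprints are tombstones while the chain still verifies. The field names, the all-zero genesis value, the random per-tenant salt in the key store and the two sample events are this example’s own assumptions; the AES-256-GCM evidence envelope is left out because Python’s standard library has no AES.

```python
import hashlib
import hmac
import json
import secrets

GENESIS = "0" * 64  # assumed anchor for an empty chain


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869): extract, then expand, both with HMAC-SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class KeyStore:
    """Master key plus a random, deletable salt per tenant (this example's
    assumption). A key derived from the master key and stable inputs alone could
    be re-derived after "destruction"; erasing the salt makes the shred real."""

    def __init__(self) -> None:
        self.master = secrets.token_bytes(32)
        self.salts: dict[str, bytes] = {}

    def fingerprint_key(self, tenant: str) -> bytes:
        salt = self.salts.setdefault(tenant, secrets.token_bytes(32))
        return hkdf_sha256(self.master, salt, b"payload-fingerprint/" + tenant.encode())

    def shred(self, tenant: str) -> None:
        """Erase the salt: the old key is gone; the next call derives a fresh one."""
        self.salts.pop(tenant, None)


def _digest(body: dict) -> str:
    """SHA-256 over a canonical JSON encoding (sorted keys, no whitespace)."""
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


def append_event(chain: list, meta: dict, payload: bytes, fp_key: bytes) -> dict:
    """Store structured metadata plus the keyed fingerprint, never the raw
    payload, and link the record to the previous chain hash."""
    record = dict(meta)
    record["payload_fingerprint"] = hmac.new(fp_key, payload, hashlib.sha256).hexdigest()
    record["prev_hash"] = chain[-1]["chain_hash"] if chain else GENESIS
    record["chain_hash"] = _digest(record)  # computed before the field is added
    chain.append(record)
    return record


def verify_chain(chain: list) -> bool:
    """Recompute every link; an edited field or a dropped record breaks it."""
    prev = GENESIS
    for rec in chain:
        body = {k: v for k, v in rec.items() if k != "chain_hash"}
        if rec["prev_hash"] != prev or _digest(body) != rec["chain_hash"]:
            return False
        prev = rec["chain_hash"]
    return True


def verify_payload(record: dict, payload: bytes, fp_key: bytes) -> bool:
    """Match a payload the customer still holds against its retained fingerprint."""
    expected = hmac.new(fp_key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["payload_fingerprint"])


def demo() -> dict:
    """Run the pipeline over two constructed events for a constructed tenant."""
    ks, tenant, chain = KeyStore(), "clinic-a", []
    events = [  # constructed sample input; the payload is where PHI could appear
        ({"action": "tool_call", "tool": "ehr.lookup", "ts": 1735689600,
          "agent": "agent-7", "policy": "allow"}, b"patient Jane Doe, MRN 0001"),
        ({"action": "tool_call", "tool": "fax.send", "ts": 1735689660,
          "agent": "agent-7", "policy": "deny"}, b"discharge summary for MRN 0001"),
    ]
    key = ks.fingerprint_key(tenant)
    for meta, payload in events:
        append_event(chain, meta, payload, key)
    out = {
        "chain_ok": verify_chain(chain),
        "payload_ok": verify_payload(chain[0], events[0][1], key),
        "raw_payload_absent": all(b"Jane Doe" not in json.dumps(r).encode() for r in chain),
        # keyed fingerprint: a guessed payload cannot be confirmed with the wrong key
        "wrong_key_rejected": not verify_payload(chain[0], events[0][1], b"\x00" * 32),
    }
    tampered = [dict(r) for r in chain]
    tampered[1]["policy"] = "allow"  # flip a retained policy outcome
    out["tamper_detected"] = not verify_chain(tampered)
    ks.shred(tenant)  # Section 8: fingerprints become tombstones, chain still verifies
    out["payload_after_shred"] = verify_payload(chain[0], events[0][1], ks.fingerprint_key(tenant))
    out["chain_after_shred"] = verify_chain(chain)
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two points the example makes concrete. First, the salt is what makes the shred irreversible: a per-tenant key that is a pure function of the master key and the tenant identifier can be re-derived for as long as the master key exists, so deleting the derived copy removes nothing. Second, the keyed fingerprint is what keeps a retained record from leaking: a plain SHA-256 of a short payload could be confirmed by hashing a guessed value, whereas the HMAC cannot be checked without the tenant key.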
9. HHS Access
RANKIGI will make PHI and its related practices, books, and records available to the Secretary of the U.S. Department of Health and Human Services as required for the Secretary to determine the Covered Entity’s and RANKIGI’s compliance with the HIPAA Rules.
10. Contact
Requests, notices, and signed BAAs should be directed to privacy@rankigi.com. RANKIGI Inc. is a Delaware C-Corp. This BAA is the written contract required by 45 CFR 164.504(e); RANKIGI is the Business Associate as defined at 45 CFR 160.103.
A. Schedule A: Sub-Processors
RANKIGI engages the following sub-processors in connection with the Service. Each sub-processor is bound by written terms at least as protective as those in this BAA with respect to any PHI they may receive, consistent with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2).
- Supabase - database and auth (US)
- Railway - compute (US)
- Stripe - billing (US)
- Resend - email (US)
- Upstash - rate limiting and queues (US)
- Sigstore Rekor - public transparency log (US)
- FreeTSA - RFC 3161 timestamp authority (AT)
B. Signatures
RANKIGI Inc.
By: _______________
Name: Wesley Snow
Title: Founder and Chief Executive
Date: _______________

Customer
By: _______________
Name: _______________
Title: _______________
Date: _______________
Reference: 45 CFR 160.103, 164.502(e), 164.504(e). HIPAA Privacy, Security, and Breach Notification Rules.