Business Associate Agreement

Effective: March 7, 2024

This Business Associate Agreement (“BAA”) is made by and between Salt Security, Inc., a Delaware corporation having its principal place of business at 3921 Fabian Way, Palo Alto, California 94303 (“Salt Security” and “Business Associate”) and Covered Entity (defined below) and governs how PHI (defined below) is to be handled between Covered Entity and Business Associate.

“Covered Entity” means an entity that accepts and agrees to the terms of this BAA as of the earlier date (“Effective Date”) where such a person for such entity either clicks a box indicating acceptance of this BAA or transmits PHI to Business Associate. Salt Security reserves the right to modify or update this BAA in its sole discretion; the effective date of such updates and/or modifications will be the earlier of: (i) 30 days from the date of such update or modification; or (ii) Covered Entity’s continued use of the Salt Security Platform and/or transmission of PHI to Salt Security.

IF YOU DO NOT ACCEPT THIS BAA, YOU MAY NOT ACCESS OR USE THE SALT SECURITY PLATFORM OR TRANSMIT PHI TO SALT SECURITY. THE SALT SECURITY PLATFORM IS INTENDED FOR COVERED ENTITY AND ITS AUTHORIZED USERS ONLY AND IS NOT FOR USE BY CHILDREN UNDER 13 YEARS OF AGE. IF AN INDIVIDUAL IS ENTERING INTO THIS BAA ON BEHALF OF A COVERED ENTITY, SUCH PERSON REPRESENTS AND WARRANTS THAT IT HAS THE LEGAL AUTHORITY TO BIND SUCH COVERED ENTITY TO THIS BAA AND THIS BAA APPLIES TO SUCH ENTITY WHICH IS DEEMED THE COVERED ENTITY.

WHEREAS, the parties have entered into a master services agreement (“Agreement”) under which the Business Associate may receive PHI (as defined below) in its performance of the Services described in the Agreement or below. Any terms used, but not defined in this BAA, have the meaning as set forth in the Agreement or under applicable law;

WHEREAS, Covered Entity is or may be subject to the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and the implementing regulations thereof (“HIPAA Regulations”). As used herein, “PHI” refers to Protected Health Information (as defined under HIPAA) maintained, transmitted, created or received by Business Associate for or from Covered Entity. Both parties are committed to complying with the privacy rules and regulations of HIPAA.

If Covered Entity and Business Associate have executed a written business associate agreement governing the disclosure and use of PHI by and between Covered Entity and Business Associate by means of the Services, then the terms of such signed agreement will govern and supersede this BAA.

NOW, THEREFORE, in consideration of the terms, conditions, covenants, agreements and obligations herein stated, the parties agree as follows:

  1. Salt Security Platform & Services. Pursuant to the Agreement, Business Associate provides the Salt Security Platform and other services (together, the “Services”) for the Covered Entity that involve the use and disclosure of PHI. Business Associate agrees to only use and disclose PHI as authorized by this Agreement.
  2. Privacy and Protected Health Information.
    1. Permitted Uses and Disclosures of PHI by Business Associate. Business Associate may use or disclose PHI received from Covered Entity: (i) to its officers, employees, subcontractors and agents: (a) for the purpose of providing Services to Covered Entity; (b) for proper management and administration to carry out its legal responsibilities; (c) as specified in this BAA and the Agreement; or (d) as permitted under applicable law; and (ii) as directed by Covered Entity. All other uses or disclosures not authorized by the Agreement or BAA are prohibited. To the extent Business Associate is to carry out an obligation of Covered Entity under the HIPAA Regulations, Business Associate shall comply with the requirements of the HIPAA Regulations that apply to Covered Entity in the performance of such obligation.
    2. Responsibilities of Business Associate. Regarding the use or disclosure of PHI, Business Associate agrees it will:
      1. Use or disclose to its subcontractors, agents or other third parties, only the minimum PHI necessary to perform or fulfill a specific function required for the Services or as permitted under this BAA or the Agreement;
      2. Only use or disclose PHI in a manner that would not violate the Regulations if done so by the Covered Entity. “Regulations” means Standards for Privacy & Security of Individually Identifiable Health Information promulgated by the Secretary of the Health and Human Services (also “Secretary”) pursuant to the Administrative Simplification subtitle of the Health Insurance Portability & Accountability Act of 1996;
      3. Use commercially reasonable efforts to maintain security of PHI, including without limitation, abiding by Covered Entity’s policies and procedures pertaining to security of PHI pursuant to Section 3(b)(iv) below;
      4. Establish and implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI Business Associate receives, maintains or transmits on behalf of Covered Entity and to mitigate, to the greatest extent possible under the circumstances, any deleterious effects from any improper use or disclosure of PHI that Business Associate reports to Covered Entity;
      5. Promptly report to Covered Entity’s designated officer in writing any security incident (i.e., any use or disclosure of Covered Entity’s PHI not permitted or authorized by this BAA) of which Business Associate becomes aware;
      6. Ensure that Business Associate’s subcontractors or agents agree: (a) to establish and implement reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of the electronic PHI that it receives, maintains, or transmits on behalf of Covered Entity; and (b) to restrictions and conditions no less protective than those that apply to Business Associate with respect to PHI;
      7. Make available all records, policies and procedures, relating to the use and disclosure of PHI for purposes of determining Business Associate’s compliance with this BAA and the Agreement, to: (a) the Secretary; and (b) Covered Entity during normal business hours at Business Associate’s offices, on no less than 15 business days advance written notice;
      8. Provide information to Covered Entity to permit Covered Entity to respond to a request by an individual for an accounting of disclosures within 15 days of receiving a written request from Covered Entity if Business Associate maintains a designated record set on behalf of Covered Entity; and
      9. At the request of, and in the time and manner designated by, Covered Entity if Business Associate maintains a designated record set on behalf of Covered Entity, Business Associate will: (a) provide access to the PHI maintained by Business Associate to Covered Entity or individual; or (b) make any amendment(s) to the PHI when directed by Covered Entity.
  3. Termination.
    1. Covered Entity’s Right to Terminate. Covered Entity is authorized to terminate this BAA and the Agreement immediately if Covered Entity determines that Business Associate has violated a material term of this Agreement that pertains to PHI and has failed to cure the breach or end the violation to the satisfaction of Covered Entity within 30 days.
    2. Effect of Termination. Termination of this BAA and the Agreement shall not affect any claims or rights that arise based on the acts or omissions of the parties prior to the effective date of termination.
    3. Automatic Termination. This Agreement will automatically terminate without any further action of the Parties upon the termination or expiration of the Agreement.
    4. Duties of Business Associate Upon Termination. Upon termination of this BAA and the Agreement, the PHI that Business Associate received from Covered Entity must be destroyed or returned to Covered Entity including all PHI in the possession of Business Associate’s subcontractors or agents; provided, however, if Covered Entity determines that returning or destroying PHI is not feasible, Business Associate must maintain the privacy protections under this Agreement and according to applicable law for as long as Business Associate retains the PHI, and Business Associate may only use or disclose the PHI for the specific uses or disclosures that make it necessary for Business Associate to retain the PHI. If, after consultation with Business Associate, Covered Entity determines that it is infeasible for Business Associate to obtain PHI in the subcontractor or agent’s possession, Business Associate must provide a written explanation to Covered Entity of such reasons and require the subcontractors and agents to agree to extend any and all protections, limitations and restrictions contained in this Agreement to the subcontractors or agents’ use or disclosure of any PHI retained after the termination of this Agreement, and to limit any further uses or disclosures for the purposes that make the return or destruction of the PHI infeasible.
  4. Damages. The limitations on liability set forth in the Agreement apply to this BAA.
  5. Miscellaneous. Section 15 (Miscellaneous) of the Agreement applies to this BAA. The parties recognize and agree that this BAA and their activities are governed by federal, state, and local laws, including the Social Security Act; regulations, rules, and policies of the U.S. Department of Health and Human Services; various state laws; among others, and including but not limited to HIPAA and the accompanying Regulations. The parties further recognize and agree that this BAA is subject to new legislation, as well as amendments to government regulations, rules, and policies, and agree to amend this BAA accordingly.