Business Associate Agreement

Last Updated: January 14, 2026

This Presto Business Associate Agreement (the "BAA") is incorporated by reference into the Presto Terms of Use (the "TOU") entered into by and between IntellixAI, Inc. ("HOPPR") and the user who has agreed to the Presto Terms of Use ("Customer"). HOPPR and Customer are each a "Party" and collectively, the "Parties".

RECITALS

The Parties have entered into the Presto Terms of Use (the "TOU") under which HOPPR will perform certain services on Customer's behalf (the "Services"). The Parties anticipate that HOPPR may from time to time receive, create, maintain, or transmit Protected Health Information for or on behalf of Customer.

This BAA applies solely to the extent Customer is a "Covered Entity", and HOPPR is a "Business Associate", each as defined in HIPAA, in connection with the performance of the Services. In such event, the Parties are required to comply with the Health Insurance Portability and Accountability Act of 1996 and all regulations promulgated thereunder ("HIPAA") and the security provisions of the American Recovery and Reinvestment Act of 2009, also known as the Health Information Technology for Economic and Clinical Health Act and all regulations promulgated thereunder (the "HITECH Act").

In consideration of the Recitals above and the mutual covenants and conditions contained herein, HOPPR and Customer agree as follows:

1. Definitions

Capitalized terms shall have the meanings set forth below or elsewhere in this BAA or the Evaluation Agreement or, if not defined herein or therein, shall have the meanings set forth in HIPAA or the HITECH Act. The terms "use," "disclose", "discovery," and derivations thereof, although not capitalized, shall have the meanings set forth in HIPAA.

"Breach" has the meaning set forth in 45 C.F.R. 164.402.

"Covered Entity" and "Business Associate" mean Customer and HOPPR respectively solely to the extent that HIPAA defines them as such in connection with the performance of the Services.

"Protected Health Information" or "PHI" has the meaning set forth in 45 C.F.R. 160.103; provided however, that, for the purposes of this BAA, such definition is limited to PHI created, received, maintained, or transmitted by Business Associate for or on behalf of Customer in connection with the Services.

"Security Incident" has the meaning set forth in 45 C.F.R. 164.304.

"Unsecured PHI" means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary (e.g., encryption) in the guidance issued under Section 13402(h)(2) of Public Law 111-5.

2. Use and Disclosure of PHI

Business Associate: (a) may use or disclose PHI as necessary to perform or provide the Services; (b) shall not use PHI other than as permitted or required by this BAA, the TOU, or Applicable Laws (defined below); (c) shall not use or disclose PHI in a manner that would violate Applicable Laws if Covered Entity used or disclosed PHI in that manner. Covered Entity acknowledges and agrees that Business Associate may rely on Covered Entity's instructions to determine if the uses and disclosures set forth in this BAA or otherwise in instructions provided by Covered Entity to Business Associate meet the foregoing requirements.

Business Associate may use PHI to de-identify such PHI in accordance with 45 C.F.R. 164.502(d) and 164.514(a)-(c). For the avoidance of doubt, such de-identified information is not PHI and may be used by Business Associate as permitted by the Presto TOU including to develop, enhance and improve its services. For clarity, Customer acknowledges and agrees that all data uploaded by Customer to the Services or generated by the Services will be retained by Business Associate pursuant to the TOU.

Business Associate may use PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities.

Subject to the restrictions set forth in this BAA, Business Associate may disclose PHI for the proper management and administration of Business Associate; provided that, (a) such disclosures are required by Applicable Laws or (b) Business Associate obtains reasonable assurances from the person or entity to whom the information is disclosed that it will remain confidential and used or further disclosed only as required by Applicable Laws or for the purpose for which it was disclosed to the person or entity, and the person or entity notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

3. Business Associate Responsibilities

3.1 Safeguards

Business Associate shall employ appropriate administrative, technical, and physical safeguards to protect the confidentiality of PHI and to prevent Business Associate's use or disclosure of PHI other than in accordance with this BAA. Business Associate shall comply, where applicable, with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI, to prevent the use or disclosure of PHI other than as provided for by this BAA.

3.2 Security Incident and Breach Reporting

Business Associate shall report to Covered Entity any use or disclosure of PHI in violation of this BAA, including Breaches of Unsecured PHI as required by 45 C.F.R. 164.410 and any Security Incident of which it becomes aware. The Parties acknowledge and agree that this Section constitutes Business Associate's notice to Covered Entity of the ongoing existence and occurrence of attempted but unsuccessful Security Incidents for which no additional notice to Covered Entity shall be required, including pings and other broadcast attacks on a firewall, denial of service attacks, port scans, and unsuccessful login attempts. For all reporting obligations under this BAA, the Parties acknowledge that, due to the nature of the Services, Business Associate may not know the nature of PHI or the identities of the Individuals to whom such PHI relates. Consequently, Business Associate may have limited ability to provide information regarding the identities of Individuals who may have been affected by a Security Incident or Breach or to provide detailed information regarding what PHI was affected by a Security Incident or Breach.

3.3 Subcontractors

Business Associate shall enter into a written agreement with each subcontractor that has or shall create, receive, maintain, or transmit PHI in which such subcontractor agrees to be bound by the same types of restrictions, terms, and conditions that apply to Business Associate pursuant to this BAA with respect to such PHI.

3.4 Accounting Disclosures

Business Associate shall maintain and make available promptly after receipt of a written request by Covered Entity the information required for Covered Entity to respond to an Individual's request for an accounting of disclosures pursuant 45 C.F.R. § 164.528. If an Individual requests an accounting of disclosures directly from Business Associate, Business Associate shall direct the Individual to make the request directly to Covered Entity. Covered Entity shall be solely responsible for preparing and delivering any accountings to Individuals.

3.5 HHS Cooperation

Business Associate shall make available to the Secretary Business Associate's internal practices, books, and records relating to the use and disclosure of PHI for purposes of determining Covered Entity's compliance with HIPAA, subject to attorney-client and other applicable legal privileges.

3.6 Requests by Individuals Regarding Their PHI

Access Requests

To the extent Business Associate maintains PHI in a Designated Record Set, promptly after receipt of Covered Entity's written request, Business Associate shall make available to Covered Entity the applicable PHI in a Designated Record Set as necessary for Covered Entity to respond to a request by an Individual for access to PHI pursuant to 45 CFR 164.524.

If an Individual makes such a request directly to Business Associate, Business Associate shall direct the Individual to make the request directly to Covered Entity.

Covered Entity shall be solely responsible for determining whether to grant or deny an Individual's request for PHI. Covered Entity shall be solely responsible for its determination to deny such access, including resolution or reporting of all appeals or complaints arising from denials.

Amendment Requests

To the extent Business Associate maintains PHI in a Designated Record Set, promptly after receipt of Covered Entity's written request, Business Associate shall amend, or make available to Covered Entity to amend, such PHI as necessary for Covered Entity to respond to a request by an Individual to amend to PHI pursuant to 45 CFR 164.526.

If an Individual makes such a request directly to Business Associate, Business Associate shall direct the Individual to make the request directly to Covered Entity.

Covered Entity shall be solely responsible for determining whether to grant or deny an Individual's request to amend PHI. Covered Entity shall be solely responsible for its determination to deny such request, including resolution or reporting of all appeals or complaints arising from denials.

4. Covered Entity's Responsibilities

Covered Entity, including any individual entering into this BAA acting on their own or on behalf of any Covered Entity, represents, warrants, and covenants that:

1. it complies and shall comply with all applicable laws and regulations pertaining to PHI, including without limitation, under HIPAA and HITECH ("Applicable Laws");
2. it shall not request Business Associate to use or disclose PHI in any manner that would violate Applicable Laws, including those applicable if Covered Entity made such use or disclosure;
3. it has all rights, permissions, and consents required under Applicable Laws and any agreements between Covered Entity and any third party for it to provide PHI to Business Associate and to authorize Business Associate to create, receive, maintain, transmit, use and disclose PHI in accordance with this BAA and the TOU, including those required from Covered Entity's affiliates, patients, employers, and employees;
4. it shall notify Business Associate of any limitation in any applicable notice of privacy practices in accordance with 45 CFR Section 164.520, to the extent that such limitation may affect Business Associate's use or disclosure of PHI;
5. it shall notify Business Associate, prior to the effective date of change or revocation, of any changes in, or revocation of, an Individual's permission to use or disclose PHI, to the extent that such changes may affect Business Associate's use or disclosure of PHI;
6. it shall notify Business Associate, prior to the effective date of restriction, of any restriction on the use or disclosure of PHI to which Covered Entity has agreed or is required to abide by in accordance with 45 CFR 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI.

Customer shall be solely responsible for its obligations to retain PHI under Applicable Laws.

5. Term and Termination

5.1 Term

The term of this BAA shall commence on the date that Customer accepts the TOU and shall terminate: (a) upon the expiration or termination of the TOU; (b) in accordance with Section 5.2; or (c) upon the date that all PHI has been destroyed or returned to Covered Entity or, if return or destruction is not feasible, Section 5.3(c) comes into effect.

5.2 Termination

A Party may terminate this BAA if the other Party has breached a material term of this BAA and such breach is not cured within thirty (30) days after the other Party's receipt of written notice of the alleged breach.

5.3 Effect of Termination

Upon the termination of this BAA for any reason, Business Associate shall:

a. retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;
a. return or destroy all other PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity that Business Associate or any of its subcontractors and agents still maintain in any form, and retain no copies of such information; and
a. if Business Associate determines that returning or destroying PHI is infeasible or Business Associate retains PHI pursuant to clause (a) above, Business Associate shall, for so long as Business Associate maintains such PHI, extend the protections of this BAA to such PHI and limit further uses and disclosures of such PHI to those purposes described in clause (a) or that make the return or destruction infeasible and this Section 5.3(c) shall survive.

6. Miscellaneous

6.1 Interpretation

References in this BAA to Applicable Laws mean such Applicable Laws as in effect or as amended. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits the Parties to comply with HIPAA and the HITECH Act.

6.2 Amendment

If any of the regulations promulgated under HIPAA or the HITECH Act are amended or interpreted in a manner that requires amendment of this BAA to comply with them, the Parties shall cooperate in good faith to amend this BAA to the extent necessary to comply with such amendments or interpretations.

6.3 Waivers

A waiver by either Party of a breach or failure to perform hereunder shall not constitute a waiver of any subsequent breach or failure.