Business Associate Agreement (BAA) and FERPA Addendum
Effective Date: December 1, 2025
Read this Business Associate Agreement and the optional FERPA Addendum carefully. By clicking the separate “Agree” button during account creation (which programmatically records an acceptance flag), you confirm that you have authority to bind the Covered Entity, accept the Platform Terms of Use together with this BAA as the full agreement governing WriteLitely AI’s handling of Protected Health Information (PHI) and, if applicable, FERPA‑Protected Records, and acknowledge that acceptance will be logged with timestamp, account identifier, and IP address for audit purposes.
Parties and Contacts
- Business Associate: WriteLitely AI, a Delaware corporation, 1110 McClellan Street, Philadelphia, PA 19148; security and legal contact: contact@writelitely.ai.
- Covered Entity: Covered Entity (this label is fixed and applies to all signatories).
- Notice Method: Email is acceptable for incident notification and routine communications unless otherwise agreed.
Recitals
Covered Entity is a HIPAA‑covered entity or business associate under HIPAA and HITECH. Business Associate provides AI‑enabled documentation services and will create, receive, maintain, transmit, and otherwise process PHI on Covered Entity’s behalf. The Parties intend to comply with HIPAA, the HITECH Act, applicable state privacy laws, and, where applicable, FERPA and implementing regulations.
1 Definitions
Capitalized terms not defined herein have the meanings given in 45 CFR Parts 160 and 164. “PHI” means Protected Health Information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity. “Unsecured PHI” has the meaning in HHS guidance. “FERPA‑Protected Records” means education records as defined under 20 U.S.C. § 1232g and 34 CFR Part 99.
2 Permitted Uses and Disclosures of PHI
- Business Associate may use and disclose PHI only as necessary to perform services described in the Platform Terms of Use and this BAA, to perform management and administrative activities related to those services, to comply with law, or as otherwise permitted in writing by Covered Entity.
- All uses, disclosures, and requests of PHI will be limited to the minimum necessary to accomplish the purpose.
- Business Associate may de‑identify PHI in accordance with 45 CFR § 164.514 and use or disclose de‑identified information without restriction.
3 Prohibited Uses and Disclosures
- Business Associate will not use or disclose PHI in a manner that would violate HIPAA if done by Covered Entity, except as expressly permitted by this BAA.
- Business Associate will not sell PHI or use PHI for marketing.
- Business Associate will not use PHI for research, product development, or any purpose unrelated to the services without Covered Entity’s prior written authorization.
4 Safeguards and Security Requirements
- Business Associate will implement and maintain administrative, physical, and technical safeguards meeting or exceeding HIPAA, HITECH, and industry best practices, including designation of a security officer; documented information security program aligned to NIST or equivalent; least‑privilege and role‑based access controls; multi‑factor authentication for privileged accounts; encryption of PHI at rest and in transit; audit logging; integrity controls; tamper detection; vulnerability management; patching; secure configuration; secure key management; secure backup and recovery procedures; secure disposal and media handling; and workforce training on PHI handling and incident reporting.
- Business Associate will maintain written policies and procedures implementing the foregoing safeguards and will provide summaries or evidence of such controls to Covered Entity upon reasonable request, subject to protection of Business Associate’s proprietary information.
5 Subcontractors and Agents
- Business Associate will ensure that any subcontractor or agent that creates, receives, maintains, or transmits PHI on behalf of Business Associate executes a written agreement that imposes obligations at least as protective as those in this BAA, including breach notification, security controls, and rights of audit. Business Associate currently uses a core LLM provider that is covered by an existing BAA; Business Associate will maintain that BAA and require equivalent written HIPAA/HITECH protections from any replacement or additional core model provider.
- Business Associate will monitor subcontractor compliance, promptly remediate any identified noncompliance, and, for any subcontractor that will handle PHI, will:
- notify Covered Entity in writing within 5 business days of engaging the subcontractor unless the subcontractor is a pre‑approved, core vendor (in which case Business Associate will notify Covered Entity within 10 business days of any material change to that subcontractor’s role or controls);
- provide the subcontractor’s name, role, and scope of PHI access upon request; and
- furnish, upon Covered Entity’s reasonable request, a copy of the subcontractor agreement or a certificate of compliance demonstrating the subcontractor’s obligations under HIPAA/HITECH and this BAA.
- Business Associate will promptly address any subcontractor breach or noncompliance and will require immediate corrective action, suspension of access, or termination of the subcontractor relationship where necessary to protect PHI.
6 Breach Notification, Incident Response, and Forensics
- Business Associate will report to Covered Entity any successful security incident or suspected or confirmed breach of Unsecured PHI without unreasonable delay and in no event later than 72 hours after discovery of the breach, unless a different period is required by law. Notice will include a description of the incident, types of PHI involved, estimated number of affected individuals, actions taken to investigate and mitigate the incident, and contact information for follow‑up.
- Business Associate will promptly investigate incidents, preserve evidence, implement containment and remediation measures, and provide Covered Entity with a written incident report and root‑cause analysis within 15 business days of initial notice, or sooner if reasonably requested.
- Business Associate will cooperate with Covered Entity and regulatory authorities in breach investigations and notification processes and will provide reasonable assistance for Covered Entity’s breach notifications to individuals and regulators.
- Business Associate will be responsible for reasonable costs directly resulting from Business Associate’s material breach or negligent failure to safeguard PHI, including notification and remediation costs, to the extent caused by Business Associate’s acts or omissions.
7 Individual Rights Assistance
- Business Associate will make PHI available to Covered Entity as necessary for Covered Entity to satisfy its obligations under 45 CFR § 164.524 (access) and § 164.526 (amendment). Business Associate will comply with Covered Entity’s reasonable requests for access, amendment, or accounting of disclosures within 10 business days unless a different timeframe is required by law.
- Business Associate will forward to Covered Entity any request it receives directly from an individual regarding PHI within 5 business days.
8 Audit, Records, and Security Assessments
- Business Associate will permit Covered Entity, its authorized agents, and regulatory agencies, upon reasonable notice and subject to confidentiality protections, to inspect and copy records, books, and documentation related to compliance with this BAA and applicable law.
- Business Associate will perform annual security risk assessments, periodic penetration testing, and vulnerability scans and will provide summaries and remediation plans to Covered Entity upon request.
9 Return, Transfer, and Destruction of PHI
- Upon termination, expiration, or written request by Covered Entity, Business Associate will, at Covered Entity’s option, securely destroy all PHI created, received, maintained, or transmitted on behalf of Covered Entity and will certify in writing that return or destruction has been completed, except as provided below.
- If return or destruction is infeasible, Business Associate will notify Covered Entity in writing, retain only the PHI required to comply with legal obligations, continue to protect the retained PHI in accordance with this BAA, and limit further uses and disclosures to those purposes that make retention necessary.
10 Term; Termination; Cure Rights
- This BAA is effective as of the Effective Date and remains in effect until termination of the Platform Terms of Use and all PHI has been destroyed.
- If either Party materially breaches this BAA, the non‑breaching Party may provide written notice and a 30‑day cure period. If the breach is not cured within the cure period, the non‑breaching Party may terminate the underlying Platform Terms of Use and pursue remedies available under law.
- Either Party may immediately terminate if the other Party is subject to criminal proceedings for HIPAA violations or engages in conduct that poses a substantial risk to PHI security.
- Sections 4, 6, 8, 9, 11, and this Section 10 survive termination.
11 Liability, Insurance, and Indemnity
- Business Associate will indemnify, defend, and hold harmless Covered Entity from third‑party claims, liabilities, losses, and expenses arising from Business Associate’s breach of this BAA, negligent acts or omissions, or willful misconduct related to PHI handling.
- Business Associate will maintain cyber liability insurance, privacy liability insurance, and professional liability insurance sufficient to cover liabilities arising from breaches, regulatory fines, and claims involving PHI and will provide evidence of coverage to Covered Entity upon request.
- Except for liability arising from a Party’s gross negligence, willful misconduct, or breach of its obligations under Sections 4 (Safeguards and Security Requirements), 6 (Breach Notification, Incident Response, and Forensics), or 11 (Liability, Insurance, and Indemnity), each Party’s aggregate liability under this BAA will not exceed the total fees paid by Covered Entity to Business Associate under the Platform Terms of Use in the twelve (12) months preceding the event giving rise to the claim. In no event will either Party be liable for any indirect, incidental, consequential, special, exemplary, or punitive damages, including lost profits or business interruption, even if advised of the possibility of such damages.
- Nothing in this BAA limits either Party’s right to seek equitable relief available under law.
12 Miscellaneous Provisions
- This BAA is governed by federal HIPAA law and the substantive laws of the State of Delaware, excluding conflict‑of‑law provisions.
- The Parties will amend this BAA as necessary to comply with changes in applicable law, including HIPAA and HITECH; amendments will be in writing and accepted electronically by both Parties.
- This BAA, together with the Platform Terms of Use, constitutes the complete agreement between the Parties relating to PHI and supersedes prior and contemporaneous agreements.
- No third‑party beneficiaries are created by this BAA. If any provision is held invalid, the remainder of the BAA remains in effect.
13 Contact for Notices and Security Incidents (Constants)
- Covered Entity security contact: the email address and phone number used to create your account.
- Business Associate security contact: contact@writelitely.ai
- Notices may be delivered by email, certified mail, or other agreed methods; electronic notice is permitted for incidents.
14 Force Majeure
- Neither Party will be liable for any delay or failure to perform its obligations under this BAA due to causes beyond its reasonable control, including acts of God, natural disasters, war, terrorism, civil unrest, labor disputes, governmental actions, internet or utility outages, or failures of third-party service providers, provided that the affected Party promptly notifies the other Party and uses reasonable efforts to mitigate the impact of such events.
15 Audit and Electronic Execution
- By clicking the separate “Agree” button (which programmatically records a checked acceptance flag), the Covered Entity binds itself to this BAA. Acceptance is recorded with timestamp, account identifier, and IP address and constitutes a legally enforceable electronic signature for this BAA.
FERPA Addendum (If Applicable)
Acceptance of this Addendum is applicable only if Covered Entity represents that FERPA‑Protected Records will be provided to or processed by Business Associate. By clicking the separate “Agree” button (the same button as the BAA agree button), Covered Entity incorporates this Addendum into the BAA and accepts these additional obligations.
A Applicability and Roles
- This Addendum applies only if Covered Entity provides FERPA‑Protected Records to Business Associate. Covered Entity is responsible for determining and documenting whether any records constitute FERPA‑Protected Records and for obtaining any required parental or eligible‑student consents prior to disclosure to Business Associate, unless another statutory exception applies. Business Associate will act as an agent or contractor of the educational institution for FERPA purposes.
B Permitted Uses and Restrictions
- Business Associate will use and disclose FERPA‑Protected Records solely to perform the services described in the Platform Terms of Use and as otherwise permitted by Covered Entity in writing. Business Associate will not use FERPA‑Protected Records for commercial purposes, marketing, research outside the scope of the agreement, or sale. Business Associate will not combine FERPA‑Protected Records with other datasets for secondary purposes without Covered Entity’s prior written authorization.
C Safeguards
- Business Associate will apply administrative, physical, and technical safeguards to FERPA‑Protected Records consistent with the protections in this BAA and will adhere to any additional FERPA‑specific obligations required by Covered Entity or applicable state law, including strict access controls, encryption, logging, retention limits, and secure destruction.
D Parental and Eligible Student Rights
- Business Associate will assist Covered Entity in responding to requests from parents or eligible students to access, amend, or receive an accounting of disclosures of FERPA‑Protected Records, within the timeframes required by law and as otherwise set forth in the BAA. Business Associate will forward any direct requests from parents or eligible students to Covered Entity within 5 business days.
E Subcontractors
- Business Associate will impose FERPA‑equivalent obligations on subcontractors or vendors with access to FERPA‑Protected Records and will provide Covered Entity with the identity and scope of access for such subcontractors upon request.
F Notice and Breach Response
- Business Associate’s obligations under this Section F are limited to incidents caused by its material breach of this Addendum or its gross negligence or willful misconduct. In such cases, Business Associate will cooperate with Covered Entity in investigations and notifications and will reimburse Covered Entity’s reasonable, documented costs directly resulting from such incidents. Business Associate’s liability under this Addendum will be subject to the same limitations and exclusions set forth in Section 11 of the BAA.
G Return and Destruction
- Upon termination, expiration, or written request, Business Associate will return or securely destroy FERPA‑Protected Records and certify completion, except where infeasible under law; if retention is required, Business Associate will notify Covered Entity and continue to protect the records and limit further use.
H Conflicting Laws
- To the extent any state or local law applicable to FERPA‑Protected Records imposes greater protections, Business Associate will comply with the more protective requirements.
Acknowledgment and Sign‑Up Acceptance
- The platform’s sign‑up UI contains a separate “Agree” button which, when clicked, programmatically records acceptance and sets an internal consent flag equivalent to a checked checkbox. Clicking that button constitutes the Covered Entity’s electronic acceptance and binding signature for this BAA and the FERPA Addendum where applicable. Acceptance is logged with timestamp, account identifier, and IP address for audit purposes.
Execution Note
- This BAA (and the FERPA Addendum if applicable) may be executed electronically. For institutional onboarding that requires a separate signed signature page or additional execution formats, contact: contact@writelitely.ai.