BUSINESS ASSOCIATE AGREEMENT
QuantaSeal Pty Ltd — Template v1.0 — May 2026
================================================================

IMPORTANT: This is a template document. The final executed BAA will be tailored to your organisation's specific requirements. Contact hipaa@quantaseal.io to initiate the BAA process.

================================================================

BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement ("Agreement" or "BAA") is entered into as of [EFFECTIVE DATE] ("Effective Date") by and between:

Covered Entity: [COVERED ENTITY LEGAL NAME]
Address: [ADDRESS]
("Covered Entity")

and

Business Associate: QuantaSeal Pty Ltd
ABN: [ABN]
Address: Adelaide, South Australia, Australia
("Business Associate" or "QuantaSeal")

================================================================

RECITALS

Covered Entity is a "covered entity" as defined under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (collectively, "HIPAA").

Business Associate provides post-quantum cryptography middleware, credential vault, and encrypted data proxy services to Covered Entity pursuant to a Master Services Agreement dated [MSA DATE] ("Services Agreement"), in the course of which Business Associate may create, receive, maintain, or transmit Protected Health Information ("PHI") on behalf of Covered Entity.

The parties therefore enter into this Agreement to comply with 45 CFR §164.504(e) and other applicable HIPAA requirements.

================================================================

ARTICLE 1 — DEFINITIONS

1.1 "Breach" has the meaning given in 45 CFR §164.402.

1.2 "Business Associate" has the meaning given in 45 CFR §160.103.

1.3 "Designated Record Set" has the meaning given in 45 CFR §164.501.

1.4 "Electronic Protected Health Information" or "ePHI" means PHI transmitted by or maintained in electronic media.
1.5 "HIPAA Rules" means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160 and 164.

1.6 "Protected Health Information" or "PHI" has the meaning given in 45 CFR §160.103, limited to PHI created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.

1.7 "Required by Law" has the meaning given in 45 CFR §164.103.

1.8 "Subcontractor" means a person or entity that creates, receives, maintains, or transmits PHI on behalf of Business Associate.

================================================================

ARTICLE 2 — OBLIGATIONS OF BUSINESS ASSOCIATE

2.1 Use and Disclosure Limitations. Business Associate agrees not to use or disclose PHI other than as permitted or required by this Agreement or as Required by Law.

2.2 Appropriate Safeguards. Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity, as required by the HIPAA Security Rule (45 CFR Part 164, Subpart C). QuantaSeal's specific safeguards include:

(a) ML-KEM-768 (NIST FIPS 203) post-quantum key encapsulation for all ePHI at rest and in transit;
(b) AES-256-GCM authenticated encryption for all ePHI payload storage;
(c) ML-DSA-65 (NIST FIPS 204) digital signatures on all audit log entries;
(d) Per-covered-entity AWS KMS Customer Master Keys (CMKs) with automatic 365-day rotation;
(e) SHA3-256 hash-chained immutable audit log stored in S3 WORM;
(f) Role-based access control (RBAC) with MFA and FIDO2 passkeys.

2.3 Reporting.
Business Associate agrees to report to Covered Entity:

(a) Any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, including Breaches of Unsecured PHI as required at 45 CFR §164.410, without unreasonable delay and in no case later than 60 calendar days after discovery;
(b) Any Security Incident of which it becomes aware, as defined in 45 CFR §164.304. QuantaSeal's automated incident response engine will generate a preliminary incident report within 1 hour of anomaly detection.

2.4 Subcontractors. Business Associate agrees to ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees to restrictions and conditions at least as stringent as those applicable to Business Associate under this Agreement.

2.5 Access to PHI. To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate agrees to make such PHI available to Covered Entity in accordance with 45 CFR §164.524.

2.6 Amendment of PHI. To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate agrees to make PHI available for amendment and to incorporate any amendments in accordance with 45 CFR §164.526.

2.7 Accounting of Disclosures. Business Associate agrees to make available the information required to provide an accounting of disclosures in accordance with 45 CFR §164.528.

2.8 Access to Books and Records. Business Associate agrees to make its internal practices, books, and records available to the Secretary of the U.S. Department of Health and Human Services for the purpose of determining Covered Entity's compliance with HIPAA.

2.9 Minimum Necessary. Business Associate agrees to request, use, and disclose only the minimum PHI necessary to accomplish the intended purpose.
================================================================

ARTICLE 3 — PERMITTED USES AND DISCLOSURES

3.1 Except as otherwise limited by this Agreement, Business Associate may use or disclose PHI to perform functions, activities, or services as specified in the Services Agreement, provided that such use or disclosure would not violate HIPAA if done by Covered Entity.

3.2 Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that disclosures are Required by Law or Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially.

3.3 Business Associate may use PHI to provide data aggregation services relating to the health care operations of Covered Entity.

================================================================

ARTICLE 4 — OBLIGATIONS OF COVERED ENTITY

4.1 Covered Entity agrees to notify Business Associate of any limitation in its Notice of Privacy Practices that affects Business Associate's use or disclosure of PHI.

4.2 Covered Entity agrees to notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI that affects Business Associate.

4.3 Covered Entity agrees to notify Business Associate of any restriction on the use or disclosure of PHI agreed to by Covered Entity.

4.4 Covered Entity shall not request Business Associate to use or disclose PHI in a manner that would not be permissible under HIPAA if done by Covered Entity.

================================================================

ARTICLE 5 — TERM AND TERMINATION

5.1 Term. This Agreement is effective as of the Effective Date and terminates when all PHI has been returned or destroyed, or upon termination of the Services Agreement, whichever is earlier.

5.2 Termination for Cause.
Covered Entity may terminate this Agreement if Business Associate breaches a material term, provided that Covered Entity provides written notice and a reasonable opportunity to cure. If cure is not possible, Covered Entity may terminate.

5.3 Obligations on Termination. Upon termination, Business Associate shall, at Covered Entity's election, either return or destroy all PHI. If return or destruction is infeasible, the protections of this Agreement extend until return or destruction is possible.

================================================================

ARTICLE 6 — MISCELLANEOUS

6.1 Regulatory References. A reference to a HIPAA provision means the provision as in effect at the time of the relevant conduct.

6.2 Amendment. The parties agree to amend this Agreement as necessary to comply with the requirements of HIPAA as amended or supplemented by guidance issued by HHS.

6.3 Interpretation. This Agreement shall be interpreted as broadly as necessary to comply with HIPAA. In the event of conflict, this Agreement supersedes the Services Agreement with respect to PHI.

6.4 Governing Law. This Agreement is governed by the laws of South Australia, Australia, except to the extent federal HIPAA requirements apply.

6.5 Entire Agreement. This Agreement, together with the Services Agreement, constitutes the entire agreement between the parties regarding the subject matter hereof.

================================================================

SIGNATURE PAGE

IN WITNESS WHEREOF, the parties have executed this Agreement as of the Effective Date.
COVERED ENTITY:

Signature: _______________________________
Name:      _______________________________
Title:     _______________________________
Date:      _______________________________

QUANTASEAL PTY LTD:

Signature: _______________________________
Name:      _______________________________
Title:     _______________________________
Date:      _______________________________

================================================================

For questions, contact hipaa@quantaseal.io
QuantaSeal Pty Ltd — quantaseal.io/legal/hipaa-baa
BAA Template v1.0 — Last revised May 2026
================================================================