Business Associate Agreement

Template · Last updated: April 24, 2026

Dental practices, medical spas, and other HIPAA-covered customers must execute this BAA before production use of any TechStack product with real patient data. Request a countersigned copy at hello@techstackllc.info. This page is the public template.

This Business Associate Agreement ("BAA") supplements and forms part of the Terms of Service between TechStack LLC ("Business Associate") and the customer organization ("Covered Entity"). Capitalized terms used without definition have the meanings assigned in HIPAA.

1. Purpose

Covered Entity may disclose Protected Health Information ("PHI") to Business Associate for the services described in the Terms of Service. This BAA ensures Business Associate's compliance with HIPAA as amended by HITECH.

2. Permitted uses

Business Associate may use PHI:

  • To perform services for Covered Entity as described in the Terms of Service.
  • For Business Associate's proper management and administration.
  • To carry out its legal responsibilities.

Business Associate will not use PHI for marketing to Covered Entity's patients, sale of PHI, or any purpose not expressly permitted.

3. Safeguards

Business Associate will implement administrative, physical, and technical safeguards that reasonably protect PHI confidentiality, integrity, and availability, including:

  • AES-256 encryption at rest; TLS 1.3 in transit.
  • Role-based access controls; MFA for privileged accounts.
  • Audit logging of access to PHI.
  • Regular security assessments.
  • Employee training on PHI handling.

4. Subcontractors

Business Associate will enter written BAAs with all subcontractors that may access PHI (Supabase, Hostinger, Stripe, etc., as disclosed in the Privacy Policy). Business Associate remains responsible for subcontractor compliance.

5. Breach notification

Business Associate will notify Covered Entity of any Breach of Unsecured PHI within 72 hours of discovery. Notice will include: nature of the Breach, individuals affected, types of PHI involved, and remediation actions taken.

6. Individual rights

Business Associate will assist Covered Entity in responding to individual requests for access, amendment, accounting, and restriction of PHI within the timeframes required by HIPAA.

7. Return or destruction

Upon termination, Business Associate will return or destroy all PHI in its possession within 90 days, and will continue to protect any PHI that cannot reasonably be returned or destroyed.

8. Term and termination

This BAA is effective on the date of execution and remains in effect until terminated. Covered Entity may terminate immediately upon material breach if Business Associate does not cure within 30 days of notice.

9. Amendment

The parties will amend this BAA as necessary to comply with changes to HIPAA or related law.

10. Execution

This BAA becomes binding on execution by both parties. To request execution, email hello@techstackllc.info with your legal entity name, billing address, and a HIPAA privacy officer contact.

Legal review note: This BAA template follows HIPAA's standard structure but must be reviewed by healthcare counsel before use. Add any state-level attachments (e.g. California patient-data provisions) as needed. Sign separately per customer; do not use as a click-through.