Business Associate Agreement

Recitals

This AI Processing Addendum ("Addendum") supplements and is incorporated into the Business Associate Agreement ("BAA") between Glass Box Solutions, Inc. ("Business Associate") and the undersigned law firm or legal entity ("Covered Entity" or "Customer") (collectively, the "Parties").

WHEREAS, the BAA governs Business Associate's use and disclosure of Protected Health Information ("PHI") on behalf of Customer;

WHEREAS, Business Associate provides legal AI services through the Adjudica.AI platform that involve AI processing of PHI;

WHEREAS, the Parties wish to address AI-specific considerations for the handling of PHI;

NOW, THEREFORE, the Parties agree as follows:

---

1. Definitions

"AI Processing" means the use of artificial intelligence, machine learning, large language models, or similar technologies to analyze, summarize, extract information from, or generate content based on PHI.

"AI Provider" means a third-party provider of artificial intelligence services used by Business Associate. As of the Effective Date, the sole AI Provider is Google.

"AI Output" means any text, analysis, summary, calculation, or other content generated through AI Processing.

"Model Training" means the use of data to train, fine-tune, improve, or develop artificial intelligence or machine learning models.

"Prompt" means any query, instruction, or input provided to an AI system, which may include PHI.

---

2. Permitted AI Processing

2.1 Authorized Uses

Business Associate may engage in AI Processing of PHI solely for the following purposes:

• Document analysis and information extraction
• Case summarization and legal research
• Permanent disability rating calculations
• Generation of source-attributed legal analysis
• Other services expressly authorized by Customer

2.2 Minimum Necessary Standard

Business Associate shall implement reasonable measures to ensure that AI Processing involves only the minimum necessary PHI to accomplish the intended purpose.

2.3 De-identification

Where feasible without materially diminishing the utility of the Services, Business Associate shall implement measures to de-identify PHI prior to AI Processing.

---

3. Prohibition on Model Training

3.1 No Training Without Consent

Business Associate shall not use PHI for Model Training without the prior written authorization of Customer and affected individuals.

3.2 AI Provider Restrictions

Business Associate shall ensure, through written agreements with AI Providers, that:

• PHI contained in Prompts is not used for Model Training
• PHI contained in AI Output is not used for Model Training
• AI Providers do not retain PHI beyond what is necessary to process the request

3.3 Certification

Upon Customer's request, Business Associate shall provide written certification of its compliance with this Section 3.

---

4. AI Provider Subcontractors

4.1 Authorized AI Providers

The following AI Providers are authorized subcontractors under this Addendum:

Provider	Service	Primary Use
Google Cloud	Gemini, Vertex AI, Document AI	Document analysis, legal reasoning, OCR
Pinecone	Vector Database	Information retrieval

4.2 Subcontractor Agreements

Business Associate has entered into, or shall enter into, written agreements with each AI Provider that impose obligations consistent with this Addendum, including:

• Prohibition on Model Training using Customer data
• Appropriate security safeguards
• Restrictions on further disclosure
• Breach notification requirements

4.3 New AI Providers

Business Associate shall notify Customer at least thirty (30) days before engaging any new AI Provider to process PHI. Customer may object to a new AI Provider by providing written notice within fifteen (15) days of receiving notification.

---

5. Data Handling for AI Processing

5.1 Prompts and Queries

PHI contained in Prompts shall be:

• Encrypted in transit using TLS 1.3 or equivalent
• Transmitted only to authorized AI Providers
• Not retained by AI Providers beyond request processing (where technically feasible)
• Subject to audit logging

5.2 AI Output

AI Output that contains or is derived from PHI shall be:

• Treated as PHI and protected accordingly
• Subject to the use and disclosure restrictions of the BAA
• Available for access, amendment, and accounting requests
• Retained in accordance with the BAA retention requirements

5.3 Vector Embeddings

To the extent vector embeddings are created from PHI:

• Such embeddings shall be treated as PHI if they are capable of being linked to an individual
• Embeddings shall be stored with appropriate encryption
• Access to embeddings shall be logged

---

6. Security Safeguards for AI Processing

6.1 Technical Safeguards

Business Associate shall implement the following technical safeguards for AI Processing:

• Encryption of PHI in transit to AI Providers (TLS 1.3)
• Access controls limiting who may submit PHI for AI Processing
• Audit logging of all AI Processing requests involving PHI
• Secure deletion of temporary files created during AI Processing

6.2 Administrative Safeguards

Business Associate shall:

• Maintain policies and procedures governing AI Processing of PHI
• Train workforce members on appropriate AI Processing practices
• Conduct periodic assessments of AI Provider compliance

---

7. Accuracy and Limitations

7.1 No Guarantee of Accuracy

Business Associate does not guarantee the accuracy of AI Output. AI Processing may produce errors, omissions, or inaccuracies.

7.2 Verification Responsibility

Customer acknowledges and agrees that:

• AI Output must be verified before reliance
• Customer is responsible for reviewing AI Output
• AI Output does not constitute legal advice
• Business Associate is not liable for decisions made based on unverified AI Output

7.3 AI Transparency Disclosure

Customer acknowledges receipt of Business Associate's AI Transparency Disclosure, which describes AI capabilities, limitations, and verification responsibilities.

---

8. Breach Notification

8.1 AI-Related Breaches

In addition to the breach notification requirements of the BAA, Business Associate shall notify Customer if:

• An AI Provider experiences a breach affecting Customer's PHI
• PHI is used for Model Training in violation of this Addendum
• Unauthorized access to AI Processing systems occurs

8.2 Timeline

Notification of AI-related security incidents shall be provided within ten (10) calendar days of discovery.

---

9. Audit Rights

9.1 AI Processing Audit

Customer may, upon reasonable notice, request:

• Documentation of AI Provider agreements
• Logs of AI Processing involving Customer's PHI
• Evidence of compliance with Model Training prohibitions
• AI Provider security certifications

9.2 Cooperation

Business Associate shall reasonably cooperate with Customer's audits related to AI Processing.

---

10. Term and Termination

10.1 Term

This Addendum is effective as of the Effective Date and continues for the term of the BAA.

10.2 Effect of Termination

Upon termination:

• AI Processing of Customer's PHI shall cease
• PHI in AI Provider systems shall be deleted (to the extent technically feasible)
• Audit logs shall be retained as required by the BAA

---

11. Miscellaneous

11.1 Conflict

In the event of a conflict between this Addendum and the BAA, this Addendum shall control with respect to AI Processing.

11.2 Amendments

This Addendum may be amended only by written agreement signed by both Parties.

11.3 Entire Agreement

This Addendum, together with the BAA, constitutes the entire agreement between the Parties regarding AI Processing of PHI.

---

Signatures

GLASS BOX SOLUTIONS, INC.

Signature: _______________________________

Name: _______________________________

Title: _______________________________

Date: _______________________________

---

CUSTOMER

Entity Name: _______________________________

Signature: _______________________________

Name: _______________________________

Title: _______________________________

Date: _______________________________

---

This AI Processing Addendum is effective as of the date last signed by both Parties.