4 changes: 4 additions & 0 deletions src/redirects.json
Expand Up @@ -655,6 +655,10 @@
"link": "/policy/privacy",
"redirect": "/privacy"
},
{
"link": "/policy/baa",
"redirect": "/baa"
},

{
"link": "/case-studies",
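Review bot: the new `/policy/baa` entry targets `/baa`, a route that exists only because this same change adds `src/routes/baa/+page.markdoc`, so the redirect and the page must land together or the alias resolves to a missing route. The entry follows the `/policy/privacy` to `/privacy` pattern directly above it, which is consistent. Since the BAA text names the Appwrite Console and checkout as places where the agreement is accepted, those surfaces should link to the canonical `/baa` rather than to this alias.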
129 changes: 129 additions & 0 deletions src/routes/baa/+page.markdoc
@@ -0,0 +1,129 @@
---
layout: policy
title: Business Associate Agreement
description: HIPAA Business Associate Agreement for Appwrite Pro or Enterprise customers with HIPAA support. Supplemental to the Terms of Service and applicable order or subscription.
---

**Last updated: April 16, 2026**

This Business Associate Agreement ("**BAA**") applies to Pro or Enterprise customers that have added HIPAA support to their subscription, as described in Appwrite documentation, and that use Appwrite services in a manner involving Protected Health Information ("**PHI**") as defined in 45 CFR 160.103.

This BAA is entered into by and between the customer entity that has entered into or accepted the [Terms and Conditions](/terms), any order form, checkout, or other agreement governing use of Appwrite services (collectively, the "**Agreement**") ("**Customer**," "**Covered Entity**"), and Appwrite Code Inc. ("**Company**," "**Business Associate**"). Customer and Company are each a "**Party**" and together the "**Parties**."

P1 Legal entity name mismatch

The BAA identifies the company as Appwrite Code Inc., but all other legal documents on this site (privacy/+page.markdoc, cookies/+page.markdoc) consistently use Appwrite Code Ltd. This inconsistency could undermine the enforceability of the agreement or create confusion about which legal entity is the contracting party. Please verify and align the entity name.


This BAA is **supplemental to** the Agreement and forms an integral part of it. It sets forth the terms and conditions pursuant to which PHI will be handled by Company (if any PHI is shared with Business Associate) and certain third parties, as applicable, during this BAA and the Agreement and upon termination, cancellation, expiration, or other conclusion.

**Effective date.** This BAA is effective as of the effective date of the Agreement, or - if later - the date Customer first meets the eligibility criteria above (the "**Effective Date**"). By maintaining Pro or Enterprise with HIPAA support and using the Services in a way that involves PHI, or by otherwise accepting this BAA where presented in the Appwrite Console or checkout, Customer agrees to this BAA.

**If Customer does not accept this BAA or is not eligible, Customer must not submit PHI to the Services.**

Whereas, Customer may be subject to the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act ("**HITECH**"), and as may be further modified or superseded from time to time (collectively, "**HIPAA Rules**"), and among other obligations under HIPAA may be required to enter into agreements with respect to the use, disclosure, and safeguarding of PHI.

Whereas, the Parties desire to enter into this BAA in order to set forth the terms and conditions pursuant to which PHI will be handled by Company during the term of this BAA and the Agreement and upon its termination, cancellation, expiration, or other conclusion.

Now, therefore, in consideration of the conditions contained herein and the continued provision of PHI by Customer to Company under the Agreement and this BAA, the Parties agree as follows:

# 1. Definitions

The following terms used in this BAA shall have the same meaning as those terms in the HIPAA Rules: Breach, Breach Notification Rule, De-Identify, Data Aggregation, Designated Record Set, Disclosure, Electronic PHI, Individual, Protected Health Information ("PHI"), Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.

# 2. Company's obligations and activities

## 2.1

The Company agrees to:

Use and Disclose PHI as permitted or required by this BAA or by applicable law to provide the Services to Customer or as otherwise permitted under this BAA. Company may Use and/or Disclose PHI (i) for conducting the Company's business, (ii) for management and administrative services, (iii) to carry out the legal responsibilities of the Company, or (iv) on a de-identified, aggregated, and/or anonymous basis for the purpose of analyzing the usage and performance of the Company's proprietary technology (for internal and/or external purposes), including, without limitation, for market research and to provide analytics to Customer and further developing and improving Company's products and services.

## 2.2

Use appropriate physical, technical, and administrative safeguards (a) to prevent Use or Disclosure of PHI other than as permitted under this BAA or as required by applicable law, and (b) to reasonably protect the confidentiality, integrity, and availability of the PHI. Company will use commercially reasonable efforts to implement industry standard safeguards to prevent the Use or Disclosure of PHI other than as provided by the Agreement and/or this BAA.

## 2.3

Report to Customer any Security Incident or Breach of Unsecured PHI, without unreasonable delay and in no case later than sixty (60) calendar days after discovery of the breach. Such report shall be in accordance with 45 CFR 164.410(c). Company will take reasonable measures to mitigate, to the extent practicable, any harmful effect that is known to Company of any Security Incident and/or Breach of Unsecured PHI. The obligations herein shall not apply to incidents that are caused by Customer or Customer's users or are otherwise unrelated to the provision of the Services by Company.

## 2.4

Use commercially reasonable efforts to ensure that its Subcontractors that process PHI on Company's behalf are subject to substantially the same restrictions and conditions concerning the processing of PHI contained in this BAA and agree to implement reasonable and appropriate safeguards to protect any PHI. Customer hereby agrees that Company may disclose PHI to Subcontractors and others who assist in the provision of services to Customer.

## 2.5

Within ten (10) business days, reasonably assist the Customer to comply with Individuals' requests related to their PHI in accordance with the HIPAA Rules requirements (for example, to make available in a designated record set to the Customer to meet Customer's obligations under 45 CFR 164.524 or make any amendment(s) to PHI in a designated record set as agreed to by the Customer pursuant to 45 CFR 164.526); provided that Customer informs Company in writing of the applicable request.

## 2.6

Make its internal practices, books, and records available to the Secretary for purposes of determining Customer's and/or Company's compliance with HIPAA Rules. Nothing in this Section waives any applicable privilege or protection.

# 3. Customer obligations and activities

## 3.1

Customer agrees not to request Company to Use or Disclose PHI or take any other action in any manner that would not be permissible under HIPAA Rules and/or that will imply the breach or violation of any applicable law and/or Individuals' rights.

## 3.2

Customer agrees to notify Company of any limitation or restriction related to the relevant PHI, to the extent that such limitation may affect Company's Use or Disclosure of PHI (including, without limitation, 45 CFR 164.520 and 45 CFR 164.522).

## 3.3

Customer agrees to provide all notices and obtain all required consents from an Individual to allow Company to use the PHI as set forth in this BAA. Customer shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to Use or Disclose his or her PHI, to the extent that such changes may affect Company's Use or Disclosure of PHI.

## 3.4

Customer acknowledges that any Use or Disclosure of PHI or action made by Company at the request of Customer is made in reliance that such request and/or action is permissible and that Customer is requesting the minimum necessary to accomplish the intended Use or Disclosure of the PHI.

## 3.5

Customer agrees to indemnify and hold harmless Company from and against all liabilities, losses, damages, and expenses (including reasonable attorney's fees) arising from Customer's breach of this BAA, including this section.

# 4. Term and Termination

## 4.1 Term

This BAA will become effective as of the Effective Date, and shall continue until the earliest of: (a) all of the PHI provided by Customer to Company is deleted, destroyed, and/or de-identified; (b) this BAA is terminated in writing by the Parties; or (c) the Agreement is completed, concluded, or otherwise terminated, in which case this BAA will terminate automatically and without the need for any further action or notice on the part of either Customer or Company.

## 4.2 Termination for cause

Both Parties may terminate immediately this BAA and/or the applicable sections of the Agreement, if a Party makes a determination that the other Party has breached a material term of this BAA and such breach is incurable or was uncured within thirty (30) days following the other Party's written notification.

## 4.3 Effect of Termination

Upon termination of the Agreement or this BAA for any reason, all PHI maintained by Company will be returned to Customer or destroyed. Company shall be allowed to retain a copy of the de-identified data, as permitted in Section 2.1. In any event, to the extent required or allowed by applicable law, Company may retain one copy of the PHI for evidence purposes and/or for the establishment, exercise, or defense of legal claims and/or to comply with applicable laws and regulations. This Section, and Sections 5 and 6, will survive any termination of this BAA.

# 5. Limitation of liability

Notwithstanding anything to the contrary in the Agreement and/or in any other agreements between the Parties and to the maximum extent permitted by law: (A) Company's (including Company's Affiliates') entire, total, and aggregate liability related to personal data, information or PHI, privacy, or for breach of this BAA and/or HIPAA Rules, including, without limitation, if any, any indemnification obligation, shall be limited to the amounts paid to Company under the Agreement within twelve (12) months preceding the event that gave rise to the claim. This limitation of liability is cumulative and not per incident; (B) In no event will Company and/or Company's Affiliates and/or their subcontractors be liable under, or otherwise in connection with, this BAA for: (i) any indirect, exemplary, special, consequential, incidental, or punitive damages; (ii) any loss of profits, business, or anticipated savings; (iii) any loss of, or damage to, data, reputation, revenue, or goodwill; and/or (iv) the cost of procuring any substitute goods or services; and (C) the foregoing exclusions and limitations on liability set forth in this Section shall apply: (i) even if Company, Company's Affiliates, or subcontractors have been advised, or should have been aware, of the possibility of losses or damages; (ii) even if any remedy in this BAA fails of its essential purpose; and (iii) regardless of the form, theory, or basis of liability (such as, but not limited to, breach of contract or tort).

# 6. Miscellaneous

## 6.1 Notice

All communications and notices shall be in writing, delivered personally, by email, or sent through any mailing services to the addresses and contacts set forth in the Agreement or as otherwise designated by a Party for such purpose.

## 6.2 Effect of BAA

This BAA is a part of and subject to the terms of the Agreement, except that to the extent any terms of this BAA conflict with any term of the Agreement, the terms of this BAA will govern with respect to the subject matter of PHI and HIPAA compliance. In the event of any conflict between the provisions of this BAA and the provisions of the Agreement, the provisions of this BAA shall prevail over the conflicting provisions of the Agreement with respect to such subject matter.

## 6.3 Amendments

This BAA may be amended solely by a written instrument duly signed by both Parties.

## 6.4 Severability

The provisions of this BAA shall be deemed severable and if any portion shall be held invalid, illegal, or unenforceable for any reason, the remainder of this BAA shall be effective and binding upon the Parties.

## 6.5 Interpretation

Any ambiguity in this BAA shall be interpreted to permit compliance with the HIPAA Rules.

## 6.6 No Third Party Beneficiaries

Nothing contained herein, whether express or implied, is intended to confer, nor shall anything herein confer, upon any person other than the Parties and their respective successors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.

## 6.7 Assignment

Neither Party may assign this BAA without the other Party's prior written consent, provided that the consent shall not be unreasonably withheld. Notwithstanding the foregoing, Company may assign this BAA in the event of a merger, change of control, or sale or transfer of all or substantially all of its assets, without requiring Customer's consent.

## 6.8 Governing Law

This BAA shall be governed and construed in accordance with the law of the jurisdiction stated in the Agreement. Any dispute, controversy, or claim arising out of, or in relation to, this BAA shall be settled amicably between the Parties. If the dispute cannot be resolved by the Parties, the Parties hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this BAA. Notwithstanding anything to the contrary, the Company may seek interim relief before any court of competent jurisdiction worldwide.
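Review bot: Section 4.3 allows Company to keep a copy of the PHI after termination, but its survival sentence lists only "This Section, and Sections 5 and 6", so the Section 2.2 safeguards and the Section 2.3 reporting duty would not cover that retained copy. Suggest extending the survival clause to Section 2 (at least 2.2 and 2.3) for as long as any PHI is retained. Separately, Section 2.3 covers "any Security Incident or Breach of Unsecured PHI" but counts the sixty days from "discovery of the breach", which leaves the deadline for a Security Incident that is not a Breach undefined. As a structural point, "The Company agrees to:" sits under heading 2.1 although it introduces 2.1 through 2.6, so it reads better placed directly under heading 2.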