Customer BAA Template, Pointer
Date: 2026-05-14 Status: Outside counsel to provide signed-PDF-ready template, available on request through diligence room access.
A separate CUSTOMER_BAA_TEMPLATE.pdf should sit in this folder once outside counsel delivers it. This file is the pointer + summary.
1. Template outline (plain-English)
Standard Rōvn Customer BAA covers:
Definitions
- PHI as defined by HIPAA Privacy Rule
- Business Associate (Rōvn) vs Covered Entity (customer facility)
- Subcontractor (sub-processors per 05_security/SUB_PROCESSOR_REGISTRY.md)
Permitted uses
- Performing services described in the Master Services Agreement
- Verifying clinical credentials with source authorities on Customer's behalf
- AI executor / advisor operations under BAA + ZDR with Anthropic
- Audit log retention for 7 years
- De-identification per HIPAA Safe Harbor for benchmarking, only with customer consent
Prohibited uses
- Marketing or fundraising without customer consent
- Sale of PHI (categorically prohibited)
- Use beyond scope of MSA
Safeguards (Rōvn obligations)
- Administrative, physical, and technical safeguards per HIPAA Security Rule
- Sub-processor flow-down per 07_legal/SUB_PROCESSOR_FLOW_DOWN.md
- Workforce training (founder + platform engineering partner under NDA embedded)
- Access control + audit log (per 03_engineering/ARCHITECTURE.md)
Breach notification
- Within 60 days of discovery of suspected or confirmed breach (HIPAA standard)
- Faster per individual customer SLA
- Full content per 45 CFR 164.410
Customer rights
- Right to audit (subject to confidentiality + reasonable notice)
- Right to terminate on uncured breach
- Right to receive PHI back or have it destroyed at termination
Termination
- Effective on MSA termination
- 30-day return-or-destroy window for PHI
- 7-year audit log retention persists (HIPAA requirement)
- Sub-processor BAA cascade terminates
Indemnity
- Standard mutual indemnity within MSA scope
- Carve-out for gross negligence / willful misconduct
- Cap aligns with MSA cap
Governing law
- Typically state of MSA governing law (set per customer)
2. Template variants
| Variant | Use |
|---|---|
| Pilot tier customer BAA | $12K 90-day Pilot facilities, simpler indemnity language scoped to the 90-day engagement |
| Core / Ops tier customer BAA | Standard full BAA |
| Platform tier customer BAA | Custom-negotiated; flows through enterprise contract |
3. Customer-facing addendum: Sub-Processor List
Every executed BAA includes an attached sub-processor list (per 05_security/SUB_PROCESSOR_REGISTRY.md). This list is:
- Hash-locked to the BAA execution date
- PDF-snapshotted to S3 audit bucket
- Referenced by Section [X] of the BAA body
4. Negotiable terms
Common customer negotiation requests:
- Tighter breach notification window (e.g., 30 days instead of 60)
- Specific sub-processor opt-out
- Customer-specific data residency (e.g., US-only confirmation)
- Enhanced audit rights
- Cap on indemnity
- Termination assistance scope
Rōvn's negotiation posture: flexible on cycle time and audit; firm on sub-processor essentials (AWS / Anthropic / Persona / Checkr) and 7-year audit log retention.
5. Storage of executed BAAs
Every executed customer BAA is stored in three places:
1. PDF original in AWS S3 audit bucket (with Object Lock)
2. Hash-chained audit log entry with reference to PDF
3. Customer-side copy mailed / emailed at execution
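The hash-locking of the sub-processor list (section 3) and the hash-chained audit log entry that references the executed PDF (item 2 above) are the same mechanism: each artifact's SHA-256 is recorded in an entry, the entry is bound to the execution date, and each entry carries the hash of the previous one so that a later rewrite of any entry or artifact is detectable. The following is an added example written for this pointer, not Rōvn's own code; the PDF bytes, the sub-processor list contents and the timestamps are constructed sample values, and the actual S3 Object Lock upload is assumed to happen outside this snippet.

```python
import hashlib
import json

# Chain anchor for the very first entry (assumption: a fixed all-zero hash).
GENESIS_HASH = "0" * 64

# Constructed sample artifacts standing in for the real files.
BAA_PDF = b"%PDF-1.7\n% constructed placeholder for an executed customer BAA\n"
SUBPROC_LIST = b"AWS\nAnthropic\nPersona\nCheckr\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(entry: dict) -> bytes:
    # Deterministic serialisation so the same entry always hashes the same way.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def append_entry(log: list, event: str, artifacts: dict, executed_at: str) -> dict:
    """Append one hash-chained entry recording the SHA-256 of each artifact.

    The artifact digests are bound to `executed_at` and to the previous
    entry's hash, which is what "hash-locked to the execution date" means.
    """
    prev_hash = log[-1]["entry_hash"] if log else GENESIS_HASH
    body = {
        "seq": len(log),
        "event": event,
        "executed_at": executed_at,
        "artifacts": {name: sha256_hex(data) for name, data in artifacts.items()},
        "prev_hash": prev_hash,
    }
    body["entry_hash"] = sha256_hex(canonical(body))
    log.append(body)
    return body


def verify_chain(log: list) -> bool:
    """Recompute every entry hash and check each prev_hash link."""
    prev = GENESIS_HASH
    for seq, entry in enumerate(log):
        if entry["seq"] != seq or entry["prev_hash"] != prev:
            return False
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if sha256_hex(canonical(body)) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


def verify_artifact(entry: dict, name: str, data: bytes) -> bool:
    """Check that a retrieved artifact still matches the digest locked in the log."""
    return entry["artifacts"].get(name) == sha256_hex(data)


def tampered_copy(log: list, seq: int, field: str, value) -> list:
    """Return a deep copy of the log with one field rewritten (for verification tests)."""
    copy = json.loads(json.dumps(log))
    copy[seq][field] = value
    return copy


def build_demo_log() -> list:
    """Construct the two entries a single BAA execution would produce."""
    log = []
    # Sub-processor list snapshot, locked to the BAA execution date.
    append_entry(log, "subprocessor_list_snapshot",
                 {"SUB_PROCESSOR_LIST.txt": SUBPROC_LIST}, "2026-05-14T00:00:00Z")
    # Executed BAA PDF, referencing the same snapshot by its digest.
    append_entry(log, "customer_baa_executed",
                 {"CUSTOMER_BAA.pdf": BAA_PDF,
                  "SUB_PROCESSOR_LIST.txt": SUBPROC_LIST}, "2026-05-14T00:00:00Z")
    return log


if __name__ == "__main__":
    demo = build_demo_log()
    print("chain valid:", verify_chain(demo))
    print("pdf matches:", verify_artifact(demo[1], "CUSTOMER_BAA.pdf", BAA_PDF))
    print("edited list matches:",
          verify_artifact(demo[0], "SUB_PROCESSOR_LIST.txt", SUBPROC_LIST + b"Other\n"))
    print("rewritten entry still valid:",
          verify_chain(tampered_copy(demo, 0, "event", "something_else")))
```

In deployment the PDF and the serialised log entry would be written to the audit bucket with Object Lock set on the object (an assumption about the AWS configuration, not something this pointer specifies), so the immutability of the bytes comes from S3 and the integrity of the references comes from the chain; the verifier above is what an auditor would run against both to confirm that the list attached to a given BAA is the one that existed on its execution date.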
6. Open items
- Outside counsel to deliver signed-PDF-ready BAA template
- Founder + outside counsel to socialize template with at least one design-partner facility GC before publishing as standard
End of customer BAA template pointer.