Business Associate Agreement (BAA)
Luffra Group LLC — KweLead Studio & SODIAX · Effective: March 29, 2026
1. Parties
This Business Associate Agreement (“BAA”) is entered into between the healthcare provider or therapist (“Covered Entity”) and Luffra Group LLC, operating KweLead Studio and SODIAX (“Business Associate”).
2. Purpose
The Covered Entity uses the SODIAX platform to manage patient health information, including clinical assessments, therapy notes, remote patient monitoring data, and crisis detection. This BAA establishes the permitted uses and disclosures of Protected Health Information (PHI) by the Business Associate.
3. Obligations of Business Associate
- Not use or disclose PHI other than as permitted by this BAA or as required by law.
- Use appropriate safeguards to prevent unauthorized use or disclosure of PHI, including AES-256 encryption for data at rest and TLS encryption in transit.
- Report to the Covered Entity any use or disclosure of PHI not permitted by this BAA within 60 days of discovery.
- Ensure that any subcontractors who access PHI agree to the same restrictions and conditions (Supabase, Anthropic Claude, Twilio, Resend).
- Make PHI available to the Covered Entity as required under HIPAA’s right of access provisions.
- Make PHI available for amendment upon request by the Covered Entity.
- Maintain and make available an accounting of disclosures of PHI.
- Make internal practices and records relating to PHI available to the Secretary of HHS for compliance determination.
- At termination of this agreement, return or destroy all PHI received from the Covered Entity, or retain only as required by law.
4. Permitted Uses and Disclosures
The Business Associate may use or disclose PHI only for the following purposes:
- Performing clinical assessment delivery and scoring (PHQ-9, GAD-7, WHO-5, PCL-5, AUDIT, DAST-10)
- Generating AI-assisted clinical note drafts using de-identified data where possible
- Remote Patient Monitoring data collection, threshold alerting, and compliance tracking
- Crisis detection, safety plan management, and escalation workflows
- Insurance billing and claims generation (CPT 99453-99458)
- Secure messaging between practitioner and client
- Data analytics for treatment outcomes (aggregated and de-identified)
- As required by law or for public health activities
5. Security Measures
The Business Associate implements the following security measures:
- Encryption: AES-256-CBC for clinical notes, messages, and treatment plans at rest; TLS for all data in transit
- Access Controls: Role-based access, per-organization data isolation, practitioner-only clinical data access
- Audit Logging: All access to PHI is logged with actor, action, timestamp, and IP address
- Authentication: Multi-factor authentication support, session-based access with Supabase Auth
- Data Storage: Regional data storage (US, EU, Canada) with Supabase managed PostgreSQL
- Subprocessors: All subprocessors (Supabase, Anthropic, Twilio, Stripe, Resend) maintain their own HIPAA compliance and BAAs where applicable
6. Breach Notification
The Business Associate will notify the Covered Entity of any breach of unsecured PHI within 60 days of discovery. The notification will include the nature of the breach, the types of PHI involved, steps taken to mitigate harm, and recommended actions for the Covered Entity.
7. Term and Termination
This BAA remains in effect for the duration of the Covered Entity’s use of the SODIAX platform. Either party may terminate this BAA upon 30 days’ written notice if the other party materially breaches any provision.
Upon termination, the Business Associate will return or destroy all PHI. If return or destruction is not feasible, the Business Associate will extend the protections of this BAA to retained PHI and limit further uses and disclosures to the purposes that make return or destruction infeasible.
8. Data Retention
- Clinical notes, assessments, and treatment plans: retained for 7-10 years per state and federal requirements
- Consent records: retained for the duration of the therapeutic relationship plus 6 years
- Audit logs: retained for 6 years per HIPAA requirements
- Non-clinical data (messages, recordings): erasable upon request
9. Governing Law
This BAA shall be governed by and construed in accordance with the laws of the State of Florida, United States, and applicable federal HIPAA regulations (45 CFR Parts 160 and 164).