HIPAA Services Addendum

March 20, 2026

This HIPAA Services Addendum ("Addendum") applies only to Customers that have executed a Business Associate Agreement ("BAA") with Vilulia. This Addendum is incorporated into and forms part of the Terms of Service and any Order Form for HIPAA-eligible Services. In the event of a conflict between this Addendum and the Terms of Service on matters related to HIPAA-eligible Services, this Addendum controls.

Shared responsibility for HIPAA compliance: Vilulia is committed to providing a secure, HIPAA-eligible platform and maintaining the technical and organizational safeguards required of a Business Associate. Achieving full HIPAA compliance also requires Customers to fulfill their own obligations as Covered Entities or Business Associates, including access configuration, workforce training, and PHI governance. This Addendum describes how responsibility is shared between the parties.

1. HIPAA-Eligible Use

The Services include HIPAA-eligible configurations designed to support Customers with HIPAA obligations. PHI may be uploaded or processed only in connection with workflows and configurations that Vilulia designates as HIPAA-eligible (for example, features explicitly labeled as HIPAA Basic or HIPAA Enhanced in the applicable Order Form). Customer is responsible for ensuring that its specific workflows and configurations are appropriate for its HIPAA compliance obligations. If you are uncertain whether a particular workflow is HIPAA-eligible, contact vilulia.com/contact before uploading PHI.

2. Vilulia's Commitments for HIPAA-Eligible Plans

For Customers on HIPAA-eligible plans with an executed BAA, Vilulia will:

  • Maintain technical safeguards consistent with the HIPAA Security Rule, including encryption in transit and at rest, audit logging, and access controls.
  • Limit access to PHI to personnel who require it to perform services and who are bound by confidentiality obligations.
  • Report Breaches of Unsecured PHI within 72 hours of discovery, as described in the BAA.
  • Impose equivalent data protection obligations on subcontractors who access PHI.
  • Support Customer's access, amendment, and accounting-of-disclosures obligations as described in the BAA.
  • Not use PHI to train AI models or for any purpose beyond providing the Services.

3. Customer Responsibilities

Achieving HIPAA compliance is a shared responsibility. Customer is responsible for:

  • Determining what PHI is uploaded to the Services and ensuring it is limited to what is necessary for the intended workflow.
  • Configuring user access, roles, permissions, and authentication policies (including enabling MFA where available).
  • Ensuring its workforce members receive appropriate HIPAA training and are subject to sanctions for violations.
  • Maintaining security of endpoints, networks, and credentials used to access the Services.
  • Reviewing and configuring retention, sharing settings, exports, and any external integrations to prevent unauthorized disclosure.
  • Promptly notifying Vilulia of any suspected compromise of credentials or unauthorized access to the Services.

4. Shared Responsibility Summary

Infrastructure security
  Vilulia's responsibility: Encryption, access controls, audit logging, monitoring
  Customer's responsibility: MFA enablement, credential security, endpoint security

PHI governance
  Vilulia's responsibility: Processing PHI only as permitted by the BAA
  Customer's responsibility: Determining what PHI to upload; minimizing PHI scope

Workforce
  Vilulia's responsibility: Training and binding Vilulia personnel with access to PHI
  Customer's responsibility: Training and sanctioning Customer's own workforce

Breach response
  Vilulia's responsibility: Detecting, reporting within 72 hours, and mitigating breaches
  Customer's responsibility: Notifying Vilulia of suspected credential compromise; cooperating in the investigation

Configuration
  Vilulia's responsibility: Providing HIPAA-eligible configurations and controls
  Customer's responsibility: Properly configuring access, sharing, and integrations

5. HIPAA Service Levels

If Customer purchases HIPAA service tiers, the tiers include additional safeguards, configurations, logging, and support commitments beyond the standard plan. Specific inclusions and any exclusions are described in the applicable Order Form and product documentation. Contact vilulia.com/contact for details on what is included in each tier.

6. Customer-Caused Incidents

Vilulia implements and maintains the safeguards described in this Addendum and the BAA. However, Vilulia is not responsible for security incidents or compliance failures that arise primarily from: Customer misconfiguration of access controls or permissions; compromise of Customer-controlled credentials; unauthorized sharing by Customer's own personnel; security failures on Customer-controlled devices or networks; or Customer's failure to follow Vilulia's security guidance. Where an incident results from a combination of factors, the parties will work cooperatively to assess the cause and response.

7. Suspension; Risk Mitigation

Vilulia may immediately suspend HIPAA-related access where continued operation would pose a security or compliance risk, including suspected compromise, misuse, or anomalous activity. Vilulia will notify Customer as promptly as practicable after any suspension and will work with Customer to restore access following completion of reasonable remediation steps. Vilulia will not suspend HIPAA access for reasons unrelated to security or compliance without providing advance notice and an opportunity to cure under the Terms of Service.
