HIPAA Services Addendum

This HIPAA Services Addendum (“Addendum”) applies only to Customers that have executed a Business Associate Agreement (“BAA”) with Vilulia. This Addendum is incorporated into and forms part of the Terms of Service and any Order Form for HIPAA-eligible Services.

1. HIPAA-Eligible Use

The Services are not intended for unrestricted storage of PHI. PHI may be uploaded or processed only in connection with workflows and configurations that Vilulia designates as HIPAA-eligible (for example, features explicitly labeled as HIPAA Basic or HIPAA Enhanced). Customer is responsible for ensuring that its use of the Services is appropriate for its compliance obligations.

2. Customer Responsibilities

Customer is solely responsible for:

• Determining what PHI is uploaded to the Services and ensuring it is limited to what is necessary.
• Configuring user access, roles, permissions, and authentication policies (including MFA).
• Ensuring its workforce members comply with HIPAA, including training and sanctions for violations.
• Maintaining endpoint, network, and credential security for users who access the Services.
• Reviewing and configuring retention, sharing settings, exports, and external integrations to prevent unauthorized disclosure.

3. HIPAA Service Levels

If Customer purchases HIPAA service tiers, the tiers may include additional safeguards, configurations, logging, and support commitments. Specific inclusions (and any exclusions) are described in the applicable Order Form and product documentation.

4. Misconfiguration and Customer-Caused Events

Vilulia is not responsible for incidents arising from Customer misconfiguration, compromised credentials, unauthorized sharing by Customer personnel, Customer devices, or Customer failure to follow security guidance or maintain appropriate access controls.

5. Suspension; Risk Mitigation

Vilulia may immediately suspend HIPAA-related access where continued operation would pose a security or compliance risk, including suspected compromise, misuse, or anomalous activity. Vilulia may require Customer to complete remediation steps before restoring access.