Business Associate Agreement

Last updated: May 28, 2026

A signed BAA is available for Enterprise customers. To request execution, contact hello@forg.pro or your account manager.

This Business Associate Agreement ("BAA") is entered into between UpgradIQ, Inc. ("Business Associate") and the Covered Entity identified in the applicable Order Form ("Covered Entity") and is incorporated into and made a part of the Agreement between the parties.

1. Definitions

Terms used but not defined in this BAA have the meaning given in HIPAA. "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and implementing regulations at 45 CFR Parts 160 and 164.

"PHI" means Protected Health Information as defined by HIPAA. "ePHI" means electronic PHI.

2. FORG and PHI

FORG processes metadata about AI tool usage — token counts, latency, model identifiers, and cost. FORG does not process the content of AI interactions (prompts, completions, or file contents). In a standard FORG deployment, ePHI is not transmitted to or processed by FORG.

However, if a Covered Entity uses FORG in an environment where AI tool usage may incidentally generate signals that contain dimension tags referencing PHI-related projects, or if the Covered Entity otherwise determines that this BAA is required, this BAA governs UpgradIQ's obligations.

3. Obligations of Business Associate

Business Associate agrees to:

  • Not use or disclose PHI other than as permitted or required by this BAA or applicable law
  • Use appropriate safeguards to prevent unauthorized use or disclosure of PHI
  • Report to Covered Entity any use or disclosure of PHI not provided for by this BAA, including breaches of unsecured PHI
  • In accordance with 45 CFR § 164.502(e)(1)(ii), ensure that any subcontractors agree to the same restrictions
  • Make PHI available for access, amendment, and accounting of disclosures as required by HIPAA
  • Make internal practices available to the Secretary of HHS for compliance determination
  • Upon termination, return or destroy all PHI received from Covered Entity

4. Permitted uses and disclosures

Business Associate may use or disclose PHI only: (a) for the proper management and administration of Business Associate or to carry out its legal responsibilities; (b) as required by law; or (c) as otherwise permitted by this BAA.

5. Security safeguards

Business Associate implements the following safeguards for ePHI:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Access controls with role-based permissions and least privilege
  • Audit logging of all access to ePHI
  • Incident response procedures and breach notification within 60 days of discovery
  • Regular risk assessments and security training

6. Breach notification

Business Associate will notify Covered Entity of a Breach of Unsecured PHI without unreasonable delay and no later than 60 calendar days after discovery, including the information required by 45 CFR § 164.410(c).

7. Term and termination

This BAA is in effect for the duration of the Agreement. Upon termination, Business Associate will return or destroy all PHI within 30 days. If return or destruction is not feasible, Business Associate will extend the protections of this BAA to the PHI and limit further uses and disclosures.

8. Miscellaneous

This BAA is governed by the laws of the State of Delaware. In the event of a conflict between this BAA and the Agreement, this BAA controls with respect to PHI.

Contact

For BAA execution or HIPAA compliance inquiries:
hello@forg.pro