Master Service Agreement

Effective Date: January 1, 2025


This Master Service Agreement (the “Agreement”) is entered into by and between:

1. AI Health Studio LLC d/b/a MedRecords AI, a Wyoming corporation with its principal place of business at [30 North Gould Street, Sheridan, Wyoming, 82801, United States of America] (“Service Provider”), and

2. [Client Name], having its principal place of business at [Address] (“Client”).


The Service Provider and Client are collectively referred to as the “Parties” and individually as a “Party.”


Effective Date: This Agreement becomes effective on the date last signed by the Parties (the “Effective Date”).

1. Purpose


1.1. Scope of Services

Service Provider operates an AI‐powered software platform that receives, organizes, and summarizes medical records (“Services”). The Services may also facilitate chat functionality based on the medical record data. This Agreement, together with any Statements of Work (“SOW”) or service descriptions the Parties enter into, governs the provision of these Services to the Client.


1.2. HIPAA & CCPA Compliance

Because the Services involve receiving and processing protected health information (“PHI”), Service Provider shall comply with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations, as well as the California Consumer Privacy Act (“CCPA”), to the extent applicable.


1.3. Canada Operations

If the Client or its end users are located in Canada, the Service Provider will handle personal information in a manner consistent with the relevant Canadian privacy laws (e.g., Personal Information Protection and Electronic Documents Act, “PIPEDA,” if applicable) and any contractual obligations regarding data handling or cross‐border transfers.

2. Definitions

“PHI” or “Protected Health Information”: Any individually identifiable health information, as defined under HIPAA (45 C.F.R. § 160.103).

“Business Associate”: Defined under HIPAA (45 C.F.R. § 160.103), referring to any entity that creates, receives, maintains, or transmits PHI on behalf of a Covered Entity.

“BAA”: The Business Associate Agreement attached hereto as Exhibit A, which governs the use and disclosure of PHI.

“Data Processing”: Any operation performed on personal data, including collection, storage, use, disclosure, or destruction.

“Applicable Law”: All relevant U.S. federal and state laws and regulations (including HIPAA, HITECH, CCPA) and any Canadian federal or provincial laws regulating the handling of personal information, if and as applicable to the Services.

3. Service Deliverables & User Consent


3.1. Data Capture and Platform Use

• At sign‐up or upon initial access, end users shall be presented with a clear and conspicuous Terms of Service and Privacy Policy (“ToS/PP”) referencing HIPAA‐ and CCPA‐related disclosures and consents.

• The ToS/PP will detail how data is collected, processed, stored, and potentially transferred between the U.S. and Canada, including any “Canada Visa Disclosure” or cross‐border transfer notification if required by applicable Canadian law.


3.2. Opt‐In and Opt‐Out Mechanisms

• Service Provider shall offer users a mechanism to opt in or out of marketing communications and other optional data uses. These mechanisms must be easily accessible and comply with any relevant federal, state, or provincial regulations.


3.3. Cookies and Tracking

• If the Client uses Service Provider’s web‐based Services, a cookie banner or similar notice shall be implemented to inform end users about cookies or tracking technologies, allowing them to consent or decline, consistent with CCPA requirements and any Canadian equivalents.


3.4. BAA Execution

• Because Client may be a Covered Entity under HIPAA, and Service Provider may act as a Business Associate, the Parties shall execute the BAA (Exhibit A) prior to Service Provider handling any PHI. The BAA is incorporated by reference and governs any handling of PHI.

4. Business Associate Agreement (BAA)


4.1. Application

• The BAA applies when Service Provider creates, receives, maintains, or transmits PHI on behalf of the Client. It outlines the specific requirements for safeguarding PHI and ensuring compliance with HIPAA.


4.2. Conflict

• In the event of any conflict between the terms of this Agreement and the BAA regarding PHI, the BAA shall control.

5. Compliance with Laws


5.1. HIPAA

• Each Party shall comply with all HIPAA rules and regulations to the extent applicable to its respective role (Covered Entity or Business Associate).


5.2. CCPA

• If any California resident data is processed, each Party shall comply with the CCPA as applicable. Service Provider agrees not to “sell” personal information as defined by CCPA and shall honor consumer rights and opt‐out requests in accordance with the law.


5.3. Canadian Privacy Law

• If handling Canadian residents’ personal data, the Service Provider shall comply with any applicable federal or provincial privacy laws (e.g., PIPEDA), including securing valid consent where required and providing cross‐border transfer disclosures if necessary.

6. Confidentiality & Proprietary Rights


6.1. Confidential Information

• Each Party acknowledges that during the course of performing this Agreement, it may have access to the other Party’s Confidential Information, including but not limited to PHI, trade secrets, or proprietary business information. Each Party agrees to keep such information confidential and use it only for the purposes of this Agreement.


6.2. Exclusions

• Confidential Information does not include information that: (a) was already known by the receiving Party without obligation of confidentiality; (b) becomes publicly available without the fault of the receiving Party; (c) is lawfully received from a third party without restriction; or (d) is independently developed by the receiving Party without use of the disclosing Party’s Confidential Information.


6.3. Intellectual Property

• Service Provider retains all intellectual property rights to its software, AI algorithms, and related documentation. Client retains all rights to its own data, including any PHI provided to Service Provider.

7. Data Security & Breach Notification


7.1. Safeguards

• Service Provider shall implement and maintain reasonable administrative, physical, and technical safeguards to protect PHI and personal data, in accordance with HIPAA Security Rule standards and other Applicable Laws.


7.2. Breach Notification

• Service Provider shall notify the Client within twenty‐four (24) hours of discovering any Data Breach involving PHI or other sensitive data. “Data Breach” includes any unauthorized access, use, or disclosure of PHI or personal information that is reportable under Applicable Law.

• Following such notice, Service Provider shall promptly take all reasonable steps to mitigate the harmful effects and prevent further unauthorized disclosure.

• Service Provider shall cooperate with Client on any legally required breach notifications to affected individuals, government agencies, or other parties.

8. Representations & Warranties


8.1. Service Provider Warranties

• Service Provider represents and warrants that:

(a) It has the authority and expertise to perform the Services;

(b) The Services will be performed in a professional manner consistent with industry standards;

(c) It will comply with all Applicable Laws governing the Services, including HIPAA and CCPA;

(d) It will not “sell” personal information (under CCPA) or otherwise use it for any purpose not authorized by the Client.


8.2. Client Warranties

• Client represents and warrants that:

(a) It has the authority to engage Service Provider to perform the Services and to provide Service Provider with any necessary data or access;

(b) It will cooperate with Service Provider to provide or obtain any user consents necessary under HIPAA, CCPA, or Canadian privacy laws;

(c) It will provide accurate instructions regarding data processing requirements.

9. Indemnification


9.1. By Service Provider

• Service Provider shall indemnify, defend, and hold harmless Client and its officers, directors, and employees from and against any and all losses, liabilities, damages, claims, costs, and expenses (including reasonable attorneys’ fees) arising out of any third‐party claim relating to Service Provider’s material breach of this Agreement or the BAA, its gross negligence, or willful misconduct.


9.2. By Client

• Client shall indemnify, defend, and hold harmless Service Provider and its officers, directors, and employees from and against any and all losses, liabilities, damages, claims, costs, and expenses (including reasonable attorneys’ fees) arising out of any third‐party claim relating to Client’s material breach of this Agreement or the BAA, its gross negligence, or willful misconduct.


9.3. Procedure

• Each Party’s indemnification obligations under this Agreement are contingent upon the indemnified Party (a) promptly notifying the indemnifying Party in writing of any such claim, (b) granting sole control of the defense or settlement to the indemnifying Party, and (c) cooperating in such defense.

10. Limitation of Liability


10.1. Disclaimer of Certain Damages

To the maximum extent permitted by law, neither Party shall be liable for any indirect, incidental, consequential, special, or punitive damages, including but not limited to loss of profits, loss of use, loss of data, or interruption of business, even if advised of the possibility of such damages.


10.2. Aggregate Liability Cap

Service Provider’s total liability arising out of or related to this Agreement, whether in contract, tort, or under any other theory of liability, shall not exceed the total amount of fees paid by Client to Service Provider in the three (3) months immediately preceding the event giving rise to the claim, or one thousand U.S. dollars (US$1,000), whichever is less.

11. Term & Termination


11.1. Term

This Agreement commences on the Effective Date and continues until terminated as provided herein or until all SOWs or service descriptions referencing this Agreement have expired or been terminated.


11.2. Termination for Cause

Either Party may terminate this Agreement (including any related SOW) if the other Party materially breaches any term of this Agreement or the BAA and fails to cure such breach within thirty (30) days after receiving written notice.


11.3. Termination for Convenience

Either Party may terminate this Agreement or any SOW for convenience upon ninety (90) days’ prior written notice to the other Party unless a different notice period is specified in a SOW.


11.4. Effect of Termination

Upon termination or expiration of this Agreement, Service Provider shall cease all processing of Client’s data (including PHI) and return or securely destroy all such data in its possession or control, unless otherwise required by law to retain it.

12. Dispute Resolution, Governing Law & Venue


12.1. Governing Law

This Agreement shall be governed by and construed in accordance with the laws of the State of Wyoming, without regard to conflict of laws principles.


12.2. Venue

Any dispute, claim, or controversy arising out of or relating to this Agreement shall be resolved exclusively in the state or federal courts located in Sheridan County, Wyoming, and each Party consents to the personal jurisdiction and venue of such courts.

13. General Provisions


13.1. Notices

Any notices required or permitted by this Agreement shall be in writing and sent to the addresses of the Parties set forth above (or any other address a Party designates in writing). Notices are deemed received (a) upon personal delivery, (b) one (1) business day after delivery by a nationally recognized overnight courier, or (c) three (3) business days after mailing by certified or registered mail.


13.2. Entire Agreement

This Agreement, together with any SOWs and Exhibit A (BAA), represents the entire agreement between the Parties concerning the subject matter, and supersedes all prior agreements, understandings, or representations.


13.3. Amendments

This Agreement may be amended only by a writing signed by both Parties.


13.4. Assignment

Neither Party may assign or transfer this Agreement without the prior written consent of the other Party, which shall not be unreasonably withheld. Any unauthorized assignment is void.


13.5. Independent Contractors

The Parties are independent contractors. Nothing in this Agreement shall be construed as creating a partnership, joint venture, franchise, or any other form of legal association that would impose liability on one Party for the act or failure to act of the other.


13.6. Severability

If any provision of this Agreement is held invalid or unenforceable by a court of competent jurisdiction, the remaining provisions shall remain in full force and effect.


13.7. Force Majeure

Neither Party shall be liable for delays or failures in performance due to causes beyond its reasonable control, including acts of God, natural disasters, war, terrorism, civil disturbance, labor shortages, or governmental actions.

SIGNATURES


IN WITNESS WHEREOF, the Parties have executed this Master Service Agreement by their duly authorized representatives as of the Effective Date.


SERVICE PROVIDER (Business Associate)

By: AI Health Studio LLC

Name: Ahmed Jemaa

Title: CEO

Date:______________________________


CLIENT

By:________________________________

Name:______________________________

Title:______________________________

Date:______________________________

EXHIBIT A


BUSINESS ASSOCIATE AGREEMENT (BAA)


This Business Associate Agreement (“BAA”) is entered into by and between Service Provider and Client, and is incorporated by reference into the Master Service Agreement (“Agreement”). In the event of any conflict between the Agreement and this BAA concerning the use or disclosure of PHI, the terms of this BAA shall control.


1. Definitions


Capitalized terms used but not otherwise defined herein shall have the meanings set forth in HIPAA, 45 C.F.R. Parts 160 and 164.

“Covered Entity”: The Client, if and to the extent it qualifies as a Covered Entity under HIPAA.

“Business Associate”: The Service Provider, if and to the extent it performs functions or activities on behalf of the Client that involve the use or disclosure of PHI.


2. Permitted Uses & Disclosures of PHI


2.1. Permitted Uses

• Service Provider may use PHI solely to perform the Services described in the Agreement, consistent with HIPAA’s Privacy Rule and Security Rule requirements, and as further specified in this BAA.


2.2. Prohibited Uses

• Service Provider shall not use or disclose PHI in any manner that would violate HIPAA if done by the Client, except as expressly permitted by this BAA or required by law.


3. Obligations of Business Associate


3.1. Safeguards

• Service Provider shall implement and maintain administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI in compliance with the HIPAA Security Rule.


3.2. Subcontractors

• Service Provider shall ensure that any subcontractors who create, receive, maintain, or transmit PHI on behalf of Service Provider agree in writing to the same restrictions and conditions that apply to Service Provider under this BAA.


3.3. Reporting

• In the event of a breach of unsecured PHI, Service Provider shall notify the Client within twenty‐four (24) hours of discovery, in accordance with the Breach Notification Rule at 45 C.F.R. §§ 164.400–414.


3.4. Access to PHI

• Service Provider shall make PHI available to Client as necessary to fulfill Client’s obligations under the Privacy Rule, including responding to individuals’ requests for access to PHI, amendment of PHI, or accounting of disclosures, where applicable.


3.5. Mitigation

• Service Provider shall mitigate, to the extent practicable, any harmful effect of an unauthorized use or disclosure of PHI.


4. Obligations of Covered Entity


4.1. Notice of Privacy Practices

• Client shall provide Service Provider with any relevant limitations or changes in its Notice of Privacy Practices, or any restrictions on the use or disclosure of PHI that could affect Service Provider’s permitted or required uses and disclosures.


4.2. Permissions & Authorizations

• Client shall obtain any consent or authorization that may be required under HIPAA before providing PHI to Service Provider for the Services.


5. Term & Termination


5.1. Term

• This BAA becomes effective upon execution and shall terminate upon the expiration or termination of the Agreement, unless earlier terminated for cause as provided herein.


5.2. Termination for Cause

• If either Party determines that the other has materially breached this BAA and such breach is not cured within thirty (30) days of receiving written notice, the non‐breaching Party may terminate the Agreement and/or this BAA.


5.3. Effect of Termination

• Upon termination or expiration of the Agreement, Service Provider shall either return or securely destroy all PHI in its possession, unless retention is required by law. If return or destruction is not feasible, Service Provider shall continue to protect the PHI in accordance with the terms of this BAA.


6. Miscellaneous


6.1. No Third‐Party Beneficiaries

• Nothing in this BAA is intended to confer any rights, remedies, obligations, or liabilities upon anyone other than the Parties.


6.2. Amendment

• This BAA may be amended only by written agreement signed by authorized representatives of both Parties. If changes to HIPAA, HITECH, or other laws necessitate amendments, the Parties agree to negotiate in good faith to amend this BAA to reflect such changes.


6.3. Precedence

• In the event of any conflict between the terms of this BAA and the Agreement regarding PHI usage or disclosure, this BAA shall control.

SIGNATURES TO THE BAA


SERVICE PROVIDER (Business Associate)

By: AI Health Studio LLC

Name: Ahmed Jemaa

Title: CEO

Date: ____________________________


CLIENT (Covered Entity)

By: ______________________________

Name: ___________________________

Title: ____________________________

Date: ____________________________