Early Access — Open for developer integration testing

Business Associate Agreement

Effective Date: June 3, 2026Last Updated: June 3, 2026Version: 0.1
This page is a request and scoping surface, not a standalone legal agreement. Do not submit protected health information to CAIRL until a written Business Associate Agreement and implementation scope have been signed.

Overview

Some regulated organizations may need a Business Associate Agreement ("BAA") before using CAIRL in a workflow that involves protected health information. CAIRL handles BAA requests through a legal and implementation review, because the required terms depend on the specific product surface, data flow, and customer role.

For general privacy and data-processing terms, see our Data Processing Agreement and Privacy Policy.

When a BAA May Apply

A BAA may be relevant when a covered entity, business associate, or regulated service provider asks CAIRL to process identity information in a healthcare-adjacent workflow. CAIRL evaluates these requests case by case.

  • The customer role and regulatory status
  • The CAIRL products and APIs in scope
  • The categories of data that would be processed
  • The required retention, deletion, and incident-response terms
  • The security controls and subprocessors needed for the workflow

Request Process

  1. Email legal@cairl.app with "BAA request" in the subject line.
  2. Include your organization name, role, intended CAIRL product surface, and whether any protected health information is expected to be processed.
  3. CAIRL will review the requested scope and route the request through legal, security, and implementation review before any BAA terms are exchanged or signed.

Safeguards

CAIRL is designed around data minimization, encryption, access control, audit logging, and verified-claim delivery rather than raw document sharing. These safeguards support regulated deployments, but they do not replace the need for a signed agreement and an approved implementation scope.

See the HIPAA section of our Compliance page for current posture language.

Not Self-Executing

This page does not create a BAA, does not amend the Terms of Service, and does not authorize transmission of protected health information to CAIRL. A BAA is effective only when signed by both parties and paired with the approved implementation scope.

Contact

For BAA-related inquiries: