Pharos Auditor

Legal & Trust

Business Associate Agreement

Template version 1.0 — April 2026

This page summarizes the Pharos Ventures standard BAA. The executed form is provided to paying Enterprise and Suite tenants. Healthcare customers must execute this agreement before uploading PHI into the Service.

Parties

This Business Associate Agreement ("BAA") is entered into by and between the Covered Entity identified in the Pharos Auditor subscription ("Covered Entity") and Pharos Ventures, Inc. ("Business Associate" or "Pharos"). It supplements the Terms of Service and governs Pharos's handling of Protected Health Information ("PHI") as defined by HIPAA (45 CFR §160.103).

1. Permitted uses and disclosures

Pharos may use or disclose PHI only to perform the services described in the Terms of Service (delivering the Pharos Auditor platform) and as required by law. Pharos will not use or disclose PHI for its own marketing, sale, or aggregate product development purposes.

2. Minimum necessary

Pharos will limit its use, disclosure, and request of PHI to the minimum necessary to accomplish the intended purpose, per 45 CFR §164.502(b).

3. Safeguards

Pharos implements the administrative, physical, and technical safeguards required by 45 CFR §§164.308, 164.310, and 164.312. A current summary is published at /legal/security. Specific HIPAA controls include:

  • Application-layer encryption of PHI at rest.
  • TLS 1.2 or later for all PHI in transit.
  • Immutable audit trail with 7-year retention.
  • Role-based access control, enforced at the database with Postgres row-level security (RLS).
  • MFA-enforced workforce authentication.

4. Subcontractors

Pharos will require each subcontractor that creates, receives, maintains, or transmits PHI on its behalf to agree in writing to restrictions and conditions at least as protective as this BAA, per 45 CFR §164.502(e)(1)(ii). The current list of PHI-handling subcontractors (subprocessors) is available on request from privacy@pharosventures.io.

5. Reporting

Pharos will report to Covered Entity any use or disclosure of PHI not permitted by this BAA, any security incident of which it becomes aware, and any breach of unsecured PHI, within the timeframes required by 45 CFR §§164.410 and 164.414, and in any case no later than 5 business days after discovery.

6. Access, amendment, accounting

Pharos will, within 30 days of a request from Covered Entity, make PHI in a Designated Record Set available for access, amendment, or accounting of disclosures per 45 CFR §§164.524, 164.526, and 164.528.

7. Compliance records

Pharos will make its internal practices, books, and records related to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining Covered Entity's compliance with the HIPAA Privacy Rule.

8. Term and termination

This BAA is effective on the earlier of execution or first upload of PHI to the Service, and continues until the subscription terminates. On termination, Pharos will return or destroy all PHI in its possession, unless return or destruction is infeasible, in which case the protections of this BAA extend to the PHI for as long as Pharos retains it.

9. Indemnity carve-out

Nothing in the Terms of Service limits either party's obligations or remedies under HIPAA or this BAA.

10. Amendments

The parties will amend this BAA as reasonably necessary to comply with changes in HIPAA or the HITECH Act.

11. Contact

To execute this BAA or request the signed PDF, email legal@pharosventures.io with your organization's legal contact and subscription information.