Business Associate Agreement

Effective date: July 9, 2026

1. Overview

This Business Associate Agreement (“BAA”) describes how KollGuard protects Protected Health Information (“PHI”) when a customer’s use of the Service is subject to the U.S. Health Insurance Portability and Accountability Act, as amended by the HITECH Act (“HIPAA”). Under this BAA, Kollitech Corp (d/b/a KollGuard) acts as the Business Associate and the customer acts as the Covered Entity (or an upstream business associate).

KollGuard offers this BAA as part of an enterprise engagement. The executed counterpart provided during contracting governs; this page is provided for reference. Capitalized terms not defined here have the meanings given in HIPAA (45 C.F.R. Parts 160 and 164).

Data-minimization by design. The Service assesses the security and compliance posture of your systems and does not require PHI to function. KollGuard accesses PHI only to the minimum extent necessary to perform the scans you request, and stores findings and metadata in preference to raw PHI.

2. Permitted uses and disclosures

KollGuard may use or disclose PHI only:

  • as necessary to perform the Services under the underlying agreement;
  • as permitted or required by this BAA; or
  • as required by law.

KollGuard applies the Minimum Necessary standard, and may use PHI for its proper management and administration, to provide data-aggregation services to the Covered Entity, and to de-identify PHI in accordance with 45 C.F.R. §164.514 (each subject to the terms of the executed BAA). KollGuard will not sell PHI, use it for marketing, or use or disclose it in any manner that would violate the HIPAA Privacy Rule.

3. KollGuard’s obligations as Business Associate

  • Not use or disclose PHI other than as permitted by this BAA or required by law.
  • Use appropriate administrative, physical, and technical safeguards and comply with the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C) with respect to electronic PHI.
  • Report any impermissible use or disclosure, any Security Incident, and any Breach of Unsecured PHI — notifying the Covered Entity without unreasonable delay and no later than the timeframe set in the executed BAA (well within the 60-day HITECH cap).
  • Ensure any subcontractor that handles PHI on KollGuard’s behalf agrees in writing to protections at least as strict as this BAA (see “Sub-processors”).
  • Make PHI in a Designated Record Set available for individual access (§164.524), amendment (§164.526), and accounting of disclosures (§164.528).
  • Make its internal practices, books, and records available to HHS to determine compliance.
  • Mitigate, to the extent practicable, any harmful effect of a use or disclosure in violation of this BAA.
  • Acknowledge direct liability under the provisions of HIPAA applicable to business associates.

4. Covered Entity’s obligations

  • Notify KollGuard of limitations in its Notice of Privacy Practices, restrictions, or changes/revocations of individual permission that may affect KollGuard’s use of PHI.
  • Not request KollGuard to use or disclose PHI in a manner impermissible under HIPAA if done by the Covered Entity (except as expressly permitted).
  • Represent that it has authority and all necessary rights to grant KollGuard access to the systems it directs KollGuard to scan.

5. Term and termination

This BAA is effective on its effective date and continues until the underlying agreement ends and all PHI is returned or destroyed. The Covered Entity may terminate for an uncured material breach. On termination, KollGuard will return or destroy PHI where feasible; where infeasible, it will extend the protections of this BAA to the retained PHI and limit further use to what makes return or destruction infeasible. These obligations survive termination.

6. Security safeguards

KollGuard’s safeguards for electronic PHI include:

  • TLS 1.2+ in transit and AES-256 at rest; connection credentials stored in an encrypted secrets vault and never exposed to the browser.
  • Least-privilege, read-only scanning; role-based access, SSO/SAML, SCIM, and MFA; tenant isolation enforced by row-level security.
  • Egress and SSRF controls limiting outbound scan traffic to authorized targets.
  • Tamper-evident, hash-chained audit logging; secure SDLC with dependency and secret scanning; monitoring and documented incident response.
  • Data-minimization: findings and metadata retained in preference to raw PHI; configurable retention; return/destroy on termination.

See our security overview for details.

7. Sub-processors

KollGuard maintains a Business Associate Agreement with each subcontractor that may handle PHI. The current list is published at kollguard.com/sub-processors.

8. Requesting a BAA

To execute a BAA for your organization, contact info@kollitech.com or your account contact. If your use of KollGuard involves personal data more broadly, see our Data Processing Agreement.