Data Processing Addendum
Last Updated: June 10, 2026
Provider (Processor): PCX Analytics LLC, a Texas limited liability company
Cloud Service: PCXa
Privacy Contact: privacy@pcxa.app
This Data Processing Addendum (this “DPA”) is an Attachment to the Base Agreement between Customer and PCX Analytics LLC (“Provider”). This DPA is incorporated into the Base Agreement by reference and forms part of it. In the event of conflict between this DPA and the Base Agreement with respect to the Processing of Customer Personal Data, this DPA controls. Capitalized terms not defined in this DPA are defined in the Base Agreement.
“Base Agreement” means the applicable Master Services Agreement, Terms of Service, or other written agreement between Customer and Provider governing Customer’s access to and use of the Services, as identified on the signature page or order form under which this DPA is executed. This DPA is designed to function as a standalone document that can be incorporated by reference into any Base Agreement.
1. Definitions
The following terms have the meanings set forth below when used in this DPA. Terms not defined herein have the meanings given in the Base Agreement or applicable Data Protection Laws.
“Affiliate” means an entity that is controlled by, controls, or is under common control with a party, where “control” means ownership of at least fifty percent (50%) of the voting interests or the power to direct the management of such entity.
“Audit” has the meaning in Section 9.3.
“Audit Report” has the meaning in Section 9.2.
“Cloud Service” means, with respect to a Base Agreement that is a Terms of Service, the PCXa cloud service as described therein; and, with respect to a Base Agreement that is a Master Services Agreement, the Services described in the applicable Statement of Work.
“Controller” means the natural or legal person, public authority, agency, or other body that determines the purposes and means of Processing of Personal Data.
“Customer Data” means any data, content, or other materials that Customer submits or makes available to Provider in connection with the Services, including all data and information contained within Customer Materials. “Customer Materials” means content or other materials of any kind that Customer makes available to Provider in connection with the Services, as further defined in the Base Agreement.
“Customer Instructions” has the meaning in Section 3.1.
“Customer Personal Data” means Personal Data contained in or derived from Customer Data.
“Data Protection Laws” means all laws and regulations applicable to the Processing of Customer Personal Data under the Base Agreement, including as applicable: (i) the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and any binding regulations promulgated thereunder (“CCPA”); (ii) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR” or “GDPR”); (iii) the Swiss Federal Act on Data Protection (“FADP”); (iv) the EU GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”); and (v) the UK Data Protection Act 2018; in each case, as updated, amended, or replaced from time to time.
“Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates.
“DPA Effective Date” means the effective date of the Base Agreement, or such later date as the parties execute this DPA.
“EEA” means the European Economic Area.
“Enhanced Cap” has the meaning in the Base Agreement, or if not defined therein, three times (3x) the General Cap.
“General Cap” has the meaning in the Base Agreement, or if not defined therein, fees paid or payable by Customer to Provider in the twelve (12) months preceding the first incident giving rise to liability.
“HIPAA” means the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended from time to time. “Covered Entity,” “Business Associate,” and “Protected Health Information” have the meanings given under HIPAA.
“Key Terms” means the Agreement, DPA Effective Date, and Subprocessor List, as defined in this DPA.
“Master Services Agreement” means the PCX Analytics Master Services Agreement between Customer and Provider, as amended from time to time.
“Order” means, with respect to engagements governed by the Terms of Service, an order for Customer’s access to the Cloud Service that references the Terms of Service; and, with respect to engagements governed by the Master Services Agreement, the applicable Statement of Work executed by the parties.
“Personal Data” means information about an identified or identifiable natural person or which otherwise constitutes “personal data,” “personal information,” “personally identifiable information,” or similar terms as defined in Data Protection Laws.
“Processing” means any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. “Process” and “Processes” have correlative meanings.
“Processor” means a natural or legal person, public authority, agency, or other body that Processes Personal Data on behalf of a Controller.
“Restricted Transfer” means (i) where EU GDPR applies, a transfer of Customer Personal Data from the EEA to a country outside the EEA that is not subject to an adequacy determination; (ii) where UK GDPR applies, a transfer of Customer Personal Data from the United Kingdom to any other country that is not subject to an adequacy determination; or (iii) where FADP applies, a transfer of Customer Personal Data from Switzerland to any other country that is not subject to an adequacy determination.
“Schedules” means the schedules appended to this DPA. The default Schedules are: Schedule 1 (Subject Matter and Details of Processing), Schedule 2 (Technical and Organizational Measures), Schedule 3 (Cross-Border Transfer Mechanisms), and Schedule 4 (Region-Specific Terms).
“Security Incident” means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data being Processed by Provider.
“Security Measures” means the technical and organizational security measures implemented and maintained by Provider as described in Schedule 2 of this DPA and as referenced in the Base Agreement.
“Sensitive Data” means (a) patient, medical, or other protected health information regulated by HIPAA; (b) credit, debit, bank account, or other financial account numbers; (c) social security numbers, driver’s license numbers, or other government-issued identification numbers; and (d) special categories of data enumerated in EU GDPR Article 9(1) or any successor legislation.
“Services” means, with respect to a Base Agreement that is a Terms of Service, the Cloud Service and any Professional Services provided by Provider thereunder; and, with respect to a Base Agreement that is a Master Services Agreement, the professional services and Deliverables provided by Provider under the applicable Statement of Work.
“SOW Term” means the term for Provider’s delivery of Services as specified in the applicable Statement of Work.
“Specified Notice Period” means 5 business days, unless a shorter period is required by applicable Data Protection Laws or specified in Schedule 4 (Region-Specific Terms).
“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of Personal Data to third countries approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as updated or replaced from time to time.
“Statement of Work” means a statement of work for Services executed by the parties that references the Master Services Agreement.
“Subprocessor” means any third party authorized by Provider to Process any Customer Personal Data.
“Subprocessor List” means the list of Provider’s Subprocessors published at pcxa.app/legal/subprocessors.
“Subscription Term” means, with respect to engagements governed by the Terms of Service, the Subscription Term as defined therein; and, with respect to engagements governed by the Master Services Agreement, the SOW Term as defined in the applicable Statement of Work.
“Terms of Service” means the PCX Analytics Terms of Service between Customer and Provider, as amended from time to time.
2. Scope and Duration
2.1. Roles.
This DPA applies to Provider as a Processor and to Customer as a Controller (or, where Customer is itself a Processor on behalf of a third-party Controller, as a Processor) of Customer Personal Data. Unless otherwise specified in Schedule 1, Customer is the Controller and Provider is the Processor.
2.2. Scope.
This DPA applies to Provider’s Processing of Customer Personal Data under the Base Agreement to the extent such Processing is subject to Data Protection Laws.
2.3. Duration.
This DPA commences on the DPA Effective Date and terminates upon expiration or termination of the Base Agreement, or if later, the date on which Provider has ceased all Processing of Customer Personal Data.
2.4. Order of Precedence.
In the event of conflict: (1) any Standard Contractual Clauses or transfer mechanisms in Schedule 3 or Schedule 4 control; (2) then this DPA controls; (3) then the Base Agreement controls. Claims arising under this DPA remain subject to the limitation of liability provisions of the Base Agreement, except that Provider’s liability for Security Incidents or breaches caused primarily by third-party infrastructure providers outside Provider’s direct operational control shall be subject to the General Cap, not the Enhanced Cap.
2.5. Role Reassessment.
If the nature of Provider’s Processing of Customer Personal Data changes materially such that Provider Processes Customer Personal Data for purposes beyond the Customer Instructions, the parties shall promptly reassess the applicable Controller/Processor roles and, if necessary, amend this DPA to reflect the correct designation under applicable Data Protection Laws.
3. Processing of Personal Data
3.1. Customer Instructions.
- (a) Provider shall Process Customer Personal Data solely: (i) in accordance with Customer Instructions; or (ii) to comply with applicable laws.
- (b) “Customer Instructions” means: (i) Processing necessary to provide the Services and perform Provider’s obligations under the Base Agreement (including this DPA); and (ii) other reasonable documented instructions of Customer consistent with the Base Agreement.
- (c) Details of Processing are set forth in Schedule 1.
- (d) Provider shall notify Customer if it receives an instruction that Provider reasonably believes infringes Data Protection Laws.
3.2. Confidentiality.
- (a) Provider shall protect Customer Personal Data in accordance with its confidentiality obligations under the Base Agreement.
- (b) Provider shall ensure that personnel who Process Customer Personal Data either enter into written confidentiality agreements or are subject to statutory obligations of confidentiality.
3.3. Compliance with Laws.
- (a) Provider and Customer shall each comply with Data Protection Laws in their respective Processing of Customer Personal Data.
- (b) Customer shall comply with Data Protection Laws in issuing Customer Instructions to Provider. Customer shall ensure that it has established all necessary lawful bases under Data Protection Laws to enable Provider to lawfully Process Customer Personal Data for the purposes contemplated by the Base Agreement (including this DPA), including, as applicable, by obtaining all necessary consents from, and giving all necessary notices to, Data Subjects.
3.4. Changes to Laws.
The parties shall negotiate in good faith to amend this DPA as necessary to address changes in applicable Data Protection Laws.
3.5. Prohibition on Secondary Use.
Provider shall not use, access, or Process Customer Personal Data for any purpose other than providing the Services as specified in the Base Agreement and this DPA, including for the purpose of training, developing, or improving any artificial intelligence, machine learning, or analytical model. This restriction applies regardless of whether Customer Personal Data is identified, de-identified, aggregated, or pseudonymized, except for data that has been verifiably anonymized such that it can no longer be attributed to a specific individual.
4. Subprocessors
4.1. Authorization.
- (a) Customer generally authorizes Provider to engage Subprocessors to Process Customer Personal Data, including Provider’s Affiliates.
- (b) Provider shall: (i) enter into a written agreement with each Subprocessor imposing data Processing and protection obligations substantially the same as those set out in this DPA; and (ii) remain liable for compliance with the obligations of this DPA and for any acts or omissions of a Subprocessor that cause Provider to breach any of its obligations under this DPA. Notwithstanding the foregoing, Provider’s liability for Security Incidents or other breaches caused primarily by the acts or omissions of a third-party infrastructure provider (including cloud hosting platforms) that are outside Provider’s direct operational control shall be subject to the General Cap (not the Enhanced Cap) as defined in the Base Agreement.
4.2. Subprocessor List.
Provider shall maintain an up-to-date Subprocessor List, published at pcxa.app/legal/subprocessors or made available upon written request.
4.3. Notice of New Subprocessors.
At least thirty (30) days before any new Subprocessor Processes Customer Personal Data, Provider shall update the Subprocessor List and notify Customer through email to the address associated with Customer’s account. Customer may elect a longer notice period (not to exceed sixty (60) days) in the applicable Order or Schedule 1, in which case such elected period shall apply.
4.4. Objection to New Subprocessors.
- (a) If Customer objects to a new Subprocessor based on reasonable data protection concerns within thirty (30) days of notice, the parties shall discuss such concerns in good faith.
- (b) If the parties cannot resolve Customer’s objection, Customer’s sole remedy is to terminate the affected Order for convenience. Provider shall refund prepaid fees prorated to the post-termination period.
5. Security
5.1. Security Measures.
Provider shall implement and maintain reasonable and appropriate technical and organizational measures, procedures, and practices, as appropriate to the nature of the Customer Personal Data, that are designed to protect the security, confidentiality, integrity, and availability of Customer Personal Data and protect against Security Incidents, in accordance with Provider’s Security Measures referenced in the Base Agreement and as further described in Schedule 2 (Technical and Organizational Measures). Provider shall regularly monitor its compliance with its Security Measures and Schedule 2.
5.2. Incident Notice and Response.
- (a) Provider shall implement procedures to detect and respond to Security Incidents.
- (b) Provider shall notify Customer without undue delay, and no later than the Specified Notice Period, after becoming aware of a Security Incident affecting Customer Personal Data, and shall make reasonable efforts to identify the cause, mitigate effects, and remediate.
- (c) Upon Customer’s request and taking into account the nature of the applicable Processing, Provider shall provide commercially reasonable assistance to Customer by making available, when obtainable, information reasonably necessary for Customer to meet its Security Incident notification obligations under Data Protection Laws. To the extent such assistance requires material effort beyond Provider’s standard incident response procedures, Customer shall reimburse Provider’s reasonable costs.
- (d) Provider’s notification of a Security Incident is not an acknowledgment of fault or liability.
- (e) Security Incidents do not include unsuccessful attempts that do not compromise Customer Personal Data.
5.3. Customer Responsibilities.
- (a) Customer is responsible for reviewing the information made available by Provider relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Data Protection Laws.
- (b) Customer is solely responsible for complying with Security Incident notification laws applicable to Customer and fulfilling any obligations to give notices to government authorities, affected individuals, or others relating to any Security Incidents.
- (c) In the event of a Security Incident, Customer shall cooperate with Provider’s investigation and remediation efforts, including by preserving relevant logs and access records, restricting access to affected systems as reasonably requested by Provider, and refraining from actions that may interfere with Provider’s containment or forensic activities; provided that nothing in this Section 5.3(c) shall require Customer to take any action that conflicts with Customer’s own applicable legal obligations, regulatory requirements, or documented incident response procedures, and Customer shall promptly notify Provider in writing of any such conflict.
6. Data Protection Impact Assessment
Upon Customer’s request and taking into account the nature of the applicable Processing, to the extent such information is available to Provider, Provider shall assist Customer in fulfilling Customer’s obligations under Data Protection Laws to carry out a data protection impact or similar risk assessment related to Customer’s use of the Services, including, if required by Data Protection Laws, by assisting Customer in consultations with relevant government authorities.
7. Data Subject Requests
7.1. Assistance.
Upon Customer’s request and taking into account the nature of the applicable Processing, Provider shall assist Customer by appropriate technical and organizational measures, insofar as possible, in complying with Customer’s obligations under Data Protection Laws to respond to requests from individuals to exercise their rights under Data Protection Laws, provided that Customer cannot reasonably fulfill such requests independently (including through use of the Services).
7.2. Direct Requests.
If Provider receives a request from a Data Subject in relation to the Data Subject’s Customer Personal Data, Provider shall notify Customer and advise the Data Subject to submit the request to Customer (but shall not otherwise communicate with the Data Subject regarding the request except as may be required by Data Protection Laws). Customer is responsible for responding to all such requests.
8. Data Return and Deletion
8.1. During Services.
During the term of the Base Agreement, Customer may access, export, or delete Customer Personal Data through the features of the Services or upon written request.
8.2. Post-Termination.
- (a) Following termination or expiration of the Base Agreement, Provider shall delete all Customer Personal Data from its primary production systems within ninety (90) days after the close of any post-termination data extraction or export window, or within ninety (90) days of termination or expiration if no such window applies. Customer Personal Data in encrypted backup systems shall be purged within one hundred eighty (180) days following termination or expiration.
- (b) Deletion shall comply with industry-standard secure deletion practices. Upon Customer’s request, Provider shall confirm in writing that it has completed deletion of Customer Personal Data from primary production systems. Backup system purges shall occur per Section 8.2(a) above.
- (c) Provider may retain Customer Personal Data: (i) as required by Data Protection Laws; or (ii) in accordance with its standard backup or records retention policies; provided that, in either case, Provider shall: (x) maintain the confidentiality of, and otherwise comply with the applicable provisions of this DPA with respect to, retained Customer Personal Data; and (y) not further Process retained Customer Personal Data except for such purpose(s) and duration specified in such applicable Data Protection Laws.
- (d) Expedited Deletion. Upon Customer’s written request stating a legitimate legal or regulatory basis, Provider shall use commercially reasonable efforts to complete deletion of Customer Personal Data from primary production systems within thirty (30) days of such request and shall confirm completion in writing upon Customer’s request.
9. Audits
9.1. Records.
Provider shall maintain records of its Processing in compliance with Data Protection Laws and shall make available to Customer records reasonably necessary to demonstrate compliance with this DPA.
9.2. Third-Party Compliance Programs.
- (a) Provider shall describe its third-party audit and certification programs (if any) and make summary copies of its audit reports (each, an “Audit Report”) available to Customer upon Customer’s written request at reasonable intervals, subject to confidentiality obligations.
- (b) Customer may share a copy of Audit Reports with relevant government authorities as required upon their request.
- (c) Customer agrees that any audit rights granted by Data Protection Laws shall be satisfied by Audit Reports and the procedures of Section 9.3 (Customer Audit).
9.3. Customer Audit.
- (a) Subject to this Section 9.3, Customer may conduct an audit of reasonable scope pursuant to a mutually agreed-upon audit plan consistent with the parameters below (an “Audit”).
- (b) Customer may exercise this right if: (i) an Audit Report does not provide sufficient information to verify compliance; (ii) required to respond to a government authority audit; or (iii) in connection with a Security Incident.
- (c) Each Audit shall: (i) be conducted by an independent third party bound to confidentiality; (ii) be limited in scope to matters necessary to assess compliance with this DPA; (iii) occur at a mutually agreed time during regular business hours; (iv) occur no more than once annually absent cause; (v) cover only Provider-controlled facilities; (vi) be limited to Customer Personal Data; and (vii) treat all results as confidential information to the fullest extent permitted by Data Protection Laws.
- (d) Regulatory Examinations. Notwithstanding the limitations in this Section 9.3, if Customer is subject to a regulatory examination, inspection, or audit by a government authority with jurisdiction over Customer, Customer may, upon reasonable prior written notice to Provider, permit such authority to conduct a review of Provider’s records and facilities pertaining to Customer Personal Data, subject to applicable confidentiality obligations and Provider’s reasonable security requirements.
10. Cross-Border Transfers and Region-Specific Terms
10.1. Data Location.
Provider shall Process and store Customer Personal Data in the United States by default. EU hosting is available upon request; applicable fees, if any, are set forth in the applicable Order. Provider shall not transfer Customer Personal Data outside the designated hosting region except as necessary to provide the Services and in compliance with this Section 10.
10.2. Restricted Transfers.
If Provider engages in a Restricted Transfer, it shall comply with the cross-border transfer mechanisms set forth in Schedule 3.
10.3. Region-Specific Terms.
To the extent Provider Processes Customer Personal Data protected by Data Protection Laws in a region listed in Schedule 4, the terms in Schedule 4 apply in addition to this DPA.
Schedule 1 — Subject Matter and Details of Processing
Subject Matter: Provider’s provision of the Services to Customer pursuant to the Base Agreement
Duration: The term of the Base Agreement plus any applicable post-termination data retention period
Nature and Purpose: Processing of Customer Personal Data as necessary to provide the Services, including data ingestion, storage, analytics, visualization, reporting, and related support operations
Categories of Data Subjects: Customer’s employees, contractors, project managers, and other end users of the Services; individuals whose personal data is contained in project data uploaded by Customer
Categories of Personal Data: Names, email addresses, job titles, employer information, login credentials (hashed), IP addresses, usage logs, and personal data contained in project data uploaded by Customer (e.g., personnel lists, contact information, site access records)
Sensitive Data: None expected. Customer must not submit Sensitive Data to the Services without Provider’s prior written consent and, where applicable, execution of a Business Associate Agreement
Processing Operations: Collection, storage, organization, retrieval, consultation, use, alignment, combination, restriction, erasure, and destruction as necessary to provide the Services
Controller: Customer
Processor: PCX Analytics LLC
Schedule 2 — Technical and Organizational Security Measures
Infrastructure Security: Cloud hosting on Render, Vercel, and Cloudflare with industry-recognized security certifications. Data encrypted at rest (AES-256) and in transit (TLS 1.2+). Network segmentation, firewall controls, DDoS protection, and intrusion detection.
Access Controls: Role-based access control (RBAC) with principle of least privilege. MFA required for all Provider personnel accessing production systems. Unique credentials; shared accounts prohibited. Regular access reviews and prompt deprovisioning.
Application Security: Secure SDLC with code review, regular vulnerability scanning and penetration testing, input validation and output encoding, dependency management and patching.
Data Protection: Customer data logically segregated by tenant. Automated backup with encrypted storage. Data retention and deletion procedures aligned with the Base Agreement. No Customer Personal Data used for AI/ML training or secondary purposes.
Incident Management: Documented incident response plan with defined roles and escalation procedures. Security incident detection, investigation, and remediation capabilities. Notification procedures compliant with Section 5.2 of this DPA.
Personnel Security: Background checks where permitted by law. Mandatory security awareness training upon hire and annually. Confidentiality obligations in employment and contractor agreements.
Business Continuity: Disaster recovery plan with documented RTO/RPO. Regular backup testing and restoration verification. Multi-availability-zone deployment for production workloads.
Schedule 3 — Cross-Border Transfer Mechanisms
1. Standard Contractual Clauses (EU). To the extent a Restricted Transfer involves Customer Personal Data from the EEA, the parties agree to the Standard Contractual Clauses approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, which are incorporated by reference as follows:
- Module Two (Controller to Processor) applies where Customer is a Controller and Provider is a Processor.
- Module Three (Processor to Processor) applies where Customer is itself a Processor.
- Clause 7 (Docking Clause): Included.
- Clause 9(a) (Use of Subprocessors): Option 2 (General Written Authorization) applies, with a notice period of 30 days.
- Clause 11 (Redress): Optional language not included.
- Clause 13(a) (Supervision): The competent supervisory authority is the supervisory authority of the EEA member state in which Customer is established.
- Clause 17 (Governing Law): The law of Ireland.
- Clause 18(b) (Choice of Forum): The courts of Ireland.
- Annexes I, II, and III: as set forth in Schedules 1 and 2 of this DPA.
2. UK International Data Transfer Addendum. To the extent a Restricted Transfer involves Customer Personal Data from the United Kingdom, the parties agree to the UK International Data Transfer Addendum to the EU Commission SCCs, issued by the UK Information Commissioner under s. 119A(1) of the Data Protection Act 2018.
3. Switzerland (FADP). To the extent a Restricted Transfer involves Customer Personal Data from Switzerland, the SCCs apply with modifications required to comply with the FADP, including designation of the Swiss Federal Data Protection and Information Commissioner as the competent supervisory authority.
Schedule 4 — Region-Specific Terms
1. EEA / United Kingdom. (a) The Specified Notice Period for Security Incidents involving EU GDPR or UK GDPR-protected data is 48 hours, to allow Customer sufficient time to meet its 72-hour GDPR Article 33 notification obligation. (b) If required by applicable Data Protection Laws, Provider shall appoint an EEA and/or UK representative within 90 days of onboarding its first Customer in those regions. (c) Data protection impact assessments shall be supported as described in Section 6.
2. California (CCPA/CPRA). (a) Provider is a “Service Provider” and Customer is a “Business” with respect to Customer Personal Data for purposes of the CCPA. (b) Provider shall not sell or share Customer Personal Data. (c) Provider shall not retain, use, or disclose Customer Personal Data for any purpose other than providing the Services. (d) Provider shall not combine Customer Personal Data with personal information from other sources except as permitted by the CCPA.
3. Texas (TDPSA). (a) To the extent the Texas Data Privacy and Security Act (TDPSA) applies to the Processing of Customer Personal Data, Provider shall comply with the obligations applicable to processors under the TDPSA. (b) Provider shall assist Customer in fulfilling its obligations under the TDPSA, including responding to consumer rights requests. (c) Provider shall not sell Customer Personal Data, as that term is defined under the TDPSA. (d) Provider shall not retain, use, or disclose Customer Personal Data for any purpose other than providing the Services as specified in the Base Agreement, or as otherwise permitted by the TDPSA. (e) Provider shall not combine Customer Personal Data with personal data received from other sources except as permitted by the TDPSA.
4. HIPAA. (a) To the extent Customer is a Covered Entity or Business Associate under HIPAA and intends to submit Protected Health Information to the Services, Customer and Provider must execute a separate Business Associate Agreement (“BAA”) prior to any such submission. (b) Customer shall not submit Protected Health Information absent an executed BAA. Provider is not a Business Associate for any Base Agreement without a separately executed BAA.