Business Associate Agreement (BAA) — Template Outline

Disclaimer: This is a template outline for legal review. It is NOT legal advice. Have your legal team and the customer's legal team review and customize before execution.

1. Definitions

  • Covered Entity: The customer deploying Gatez to process PHI
  • Business Associate: Gatez Inc. (the software vendor)
  • PHI: Protected Health Information as defined by HIPAA
  • Platform: The Gatez Gateway Platform software

2. Scope

  • Gatez provides self-hosted software deployed on the Covered Entity's infrastructure
  • No PHI is transmitted to, stored by, or accessible to Gatez Inc.
  • This BAA covers the software license agreement only

3. Obligations of Business Associate

  • Provide software that implements technical safeguards (see HIPAA mapping)
  • Provide security updates and vulnerability patches
  • Not access customer infrastructure or data without explicit authorization
  • Report any discovered software vulnerability that could expose PHI within 72 hours

4. Obligations of Covered Entity

  • Deploy Gatez in a HIPAA-compliant configuration (see deployment guide)
  • Manage all encryption keys, TLS certificates, and access credentials
  • Configure PII redaction and audit retention per HIPAA requirements
  • Implement physical security for on-prem infrastructure
  • Conduct regular DR testing and security assessments

5. Permitted Uses

  • Gatez software may process, route, and log PHI within the Covered Entity's infrastructure
  • PHI is never transmitted outside the Covered Entity's network
  • Audit logs contain metadata only (timestamps, tenant_id, tool names) — never PHI content

6. Term and Termination

  • BAA effective on software license execution
  • Terminates when software license terminates
  • On termination, customer retains all data (self-hosted)

7. Security Incident Notification

  • Gatez Inc. notifies customer of software vulnerabilities within 72 hours
  • Customer notifies Gatez Inc. of any security incidents involving the platform
  • Both parties cooperate on incident investigation

8. Subcontractors

  • Gatez Inc. does not subcontract data processing (software is self-hosted)
  • If Gatez Inc. engages subcontractors for support, they will be bound by equivalent terms