HIPAA Business Associate Agreement

MARCON JOHN SOLUTIONS INC.

This Business Associate Agreement (“BAA”) is entered into effective this 8th day of
November 2023 (“Effective Date”) by and between Marcon John Solutions Inc. (“Business
Associate 1”) and Vida Natura Technologies Inc. (“Business Associate 2”) (each a “Party”
and collectively, the “Parties”).

RECITALS

WHEREAS, Business Associate 1 is a “Business Associate” as that term is defined under the
Health Insurance Portability and Accountability Act of 1996 (Public Law 104-91), as
amended, (“HIPAA”), and the regulations promulgated thereunder by the Secretary of the
U.S. Department of Health and Human Services (“Secretary”), including, without limitation,
the regulations codified at 45 C.F.R. Parts 160 and 164 (“HIPAA Regulations”);

WHEREAS, Business Associate 2 seeks to perform Services for or on behalf of Business
Associate 1, and in performing said Services, Business Associate 2 will create, receive,
maintain, or transmit Protected Health Information (“PHI”) or Electronic Protected Health
Information (“ePHI”);

WHEREAS, the parties intend to protect the privacy and provide for the security of PHI and
ePHI disclosed by Business Associate 1 to Business Associate 2, or received or created by
Business Associate 2, when providing Services in compliance with the HIPAA Act,
regulations issued thereunder, applicable guidance issued by the Secretary of the
Department of Health and Human Services (HHS), the Health Information Technology for
Economic and Clinical Health Act (“the HITECH Act”) and other applicable state and federal
laws, all as amended from time to time; and

WHEREAS, as a Business Associate, Business Associate 1 is required under HIPAA to enter
into a Business Associate Agreement (BAA) with Business Associate 2 that meets certain
requirements with respect to the use and disclosure of PHI.

AGREEMENT

In consideration of the above recitals and for other good and valuable consideration, the
receipt and adequacy of which is hereby acknowledged, the Parties agree as follows:

ARTICLE I

DEFINITIONS

The following terms shall have the meaning set forth below. Capitalized terms used in this
BAA and not otherwise defined shall have the meanings ascribed to them in HIPAA, the
HIPAA Regulations, or the HITECH Act, as applicable.

1.1. “Breach” shall have the meaning given under 42 U.S.C. § 17921(1) and 45 C.F.R. §
164.402.

1.2. “Data Aggregation” shall have the meaning given under 45 CFR § 164.501.

1.3. “Designated Record Set” shall have the meaning given such term under 45 C.F.R. §
164.501.

1.4. “Disclose” and “Disclosure” mean, with respect to PHI, the release, transfer,
provision of access to, or divulging in any other manner of PHI outside of Business
Associate 2 or to other than members of its Workforce, as set forth in 45 C.F.R. § 160.103.

1.5. “Electronic PHI” or “ePHI” means PHI that is transmitted or maintained in
electronic media, as set forth in 45 C.F.R. § 160.103.

1.6. “Protected Health Information” and “PHI” mean any information, whether oral or
recorded in any form or medium, that: (a) relates to the past, present or future physical or
mental health or condition of an individual; the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual; and (b) identifies the individual, or for which there is a reasonable basis for believing that the information can be used to identify the individual. “Protected Health Information” shall have the meaning given to such term under 45 C.F.R. § 160.103. Protected Health
Information includes ePHI.

1.7. “Security Incident” shall have the meaning given to such term under 45 C.F.R. § 164.304.

1.8. “Services” shall mean the services for or functions on behalf of Business Associate 1
performed by Business Associate 2 pursuant to any service agreement(s) between
Business Associate 1 and Business Associate 2(s) which may be in effect now or from time
to time (“Underlying Agreement”), or, if no such agreement is in effect, the services or
functions performed by Business Associate 2 that constitute a Business Associate
relationship, as set forth in 45 C.F.R. § 160.103, Definition of “Business Associate.”

1.9. “Subcontractor” means a person to whom a Business Associate delegates a function, activity, or service, other than in the capacity of a member of the Workforce of
such Business Associate.

1.10. “Unsecured PHI” shall have the meaning given to such term under 42 U.S.C. § 17932(h), 45 C.F.R. § 164.402, and Federal Register documents, including, but not limited to, Federal Register document 74; Federal Register 19006 (April 27, 2009); and 78 Federal
Register 5565 (January 25, 2013).

1.11. “Use” or “Uses” mean, with respect to PHI, the sharing, employment, application, utilization, examination, or analysis of such PHI within Business Associate 2’s internal
operations, as set forth in 45 C.F.R. § 160.103.

1.12. “Workforce” shall have the meaning given to such term under 45 C.F.R. § 160.103.

ARTICLE II

OBLIGATIONS OF BUSINESS ASSOCIATE

2.1. Permitted Uses and Disclosures of Protected Health Information: Business
Associate 2 shall not use or disclose PHI other than performing the Services, as permitted
or required by this BAA, or as required by law. Business Associate 2 shall not use or
disclose PHI in any manner that would constitute a violation of Subpart E of 45 C.F.R. Part
164 if so used or disclosed by Business Associate 1. However, Business Associate 2 may use or disclose PHI (i) for the proper management and administration of Business Associate 2; (ii) to carry out the legal responsibilities of Business Associate 2, provided that
with respect to any such disclosure either: (a) the disclosure is required by law; or (b) Business Associate 2 obtains a written agreement from the person to whom the PHI is to be disclosed that such person will hold the PHI in confidence and will not use or further disclose such PHI except as required by law and for the purpose(s) for which it was disclosed by Business Associate 2 to such person, and that such person will notify Business Associate 2 of any instances of which it is aware in which the confidentiality of the PHI has
been breached; (iii) for Data Aggregation purposes for the healthcare operations of
Business Associate 1. To the extent that Business Associate 2 carries out one or more of
Business Associate 1’s obligations under Subpart E of 45 C.F.R. Part 164, Business Associate
2 must comply with the requirements of Subpart E that apply to Business Associate 1 in the
performance of such obligations.

2.2. Prohibited Marketing and Sale of PHI: Notwithstanding any other provision in this BAA, Business Associate 2 shall comply with the following requirements: (i) Business Associate 2 shall not use or disclose PHI for fundraising or marketing purposes, except to the extent expressly authorized or permitted by this BAA and consistent with the requirements of 42 U.S.C. § 17936, 45 C.F.R. §164.514(f), and 45 C.F.R. § 164.508(a)(3); and
(ii) Business Associate 2 shall not directly or indirectly receive remuneration in exchange for PHI, except with the prior written consent of Business Associate 1 and as permitted by the HITECH Act, 42 U.S.C. § 17935(d)(2), and 45 C.F.R. § 164.502(a)(5)(ii).

2.3. Adequate Safeguards of PHI: Business Associate 2 shall implement and maintain
appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this BAA. Business Associate 2 shall reasonably and appropriately protect the
confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of Business Associate 1 in compliance with Subpart C of 45 C.F.R. Part 164 to prevent use or disclosure of PHI other than as provided for by this BAA.

2.4. Mitigation: Business Associate 2 agrees to mitigate, to the extent practicable, any
harmful effect that is known to Business Associate 2 of a use or disclosure of PHI by
Business Associate 2 in violation of the requirements of this BAA.

2.5. Reporting Non-Permitted Use or Disclosure

2.5.1. Reporting Security Incidents and Non-Permitted Use or Disclosure:
Business Associate 2 shall report to Business Associate 1 in writing each security incident
or use or disclosure that is made by Business Associate 2, members of its Workforce or Subcontractors that is not specifically permitted by this BAA, no later than three (3)
business days after becoming aware of such security incident or non-permitted use or
disclosure, in accordance with the notice provisions set forth herein. Business Associate 2
shall investigate each security incident or non-permitted use or disclosure of Business
Associate 1’s PHI that it discovers to determine whether such security incident or non-permitted use or disclosure constitutes a reportable breach of unsecured PHI. Business
Associate 2 shall document and retain records of its investigation of any breach, including
its reports to Business Associate 1 under this Section 2.5.1. Upon request of Business
Associate 1, Business Associate 2 shall furnish to Business Associate 1 the documentation
of its investigation and an assessment of whether such security incident or non-permitted
use or disclosure constitutes a reportable breach. If such security incident or non-permitted use or disclosure constitutes a reportable breach of unsecured PHI, then
Business Associate 2 shall comply with the additional requirements of Section 2.5.2 below.

2.5.2. Breach of Unsecured PHI: If Business Associate 2 determines that a
reportable breach of unsecured PHI has occurred, Business Associate 2 shall provide a
written report to Business Associate 1 without unreasonable delay, but no later than thirty
(30) calendar days after discovery of the breach. To the extent that information is available
to Business Associate 2, Business Associate 2’s written report to Business Associate 1 shall
be in accordance with 45 C.F.R. §164.410(c), as if “Business Associate 1” were the “Covered
Entity,” and as if “Business Associate 2” were “Business Associate 1,” for purposes of that
provision. Business Associate 2 shall cooperate with Business Associate 1 in meeting
Business Associate 1’s obligations under the HITECH Act with respect to such breach.
Business Associate 1 shall have sole control over the timing and method of providing
notification of such breach to the affected individual(s), the Secretary and, if applicable, the
media, as required by HIPAA and the HITECH Act. Business Associate 2 shall reimburse
Business Associate 1 for its reasonable costs and expenses in providing the notification,
including, but not limited to, any administrative costs associated with providing notice,
printing and mailing costs, and costs of mitigating the harm (which may include the costs of
obtaining credit monitoring services and identity theft insurance) for affected individuals
whose PHI has or may have been compromised as a result of the breach.

2.6. Availability of Internal Practices, Books, and Records to Government: Business
Associate 2 agrees to make its internal practices, books, and records relating to the use and
disclosure of PHI received from, or created, or received by the Business Associate 2 on
behalf of Business Associate 1, available to the Secretary for purposes of determining
Business Associate 1’s compliance with HIPAA, the HIPAA Regulations, and the HITECH Act.
Except to the extent prohibited by law, Business Associate 2 shall notify Business Associate
1 of all requests served upon Business Associate 2 for information or documentation by or
on behalf of the Secretary. Business Associate 2 agrees to provide to Business Associate 1
proof of its compliance with the HIPAA Security Standards.

2.7. Access to and Amendment of Protected Health Information: To the extent that
Business Associate 2 maintains a Designated Record Set on behalf of Business Associate 1
and within fifteen (15) days of a request by Business Associate 1, Business Associate 2 shall
(a) make the PHI it maintains (or which is maintained by its Subcontractors) in Designated Record Sets available to Business Associate 1 for inspection and copying, or to an
individual to enable Business Associate 1 to fulfill its obligations under 45 C.F.R. § 164.524,
or (b) amend the PHI it maintains (or which is maintained by its Subcontractors) in
Designated Record Sets to enable Business Associate 1 to fulfill its obligations under 45
C.F.R. § 164.526. Business Associate 2 shall not disclose PHI to a health plan for payment or
healthcare operations purposes if and to the extent that Business Associate 1 has informed
Business Associate 2 that the patient has requested this special restriction, and has paid out
of pocket in full for the health care item or service to which the PHI solely relates,
consistent with 42 U.S.C. § 17935(a) and 42 C.F.R. § 164.522(a)(1)(vi). If Business
Associate 2 maintains PHI in a Designated Record Set electronically, Business Associate 2
shall provide such information in the electronic form and format requested by Business
Associate 1 if it is readily reproducible in such form and format, and, if not, in such other
form and format agreed to by Business Associate 1 to enable Business Associate 1 to fulfill
its obligations under 42 U.S.C. § 17935(e) and 45 C.F.R. § 164.524(c)(2). Business Associate
2 shall notify Business Associate 1 within fifteen (15) days of receipt of a request for access
to PHI.

2.8. Accounting: To the extent that Business Associate 2 maintains a Designated Record
Set on behalf of Business Associate 1, within thirty (30) days of receipt of a request from
Business Associate 1 or an individual for an accounting of disclosures of PHI, Business
Associate 2 and its Subcontractors shall make available to Business Associate 1 the
information required to provide an accounting of disclosures to enable Business Associate
1 to fulfill its obligations under 45 C.F.R. § 164.528 and its obligations under 42 U.S.C. §
17935(c). Business Associate 2 shall notify Business Associate 1 within fifteen (15) days of
receipt of a request by an individual or other requesting party for an accounting of
disclosures of PHI.

2.9. Use of Subcontractors: Business Associate 2 shall require each of its
Subcontractors that creates, maintains, receives, or transmits PHI on behalf of Business
Associate 2, to execute a Business Associate Agreement that imposes on such
Subcontractors the same restrictions, conditions, and requirements that apply to Business
Associate 2 under this BAA with respect to PHI.

2.10. Minimum Necessary: Business Associate 2 (and its Subcontractors) shall, to the
extent practicable, limit its request, use, or disclosure of PHI to the minimum amount of PHI
necessary to accomplish the purpose of the request, Use or Disclosure, in accordance with
42 U.S.C. § 17935(b) and 45 C.F.R. § 164.502(b)(1) or any other guidance issued
thereunder.

ARTICLE III

TERM AND TERMINATION

3.1. Term: The term of this Agreement shall be effective as of the Effective Date and
shall terminate as of the date that all of the PHI provided by Business Associate 1 to
Business Associate 2, or created or received by Business Associate 2 on behalf of Business
Associate 1, is destroyed or returned to Business Associate 1, or, if it is infeasible to return
or destroy the PHI, protections are extended to such information, in accordance with Section 3.3, or on the date that Business Associate 1 terminates for cause as authorized in
Section 3.2, whichever is sooner.


3.2. Termination for Cause: Upon Business Associate 1’s knowledge of a material
breach or violation of this BAA by Business Associate 2, Business Associate 1 shall either:
1. Notify Business Associate 2 of the breach in writing, and provide an opportunity for Business
Associate 2 to cure the breach or end the violation within ten (10) business days of such notification;
provided that if Business Associate 2 fails to cure the breach or end the violation within such time
period to the satisfaction of Business Associate 1, Business Associate 1 may immediately terminate
this BAA upon written notice to Business Associate 2; or
2. Upon written notice to Business Associate 2, immediately terminate this BAA if
Business Associate 1 determines that such breach cannot be cured.


3.3. Disposition of Protected Health Information Upon Termination or Expiration
3.3.1. Upon termination or expiration of this BAA, Business Associate 2 shall either
return or destroy all PHI received from, or created or received by Business Associate 2 on
behalf of Business Associate 1, that Business Associate 2 still maintains in any form and
retain no copies of such PHI. If Business Associate 1 requests that Business Associate 2
return PHI, PHI shall be returned in a mutually agreed upon format and timeframe, at no
additional charge to Business Associate 1.
3.3.2. If return or destruction is not feasible, Business Associate 2 shall (a) retain
only that PHI which is necessary for Business Associate 2 to continue its proper
management and administration or to carry out its legal responsibilities; (b) return to
Business Associate 1 the remaining PHI that Business Associate 2 still maintains in any
form; (c) continue to extend the protections of this BAA to the PHI for as long as Business
Associate 2 retains the PHI; (d) limit further Uses and Disclosures of such PHI to those
purposes that make the return or destruction of the PHI infeasible and subject to the same
conditions set out in Section 2.1 and 2.2 above, which applied prior to termination; and (e)
return to Business Associate 1 the PHI retained by Business Associate 2 when it is no
longer needed by Business Associate 2 for its proper management and administration or to
carry out its legal responsibilities.

ARTICLE IV

MISCELLANEOUS

4.1. Amendment to Comply with Law: This BAA shall be deemed amended to
incorporate any mandatory obligations of Business Associate 1 or Business Associate 2
under the HITECH Act, the HIPAA Act, and HIPAA regulations. Additionally, the Parties
agree to take such action as is necessary to amend this BAA from time to time as necessary
for Business Associate 1 to implement its obligations pursuant to the HIPAA Act, the HIPAA
Regulations, or the HITECH Act.


4.2. Indemnification: Both companies/organizations hereby agree to indemnify and hold harmless
the other, its affiliates, and their respective officers, directors, managers, members, shareholders, employees, and agents from and against any and all fines, penalties, damage, claims, or causes of action and expenses
(including, without limitation, court costs and attorney’s fees) the companies/organizations incur, arising
from violations of the HIPAA Act, the HIPAA Regulations, the HITECH Act, or from any negligence or wrongful
acts or omissions, including, but not limited to, failure to perform its obligations that results in a violation of
the HIPAA Act, the HIPAA Regulations, or the HITECH Act, by either company/organization or its employees,
directors, officers, subcontractors, agents, or members of its workforce.


4.3. Notices: Any notices required or permitted to be given hereunder by either Party to
the other shall be given in writing: (1) by personal delivery; (2) by electronic mail or
facsimile with confirmation sent by United States first class registered or certified mail,
postage prepaid, return receipt requested; (3) by bonded courier or by a nationally
recognized overnight delivery service; or (4) by United States first class registered or
certified mail, postage prepaid, return receipt, in each case, addressed to a Party on the
signature page(s) to this Agreement or to such other addresses as the Parties may request
in writing by notice given pursuant to this Section 4.3. Notices shall be deemed received on
the earliest of personal delivery; upon delivery by electronic facsimile with confirmation
from the transmitting machine that the transmission was completed; twenty-four (24)
hours following deposit with a bonded courier or overnight delivery service; or seventy-two (72) hours following deposit in the U.S. mail as required herein.


4.4. Relationship of Parties: Business Associate 2 is an independent contractor and not
an agent of Business Associate 1 under this BAA. Business Associate 2 has the sole right
and obligation to supervise, manage, contract, direct, procure, perform or cause to be
performed all Business Associate 2 obligations under this BAA.


4.5. Survival: The respective rights and obligations of the Parties under Sections 3.3 and
4.2 of this BAA shall survive the termination of this BAA.


4.6. Applicable Law and Venue: This Agreement shall be governed by and construed in
accordance with the laws of the State of ___________ (without regard to conflict of laws
principles). The Parties agree that all actions or proceedings arising in connection with this
BAA shall be tried and litigated exclusively in the State or federal (if permitted by law and if
a Party elects to file an action in federal court) courts located in the county of _____________.