Business Associate Agreement
Linkd HQ — A product of DesignedIT Inc.
Effective March 15, 2026 — Version 1.0
| Version | Date | Changes |
|---|---|---|
| 1.0 | March 15, 2026 | Initial version |
Acceptance — By creating a Linkd HQ account you agree to this Business Associate Agreement alongside our Terms of Service and Privacy Policy. No separate signature is required. Agreement is binding upon account creation.
1. Parties and Purpose
This BAA is entered into between DesignedIT Inc., operating as Linkd HQ (“Linkd,” “Business Associate”), and the healthcare organization creating a Linkd account (“Covered Entity,” “Customer”). This Agreement governs the handling of Protected Health Information that may be created, received, maintained, or transmitted by Linkd on behalf of the Customer.
2. Jurisdiction Coverage
United States — HIPAA / HITECH. 45 CFR Parts 160 and 164. BAA per § 164.504(e).
Ontario, Canada — PHIPA. Personal Health Information Protection Act. Agent Agreement included herein.
Canada (Federal) — PIPEDA. Personal Information Protection and Electronic Documents Act.
United Kingdom — UK GDPR. UK International Data Transfer Addendum clauses apply.
Quebec, Canada — Law 25. Act respecting protection of personal information in the private sector.
3. Definitions
PHI — Protected Health Information as defined under HIPAA (45 CFR § 160.103). Includes Personal Health Information under PHIPA and Special Category data under UK GDPR.
Covered Entity — a healthcare provider, health plan, or healthcare clearinghouse subject to HIPAA, or equivalent regulated entity under PHIPA, PIPEDA, UK GDPR, or Law 25.
Business Associate — DesignedIT Inc. (Linkd HQ), acting as a service provider that creates, receives, maintains, or transmits PHI on behalf of a Covered Entity.
Services — the Linkd HQ AI chatbot platform and all related features, APIs, and integrations.
Breach — unauthorized acquisition, access, use, or disclosure of PHI that compromises its security or privacy.
Subcontractor — any third party to whom Linkd delegates functions involving PHI, currently OpenAI (inference), Google Cloud (infrastructure), and Clerk (authentication).
4. Permitted Uses and Disclosures
Linkd may use or disclose PHI only to provide the Services as configured by the Customer, for proper management and administration of Linkd's business where required by law, to carry out legal responsibilities where required by law, and for data aggregation services relating to the Customer's healthcare operations only where explicitly agreed.
Linkd will not use PHI for advertising, marketing, profiling, model training, or sale to third parties.
5. Linkd's Obligations
Safeguards — Linkd will implement appropriate administrative, technical, and physical safeguards to protect PHI including encryption at rest (AES-256) and in transit (TLS 1.3), role-based access controls, tenant isolation, and automated monitoring.
Subcontractors — Linkd ensures all subcontractors handling PHI are bound by equivalent obligations. Current subcontractors with signed BAAs — OpenAI (zero data retention, no PHI stored), Google Cloud (SOC 2, ISO 27001 certified), Clerk (authentication only, no health data).
Reporting — Linkd will notify the Customer within 24 hours of discovering any breach or impermissible use or disclosure of PHI, including the nature of the incident, PHI involved, individuals affected, steps taken to mitigate, and recommended actions.
Access and Amendment — Linkd will provide access to PHI and make amendments upon Customer direction.
Accounting of Disclosures — Linkd will document and make available an accounting of PHI disclosures as required by applicable law.
Government Access — Linkd will make internal practices and records available to HHS (US), the Information and Privacy Commissioner (Ontario), the Office of the Privacy Commissioner (Canada), or the ICO (UK) for compliance determination purposes.
Minimum Necessary — Linkd will use, disclose, or request only the minimum PHI necessary to accomplish the intended purpose.
6. Customer Obligations
Customers agree to:
- Notify Linkd of any limitation in their Notice of Privacy Practices affecting Linkd's use of PHI.
- Notify Linkd of any changes to individual permissions.
- Not request Linkd to process PHI in violation of applicable law.
- Inform end users through their website that conversations and form submissions may be processed.
- Enable conversation logging only after ensuring appropriate consent and disclosure.
- Not upload individual patient records or clinical notes to the Linkd knowledge base.
7. Conversation Logging and PHI Detection
Conversation logging is off by default. When enabled, an automated detection layer identifies and removes combinations of personal identifiers and health information before data reaches storage. This detection is automated and may not identify every possible combination — the Customer, as data controller, remains responsible for lawful handling of data collected through the chatbot.
All conversation logs are permanently deleted after 30 days via a Firestore TTL policy. Real-time inference through OpenAI operates under zero data retention — nothing is stored by OpenAI and nothing is used for training.
8. Term and Termination
This Agreement is effective upon account creation and remains in effect for the duration of the Services agreement. Either party may terminate if the other materially breaches and fails to cure within 30 days of written notice. Upon termination, Linkd will permanently delete all PHI within 30 days via secure deletion. Where deletion is not feasible, Linkd will extend the protections of this Agreement to any retained PHI.
9. Jurisdiction-Specific Provisions
United States — HIPAA / HITECH — This Agreement satisfies 45 CFR § 164.504(e). Linkd will notify the Customer without unreasonable delay and no later than 60 calendar days after discovery of any breach, consistent with 45 CFR § 164.410. For breaches affecting 500 or more individuals, Linkd will notify HHS as required.
Ontario — PHIPA — This Agreement constitutes an Agent Agreement under PHIPA S.O. 2004. Linkd acts as agent of the health information custodian and will collect, use, disclose, retain, and dispose of personal health information only as permitted by the Customer and in accordance with PHIPA. Linkd will notify the Customer of any privacy breach without undue delay.
Canada — PIPEDA — Linkd complies with PIPEDA and applicable provincial equivalents. Data processing is governed by the Privacy Policy at linkdhq.com/privacy.
United Kingdom — UK GDPR — This Agreement incorporates the UK International Data Transfer Addendum as issued by the ICO. Linkd will notify the Customer of any personal data breach within 24 hours of discovery, enabling the Customer to meet its 72-hour ICO notification obligation.
Quebec — Law 25 — Linkd supports compliance with the Act respecting the protection of personal information in the private sector. Linkd will notify the Customer of any breach involving Quebec residents within 24 hours, enabling the Customer to meet its 72-hour CAI notification obligation.
10. Miscellaneous
This Agreement is incorporated into the Linkd Terms of Service. Where this Agreement conflicts with the Terms regarding PHI, this Agreement controls. This Agreement may be amended with 30 days' notice. Continued use after the notice period constitutes acceptance. Governed by the laws of the Province of Ontario and the federal laws of Canada.
Questions — contact@designedit.org