Enterprise Agreement Notice
These Terms of Service constitute a binding legal agreement between the Customer (the healthcare institution, pharmaceutical company, research organization, or enterprise entity) and Synthetix Health. They should be reviewed by your legal, compliance, and data protection teams prior to execution.
These Terms operate in conjunction with (a) your executed Business Associate Agreement (BAA), (b) Data Processing Agreement (DPA), (c) applicable Order Form, and (d) any executed Service Level Agreement (SLA). In the event of conflict, Order Forms take precedence, followed by BAAs, DPAs, and these Terms.
1. Acceptance of Terms
These Terms of Service ("Terms") govern your access to and use of the proprietary clinical intelligence infrastructure, APIs, privacy engine, Clinical Audit Trail, and Bio-Stream network (collectively, the "Services") provided by Synthetix Health.
By clicking "I Accept," accessing the platform, executing an Order Form referencing these Terms, or permitting any user within your organization to access the Services, you agree to be bound by this agreement on behalf of the enterprise, healthcare institution, pharmaceutical company, or research organization you represent ("Customer" or "you").
Authority Representation
By accepting these Terms, you represent and warrant that: (a) you have full legal authority to bind the Customer entity to this agreement; (b) you have read and understood these Terms; and (c) you agree to these Terms on behalf of the Customer. If you do not have such authority, you must not accept these Terms or use the Services.
These Terms apply globally to all use of the Services, subject to jurisdiction-specific addenda applicable to Indian and US operations as described herein.
2. Definitions
| Term | Definition |
|---|---|
| Services | The Synthetix Health clinical intelligence infrastructure, proprietary privacy engine, Clinical Audit Trail, Bio-Stream network, APIs, web application, and all associated platform components. |
| Source Data | Raw clinical data — including EHR records, FHIR-format datasets, clinical trial data, or other healthcare datasets — ingested by the Customer into their dedicated Synthetix instance. |
| Synthetic Data | Mathematically private synthetic healthcare datasets generated by the Synthetix proprietary privacy engine from Source Data, preserving statistical utility while providing formal privacy guarantees. |
| Privacy Certification | The mathematical privacy guarantee accompanying each Synthetic Data output, certifying that outputs meet Synthetix Health's proprietary privacy standard. Parameters and methodology are Confidential Information of Synthetix Health. |
| Clinical Audit Trail | The immutable, queryable compliance log that records privacy certification metadata, timestamps, user identifiers, and dataset lineage for every synthetic data generation event. |
| Protected Health Information (PHI) | Individually identifiable health information as defined under HIPAA (45 CFR §160.103) transmitted or maintained by a covered entity or business associate. |
| Business Associate Agreement (BAA) | The HIPAA-required agreement executed between Synthetix Health (as Business Associate) and the Customer (as Covered Entity or downstream Business Associate) governing permissible uses and disclosures of PHI. |
| Data Processing Agreement (DPA) | The data processing agreement governing Synthetix Health's role as Data Processor under the DPDP Act, 2023 and applicable Indian law. |
| Data Fiduciary / Data Principal | Under the DPDP Act, 2023: Data Fiduciary means the entity determining the purpose and means of data processing; Data Principal means the individual to whom personal data relates. |
| FHIR | Fast Healthcare Interoperability Resources — the international standard for healthcare data exchange (HL7 FHIR R4), natively supported by the Synthetix ingestion pipeline. |
| Re-identification | Any attempt, by any technical or non-technical means, to link, connect, or otherwise associate Synthetic Data outputs with the identity of any individual whose data was represented in the Source Data. |
| Order Form | A mutually executed commercial agreement specifying the Services, compute tier, fees, and any Customer-specific terms. Incorporated by reference. |
| DPDP Act | India's Digital Personal Data Protection Act, 2023. |
| SPDI Rules | India's IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. |
3. The Synthetix Infrastructure and Access Grant
3.1 Service Description
Synthetix Health provides compute infrastructure designed to generate mathematically private, high-fidelity Synthetic Data from Source Data utilizing proprietary privacy-preserving algorithms. The platform includes:
- Synthesis Workspace: FHIR-native ingestion pipeline, proprietary privacy engine, and multi-format synthetic data export.
- Clinical Audit Trail: An immutable, queryable compliance log linking privacy certification metadata, dataset lineage, and temporal metadata — designed to satisfy HIPAA audit control requirements (45 CFR §164.312(b)) and DPDP Act accountability obligations.
- Dataset Marketplace: A curated environment for sharing validated synthetic datasets between authorized institutional participants within the Bio-Stream network.
- APIs and Integrations: RESTful APIs enabling integration with existing EHR systems, research data warehouses, and AI/ML development pipelines.
3.2 Access Grant
Subject to your compliance with these Terms, execution of applicable BAAs and DPAs, and timely payment of fees, Synthetix Health grants you a limited, non-exclusive, non-transferable, non-sublicensable, enterprise-wide right to access and use the Services solely for your internal business, research, and machine learning development purposes during the applicable subscription term.
3.3 Service Levels
Platform uptime targets, support tiers, incident response SLAs, and scheduled maintenance windows are set forth in the applicable Service Level Agreement (SLA) executed with your organization. In the absence of a separately executed SLA, Synthetix Health will use commercially reasonable efforts to maintain platform availability consistent with its standard enterprise service levels.
3.4 Compliance Infrastructure
The Services are architected to align with HIPAA Security Rule requirements. For Indian enterprise customers, the platform is aligned with DPDP Act technical safeguard obligations and the ABDM Health Data Management Policy. Specific compliance certifications are set forth in your Order Form.
4. Acceptable Use and Strict Prohibitions
4.1 Permitted Use
You agree to use the Services strictly in accordance with: (a) these Terms; (b) your Order Form; (c) applicable local, national, and international law, including HIPAA and the HITECH Act in the United States, the DPDP Act and IT Act in India, and any applicable state-level health privacy laws; and (d) all applicable ethical and institutional review board (IRB/IEC) requirements governing your research activities.
4.2 Strict Prohibitions
Zero-Tolerance: Re-identification Prohibition
You shall not, under any circumstances, use algorithms, machine learning models, linkage attacks, auxiliary datasets, statistical inference, or any other technical or non-technical method to attempt to re-identify, de-anonymize, or reverse-engineer Synthetic Data to uncover the identity of any individual represented in the Source Data.
This prohibition applies to your organization, all of your employees, contractors, and agents, and extends to any downstream recipients of Synthetic Data under any data sharing arrangement.
Violation constitutes a material breach resulting in immediate termination with no right to cure, forfeiture of prepaid fees, and potential civil and criminal liability under HIPAA, the HITECH Act, the DPDP Act (which provides for penalties up to INR 250 crore / ~USD 30 million), and applicable privacy law.
You explicitly agree NOT to engage in any of the following:
- Unauthorized Source Data: You shall not upload, ingest, or process any Source Data unless you hold the explicit legal right, patient consent (in the form required by HIPAA, the DPDP Act, or applicable law), institutional authorization, and IRB/IEC approval.
- Reverse Engineering: You may not decompile, disassemble, reverse-engineer, or otherwise attempt to derive the source code, underlying algorithms, privacy parameters, or mathematical models of the Synthetix privacy engine or any component of the Services.
- Unauthorized Disclosure: You may not share, sublicense, distribute, sell, or otherwise make available to any third party access credentials, raw API keys, or any restricted Synthetic Data without prior written consent.
- Competitive Intelligence: You may not use the Services or outputs to build competing privacy infrastructure, benchmark against competing products for public disclosure, or otherwise disadvantage Synthetix Health commercially.
- Prohibited Jurisdictions and Sanctioned Parties: You may not use the Services in violation of US export control laws (EAR/ITAR), OFAC sanctions, or Indian FEMA restrictions.
- Misrepresentation of Privacy Certification: You may not misrepresent, alter, or remove the privacy certification metadata accompanying Synthetic Data outputs. Synthetic Data must be disclosed with its original privacy certification to any downstream recipients.
4.3 Consequences of Prohibited Use
Material Breach and Enforcement
Any violation of Section 4.2 constitutes a material breach. Synthetix Health reserves the right, without prior notice, to: (a) immediately suspend or terminate your access; (b) preserve and disclose relevant logs and audit trails to regulatory authorities (including HHS OCR and MeitY) as required by law; and (c) seek injunctive relief and all available legal and equitable remedies.
Under the DPDP Act, 2023, data breaches caused by Customer misuse may expose your organization to financial penalties up to INR 250 crore (~USD 30 million). Synthetix Health disclaims all liability for penalties arising from Customer misuse.
5. Intellectual Property and Data Ownership
5.1 Synthetix Health Intellectual Property
Synthetix Health retains all right, title, and interest in and to the Services, including the proprietary privacy engine and all underlying algorithms, privacy parameters, and mathematical models, the Clinical Audit Trail architecture and immutability mechanisms, the Bio-Stream network protocol, all platform source code, APIs, documentation, and training materials, and all improvements, enhancements, and derivative works.
Nothing in these Terms transfers any ownership of Synthetix Health's intellectual property to you.
5.2 Customer Source Data
You retain all ownership rights, title, and interest in and to your Source Data. Synthetix Health claims no ownership over your Source Data. You grant Synthetix Health a limited, non-exclusive license to access, process, and transmit your Source Data solely to the extent necessary to provide the Services, subject to your BAA and DPA.
You represent and warrant that you own or have the lawful right and all necessary consents, authorizations, and approvals to ingest your Source Data into the Services.
5.3 Synthetic Data Ownership
Upon successful generation and payment of associated compute fees, you own the resulting Synthetic Data generated within your dedicated instance, subject to the following conditions:
- Ownership of Synthetic Data does not include ownership of the algorithms, models, or methods used to generate it;
- Synthetic Data must be used, shared, and disclosed in accordance with Section 4 (Acceptable Use);
- Synthetic Data must be accompanied by its privacy certification and relevant Clinical Audit Trail metadata in any downstream sharing arrangement or publication;
- Synthetix Health retains the right to use aggregated, statistical, and anonymized metadata about synthetic data generation events for platform improvement and research purposes, provided such use does not identify any individual or Customer.
5.4 Trained Models and Derivative Works
AI and machine learning models trained using Synthetic Data generated on the Synthetix platform are entirely your intellectual property. Synthetix Health claims no rights in such models. You acknowledge that the regulatory status of AI models trained on synthetic data (including any FDA submissions or CE-mark applications) is your sole responsibility.
5.5 Feedback
If you provide Synthetix Health with feedback, suggestions, or ideas about the Services ("Feedback"), you grant Synthetix Health a perpetual, irrevocable, royalty-free, worldwide license to use, incorporate, and commercialize such Feedback without restriction. Synthetix Health will not identify you as the source of Feedback without your prior written consent.
6. Security and Compliance — Dual Regulatory Framework
6.1 Synthetix Health Security Obligations
| Security Control | Standard / Commitment |
|---|---|
| Encryption in Transit | TLS 1.2+ for all data in transit; mTLS for API communications |
| Encryption at Rest | AES-256 for all stored data including Source Data, Synthetic Data, and audit logs |
| Access Controls | Role-based access control (RBAC), MFA, principle of least privilege, logical tenant isolation |
| Audit Logging | Immutable Clinical Audit Trail — satisfying HIPAA audit control requirements (45 CFR §164.312(b)) and DPDP Act accountability obligations |
| Vulnerability Management | Regular penetration testing, vulnerability scanning, and timely patch management |
| Incident Response | Documented IR plan; breach notification compliant with HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D) and DPDP Act Section 8 |
| Compliance Alignment | HIPAA Security Rule; DPDP Act technical safeguards; ABDM Health Data Management Policy |
6.2 HIPAA Business Associate Agreement (US)
HIPAA BAA — Mandatory for PHI Processing
If your Source Data contains Protected Health Information (PHI) as defined by HIPAA (45 CFR §160.103), you must execute a Business Associate Agreement (BAA) with Synthetix Health before ingesting any PHI into the Services.
Synthetix Health, as Business Associate, will: (a) use and disclose PHI only as permitted by the BAA and HIPAA; (b) implement safeguards required under the HIPAA Security Rule; (c) report breaches of unsecured PHI within the timeframes required by the HIPAA Breach Notification Rule; (d) make its books and records available to HHS for compliance review as required under HITECH.
You, as Covered Entity or upstream Business Associate, remain responsible for: (a) obtaining valid HIPAA-compliant patient authorizations or satisfying an applicable exception prior to sharing PHI; (b) configuring your instance in compliance with your own HIPAA obligations; (c) notifying affected individuals and HHS of breaches in accordance with your own breach notification obligations.
6.3 Data Processing Agreement (India — DPDP Act)
DPDP Act DPA — Mandatory for Indian Enterprise Customers
If you are an Indian enterprise processing personal data (including health data) through the Services, you must execute a Data Processing Agreement (DPA) with Synthetix Health prior to processing.
Synthetix Health acts as Data Processor processing personal data solely on your documented instructions as Data Fiduciary. Synthetix Health commits to: (a) process personal data only for purposes specified in the DPA; (b) implement technical and organizational measures consistent with DPDP Act Section 8; (c) assist you in fulfilling obligations to Data Principals (including rights requests under Sections 11-14); (d) promptly notify you of any personal data breach.
You, as Data Fiduciary, remain responsible for: (a) obtaining valid consent from Data Principals; (b) providing notice to Data Principals that their data will be processed by Synthetix Health; (c) ensuring the lawful basis for all processing instructed to Synthetix Health.
6.4 ABDM and Health Data Standards (India)
For Indian healthcare enterprise customers, Synthetix Health's processing pipeline aligns with:
- The Ayushman Bharat Digital Mission (ABDM) Health Data Management Policy, including consent architecture principles and data minimization standards;
- The Ministry of Health and Family Welfare (MoHFW) EHR Standards, 2016, with respect to FHIR-format data ingestion and processing;
- The National Health Authority (NHA) guidelines on secondary use of health data, to the extent applicable to synthetic data generation.
6.5 Customer Security Responsibilities
Synthetix Health provides compute infrastructure; you dictate the data flows. You are responsible for:
- Securely configuring your instance, including access controls and network configuration;
- Managing and safeguarding the credentials of all authorized users;
- Ensuring all Source Data ingested meets the legal, consent, and IRB/IEC authorization requirements;
- Promptly notifying Synthetix Health of any suspected unauthorized access or security incident at legal@synthetixhealth.com.
7. Fees, Billing, and Payment
7.1 Compute and Licensing Fees
Access to the Services is billed according to the compute tier, instance size, API call volume, or subscription model specified in your Order Form. Fees are due in the currency specified, payable within thirty (30) days of invoice date unless otherwise agreed.
7.2 Taxes
All fees are exclusive of applicable taxes, levies, duties, or withholdings. You are responsible for payment of all such taxes, including:
- US Sales and Use Tax: Where applicable under US federal and state law.
- Goods and Services Tax (GST): Where applicable under the Indian GST Act, 2017. Indian customers will receive compliant GST invoices.
- Withholding Tax (India): If Indian tax law requires withholding at source, you shall provide Synthetix Health with valid withholding tax certificates (Form 16A or equivalent) within the period required by law.
7.3 Late Payments
Undisputed invoices not paid within thirty (30) days may accrue interest at the lower of 1.5% per month or the maximum rate permitted by applicable law. Synthetix Health reserves the right to suspend access upon thirty (30) days' prior written notice for non-payment.
7.4 Disputed Invoices
If you dispute any portion of an invoice in good faith, you must notify Synthetix Health in writing within fifteen (15) days of the invoice date. Undisputed portions must be paid by the due date. The parties will work in good faith to resolve billing disputes within thirty (30) days.
8. Term, Suspension, and Termination
8.1 Term
These Terms commence on the date you first accept them (or execute an Order Form referencing them) and continue for the subscription term specified in your Order Form, unless earlier terminated.
8.2 Termination for Convenience
Either party may terminate these Terms or any Order Form by providing sixty (60) days' prior written notice, unless a different period is specified in the relevant Order Form.
8.3 Termination for Cause
Either party may terminate immediately upon written notice if the other party:
- Materially breaches and fails to cure within thirty (30) days of notice (except breaches of Sections 4.2 and 6.2, which carry no right to cure and result in immediate termination);
- Becomes insolvent, makes a general assignment for creditors, or becomes subject to bankruptcy or similar proceedings; or
- In Synthetix Health's reasonable judgment, creates material legal, regulatory, or reputational risk.
8.4 Effect of Termination
Upon termination or expiration:
- Your access to the Services will be revoked;
- You must promptly destroy or return all Synthetic Data, unless you retain an independent right under a separate data sharing agreement;
- Clinical Audit Trail logs will be retained for a minimum of six (6) years consistent with HIPAA documentation requirements;
- Sections 2, 4.2, 5, 9, 10, 11, 12, and 13 survive termination.
9. Disclaimers
As-Is Infrastructure
THE SERVICES ARE PROVIDED ON AN "AS IS" AND "AS AVAILABLE" BASIS. WHILE OUR PROPRIETARY PRIVACY ENGINE IS MATHEMATICALLY BOUNDED TO PROVIDE FORMAL PRIVACY GUARANTEES, SYNTHETIX HEALTH MAKES NO WARRANTY, EXPRESS OR IMPLIED, THAT:
(a) THE SYNTHETIC DATA WILL GUARANTEE SPECIFIC CLINICAL OUTCOMES, REGULATORY APPROVALS (INCLUDING FDA CLEARANCE, CE MARKING, OR CDSCO APPROVAL), OR AI MODEL PERFORMANCE FOR YOUR SPECIFIC USE CASE;
(b) THE SERVICES WILL BE UNINTERRUPTED, ERROR-FREE, OR FREE FROM SECURITY VULNERABILITIES;
(c) THE SERVICES WILL MEET ALL REQUIREMENTS OF EVERY APPLICABLE JURISDICTION;
(d) THE PRIVACY GUARANTEES WILL SATISFY EVERY POSSIBLE LEGAL OR REGULATORY DEFINITION OF DE-IDENTIFICATION IN EVERY JURISDICTION.
Synthetix Health does not warrant that Synthetic Data constitutes "de-identified information" under HIPAA's Safe Harbor or Expert Determination methods (45 CFR §164.514) for all use cases. Customers are responsible for independently determining whether Synthetic Data meets the applicable de-identification standard for their specific regulatory context.
10. Limitation of Liability
10.1 Aggregate Liability Cap
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, SYNTHETIX HEALTH'S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THESE TERMS SHALL NOT EXCEED THE TOTAL FEES PAID BY CUSTOMER IN THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM.
10.2 Exclusion of Consequential Damages
TO THE MAXIMUM EXTENT PERMITTED BY LAW, IN NO EVENT SHALL EITHER PARTY BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE, OR CONSEQUENTIAL DAMAGES, INCLUDING LOSS OF REVENUE, PROFITS, BUSINESS, DATA, GOODWILL, OR COST OF SUBSTITUTE SERVICES, EVEN IF ADVISED OF THE POSSIBILITY.
10.3 Jurisdiction-Specific Considerations
- HIPAA / HITECH (US): The liability cap does not limit either party's obligations arising directly under the executed BAA.
- DPDP Act (India): The DPDP Act imposes penalties up to INR 250 crore on Data Fiduciaries. Nothing in these Terms limits Synthetix Health's ability to seek indemnification from Customer for penalties arising from Customer's breach of Data Fiduciary obligations. The IT Act, 2000 (Section 43A) imposes liability for negligent security practices; parties retain their respective obligations.
- Consumer Protection Act, 2019 (India): To the extent any provision conflicts with mandatory consumer protections, such protections prevail. These Terms are, however, B2B enterprise agreements.
11. Indemnification
11.1 Customer Indemnification
Customer shall indemnify, defend, and hold harmless Synthetix Health from any claims, liabilities, damages, penalties, fines, and costs arising out of:
- Customer's breach of these Terms, including violations of Section 4.2;
- Customer's breach of BAA or DPA obligations;
- Failure to obtain valid consents, authorizations, or IRB/IEC approvals;
- Regulatory actions arising from Customer's misuse or non-compliance;
- Third-party claims arising from Customer's use of Synthetic Data.
11.2 Synthetix Health Indemnification
Synthetix Health shall indemnify Customer from third-party claims that the Services infringe any patent, copyright, or trade secret; provided that Customer: (a) promptly notifies Synthetix Health; (b) grants sole control of the defense; and (c) provides reasonable cooperation. This indemnity does not apply to claims arising from Customer's modification or combination with third-party materials.
12. Confidentiality
Each party agrees to: (a) hold Confidential Information in strict confidence using no less care than it uses to protect its own; (b) use it solely for purposes of exercising rights or fulfilling obligations under these Terms; and (c) not disclose it without prior written consent, except to employees, contractors, and advisors bound by equivalent confidentiality obligations.
Confidential Information does not include information that: (a) is or becomes publicly known through no fault of the receiving party; (b) was rightfully known prior to disclosure; (c) is independently developed without reference to it; or (d) is required to be disclosed by law, court order, or regulatory authority.
The Clinical Audit Trail, privacy engine architecture, all privacy parameters and mathematical models, and all technical implementation details of the Services are proprietary Confidential Information of Synthetix Health. Customer agrees not to disclose, publish, or reverse-engineer these parameters except as required for regulatory disclosure.
13. Governing Law and Dispute Resolution
13.1 US Customers
For customers primarily located in or operating under US law, these Terms are governed by the laws of the State of Delaware, USA, without regard to conflict of law provisions. Legal actions shall be brought exclusively in Delaware state or federal courts.
13.2 Indian Customers
For customers primarily located in India, these Terms are governed by the laws of India. Legal actions shall be brought exclusively in the courts of competent jurisdiction in Bangalore, Karnataka, India.
13.3 Cross-Border Disputes
International Arbitration Clause
For disputes involving both Indian and US operations, the parties agree to binding arbitration administered by the Singapore International Arbitration Centre (SIAC) under its Arbitration Rules, with the seat in Singapore and proceedings in English.
This does not prevent either party from seeking emergency injunctive or interim relief to protect intellectual property, Confidential Information, or to prevent imminent breach of the re-identification prohibition (Section 4.2).
Nothing limits Synthetix Health's ability to file complaints with HHS OCR, MeitY, the Data Protection Board of India, or any other competent regulatory authority.
13.4 Compliance with Regulatory Bodies
Each party agrees to cooperate fully with HHS and its Office for Civil Rights (OCR), MeitY, the Data Protection Board of India (DPBI), and any other competent regulatory authority with jurisdiction.
14. General Provisions
14.1 Entire Agreement
These Terms, together with all executed Order Forms, BAAs, DPAs, and SLAs, constitute the entire agreement and supersede all prior agreements, understandings, and representations.
14.2 Order of Precedence
In the event of conflict: (1) applicable Order Form; (2) BAA (for PHI-related matters); (3) DPA (for DPDP Act matters); (4) applicable SLA; (5) these Terms of Service.
14.3 Amendments
Synthetix Health may update these Terms. For material changes, we will provide at least thirty (30) days' advance notice via email and in-platform notification. Continued use after the effective date constitutes acceptance.
14.4 Assignment
You may not assign these Terms without Synthetix Health's prior written consent. Synthetix Health may assign these Terms in connection with a merger, acquisition, or sale of assets, provided the successor assumes all obligations.
14.5 Severability
If any provision is held invalid, it shall be modified to the minimum extent necessary to make it enforceable, and the remaining provisions shall continue in full force.
14.6 Waiver
No failure or delay in exercising any right constitutes a waiver. A waiver of any particular breach does not waive any subsequent breach.
14.7 Force Majeure
Neither party shall be liable for delays caused by events beyond reasonable control, including acts of God, pandemics, government actions, cyberattacks, or telecommunications failures — provided the affected party promptly notifies the other and takes reasonable steps to mitigate.
14.8 Notices
All legal notices must be in writing and delivered by: (a) email to legal@synthetixhealth.com with confirmed receipt; (b) nationally recognized overnight courier; or (c) registered post with acknowledgment.
14.9 Export Controls and Sanctions
You represent and warrant compliance with all applicable US export control laws, OFAC sanctions, and Indian FEMA regulations. You may not process data of sanctioned parties without all required licenses.
14.10 Anti-Bribery and Corruption
Both parties agree to comply with all applicable anti-bribery laws, including the US Foreign Corrupt Practices Act (FCPA) and India's Prevention of Corruption Act, 1988.
15. Contact Information
Synthetix Health — Legal and Compliance
Email: legal@synthetixhealth.com
Subject Line Format: [Legal Notice | BAA Request | DPA Request | Compliance Inquiry | Dispute Notice] — [Customer Name] — [Brief Description]
For HIPAA-related matters: Include "HIPAA" in the subject line. For DPDP Act matters: Include "DPDP" in the subject line.
Response Commitment: Legal notices acknowledged within 2 business days; BAA and DPA execution initiated within 5 business days of request.
Appendix A: Summary of Key Regulatory Obligations
| Regulatory Area | Customer Obligation | Synthetix Health Commitment |
|---|---|---|
| HIPAA PHI Ingestion (US) | Execute BAA prior to ingesting PHI; obtain valid authorizations; notify of breaches | Provide BAA; implement HIPAA Security Rule safeguards; breach notification within required timeframes |
| DPDP Act 2023 (India) | Act as Data Fiduciary; obtain consent; provide DPDP-compliant notice; execute DPA | Act as Data Processor; process only on Customer instructions; assist with Data Principal rights; implement DPDP technical safeguards |
| SPDI Rules 2011 (India) | Provide prior written consent for SPDI; ensure authorization | Apply heightened protections; not share SPDI without specific consent |
| ABDM Compliance (India) | Ensure patient consent aligns with ABDM architecture | Align processing with ABDM Health Data Management Policy and NHA guidelines |
| IRB / Ethics Approval | Obtain IRB (US) or IEC (India) approval for research using synthetic data | Provide privacy certification documentation for regulatory submissions |
| Re-identification Prohibition | Zero-tolerance — see Section 4.2 | Mathematically bound outputs to certified privacy standard; Clinical Audit Trail records all events |
| CCPA / CPRA (California) | Comply with CCPA obligations as Covered Business | Process California PI only as instructed; support CCPA rights fulfillment |
| Export Controls | Ensure no use involving sanctioned parties; obtain licenses | Maintain OFAC and BIS compliance; flag jurisdictional restrictions |
Synthetix Health · legal@synthetixhealth.com · Version 2.0 · Effective February 19, 2026