VETLOOP, INC.
Business Associate Agreement
Effective Date: March 2026 | Version 1.0
This Business Associate Agreement (“BAA”) is hereby entered between VetLoop, Inc., including its subsidiaries and affiliates (“Business Associate” or “VetLoop”) and the Customer of the VetLoop platform and services (“Customer”). This BAA forms part of and is incorporated into the VetLoop Platform Terms and Conditions, or other underlying agreement entered into by Business Associate and Customer (collectively, “Service Agreement(s)”).
BY AGREEING TO THIS BAA EITHER VIA ELECTRONIC ACCEPTANCE, THE SERVICE AGREEMENT, OR USING THE VETLOOP PLATFORM AND SERVICES AS A CUSTOMER AS SET FORTH IN A SERVICE AGREEMENT WITHOUT A SEPARATE WRITTEN BUSINESS ASSOCIATE AGREEMENT SIGNED BY BUSINESS ASSOCIATE AND CUSTOMER, CUSTOMER AGREES TO THE TERMS OF THIS BAA WITH BUSINESS ASSOCIATE.
STATEMENT OF PURPOSE
BUSINESS ASSOCIATE HAS BEEN ENGAGED TO PROVIDE CERTAIN SOFTWARE AND SERVICES TO CUSTOMER AS SET FORTH IN THE SERVICE AGREEMENT, INCLUDING A CLOUD-BASED VETERINARY REFERRAL MANAGEMENT PLATFORM THAT FACILITATES THE CREATION, TRANSMISSION, AND MANAGEMENT OF VETERINARY REFERRALS AND ASSOCIATED CLINICAL DATA BETWEEN GENERAL PRACTICE VETERINARIANS AND SPECIALTY CLINICS.
CUSTOMER MAY BE A COVERED ENTITY OR BUSINESS ASSOCIATE UNDER HIPAA, OR MAY VOLUNTARILY ELECT TO APPLY HIPAA-EQUIVALENT STANDARDS TO ITS VETERINARY OPERATIONS. THE PARTIES ACKNOWLEDGE THAT BUSINESS ASSOCIATE MAY BE EXPOSED TO, OR BECOME AWARE OF, PROTECTED HEALTH INFORMATION (“PHI”) IN THE PERFORMANCE OF THE SERVICE AGREEMENT.
THE PARTIES WISH TO ENTER INTO THIS BAA TO PROVIDE CUSTOMER WITH THE WRITTEN ASSURANCES REQUIRED BY THE PRIVACY RULE AND THE SECURITY RULE ESTABLISHED PURSUANT TO THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 AND THE HEALTH INFORMATION TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT (“HITECH ACT” AND TOGETHER, “HIPAA”) AND TO ADDRESS THE USE AND DISCLOSURE OF PHI.
Applicability to Veterinary Data. The parties acknowledge that HIPAA does not directly govern veterinary clinical data or pet health information. However, owner personally identifiable information (“Owner PII”) processed through the VetLoop platform — including names, phone numbers, email addresses, and addresses — may constitute PHI where it is linked to health-related information, or may be subject to analogous protections under state privacy laws including the Texas Data Privacy and Security Act (TDPSA). VetLoop implements HIPAA-equivalent technical safeguards as a best practice for all data processed through its platform, and this BAA extends those protections to Customer regardless of whether HIPAA directly applies to Customer’s veterinary operations.
1. Definitions
Terms used but not otherwise defined in this BAA shall have the same meaning as those terms in the Privacy Rule, the Security Rule, or the Service Agreement, unless inappropriate by context.
a) “Business Associate” shall have the meaning set forth in 45 C.F.R. Section 160.103, and with reference to this BAA, shall mean VetLoop, Inc.
b) “Covered Entity” shall have the meaning set forth in 45 C.F.R. Section 160.103, and with reference to this BAA, shall mean Customer where Customer qualifies as a Covered Entity under HIPAA, or Customer where Customer voluntarily elects to apply HIPAA-equivalent standards.
c) “Designated Record Set” shall have the meaning set forth in 45 C.F.R. Section 164.501.
d) “Disclose” and “Disclosure” mean, with respect to Protected Health Information, the release, transfer, provision of access to, or divulging in any other manner of Protected Health Information outside the organization’s internal operations or to individuals other than its workforce.
e) “Electronic Protected Health Information” or “EPHI” shall have the same meaning as the term “Electronic Protected Health Information” in 45 C.F.R. § 160.103, and in this BAA shall mean more than Incidental information received by Business Associate or made accessible to Business Associate by Customer in the course of Business Associate’s performing the Service Agreement.
f) “Incidental” shall refer to those uses and disclosures covered in 45 C.F.R. 164.502(a)(1)(iii) which do not rise to the level where a business associate agreement is required and that occur as a by-product of another permissible or required use under HIPAA and that cannot be reasonably prevented and are limited in nature.
g) “Individual” shall have the same meaning as the term “individual” in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g). For purposes of this BAA, “Individual” also includes pet owners whose PII is processed through the VetLoop platform.
h) “Medical Record Data” shall mean data classified as Tier 1 under VetLoop’s Data Retention Policy, including referral records, clinical data transmitted between practices, discharge summaries, GP acknowledgements, and related documentation that constitutes or forms part of the veterinary medical record under applicable state veterinary practice acts.
i) “Privacy Rule” shall mean the standards, requirements, and specifications promulgated by the Secretary of Health and Human Services at 45 C.F.R. Section 160 subparts A and E promulgated under HIPAA.
j) “Protected Health Information” or “PHI” shall have the same meaning as the term “Protected Health Information” in 45 C.F.R. § 160.103, limited to the information created or received by Business Associate from or on behalf of Customer, and in this BAA shall mean more than Incidental information received by Business Associate or made accessible to Business Associate by Customer in the course of Business Associate performing the Service Agreement. For the avoidance of doubt, PHI includes Owner PII to the extent it is linked to health-related information processed through the VetLoop platform.
k) “Security Rule” shall mean the standards, requirements, and specifications promulgated by the Secretary of Health and Human Services at 45 C.F.R. Section 164 subpart C promulgated under HIPAA.
l) “Use” or “Uses” shall have the meaning set forth in 45 C.F.R. Section 160.103.
2. Obligations of Business Associate
Business Associate agrees:
a) Not to use or further disclose PHI created or received by Business Associate from, or on behalf of, Customer other than as required to carry out its Service Agreement obligations to Customer and as permitted or required by this BAA or applicable laws. Such use, disclosure, or request of PHI shall utilize a limited data set if practicable or otherwise the minimum necessary PHI in accordance with HIPAA to accomplish the intended result of the use, disclosure, or request.
b) To use reasonable and appropriate safeguards designed to prevent the use or disclosure of Protected Health Information in any manner other than as permitted by this BAA. VetLoop’s current safeguards include encryption in transit (TLS 1.3) and at rest (AES-256), role-based access controls with practice-level data isolation, multi-factor authentication, web application firewall, API rate limiting, and comprehensive audit logging.
c) To report to Customer any use or disclosure of PHI not permitted by this BAA of which it becomes aware. In addition, Business Associate will report, following discovery and without unreasonable delay (and in no event later than seventy-two (72) hours after confirmation), any “Breach” of “Unsecured Protected Health Information” as defined by the HITECH Act and any implementing regulations. Any such report shall include the identification (if known) of each Individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such Breach. Business Associate shall report Security Incidents to Customer with the exception of unsuccessful Security Incidents (such as pings, broadcast firewall attacks, port scans, and unsuccessful log-on attempts) which Customer hereby acknowledges occur regularly and no further notice is necessary. Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this BAA.
d) To ensure that any agents and subcontractors of Business Associate to whom Business Associate provides PHI received from, or created or received by Business Associate on behalf of Customer, agree to substantially the same restrictions and conditions that apply to Business Associate with respect to such information. VetLoop’s current sub-processors include Neon (PostgreSQL database), DigitalOcean (cloud infrastructure), Cloudflare (CDN/WAF), SendGrid (email delivery), Google Cloud (OAuth authentication), and Amazon S3 (file storage), each of which maintains SOC 2 Type 2 certification or equivalent.
e) To the extent (if any) that Business Associate maintains a Designated Record Set for Customer, and is notified of such by Customer, to make available PHI maintained by Business Associate in a Designated Record Set to Customer as required for Covered Entity to comply with its obligation to give an Individual the right of access to inspect and obtain a copy of their PHI as set forth in 45 C.F.R. 164.524. Consistent with 45 C.F.R. 164.524, Business Associate’s obligation will be limited to the extent such PHI is in the sole possession of Business Associate and is not duplicative of PHI held by Customer. The provision of the access to the Individual’s PHI and any denials of access to the PHI shall be the responsibility of Customer.
f) To the extent (if any) that Business Associate maintains a Designated Record Set for Customer, and is notified of such by Customer, to make available PHI maintained by Business Associate in a Designated Record Set to Customer as required for Covered Entity to comply with its obligation to amend PHI as set forth in 45 C.F.R. 164.526. The amendment of an Individual’s PHI and all decisions related thereto shall be the responsibility of Customer.
g) To make available to Customer information regarding disclosures by Business Associate to third parties for which an accounting is required under 45 C.F.R. Section 164.528 so Covered Entity can meet its requirements to provide an accounting of disclosures to Individuals in accordance with 45 C.F.R. 164.528.
h) To make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Customer, available to the Secretary of Health and Human Services for purposes of determining Customer’s compliance with the Privacy and Security Rules.
i) At termination of this BAA, if feasible, return or destroy all PHI received from, or created or received by Business Associate on behalf of Customer, that Business Associate still maintains in any form, subject to the following exception: Business Associate shall retain Medical Record Data (as defined in Section 1(h)) for the duration of the applicable retention period under VetLoop’s Data Retention Policy (7 years from date of last treatment), even after termination of this BAA or the Service Agreement. During such retention period, Business Associate shall extend the protections of this BAA to such retained data and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible (i.e., compliance with applicable veterinary medical record retention requirements). Upon expiration of the retention period, Business Associate shall securely destroy the retained data in accordance with its Data Retention Policy.
j) With respect to Electronic Protected Health Information, Business Associate will (i) implement administrative, physical, and technical safeguards that are designed to reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Customer, as required by the Security Rule; (ii) ensure that any agent or subcontractor to whom it provides Electronic Protected Health Information agrees to implement reasonable and appropriate safeguards to protect it; and (iii) report to Customer any Security Incident of which it becomes aware in accordance with Section 2(c).
3. Permitted Uses and Disclosures by Business Associate
• Except as otherwise limited by this BAA, Business Associate may make any uses or disclosures of PHI reasonably necessary to perform its services to Customer and otherwise to meet its obligations under this BAA and the Service Agreement. Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. Business Associate may disclose PHI for its proper management and administration or to carry out its legal responsibilities, if the disclosure is Required By Law or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
• Except as otherwise limited in this BAA, Business Associate may use PHI to provide Data Aggregation services as permitted by 45 C.F.R. Section 164.504(e)(2)(i)(B).
• Except as otherwise limited in this BAA, Business Associate may de-identify PHI in accordance with the HIPAA Safe Harbor principles. Business Associate may use de-identified and aggregated data to improve its platform and services, develop new features, train operational efficiency and process models, analyze and benchmark referral performance, and produce industry insights, provided that such de-identification is performed in accordance with industry-standard methods such that re-identification of Individuals is not reasonably possible.
• Business Associate may use PHI to fulfill its obligations as a medical record custodian under applicable state veterinary practice acts, including retaining referral records, clinical data, and discharge documentation for the periods required by law. Business Associate may disclose such records to treating veterinarians with a legitimate interest, or to pet owners exercising their rights under applicable state law, in accordance with VetLoop’s consumer rights process and the requirements of the applicable veterinary practice act.
4. Customer Obligations
• Customer shall use and disclose PHI only in accordance with the Privacy Rule, the Security Rule, and any other applicable law concerning PHI. Customer shall limit disclosures of PHI to Business Associate in accordance with minimum necessary practices. Customer shall follow all data security instructions communicated by Business Associate or set forth in the applicable Software or service documentation. Customer shall not request Business Associate to use or disclose PHI in violation of HIPAA or any other applicable law.
• Customer shall be solely responsible for establishing the applicable HIPAA Security Rule safeguards and associated policies for protecting PHI in its facilities. Customer shall communicate the relevant safeguards and policies to Business Associate when Business Associate provides services at a Customer facility.
• Customer shall be responsible for ensuring PHI is secured through the use of a technology or methodology specified by the Secretary of Health and Human Services as rendering PHI unusable, unreadable, or indecipherable to unauthorized individuals. Customer shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under applicable laws concerning PHI. Customer shall notify Business Associate of any limitation(s), restriction, or changes on the use or disclosure of PHI of which it becomes aware that may affect Business Associate’s use or disclosure of PHI.
• When Customer submits patient records, referrals, or clinical data to VetLoop as part of a referral transaction, Customer represents and warrants that it has the right to share that information and that any required client/owner consent has been obtained. Customer’s accountability for the data it submits is part of VetLoop’s trust architecture, as described in the Service Agreement.
• Customer acknowledges that VetLoop functions as a medical record custodian for referral transactions and associated clinical data processed through the platform, and that VetLoop’s retention of such data in accordance with its Data Retention Policy is a necessary function of the Service Agreement, not an unauthorized retention of PHI.
5. Additional VetLoop Security Commitments
In addition to the obligations set forth in Section 2, Business Associate commits to the following security practices for the protection of PHI and Customer Data:
• Maintaining Technology Errors and Omissions (Tech E&O) insurance and Cyber Liability insurance with coverage limits appropriate for Business Associate’s stage and risk profile. Certificates of insurance are available upon request.
• Pursuing SOC 2 Type 1 certification (target Q4 2026) and SOC 2 Type 2 certification (target Q2 2027), and notifying Customer of material changes to its security posture or certification status.
• Maintaining audit logs for all access to, creation of, modification of, and disclosure of PHI, with retention periods aligned to VetLoop’s Data Retention Policy (7 years for logs associated with Medical Record Data).
• Conducting periodic risk assessments and vulnerability evaluations of its platform and infrastructure, and remediating identified risks in accordance with commercially reasonable timeframes.
• Providing Customer access to VetLoop’s Security Overview, Vendor Risk Assessment, and Data Retention Policy upon request or through VetLoop’s Trust Center.
6. Miscellaneous
a) Term and Termination.
The term of this BAA shall be the same as the term of the Service Agreement. Upon Customer’s knowledge of a material breach of this BAA by Business Associate, Customer shall notify Business Associate of the breach in writing and shall provide an opportunity for Business Associate to cure the breach within thirty (30) business days after such notification; provided that if Business Associate fails to cure the breach within such time period, Customer shall have the right to terminate this BAA upon written notice to Business Associate. In the event that termination of this BAA is not feasible as mutually agreed, Business Associate hereby acknowledges that Customer shall have the right to report the breach to the Secretary of Health and Human Services. Notwithstanding termination of this BAA, Business Associate’s obligations with respect to Medical Record Data retained under VetLoop’s Data Retention Policy shall continue for the duration of the applicable retention period. This BAA shall terminate immediately in the event that a HIPAA business associate agreement is no longer required under applicable laws.
b) No Third Party Beneficiaries.
No provision of this BAA is intended to benefit any person or entity not a party to this BAA, nor shall any person or entity not a party to this BAA have any right to seek to enforce or recover any right or remedy with respect hereto.
c) Modification of BAA.
No alteration, amendment, or modification of the terms of this BAA shall be valid or effective unless in writing and signed by Business Associate and Customer, or unless Customer accepts an updated version of this BAA through electronic acceptance via the VetLoop platform.
d) Non-Waiver.
A failure of any party to enforce at any time any term, provision, or condition of this BAA shall in no way operate as a waiver thereof, nor shall any single or partial exercise preclude any other right or option herein.
e) Severability.
If any provision of this BAA is found to be invalid or unenforceable by any court, such provision shall be ineffective only to the extent that it is in contravention of applicable laws without invalidating the remaining provisions hereof.
f) Relationship to Service Agreement.
In the event that a provision of this BAA is contrary to a provision of the Service Agreement, the provision of this BAA shall control. Otherwise, this BAA shall be construed under, and in accordance with, the terms of the Service Agreement.
g) Independent Contractor.
Nothing in this BAA shall be deemed to create an employment, agency, or partner relationship between Business Associate and Customer.
h) Assignment.
Customer shall not assign this BAA without Business Associate’s prior written consent, which shall not be unreasonably withheld.
i) Governing Law.
This BAA shall be governed by and construed in accordance with the laws of the State of Texas, without regard to conflicts of law provisions. Any action arising out of this BAA shall be brought in the state or federal courts located in the State of Texas.
j) Relationship to Data Retention Policy.
This BAA is intended to be read in conjunction with VetLoop’s Data Retention Policy (current version available at https://vet-loop.com/retention-policy or upon request). Where this BAA addresses the retention or destruction of PHI, VetLoop’s Data Retention Policy provides additional detail regarding retention periods, data classification tiers, disposal procedures, and consumer rights processes. In the event of a conflict between this BAA and the Data Retention Policy with respect to the treatment of PHI, this BAA shall control.
ACCEPTANCE
By clicking “I Accept” or by executing the Service Agreement that incorporates this BAA, Customer confirms that it has read and understood this Business Associate Agreement, that it is authorized to bind Customer to this BAA, and that Customer agrees to be bound by all terms and conditions herein.
[ ☐ ] I Accept the VetLoop Business Associate Agreement
This document is version 1.0, effective March 2026.
Questions: legal@vet-loop.com | Security: security@vet-loop.com | Compliance: compliance@vet-loop.com