Cloud Processing Addendum
Version: cloud_processing_addendum_v1 · Effective: February 11, 2026
K. M. Fisher Systems LLC, doing business as Assurium
7157 Narcoossee Road, #1104
Orlando, FL 32822, United States
legal@assurium.co
Preamble
This Cloud Processing Addendum ("Addendum") supplements and forms part of the Assurium Terms of Service ("Terms") and the Assurium Privacy Policy (collectively, the "Agreement"). This Addendum governs your use of Assurium Managed AI, an optional cloud-based audit processing service operated by Assurium.
This Addendum applies only when you elect to use Assurium Managed AI. It does not apply to Cloud AI (BYOK) configurations, where you connect directly to a third-party AI provider using your own API credentials. BYOK configurations are governed solely by the Terms and by your separate agreement with your chosen provider.
By accepting this Addendum — whether through the in-application consent mechanism, an order form, or other written acceptance — you agree to be bound by the provisions set forth herein. If you are accepting this Addendum on behalf of an organization, you represent and warrant that you have the authority to bind that organization. If you do not agree to this Addendum, do not enable or use Assurium Managed AI.
Capitalized terms used but not defined in this Addendum have the meanings given to them in the Terms.
In the event of any conflict between this Addendum and the Terms, this Addendum shall control with respect to the subject matter hereof (i.e., your use of Assurium Managed AI and the processing of Clinical Content through that service).
1. Definitions
In addition to the definitions set forth in the Terms, the following definitions apply to this Addendum:
- "Assurium Managed AI" means the optional cloud-based audit processing service operated by Assurium, through which Clinical Content is transmitted from the Application to Assurium's cloud infrastructure for AI-powered compliance analysis and the generation of Findings.
- "Clinical Text" means the text content of clinical notes or documents that you transmit to the Managed AI Service for processing.
- "Transient Processing" means the ephemeral, in-memory handling of Clinical Text solely for the purpose of performing a single audit inference request, after which the Clinical Text and any intermediate representations are immediately discarded. Transient Processing does not involve persistent storage, caching, indexing, or retention of Clinical Text beyond the duration of the individual processing request.
- "Inference Provider" means the third-party large language model (LLM) API provider engaged by Assurium to perform AI inference as part of the Managed AI Service. The current Inference Provider is identified in Schedule A.
- "Subprocessor" means any third-party entity engaged by Assurium that processes Clinical Text in the course of providing the Managed AI Service.
- "Findings" has the meaning given in the Terms and includes the structured audit results generated by the Managed AI Service.
- "PHI" means Protected Health Information as defined under HIPAA and its implementing regulations at 45 CFR Parts 160 and 164.
2. Scope of the Managed AI Service
2.1 Service Description
Assurium Managed AI provides AI-powered compliance auditing of clinical documentation. When you use the Managed AI Service:
- The Application transmits Clinical Text from your device to Assurium's cloud infrastructure.
- Assurium's infrastructure forwards Clinical Text to the Inference Provider for AI analysis.
- The Inference Provider returns structured audit Findings.
- Findings are returned to the Application and stored locally on your device.
2.2 Transient Processing Only
Assurium processes Clinical Text on a strictly transient basis. Specifically:
- Clinical Text is held in memory only for the duration necessary to complete a single audit inference request.
- Clinical Text is not written to persistent storage, disk, database, cache, queue, or any durable medium at any point during processing.
- Clinical Text is not retained, archived, or backed up after the inference request completes.
- Clinical Text is not logged, recorded, or captured in application logs, audit trails, or monitoring systems. Only non-content metadata (request identifiers, timestamps, token counts, latency metrics, and error codes) is logged.
- Clinical Text is not used, directly or indirectly, to train, fine-tune, improve, or evaluate any machine learning model, algorithm, or AI system.
- Clinical Text is not aggregated, anonymized, de-identified, or otherwise derived for any secondary purpose.
2.3 What Assurium Does Not Do
For the avoidance of doubt, in connection with the Managed AI Service, Assurium does not:
- Store, retain, or maintain copies of Clinical Text or Findings on Assurium-controlled systems;
- Create, compile, or maintain any database or data warehouse containing Clinical Text;
- Share, sell, license, or disclose Clinical Text to any party other than the Subprocessors identified in this Addendum;
- Use Clinical Text for product development, analytics, benchmarking, research, or any purpose other than fulfilling the specific audit request;
- Attempt to re-identify de-identified Clinical Text; or
- Access Clinical Text in human-readable form, except as may be strictly necessary for the investigation of a confirmed security incident.
3. Data Flows and Technical Architecture
3.1 Processing Pipeline
Your Device (Application)
│ HTTPS / TLS 1.2+
▼
Assurium Cloud Infrastructure (AWS Lambda)
│ HTTPS / TLS 1.2+
▼
Inference Provider (Groq API)
│ Structured JSON response
▼
Assurium Cloud Infrastructure (AWS Lambda)
│ HTTPS / TLS 1.2+
▼
Your Device (Application)
│
▼
Local Storage (your device only)
3.2 Authentication and Authorization
Access to the Managed AI Service requires authentication via JSON Web Tokens (JWTs) issued by Assurium's token service. Tokens are scoped to individual tenant identifiers, short-lived (sixty-minute expiration), and verified using RS256 public key cryptography (JWKS).
3.3 Encryption in Transit
All data transmitted between the Application and Assurium's cloud infrastructure, and between Assurium's cloud infrastructure and the Inference Provider, is encrypted using Transport Layer Security (TLS) version 1.2 or higher.
3.4 Metadata Logging
Assurium logs non-content metadata for operational, security, and billing purposes. Logged: request IDs, tenant IDs, timestamps, processing latency, token counts, error codes. Never logged: Clinical Text, Findings, patient identifiers, provider names, API keys, file paths.
4. Subprocessors
4.1 Authorized Subprocessors
By accepting this Addendum, you consent to the engagement of the following Subprocessors:
| Subprocessor | Role | Data Processed | Location |
|---|---|---|---|
| Groq, Inc. | LLM inference | Clinical Text (transient) | United States |
| Amazon Web Services | Cloud compute (Lambda) | Clinical Text (transient, in-memory) | US East (N. Virginia) |
| Supabase, Inc. | Tenant management | Tenant IDs, usage counts (no Clinical Text) | United States |
4.2 Subprocessor Obligations
Assurium requires each Subprocessor to process Clinical Text only as necessary to perform the Managed AI Service; not retain, store, or cache Clinical Text beyond the individual request; not use Clinical Text for model training or any secondary purpose; and maintain commercially reasonable security measures.
4.3 Subprocessor Changes
Assurium may update Subprocessors with at least thirty (30) days notice. If you object to a new Subprocessor, you may discontinue use of the Managed AI Service. Continued use after the effective date constitutes consent.
5. Customer Obligations and Representations
5.1 Authorization
You represent and warrant that:
- You have all necessary rights, permissions, and authorizations to transmit Clinical Text to the Managed AI Service;
- Your use complies with all applicable laws, regulations, professional standards, and contractual obligations;
- You have evaluated the Managed AI Service and determined it is appropriate for your intended use; and
- If you are a Covered Entity or Business Associate under HIPAA, you have made an independent determination regarding HIPAA applicability.
5.2 De-identification
The Application includes an optional de-identification feature. De-identification is optional, user-controlled, and provided on a best-effort basis. It is not guaranteed to detect or remove all identifiable information. You are solely responsible for determining whether de-identification is required for your use case.
5.3 Professional Review of Findings
Findings generated by the Managed AI Service are decision support outputs only. They are not medical advice, legal advice, coding recommendations, or definitive compliance determinations. You acknowledge that:
- Findings require independent professional review and verification;
- Findings may contain errors, omissions, or inaccuracies inherent in AI-generated outputs;
- You will not rely primarily or exclusively on Findings to make clinical, coding, billing, or compliance decisions; and
- You are solely responsible for all decisions made in connection with Findings.
5.4 Prohibited Uses
You shall not use the Managed AI Service to:
- Process content you do not have authorization to process;
- Submit fabricated or test data containing real patient identifiers;
- Attempt to extract or reverse-engineer model weights, prompts, or proprietary components;
- Circumvent usage limits, trial quotas, or authentication controls; or
- Engage in any activity that violates the Acceptable Use provisions of the Terms.
6. HIPAA; Business Associate Status
6.1 No Business Associate Agreement
This Addendum is not, and shall not be construed as, a Business Associate Agreement ("BAA") under HIPAA.
As stated in the Terms: "Assurium does not act as your Business Associate under HIPAA unless expressly agreed in a separate, written Business Associate Agreement (BAA) executed by Assurium."
The Managed AI Service is designed for Transient Processing. Assurium does not create, receive, maintain, or transmit PHI on your behalf in a manner that establishes a Business Associate relationship, except to the limited extent that Clinical Text is processed transiently as described in Section 2.
6.2 Customer Responsibility
You bear sole responsibility for:
- Determining whether Clinical Text constitutes PHI;
- Evaluating whether HIPAA or other healthcare privacy laws apply to your use;
- Determining whether a BAA is required and, if so, contacting Assurium to discuss enterprise arrangements;
- Implementing safeguards appropriate to your compliance posture; and
- Ensuring consistency with your organization's privacy and security policies.
6.3 Enterprise Arrangements
If your organization requires a BAA or other specific compliance agreement, please contact us at legal@assurium.co to discuss enterprise arrangements. Self-service and trial accounts are not eligible for BAA execution.
7. Security Measures
7.1 Assurium's Security Commitments
Assurium implements and maintains commercially reasonable technical and organizational security measures, including:
- Encryption in transit: TLS 1.2 or higher for all transmissions.
- Authentication: JWT-based authentication with short-lived tokens, tenant isolation, and role-based access.
- No persistent storage: Clinical Text is processed in-memory only.
- PHI-safe logging: Logs exclude Clinical Text, Findings, and patient identifiers.
- Infrastructure security: AWS managed runtime with network isolation and automated patching.
- Least-privilege access: No routine human access to Clinical Text.
7.2 No Guarantee of Security
No system is completely secure. Assurium does not warrant that the Managed AI Service is free from vulnerabilities or that unauthorized access will not occur.
8. Incident Response and Notification
8.1 Security Incident Notification
If Assurium becomes aware of a confirmed security incident that results in unauthorized access to Clinical Text, Assurium will:
- Notify you without unreasonable delay, and in any event within seventy-two (72) hours of confirmation;
- Provide a description of the nature of the incident and categories of data affected;
- Describe the measures taken or proposed to address and mitigate the incident; and
- Cooperate reasonably with your investigation of the incident.
8.2 Limitation
Because the Managed AI Service performs Transient Processing, the scope of any incident is inherently limited to data in transit or in active processing at the time. Notification obligations apply only to confirmed incidents — not to unsuccessful attempts or remediated vulnerabilities.
8.3 Customer Notification Obligations
If applicable law requires you to notify affected individuals or regulators of a security incident, such notification is your sole responsibility. Assurium will provide reasonable cooperation but is not responsible for making notifications on your behalf.
9. Disclaimers Specific to Managed AI
9.1 AI Output Disclaimers
THE MANAGED AI SERVICE USES ARTIFICIAL INTELLIGENCE AND LARGE LANGUAGE MODELS TO GENERATE FINDINGS. AI-GENERATED OUTPUTS ARE INHERENTLY PROBABILISTIC AND MAY CONTAIN ERRORS, OMISSIONS, INACCURACIES, OR HALLUCINATIONS.
ASSURIUM DOES NOT WARRANT OR REPRESENT THAT:
- Findings will be accurate, complete, current, or error-free;
- Findings will identify all compliance issues or documentation deficiencies;
- Findings will be consistent across repeated analyses of the same Clinical Text;
- The Managed AI Service will prevent claim denials, payer audits, or adverse outcomes;
- The Managed AI Service will ensure compliance with any law, regulation, or payer policy; or
- The Managed AI Service will be available without interruption or error.
9.2 No Medical, Legal, or Coding Advice
The Managed AI Service does not provide medical advice, legal advice, professional coding services, billing recommendations, or audit defense services. Findings are informational aids produced by automated systems and are not a substitute for independent professional judgment.
9.3 Model Changes
Assurium may update or replace the AI models used by the Managed AI Service. Such changes may affect the content or characteristics of Findings. Assurium will use commercially reasonable efforts to maintain backward compatibility and provide notice of material changes.
10. Limitation of Liability
10.1 Incorporation of Terms
The limitations of liability set forth in the Terms (including the exclusion of indirect, incidental, special, consequential, and punitive damages, and the aggregate liability cap) apply to your use of the Managed AI Service and to any claims arising under this Addendum.
10.2 Additional Exclusions
WITHOUT LIMITING THE FOREGOING, ASSURIUM SHALL NOT BE LIABLE FOR:
- Any decision, action, or omission based on Findings generated by the Managed AI Service;
- Errors, inaccuracies, or hallucinations in Findings, regardless of cause;
- Your failure to review, verify, or apply professional judgment to Findings;
- Claims arising from your decision to transmit Clinical Text (including PHI) without implementing de-identification or other safeguards;
- Acts, omissions, outages, or policy changes of Subprocessors;
- Loss of Clinical Text in transit due to network failures or service interruptions; or
- Any regulatory action, fine, or enforcement proceeding arising from your use of the Managed AI Service.
11. Indemnification
In addition to the indemnification obligations set forth in the Terms, you agree to indemnify, defend, and hold harmless Assurium from and against any claims, liabilities, damages, losses, costs, and expenses (including reasonable attorneys' fees) arising out of or related to:
- Your transmission of Clinical Text (including PHI) to the Managed AI Service;
- Your failure to de-identify Clinical Text where required by applicable law;
- Your reliance on Findings without independent professional review;
- Any claim by a third party arising from your use of Findings;
- Your breach of this Addendum or any representation herein; and
- Your failure to obtain required authorizations or agreements in connection with the Managed AI Service.
12. Term and Termination
12.1 Term
This Addendum is effective as of the date you accept it and continues for the duration of your use of the Managed AI Service or your Subscription, whichever is shorter.
12.2 Termination
This Addendum terminates automatically when you disable the Managed AI Service, your Subscription expires or is terminated, or the Terms are terminated. You may terminate at any time by disabling the Managed AI Service in the Application settings.
12.3 Effect of Termination
Because the Managed AI Service performs Transient Processing only, there is no Clinical Text to return or destroy upon termination. Provisions that by their nature should survive termination (including Sections 6, 9, 10, 11, and 13) will survive.
13. General Provisions
- Governing Law: State of Florida, without regard to conflict of law principles, consistent with the Terms.
- Dispute Resolution: State or federal courts in Orange County, Florida, consistent with the Terms.
- Entire Agreement: This Addendum, together with the Terms and Privacy Policy, constitutes the entire agreement regarding the Managed AI Service.
- Severability: If any provision is unenforceable, the remainder remains in full force.
- No Waiver: Failure to enforce any provision is not a waiver.
- Amendments: Assurium may update this Addendum with notice. Material changes may require re-acceptance. Continued use after the effective date constitutes acceptance.
- Assignment: You may not assign without consent. Assurium may assign in connection with a merger, acquisition, or sale of assets.
- Notices: Legal notices to Assurium should be sent to legal@assurium.co.
Schedule A — Subprocessors
Current as of February 11, 2026
| Subprocessor | Purpose | Data | Location | Retention |
|---|---|---|---|---|
| Groq, Inc. | LLM inference | Clinical Text (transient) | United States | None |
| AWS | Compute (Lambda) | Clinical Text (transient, in-memory) | US East (Virginia) | None |
| Supabase, Inc. | Tenant management | Tenant IDs, usage (no Clinical Text) | United States | Account duration |
Schedule B — Technical and Organizational Measures
- Access Controls: JWT-based auth (RS256/JWKS), 60-minute token expiry, tenant-scoped access, rate limiting.
- Encryption: TLS 1.2+ for all data in transit. No data at rest (transient processing).
- Infrastructure: AWS Lambda managed runtime, automatic patching, network isolation, Secrets Manager for credentials.
- Logging: PHI-safe — all logs exclude Clinical Text, Findings, and patient identifiers. Metadata-only logging for operations.
- Personnel: Least-privilege access. No routine human access to Clinical Text. Incident-only access with authorization and audit trail.
- Vendor Management: Subprocessor agreements require transient-only processing and no training use.
This Cloud Processing Addendum is effective as of February 11, 2026.