Business Associate Agreement
Based on U.S. Department of Health and Human Services model BAA provisions
Between Blah Monsters LLC ("Business Associate") and your practice ("Covered Entity")
This BAA is included with every Keepset license. By using Keepset with Protected Health Information, both parties agree to these terms.
1. How Keepset Handles PHI
Keepset is a locally-installed application. PHI is stored exclusively on your Mac, encrypted at rest using SQLCipher AES-256. The Business Associate does not host, access, transmit, receive, or store your PHI on any server or cloud service.
2. Technical Safeguards We Provide
- Encryption at rest: the local database is encrypted with SQLCipher (AES-256-CBC), with the database key derived from your passphrase using 256,000 KDF iterations
- Key storage: the database key is held in the macOS Keychain with the kSecAttrAccessibleWhenUnlockedThisDeviceOnly accessibility class, so it is readable only while the Mac is unlocked and is never migrated to other devices or included in backups
- Audit logging: an immutable (append-only) access log records every PHI operation
- Auto-lock: a configurable idle timeout locks the application; unlocking requires Touch ID or password re-authentication
- Clipboard clearing: PHI copied to the clipboard is cleared automatically after a configurable interval
- FileVault check: runtime verification that FileVault disk encryption is enabled on the Mac
- Recovery phrase: a 24-word BIP39 mnemonic that can restore access to your backup; anyone holding this phrase can decrypt the backup, so it must be protected like the data itself
3. What We Don't Do
- We do not access your patient data under normal operation
- We do not store PHI on our servers
- We do not use analytics or telemetry that touches PHI
- We do not use iCloud or any Apple cloud service for PHI
If you request support that requires screen access, it will be explicitly authorized by you, limited to the minimum necessary, and logged in the audit trail.
4. Your Responsibilities
- Enable FileVault disk encryption on all Macs running Keepset
- Maintain and verify backups regularly
- Secure the printed recovery phrase
- Use strong, unique passwords for both the macOS user account and Keepset
- Train staff on HIPAA obligations
- Secure physical access to hardware
- Apply software updates promptly
- Report suspected breaches to us promptly (see Section 6 and Section 8)
5. Optional Add-On Services
If you activate optional add-ons, the following subcontractors may handle PHI:
- Text messaging: Twilio Inc. (BAA available from Twilio)
- Cloud backup: Amazon Web Services (BAA available from AWS)
No add-ons are active by default. You choose whether to enable them.
6. Breach Notification
We will report any security incident or breach of unsecured PHI that we become aware of without unreasonable delay and no later than 60 calendar days after discovery.
7. Term
This BAA is effective upon license activation and remains in effect for the duration of your license. Upon termination, you retain full ownership and access to all PHI on your hardware.
8. Contact
Blah Monsters LLC
Email: legal@keepset.io
Website: keepset.io
This BAA is based on the model provisions published by the U.S. Department of Health and Human Services Office for Civil Rights, adapted for Keepset's local-only architecture. This document should be reviewed by legal counsel before use.