Business Associate Agreement

Helperbird's standard HIPAA Business Associate Agreement for healthcare organisations.

Last updated: June 2026


This HIPAA Business Associate Agreement (the "BAA") is offered by Coffee & Fun LLC (operating as Helperbird), a Limited Liability Company organised under the laws of the State of Arkansas, USA ("Helperbird", "we", "us").

Helperbird's registered office address is provided to Covered Entity at execution.

It is intended to be executed by any healthcare organisation that is a "Covered Entity" or "Business Associate" as those terms are defined under the U.S. Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (collectively, "HIPAA") and that wishes to use Helperbird in connection with Protected Health Information ("PHI").

If you are such an organisation and you wish to execute this BAA, please email [email protected] with your organisation's legal name, address, signer details, and the Helperbird account(s) to be covered.

No PHI may be transmitted through Helperbird until this BAA is executed.


Why this BAA exists, in plain English

Helperbird is built for general accessibility and productivity. It is not designed for storing or processing PHI, and our default Terms of Service ask users not to transmit PHI without a BAA in place.

That said, healthcare organisations sometimes have a legitimate need to use accessibility tooling in workflows that touch PHI: for example, a clinician with dyslexia having patient notes read aloud, or a hospital deploying Helperbird across staff devices.

This BAA lets that happen lawfully. It establishes Helperbird as your HIPAA Business Associate, defines what we will and won't do with PHI, and tells you what we already have in place upstream so the legal chain of trust is complete.


Helperbird's posture: what makes this BAA defensible

Before the legal text, here is what is true about Helperbird today. Each statement is verifiable from our Privacy Policy and our published subprocessor list.

Zero retention of user content. When you use Helperbird's online AI features, your text or audio is processed only for the moment it takes to return your result and is then discarded. We do not store it, retain it, log its contents, or use it to train AI.

Zero Data Retention (ZDR) is Active on our OpenAI organisation. OpenAI confirms in our account dashboard that no API content is persisted or used for training. Our signed OpenAI BAA covers OpenAI's processing under HIPAA.

Upstream BAAs are already in place with every AI/infrastructure subprocessor that could touch PHI:

  • OpenAI. BAA signed; Zero Data Retention active.
  • Amazon Web Services (AWS). Business Associate Addendum active in AWS Artifact (May 2026).
  • Microsoft Azure. HIPAA BAA incorporated via the Microsoft Customer Agreement and the Microsoft Products and Services Data Protection Addendum.

PII is removed on-device before transmission where technically possible, as described in our Privacy Policy.

The free tier transmits nothing to external AI services. AI features are Pro-only and require an active subscription.

Administrators can disable AI features entirely via managed storage policy (Google Admin Console for Chrome / ChromeOS, Microsoft Intune for Edge, equivalent Firefox enterprise policy). A covered entity that wants to deploy Helperbird but disable any feature that could transmit PHI to a third-party AI service can do so with a single policy push. See our admin documentation for the exact policy keys.

Security-framework readiness. Helperbird is preparing for SOC 2 Type II and ISO/IEC 27001 certification. Our existing technical and organisational controls are designed against the requirements of both frameworks. Until formal certification is complete, we describe ourselves as "audit-aligned" rather than "certified."

See our Privacy Policy for the current security-controls inventory and external scanning programme.

These properties dramatically reduce, but do not eliminate, the risk that PHI flows through Helperbird. This BAA covers what remains.


1. Definitions

Capitalised terms not defined here have the meanings given to them in HIPAA.

  • "BAA" means this Business Associate Agreement.
  • "Breach" has the meaning given in 45 C.F.R. § 164.402.
  • "Covered Entity" means you, the entity executing this BAA, in your capacity as a "covered entity" or "business associate" under HIPAA.
  • "Customer Account" means each Helperbird account that Covered Entity identifies in writing to Helperbird as subject to this BAA. PHI may only be transmitted through Customer Accounts.
  • "Designated Record Set" has the meaning given in 45 C.F.R. § 164.501.
  • "Effective Date" means the date on which both parties have executed this BAA.
  • "Helperbird Service" means the Helperbird browser extension, mobile applications, web apps, and any related online services made available by Helperbird.
  • "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, as amended (including by the HITECH Act), together with all regulations promulgated under it.
  • "Individual" has the meaning given in 45 C.F.R. § 160.103 and includes a person who qualifies as a personal representative under 45 C.F.R. § 164.502(g).
  • "PHI" means "protected health information" as defined in 45 C.F.R. § 160.103, limited to information created, received, maintained, or transmitted by Helperbird from or on behalf of Covered Entity in the course of providing the Helperbird Service.
  • "Privacy Rule" means the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and E.
  • "Security Incident" has the meaning given in 45 C.F.R. § 164.304.
  • "Security Rule" means the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and C.
  • "Subcontractor" has the meaning given in 45 C.F.R. § 160.103.
  • "Underlying Agreement" means Helperbird's Terms of Service and the Pro subscription agreement under which Covered Entity uses the Helperbird Service.

2. Scope and applicability

This BAA applies only to PHI that Covered Entity transmits to or through a Customer Account.

Use of the Helperbird Service for any other purpose (including by Covered Entity's affiliates, separate accounts, or other end-users that are not Customer Accounts) is not governed by this BAA.

If Covered Entity has additional accounts that will transmit PHI, Covered Entity must designate them in writing to [email protected] so that this BAA applies to them.

This BAA does not modify the Underlying Agreement except as expressly stated here. In the event of a conflict between this BAA and the Underlying Agreement with respect to PHI, this BAA controls.


3. Permitted uses and disclosures of PHI

3.1 Helperbird's use of PHI

Helperbird may use or disclose PHI only:

(a) to perform the functions, activities, or services for or on behalf of Covered Entity as set out in the Underlying Agreement;

(b) for Helperbird's proper management and administration, provided that any disclosure outside Helperbird is required by law or made under written assurances that the recipient will hold the PHI confidentially and notify Helperbird of any Breach;

(c) to carry out Helperbird's legal responsibilities; and

(d) for data aggregation services relating to the healthcare operations of Covered Entity, where requested by Covered Entity.

Helperbird will not use or disclose PHI in any manner that would violate HIPAA if done by Covered Entity, except as permitted under paragraphs (b)–(d) above.

3.2 What Helperbird will not do with PHI

Helperbird will not:

(a) sell PHI;

(b) use PHI for marketing or advertising;

(c) use PHI to train, fine-tune, or improve any artificial intelligence model, whether Helperbird's, a subprocessor's, or a third party's;

(d) profile, score, or build behavioural inferences from PHI;

(e) retain PHI beyond what is necessary to deliver the requested service result, except as required by law; or

(f) disclose PHI to any subcontractor that has not agreed in writing to terms at least as protective as this BAA.

3.3 De-identified data

Helperbird may use de-identified information, where the de-identification meets the standards of 45 C.F.R. § 164.514(a)–(b), for service improvement and analytics, consistent with HIPAA.


4. Helperbird's HIPAA obligations

4.1 Safeguards

Helperbird will implement and maintain administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI, consistent with the Security Rule.

A summary of Helperbird's current technical and organisational measures is available on request to [email protected].

4.2 Subcontractors

Helperbird will require any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Helperbird to enter into a written agreement containing restrictions and conditions at least as protective as those in this BAA.

Helperbird's current subprocessors with executed HIPAA arrangements are:

  • OpenAI. Signed Business Associate Agreement; Zero Data Retention active on Helperbird's OpenAI organisation.
  • Amazon Web Services, Inc. Business Associate Addendum executed via AWS Artifact, applicable to the Helperbird account hosting our backend infrastructure.
  • Microsoft Corporation. HIPAA Business Associate Agreement incorporated by reference into the Microsoft Customer Agreement and the Microsoft Products and Services Data Protection Addendum.

Helperbird will maintain an up-to-date list of subprocessors in its Privacy Policy and will notify Covered Entity of material changes by email or in-product notice with at least thirty (30) days' advance notice where reasonably practicable.

Covered Entity may object to a new subprocessor that materially affects Helperbird's processing of PHI. If the parties cannot resolve the objection, Covered Entity may terminate this BAA without penalty.

4.3 Mitigation

Helperbird will mitigate, to the extent practicable, any harmful effect of a use or disclosure of PHI by Helperbird in violation of this BAA or HIPAA.

4.4 Reporting of unauthorised uses and disclosures

Helperbird will report to Covered Entity any use or disclosure of PHI not permitted by this BAA, including any Security Incident or Breach, of which Helperbird becomes aware.

For routine and unsuccessful attempted security events (port scans, unsuccessful login attempts, pings, denials of service that do not result in unauthorised access), the parties agree that this paragraph constitutes notice of those events and that no further notice is required for them.

4.5 Breach notification

Helperbird will notify Covered Entity of any Breach of unsecured PHI without unreasonable delay and in any event within sixty (60) calendar days of discovery, consistent with 45 C.F.R. § 164.410.

The notice will include, to the extent known and as required by 45 C.F.R. § 164.410(c):

  • the identification of each Individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach;
  • a brief description of what happened, including the date of the Breach and the date of discovery;
  • the types of unsecured PHI involved;
  • the steps Individuals should take to protect themselves from potential harm;
  • a brief description of what Helperbird is doing to investigate, mitigate harm, and prevent further Breaches; and
  • contact procedures for Individuals to ask questions or learn more.

4.6 Individual rights: Access, Amendment, Accounting

(a) Access (§ 164.524). Helperbird will provide access to PHI in a Designated Record Set that Helperbird maintains for Covered Entity, within thirty (30) days of Covered Entity's written request, in the form and format reasonably requested.

(b) Amendment (§ 164.526). Helperbird will make any amendment to PHI in a Designated Record Set that Covered Entity directs or agrees to, within thirty (30) days of Covered Entity's written request.

(c) Accounting of disclosures (§ 164.528). Helperbird will document and make available to Covered Entity such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request for an accounting of disclosures.

To the extent Helperbird maintains no PHI in a Designated Record Set (the typical case, given Helperbird's no-retention posture), Helperbird will confirm this in writing in response to any such request.

4.7 Internal records

Helperbird will make its internal practices, books, and records relating to the use and disclosure of PHI available to the U.S. Secretary of Health and Human Services for purposes of determining Covered Entity's compliance with HIPAA.

4.8 Compliance with the Privacy and Security Rules

To the extent Helperbird carries out any of Covered Entity's obligations under the Privacy Rule, Helperbird will comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of those obligations.

Helperbird will comply with the Security Rule with respect to electronic PHI in its possession.


5. Obligations of Covered Entity

Covered Entity will:

(a) notify Helperbird of any limitation in its notice of privacy practices that may affect Helperbird's use or disclosure of PHI;

(b) notify Helperbird of any changes in, or revocation of, an Individual's authorisation that may affect Helperbird's use or disclosure of PHI;

(c) notify Helperbird of any restriction on the use or disclosure of PHI to which Covered Entity has agreed under 45 C.F.R. § 164.522 that may affect Helperbird's use or disclosure of PHI;

(d) not request Helperbird to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity, except as permitted under sections 3.1(b)–(d);

(e) use the administrative controls described in the admin documentation to limit the Helperbird features available to Customer Account users where appropriate (for example, disabling AI features that could transmit PHI to a third-party service if Covered Entity prefers not to use those services for PHI); and

(f) ensure that end-users of Customer Accounts are appropriately trained on the permissible uses of PHI within the Helperbird Service.


6. Term and termination

6.1 Term

This BAA takes effect on the Effective Date and continues until terminated as set out below or until the Underlying Agreement terminates.

6.2 Termination for cause

Either party may terminate this BAA on written notice if the other party materially breaches it and fails to cure the breach within thirty (30) days of notice.

If cure is not possible, the non-breaching party may terminate immediately.

6.3 Termination for convenience

Either party may terminate this BAA at any time on thirty (30) days' written notice.

Covered Entity may terminate without notice by ceasing all transmission of PHI through Customer Accounts and notifying Helperbird in writing.

6.4 Effect of termination

Upon termination, Helperbird will return or destroy all PHI in its possession, including PHI held by Subcontractors, if feasible.

Given Helperbird's no-retention posture, in the typical case there will be no PHI to return or destroy.

Where return or destruction is infeasible (for example, PHI retained in immutable backup), Helperbird will extend the protections of this BAA to that PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.

6.5 Survival

The provisions of sections 3.2, 4.5, 4.7, and 6.4 survive termination.


7. Miscellaneous

7.1 Regulatory references

A reference in this BAA to a section of HIPAA means that section as in effect or as amended.

7.2 Amendment

The parties may amend this BAA only by written agreement signed by both parties.

The parties will negotiate in good faith to amend this BAA as needed to comply with the requirements of HIPAA from time to time.

7.3 Interpretation

Any ambiguity in this BAA will be resolved to permit Covered Entity to comply with HIPAA.

7.4 No agency

Nothing in this BAA creates an agency, partnership, joint venture, or employment relationship between the parties.

7.5 Governing law

This BAA is governed by the laws of the State of Arkansas and the federal laws of the United States, without regard to conflict-of-laws rules.

The parties consent to the exclusive jurisdiction of the state and federal courts located in Garland County, Arkansas, for any dispute arising under this BAA.

7.6 Notices

Notices under this BAA must be sent to [email protected] (for Helperbird) and to the email address provided by Covered Entity at execution.

Notices are deemed given when sent.

7.7 Entire agreement

This BAA, together with the Underlying Agreement, the Privacy Policy, the Terms of Service, and any data privacy agreement executed separately between the parties, is the entire agreement between the parties with respect to the subject matter and supersedes any prior agreement on that subject matter.


How to execute this BAA

Email [email protected] with:

  1. Covered Entity's legal name, registered address, and the name and title of the authorised signer.
  2. A list of the Helperbird account(s) (Customer Account(s)) to be covered.
  3. Confirmation that Covered Entity has reviewed Helperbird's Privacy Policy, Terms of Service, and this BAA.

Helperbird will then send a counter-signature-ready version (DocuSign or PDF) for execution.

We aim to turn around BAA execution within five (5) business days of a complete request.


Have Questions or Concerns?

Your trust and safety are paramount to us. We genuinely love hearing from healthcare organisations, hospital IT teams, compliance officers, and clinical leads, even (especially) when the questions are tough.

For broader privacy details, see our Privacy Policy, our standard Data Privacy Agreement, our Compliance overview, our FERPA Compliance page, and our COPPA Compliance page.