Healthcare Addendum
Innovasium Inc.
Version 2026-2.0 · Effective: January 1, 2026 · innovasium.com/healthcare
This Healthcare Addendum ("Healthcare Addendum") applies when an Innovasium estimate or statement of work identifies the engagement as a Healthcare Engagement. It supplements and, where in conflict, controls over the Innovasium Standard Terms (or applicable MSA) with respect to the Healthcare Engagement. Capitalized terms not defined here have the meanings given in the Standard Terms or MSA.
1. Definitions
"Healthcare Engagement" means an engagement in which the Work Product is intended to be used to collect, store, process, or transmit Health Information, or to support the delivery of healthcare services. "Health Information" means Personal Information about an identifiable individual relating to physical or mental health, the provision of health care, or payment for health care, including:
- (a) "protected health information" under the U.S. Health Insurance Portability and Accountability Act ( "HIPAA"); and
- (b) "personal health information" under applicable Canadian provincial health information legislation, including Ontario's Personal Health Information Protection Act, 2004 ( "PHIPA").
2. Canadian Health Privacy
Where the Work Product Processes personal health information subject to PHIPA or comparable provincial legislation, Client is the "health information custodian"(or equivalent) and Innovasium is an "agent"(or equivalent service provider) acting on Client's behalf. Innovasium will Process such information only as instructed by Client, only for the purposes specified in the applicable estimate, and in accordance with the safeguards in the DPA.
3. US Healthcare — HIPAA
Unless the applicable estimate expressly contemplates HIPAA-regulated workloads and the parties have executed a separate Business Associate Agreement ( "BAA") in form acceptable to Innovasium, the Work Product is not warranted as HIPAA-compliant and Innovasium is not, and does not act as, a HIPAA Business Associate. Client will not submit Protected Health Information to the Services unless a BAA is in effect. Where a BAA is executed, it governs the handling of Protected Health Information and controls over this Healthcare Addendum in the event of conflict.
4. Not Clinical Decision Support
Unless the applicable estimate expressly contemplates the development of a regulated medical device, software as a medical device ( "SaMD"), or clinical decision support system, the Work Product is not designed, validated, or warranted as a clinical decision support system, medical device, or substitute for the judgment of a qualified healthcare professional. Client will communicate this limitation clearly to end users in its end-user terms.
5. Medical Device Regulation
If the applicable estimate expressly contemplates development of a regulated medical device or SaMD subject to Health Canada, the U.S. Food and Drug Administration, the UK Medicines and Healthcare products Regulatory Agency, or another medical device regulator, Client is the manufacturer or sponsor of record and is responsible for obtaining and maintaining all required regulatory authorizations. Innovasium will provide reasonable assistance with quality management documentation, design history, and risk management as specified in the estimate, at Client's expense. Innovasium is not a regulator-authorized manufacturer or sponsor.
6. Health Information Breach Notification
Where a breach of security involves Health Information, Innovasium will notify Client within 24 hours of becoming aware, in addition to the breach notification requirements in the DPA. Client is responsible for notification to regulators, custodians, and affected individuals as required by applicable law.
7. Data Residency for Healthcare Engagements
For Healthcare Engagements, the parties will give specific consideration to data residency in the applicable estimate. While the default data region under the DPA is AWS US-East-1, Healthcare Engagements involving Canadian health information custodians or end users typically specify AWS Canada (Central) or another Canadian region as the primary data region for persistent data (application data, knowledge bases, vector indices, conversation history, session state, and logs).
Where the selected Foundation Models are not natively hosted in the primary data region (for example, Anthropic's Claude models are not natively hosted in the AWS Canada (Central) region and are accessed via Amazon Bedrock Cross-Region Inference to a US region), the applicable estimate will identify:
- (a) the primary data region for persistent data; and
- (b) the AWS regions used for transient Foundation Model inference.
The parties will ensure that Client's end-user disclosures accurately describe this architecture.
8. Survival and Conflict
Sections 2 through 6 of this Healthcare Addendum survive termination of any Healthcare Engagement. In the event of conflict between this Healthcare Addendum and the Standard Terms or MSA with respect to the subject matter addressed here, this Healthcare Addendum controls (except where a BAA is in effect, in which case the BAA controls for the handling of Protected Health Information).
Questions about this Healthcare Addendum: [email protected]
Innovasium Inc., Toronto, Ontario, Canada
