BUSINESS ASSOCIATE AGREEMENT (BAA) EFFECTIVE DATE: 1. RECITALS WHEREAS, Dental Elephant LLC, a Wyoming limited liability company ("Business Associate"), provides services involving the use or disclosure of protected health information ("PHI") on behalf of dental practices and healthcare providers ("Covered Entity"); and WHEREAS, the parties desire to enter into this Business Associate Agreement as required by the Privacy Rule, Security Rule, and Breach Notification Rule of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), 45 CFR Parts 160, 164. NOW, THEREFORE, in consideration of mutual covenants and obligations, the parties agree as follows: 2. DEFINITIONS Unless otherwise stated, capitalized terms in this BAA shall have the same meaning as those defined in the HIPAA regulations at 45 CFR Parts 160 and 164. "Breach" means the unauthorized acquisition, access, use, or disclosure of unsecured PHI that compromises the security or privacy of PHI. "Dental Elephant Platform" means the AI-powered dental scribe software and associated services provided by Business Associate. "Dental Elephant Services" includes AI transcription, clinical note generation, schedule parsing, patient briefings, and related SaaS features. 3. PERMITTED USE AND DISCLOSURE OF PHI The Business Associate shall use and disclose PHI only for the purposes of providing the Dental Elephant Services and to the extent necessary to accomplish such purposes or as otherwise required by law. The Business Associate shall not: a) Use or disclose PHI for any purpose other than to perform functions, activities, or services on behalf of Covered Entity as specified in the service agreement; b) Use or disclose PHI for healthcare operations not directly related to the provision of Dental Elephant Services; c) Use or disclose PHI for marketing, fundraising, or sale of PHI without explicit written authorization; d) Disclose PHI to any third party except as required by this BAA, law, or explicit written authorization by Covered Entity. 4. SAFEGUARDS Business Associate shall implement and maintain reasonable physical, electronic, and procedural safeguards consistent with the HIPAA Security Rule (45 CFR Part 164, Subpart C) to protect the confidentiality, integrity, and availability of PHI, including: a) Access controls and authentication to limit PHI access to authorized personnel only; b) Encryption of PHI in transit and, to the extent technically and commercially reasonable, at rest; c) Audit controls and logging to monitor access and use of PHI; d) Secure disposal procedures for PHI; e) Workforce security policies and procedures; f) Incident response and breach notification procedures. 5. BREACH NOTIFICATION Business Associate shall: a) Notify Covered Entity without unreasonable delay and in no case later than thirty (30) calendar days after discovery of any Breach of unsecured PHI; b) Provide Covered Entity with written notice containing: (i) a brief description of the Breach, including the date discovered and the date of the Breach if known; (ii) the types of PHI involved; (iii) steps individuals should take; (iv) summary of Business Associate's response; and (v) contact information for further inquiries; c) Cooperate with Covered Entity in conducting a thorough investigation and risk assessment; d) Maintain documentation of all Breach incidents for at least six (6) years. 6. SUBCONTRACTORS Business Associate shall make reasonable, good-faith efforts to ensure that any subcontractors or agents who obtain, create, receive, or maintain PHI on behalf of Business Associate agree in writing to the same restrictions and conditions that apply to Business Associate under this BAA, to the extent required by applicable law. Business Associate shall maintain a current list of subcontractors who handle PHI and shall provide such list to Covered Entity upon reasonable written request. 7. AUDIT AND INSPECTION RIGHTS Upon reasonable prior written notice of not less than ten (10) business days, and at Covered Entity's sole expense, Business Associate shall: a) Allow Covered Entity to audit, access, inspect, and copy records and processes that store, process, or transmit PHI, subject to reasonable scope limitations to protect the confidentiality of other customers' data and Business Associate's proprietary systems; b) Provide evidence of compliance with this BAA within a reasonable timeframe not to exceed thirty (30) calendar days from the date of the written request. 8. RETURN AND DESTRUCTION OF PHI Upon termination of services or upon Covered Entity's written request, Business Associate shall, within thirty (30) calendar days: a) Return to Covered Entity or securely destroy all PHI in any form, including electronic, paper, and other media; b) Retain only the minimum amount of PHI required by law or to fulfill outstanding contractual obligations; c) Provide written certification of destruction or return; d) Securely destroy all backup copies of PHI. 9. AMENDMENT This BAA may be amended only by written agreement of both parties. Either party may request amendment to ensure compliance with changes in HIPAA regulations or to reflect changes in the Dental Elephant Platform or services provided. 10. TERM AND TERMINATION Term: This BAA shall begin on the Effective Date and continue for so long as Business Associate maintains, uses, or discloses PHI on behalf of Covered Entity. Termination for Cause: If Business Associate materially breaches this BAA and does not cure such breach within thirty (30) calendar days of written notice, Covered Entity may terminate this BAA and the underlying service agreement. If a cure is not possible within thirty (30) days, Business Associate shall provide a written remediation plan within such period and diligently pursue completion thereof. Survival: Obligations regarding return or destruction of PHI, breach notification, documentation, and the limitations on liability set forth in Section 15 shall survive termination of this BAA. 11. THIRD-PARTY BENEFICIARY Nothing in this BAA confers upon any individual any right to enforce this BAA or any right or benefit to any third party. 12. ENTIRE AGREEMENT This BAA, together with the underlying service agreement, constitutes the entire agreement between the parties with respect to the subject matter and supersedes all prior negotiations, understandings, and agreements. 13. GOVERNING LAW This BAA shall be governed by and construed in accordance with the laws of the State of Utah, without regard to conflict of law principles. The parties agree that Utah is the principal place of business operations of Business Associate and the anticipated location of performance of the Dental Elephant Services. 14. DISPUTE RESOLUTION In the event of any dispute arising under this BAA, the parties agree to first attempt to resolve the dispute through good-faith negotiation. If the parties are unable to resolve the dispute within thirty (30) calendar days of written notice of the dispute, either party may pursue any available legal remedy. 15. LIMITATION OF LIABILITY TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW: a) Business Associate's aggregate liability to Covered Entity arising out of or related to this BAA, whether in contract, tort, or otherwise, shall not exceed the total fees paid by Covered Entity to Business Associate in the twelve (12) months immediately preceding the event giving rise to the claim; b) IN NO EVENT SHALL EITHER PARTY BE LIABLE TO THE OTHER FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING LOST PROFITS OR LOSS OF BUSINESS, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 16. INDEMNIFICATION Each party ("Indemnifying Party") shall indemnify, defend, and hold harmless the other party and its members, managers, officers, employees, and agents (collectively, "Indemnified Party") from and against any third-party claims, damages, losses, and expenses (including reasonable attorneys' fees) arising out of or relating to: a) In the case of Business Associate as Indemnifying Party: Business Associate's material breach of this BAA, gross negligence, or willful misconduct in connection with the handling of PHI; b) In the case of Covered Entity as Indemnifying Party: Covered Entity's material breach of this BAA, gross negligence, or willful misconduct, including without limitation any unauthorized or improper instruction given to Business Associate regarding the handling of PHI. The Indemnified Party shall: (i) promptly notify the Indemnifying Party in writing of any claim; (ii) give the Indemnifying Party sole control of the defense and settlement of the claim; and (iii) provide reasonable cooperation in connection with the defense. 17. SIGNATURES By clicking "I Accept" below, the Covered Entity agrees to be bound by the terms of this Business Associate Agreement. This electronic acceptance constitutes a legally binding signature.

DENTAL ELEPHANT AI-Powered Dental Scribe Platform TERMS OF USE & INFORMED CONSENT FOR AI SERVICES IMPORTANT — PLEASE READ CAREFULLY. By activating, accessing, or using the Dental Elephant platform, you ("Subscriber") agree to be bound by these Terms of Use and Informed Consent ("Agreement"). If you do not agree, do not use the platform. 1. NATURE OF THE SERVICE — AI LIMITATIONS Dental Elephant uses artificial intelligence ("AI") to assist dental professionals with clinical note generation, schedule parsing, referral letter drafting, patient briefings, and related tasks. By using the platform you acknowledge and agree: - AI systems, including those used by Dental Elephant, can produce errors, omissions, hallucinations, or clinically inaccurate content. No AI output should be treated as a substitute for independent clinical judgment. - All AI-generated clinical notes, referral letters, treatment summaries, patient briefings, and other output are drafts only. They do not constitute a final medical record until reviewed, verified, and adopted by a licensed dental professional. - Subscriber is solely responsible for verifying the accuracy of all AI output against the patient's official medical record and other available clinical information before relying upon, transmitting, or filing any such output. - Dental Elephant does not practice dentistry, does not provide medical or dental advice, and is not responsible for clinical decisions made by Subscriber or Subscriber's staff. 2. SUBSCRIBER'S VERIFICATION OBLIGATIONS Clinical Notes: AI-generated clinical notes must be reviewed by the treating clinician for accuracy, completeness, and clinical appropriateness before being entered into any patient chart or record system. Adoption as Official Record: By copying, pasting, importing, or otherwise incorporating any AI-generated note into a patient's official dental or medical record, Subscriber represents and warrants that Subscriber has personally reviewed the note and verified its accuracy. This act of incorporation constitutes Subscriber's professional attestation of the content's accuracy. Referral Letters: By sending, transmitting, faxing, electronically submitting, or otherwise delivering any AI-generated referral letter or communication to another healthcare provider, Subscriber represents and warrants that Subscriber has personally reviewed and verified the accuracy of its contents. Transmission constitutes Subscriber's professional attestation of accuracy. Cross-Check with Official Records: All AI-generated content that references patient history, medications, diagnoses, allergies, treatment dates, or clinical findings must be cross-checked against the patient's official medical and dental records. AI-generated content shall never be the sole source of clinical truth. Dental Elephant is a documentation assistance tool. Final clinical responsibility, including the accuracy of all records and communications, remains at all times with the licensed dental professional using the platform. 3. COMMUTE HUDDLE — SAFE USE REQUIREMENTS The Commute Huddle feature allows Subscribers to review AI-generated daily schedule briefings via audio playback. By using this feature, Subscriber agrees to the following: - Do not start, stop, pause, skip, adjust, or otherwise interact with the Commute Huddle audio playback while operating a motor vehicle. Any interaction with the Dental Elephant application while driving is strictly prohibited and done solely at Subscriber's own risk. - Commute Huddle is intended to be used only when a vehicle is safely parked, or by a passenger in a vehicle, or through a pre-configured hands-free system where no manual interaction with the application is required. - Dental Elephant assumes no liability for any accident, injury, citation, or loss arising from Subscriber's use of any feature of the platform while operating a motor vehicle. - Subscriber acknowledges that distracted driving laws vary by jurisdiction and that compliance with all applicable traffic laws is solely Subscriber's responsibility. 4. DATA, ACCURACY, AND SYSTEM RELIABILITY Dental Elephant makes reasonable efforts to maintain platform availability and data integrity, but does not guarantee uninterrupted service. Subscriber acknowledges: - Dental Elephant is not a primary medical records system. Subscriber should not rely on the Dental Elephant platform as the sole repository for clinical documentation. - In the event of data loss, accidental deletion, system error, or service interruption, Dental Elephant's liability is limited as set forth in Section 5 below. - Subscriber is responsible for maintaining independent backups of all clinical records in Subscriber's practice management system. - Dental Elephant does not guarantee that any data, notes, or records stored or generated on the platform will be available indefinitely. Subscriber should export and save important records to their own systems promptly. 5. LIMITATION OF LIABILITY TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW: - Dental Elephant LLC's total cumulative liability to Subscriber for any and all claims arising out of or related to this Agreement or the use of the Dental Elephant platform — including but not limited to claims arising from AI errors, data loss, accidental deletion of records, system downtime, inaccurate clinical output, or breach of this Agreement — shall not exceed the total fees actually paid by Subscriber to Dental Elephant LLC in the twelve (12) calendar months immediately preceding the event giving rise to the claim. - IN NO EVENT SHALL DENTAL ELEPHANT LLC, ITS MEMBERS, MANAGERS, OFFICERS, EMPLOYEES, OR CONTRACTORS BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES OF ANY KIND, INCLUDING LOST PROFITS, LOST DATA, LOSS OF GOODWILL, PATIENT HARM, REGULATORY FINES, OR MALPRACTICE CLAIMS, EVEN IF DENTAL ELEPHANT LLC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. - Subscriber assumes full responsibility for any clinical, legal, or regulatory consequences arising from Subscriber's failure to independently verify AI-generated content before use. Some jurisdictions do not allow the exclusion or limitation of certain damages. In such jurisdictions, the above limitations shall apply to the fullest extent permitted by law. 6. NO WARRANTY THE DENTAL ELEPHANT PLATFORM IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, ACCURACY, OR RELIABILITY OF AI OUTPUT. DENTAL ELEPHANT LLC DOES NOT WARRANT THAT THE PLATFORM WILL BE ERROR-FREE, UNINTERRUPTED, OR FREE FROM HARMFUL COMPONENTS. 7. SUBSCRIBER RESPONSIBILITIES Subscriber agrees to: - Ensure that all staff members who use the Dental Elephant platform have read and understood these Terms of Use; - Maintain appropriate professional licensure and comply with all applicable dental practice laws and regulations; - Implement and maintain appropriate safeguards for patient data consistent with HIPAA and other applicable privacy laws; - Promptly notify Dental Elephant LLC of any known or suspected security incident, data breach, or unauthorized access related to the platform; - Not use the platform for any unlawful purpose or in any manner inconsistent with these Terms of Use. 8. CHANGES TO THESE TERMS Dental Elephant LLC reserves the right to update or modify these Terms of Use at any time. Continued use of the platform after notice of any material change constitutes Subscriber's acceptance of the revised terms. Notice may be provided by email, in-app notification, or posting to the Dental Elephant website. 9. GOVERNING LAW This Agreement shall be governed by and construed in accordance with the laws of the State of Utah, without regard to conflict of law principles. Any dispute not resolved by good-faith negotiation shall be subject to the exclusive jurisdiction of the state and federal courts located in Salt Lake County, Utah. SUBSCRIBER ACKNOWLEDGMENT By clicking "I Accept" below, Subscriber confirms that: - I have read and understood these Terms of Use & Informed Consent in their entirety. - I understand that AI-generated clinical notes and referral letters are drafts and require my independent verification before use. - I understand that by pasting AI-generated notes into a patient chart, I am attesting to their accuracy as a licensed professional. - I understand that by transmitting any AI-generated referral letter or communication to another provider, I am attesting to its accuracy. - I understand that the Commute Huddle feature must not be operated manually while driving. - I understand that Dental Elephant's liability is limited to the fees I have paid in the prior 12 months. - I agree to ensure all members of my staff who use this platform are informed of these terms. Dental Elephant LLC | dentalelephant.com | Version 1.0 — 2026