enterprise / paperwork

BAA & DPA template.

Most enterprise pilots stall on the paperwork, not the product. Below is kolm's standard business-associate agreement (HIPAA) and data-processing addendum (GDPR-aligned), annotated so your legal team can finish review in one pass. Founder-signed within 48 hours of engagement letter. This page is a working draft for procurement review; the executed copy is sent on letterhead from founders@kolm.ai.

01 baa · what it covers

HIPAA business-associate agreement.

In the kolm architecture, PHI never leaves the covered entity's network at run time. The artifact runs inside your boundary. The BAA exists to cover the narrow window where kolm acts as a business associate: support engagements, optional capture-and-distill against your training data, and any incident-response touch points. The template below is the standard kolm BAA, annotated.

Definitions: “Covered Entity” is your organization. “Business Associate” is kolm. “PHI” tracks 45 CFR 160.103. We do not redefine standard terms.
Permitted uses & disclosures: kolm uses PHI only to provide the services you contracted for. Aggregated, de-identified analytics are permitted only with your explicit opt-in, and the de-identification standard is 45 CFR 164.514(b)(2) (Safe Harbor) by default.
Safeguards: Administrative, physical, and technical safeguards per 45 CFR 164.308–312. Receipt-chain integrity is product-level; the BAA covers the people-and-process layer.
Subcontractors: kolm names every sub-processor in Schedule 2 (DPA section). At time of writing: Vercel (static hosting, no PHI), Railway (API hosting, encrypted at rest, no PHI by design), Stripe (billing only). All are under BAA where they touch PHI; none do under the default architecture.
Breach notification: kolm notifies you within 24 hours of discovery. Investigation report within 5 business days. We do not negotiate “reasonable delay” clauses.
Term and termination: The BAA is coterminous with the master agreement. On termination, kolm returns or destroys PHI within 30 days and certifies destruction in writing. No retention “for archival” exceptions.
02 dpa · what it covers

Data-processing addendum (GDPR-aligned).

For EU subject data, the same template covers GDPR processor obligations under Article 28. Schedule 1 lists processing categories, subject categories, retention. Schedule 3 covers transfer mechanism (SCCs incorporated by reference; UK addendum on request).

Roles: Customer is Controller. kolm is Processor. We do not become Controller of your data under any clause.
Processing instructions: kolm processes Personal Data only on documented instructions from Customer. The product itself enforces this: there is no off-product training on your data without opt-in.
Sub-processors (Schedule 2): Same list as the BAA. We notify you of additions 30 days before activation; you may object in writing.
International transfers (Schedule 3): EU SCCs (Module 2: Controller-to-Processor) incorporated by reference. UK IDTA addendum available on request. Default deployment can be EU-only on request.
Data subject requests: kolm assists Controller in responding to access, rectification, erasure, restriction, portability, and objection requests within 7 business days.
Audit rights: One audit per year on 30 days' notice, conducted under reasonable confidentiality. SOC 2 Type II (when available) satisfies in lieu, at Controller's option.
03 what we will not negotiate

The lines we hold.

A short list of clauses we do not redline. Saying it up front saves a week of back-and-forth.

Indemnity cap: Capped at 12 months of fees paid. Standard. We will not accept uncapped indemnity for IP, data, or anything else.
Source-code escrow: Not available at current stage. We publish the .kolm format spec (already public at /spec) and commit to format stability instead.
Source-code review: Available under NDA for design-partner engagements. Not generally.
On-prem control plane: The runtime is already local. The control plane (key issuance, billing) stays kolm-hosted at current stage. An air-gap reference deployment is documented at /cookbook/airgap-deploy for orgs that need 100% on-prem.
SLA > 99.9%: Control plane only. Runtime SLA is your local hardware. We will not sign 99.99% on the control plane until SOC 2 Type II.
04 execution path

Two emails. One signed PDF.

$ # 1. you mail founders@kolm.ai with org name + workload
$ # 2. we reply within 1 business day with engagement letter
$ # 3. you redline if needed; we agree language within 48h
$ # 4. mutual signature on Docusign or your preferred eSign
$ # 5. executed BAA/DPA on kolm letterhead arrives same day
$ # 6. kick off pilot