Business Associate & Data Processing Agreement

How This Agreement Works

This is a single agreement with three parts:

• Part 1 — Common Terms. Applies to everyone who accepts this agreement.
• Part 2 — Role Addendums. Four of them. You do not pick. Whichever addendum describes a role you play applies to you automatically, based on what you told us during onboarding. If more than one describes you, more than one applies.
• Part 3 — Acceptance. Your name, title, organisation, jurisdiction, and email come from your onboarding form. You click I Accept on the panel showing this document. That's it.

Examples of how the addendums apply

• An individual clinician → Addendum A (Clinicians) applies.
• An individual coach or mentor → Addendum B (Coaches & Mentors) applies.
• A company deploying menthra to its employees → Addendum C (Employer Deployments) applies.
• A hospital, clinic, or health system using menthra as a wellness layer → Addendum D (Healthcare Organisations) applies.
• A company that both deploys menthra to its employees and employs counsellors who deliver care through the platform → Addendums A and C both apply, together.
• A hospital that also deploys menthra to its own workforce → Addendums C and D both apply, together.

You are not asked to select anything. The applicable addendums are determined by the role information you provided earlier in onboarding, and they apply to you by the terms of this agreement itself.

Preamble

This Business Associate and Data Processing Agreement (this "Agreement") is entered into between menthra Inc., a Delaware C-Corporation, together with its affiliates (collectively, "menthra"), and the organisation, professional, or entity that accepts this Agreement electronically through the menthra platform (the "Counterparty").

By accepting this Agreement, the Counterparty acknowledges that it has read, understood, and agrees to be bound by Part 1 and by every addendum in Part 2 that applies to the Counterparty's role or roles. If you do not agree, do not complete onboarding and do not use the platform.

Part 1 — Common Terms

Applies to everyone. Read this first.

1. Definitions

• "Personal Data" means any information relating to an identified or identifiable individual, including Protected Health Information under HIPAA, Digital Personal Data under the DPDP Act, Personal Data under the GDPR / UK GDPR, and equivalent categories under other applicable data protection laws.
• "Sensitive Personal Data" means any subcategory of Personal Data treated as sensitive under applicable law, including health and mental health information, biometric data, and special categories under the GDPR.
• "Individual" means the natural person to whom Personal Data relates, including clients, patients, employees, and family members.
• "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, transmission, and deletion.
• "Personal Data Breach" means any unauthorised or accidental access to, acquisition, use, disclosure, alteration, or destruction of Personal Data.
• "Services" means the menthra platform and related services, as described in the primary agreement between the Parties.
• "Applicable Law" means all laws and regulations applicable to the Processing of Personal Data under this Agreement, including HIPAA, the DPDP Act, the GDPR, the UK GDPR, and equivalent laws in other jurisdictions.
• "Subprocessor" means any third party engaged by menthra to Process Personal Data in performance of the Services.

2. Scope

2.1 This Agreement applies whenever menthra processes Personal Data on behalf of, or in collaboration with, the Counterparty, and whenever the Counterparty processes Personal Data originating from or routed through the menthra platform.

2.2 It supplements, and does not replace, any primary platform or commercial agreement between the Parties. In case of conflict on data protection matters, this Agreement prevails.

2.3 Part 1 applies to all relationships. The addendums in Part 2 apply in addition to Part 1 wherever they describe a role played by the Counterparty. Where more than one addendum applies, all applicable addendums apply together; if two applicable addendums are in direct conflict on a specific obligation, the more protective obligation prevails.

3. Permitted Uses and Purpose Limitation

3.1 Purpose Limitation. menthra shall only Process Personal Data for the purposes of providing the Services, fulfilling its obligations under the primary agreement, and complying with Applicable Law.

3.2 Permitted Activities. menthra may: (a) use Personal Data to operate, maintain, secure, and improve the Services; (b) perform quality assurance, safety monitoring, and crisis detection; (c) generate aggregated, de-identified, or anonymised data for analytics, research, and service improvement; and (d) disclose Personal Data to Subprocessors acting under written obligations no less protective than those herein.

3.3 De-identification. menthra applies de-identification in accordance with the HIPAA Safe Harbor standard (45 CFR §164.514(b)) or equivalent statistical methods before supplying data to AI infrastructure providers. Direct identifiers are removed. De-identified data is not Personal Data under this Agreement.

3.4 Prohibited Activities. menthra shall not: (a) sell Personal Data; (b) use Personal Data for independent marketing to Individuals outside the scope of the Services; (c) Process Personal Data in a manner prohibited by Applicable Law; or (d) train AI models in a way that would cause identifiable attributes of Individuals to appear in model outputs.

4. Safeguards

4.1 menthra maintains administrative, physical, and technical safeguards appropriate to the nature and sensitivity of the Personal Data Processed under this Agreement.

4.2 Baseline safeguards include:

• Encryption of Personal Data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent).
• Role-based access control, least privilege, multi-factor authentication for privileged access, and periodic access reviews.
• Security logging, monitoring, intrusion detection, and documented incident response.
• Secure software development, change management, vulnerability scanning, and penetration testing.
• Workforce training on data protection and security, refreshed at least annually.
• Physical safeguards at data centre and cloud environments.
• Business continuity and disaster recovery planning with defined RPO/RTO.
• A designated security and privacy officer, and a documented risk management programme.

4.3 Each Party shall ensure that its workforce with access to Personal Data is bound by appropriate confidentiality obligations.

5. Subprocessors

5.1 The Counterparty provides general authorisation for menthra to engage Subprocessors in the performance of the Services.

5.2 menthra imposes on each Subprocessor contractual obligations no less protective than those in this Agreement, and remains liable to the Counterparty for its Subprocessors' performance.

5.3 menthra maintains a current list of Subprocessor categories, including cloud infrastructure, AI model providers (receiving only de-identified data), voice and avatar rendering, communications, payments, and analytics. The list is available on request and through the platform.

5.4 menthra provides reasonable prior notice before adding or replacing a Subprocessor that handles non-de-identified Personal Data. The Counterparty may object on reasonable data protection grounds within thirty (30) days; the Parties shall cooperate to find an acceptable solution, failing which the Counterparty may terminate the affected Services.

6. Breach Notification

6.1 menthra notifies the Counterparty without undue delay after becoming aware of a confirmed Personal Data Breach, and in any event within seventy-two (72) hours, or sooner where Applicable Law requires.

6.2 The notification includes, to the extent then known:

• The nature of the breach, including the categories and approximate number of Individuals and records affected.
• The likely consequences of the breach.
• The measures taken or proposed to address and mitigate the breach.
• A contact point for further information.

6.3 menthra supports the Counterparty in discharging its own notification obligations to regulators and Individuals where Applicable Law imposes them on the Counterparty.

6.4 menthra maintains documentation of all Security Incidents, including those not requiring external notification, and makes it available on reasonable request.

7. Individual Rights and Cooperation

7.1 menthra assists the Counterparty, to the extent technically feasible, in responding to requests from Individuals exercising rights under Applicable Law, including rights of access, correction, erasure, restriction, portability, objection, and withdrawal of consent.

7.2 Where menthra receives a request directly from an Individual that relates to Personal Data Processed on behalf of the Counterparty, menthra forwards the request without undue delay.

7.3 Neither Party responds to regulatory or law-enforcement requests concerning the other Party's Personal Data without notifying the other Party, unless notification is prohibited by law.

8. International Data Transfers

8.1 Where Personal Data is transferred across jurisdictions, the transferring Party ensures an appropriate transfer mechanism under Applicable Law.

8.2 For transfers out of the EEA or the United Kingdom, the then-current EU Standard Contractual Clauses and the UK International Data Transfer Addendum are incorporated by reference.

8.3 For transfers out of India under the DPDP Act, menthra complies with any restrictions notified by the Central Government and makes its transfer mechanism available on request.

8.4 For transfers involving other jurisdictions, the Parties adopt the mechanism required by the relevant law.

9. Audit and Compliance

9.1 menthra maintains records of its Processing activities sufficient to demonstrate compliance with this Agreement.

9.2 On reasonable written notice and no more than once per twelve (12) month period (unless required more frequently by a regulator or triggered by a Security Incident), menthra makes available information reasonably necessary to demonstrate compliance, including audit reports (such as SOC 2 summaries) and responses to industry-standard questionnaires.

9.3 Where a written or on-site audit is required by Applicable Law and cannot reasonably be satisfied by available reports, menthra cooperates, subject to reasonable scheduling, scope, confidentiality, and cost allocation.

10. Term, Termination, and Data Handling on Exit

10.1 This Agreement takes effect on acceptance and remains in force while menthra Processes Personal Data of or for the Counterparty, and thereafter until all return or destruction obligations are discharged.

10.2 Either Party may terminate for material breach if the other fails to cure within thirty (30) days, or immediately for an uncurable material breach.

10.3 On termination or expiry, menthra returns or securely destroys all Personal Data Processed on the Counterparty's behalf, at the Counterparty's option, and certifies the same.

10.4 menthra may retain Personal Data where required by Applicable Law or for archival, audit, or dispute purposes, provided retained data continues to be protected and is not further Processed.

11. Liability

11.1 Each Party's liability is subject to the limitations in the primary agreement, except where Applicable Law prohibits limitation.

11.2 Nothing limits liability for: (a) death or personal injury caused by negligence; (b) fraud; (c) statutory fines or penalties imposed by a supervisory authority; or (d) any other liability that cannot be limited under Applicable Law.

11.3 Where a regulator imposes a fine arising from the other Party's breach, the Party at fault indemnifies the other to the extent permitted by law.

12. Governing Law

12.1 This Agreement is governed by the law specified in the primary agreement. In the absence of such specification, the governing law is: (a) Delaware, USA, if the Counterparty is primarily based in the United States; (b) India, seat at Hyderabad, if the Counterparty is primarily based in India; or (c) England and Wales, if the Counterparty is primarily based in the EEA or the United Kingdom.

12.2 Nothing in this clause prevents either Party from seeking urgent injunctive relief from a court of competent jurisdiction.

13. General Provisions

13.1 Updates. menthra may update this Agreement. Material changes are notified at least thirty (30) days in advance. Continued use after the effective date constitutes acceptance.

13.2 Notices. Notices go through the verified communication channels between the Parties. For menthra: legal@menthra.ai.

13.3 Assignment. Neither Party assigns this Agreement without the other's written consent, save that menthra may assign to an affiliate or successor.

13.4 Severability. If any provision is invalid, the remainder continues in full force.

13.5 Survival. Clauses concerning confidentiality, security, breach notification, data return or destruction, liability, and governing law survive termination.

13.6 Entire Agreement. This Agreement, with the primary platform or commercial agreement and every addendum in Part 2 that applies to the Counterparty, is the entire agreement of the Parties on its subject matter.

Part 2 — Role Addendums

These apply in addition to Part 1. You do not choose. Whichever addendum describes a role you play applies automatically, by the terms of this agreement.

Addendum A — Clinicians

Applies to any individual, and to any organisation employing such individuals, where a licensed or registered mental health professional delivers care through the menthra platform.

A.1 When this addendum applies. This addendum applies whenever a mental health professional holding a valid licence, registration, or equivalent recognised credential (for example, RCI registration in India, state licensure in the USA, HCPC or BACP in the UK, or equivalent) delivers or will deliver care through the menthra platform. It applies to the individual clinician accepting onboarding; where a clinician is employed or contracted by an organisation, it also applies to that organisation in respect of that clinician's activities on the platform.

A.2 Role allocation.

• In the United States where PHI is handled on the platform, menthra acts as Business Associate under HIPAA for the data menthra processes on the Counterparty's behalf.
• In India menthra acts as Data Processor in respect of client data managed through the platform. Clinical responsibility sits with the clinician under the Mental Healthcare Act 2017 and RCI regulations.
• In the EEA and United Kingdom menthra acts as Processor and the clinician (or the employing organisation) acts as Controller.

A.3 Digital Twin — who is responsible for what.

• Clinician-Authored Content: responsibility of the clinician and, where applicable, the employing organisation. This includes protocols, frameworks, pre-recorded guidance, and any other content the clinician deliberately submits to shape their Digital Twin.
• Platform-Generated Content: menthra's responsibility. This includes all AI-generated conversational outputs across chat, voice, and video, including safety filtering and crisis detection. Platform-Generated Content is not attributed to the clinician personally for clinical liability purposes.
• Live Sessions: clinical responsibility of the clinician, in line with the same professional standards that govern any in-person consultation.
• Platform Operation: menthra's responsibility — availability, security, and safety systems.

A.4 Obligations.

• A.4.1 Maintain licensure or registration in good standing and notify menthra within seven (7) days of any suspension, investigation, or disciplinary action affecting the right to practice.
• A.4.2 Practice only within licensed scope. Do not provide services the platform is not authorised to deliver in a given jurisdiction.
• A.4.3 Respond to crisis escalations and safety alerts within the response time defined for the service tier, or arrange acceptable coverage.
• A.4.4 Maintain active professional indemnity insurance at levels customary in the jurisdiction, and provide proof on request.
• A.4.5 Do not solicit, circumvent, or bypass the platform's billing, referral, or privacy frameworks. Do not accept off-platform payments from clients.

A.5 What menthra provides.

• Platform, clinician dashboard, scheduling, and session management.
• Digital Twin creation, training, supervision, and operation infrastructure across chat, voice, and video.
• Client onboarding, matching, and care-pathway routing.
• Payment collection, invoicing, revenue share disbursement, and tax statements.
• Safety, crisis escalation, compliance, and privacy infrastructure.

A.6 Indemnification. menthra indemnifies the clinician and the employing organisation against claims arising from Platform-Generated Content and Platform operational failures. The clinician and the employing organisation indemnify menthra against claims arising from Live Session conduct, Clinician-Authored Content, and breach of licensing, regulatory, or legal obligations.

Addendum B — Coaches & Mentors

Applies to non-clinical wellness coaches, life coaches, mentors, and educators, and to any organisation employing such individuals.

B.1 When this addendum applies. This addendum applies where a non-clinical wellness coach, mentor, educator, or comparable professional provides structured guidance, programmes, or content through the menthra platform, and does not hold themselves out as a licensed mental health professional. It applies to the individual coach and, where the coach is employed or contracted by an organisation, to that organisation in respect of the coach's activities on the platform.

B.2 Role allocation.

• menthra acts as Data Processor in respect of client data managed through the platform.
• The coach and, where applicable, the employing organisation are responsible for the content and coaching guidance provided within the scope defined by the menthra platform.
• HIPAA and clinical regulations do not apply to this tier. The DPDP Act, GDPR, and general consumer protection laws do apply.

B.4 Digital Twin and content responsibility.

• Coach-Authored Content: responsibility of the coach and, where applicable, the employing organisation.
• Platform-Generated Content: menthra's responsibility.
• Live Sessions: responsibility of the coach, subject to the scope-of-practice rules above.

B.5 Obligations.

• B.5.1 Provide accurate information about qualifications, experience, and areas of focus. Do not misrepresent credentials.
• B.5.2 Follow menthra's content standards and community guidelines.
• B.5.3 Respect client confidentiality and comply with the platform's privacy rules.
• B.5.4 Maintain general liability and professional coverage appropriate to the nature of the work.
• B.5.5 Do not solicit off-platform payment or circumvent the platform's revenue-share structure.

B.6 What menthra provides.

• Platform, coach dashboard, scheduling, and session tools.
• Companion training and deployment infrastructure (Sage tier).
• Client matching, billing, and payouts.
• Safety escalation, so the coach can route clinical cases out of scope quickly.

Addendum C — Employer Deployments

Applies to any organisation deploying menthra to its workforce — through the Ally for Workplace configuration. A company may fall under Addendum C alone, or under C together with another addendum (for example, C and A where the company also employs counsellors who deliver care through the platform).

C.1 When this addendum applies. This addendum applies where an organisation deploys menthra as a mental wellness benefit to its employees, and optionally to employees' immediate families. Typical examples include corporates, fintechs, BPOs, manufacturing, and any employer of record wishing to extend wellness support to its workforce.

C.2 Role allocation.

• The employer acts as Controller / Data Fiduciary of its employees' basic identification and employment data shared with menthra to provision access.
• menthra acts as Processor of that employment data, and as Controller in respect of employees' direct wellness interactions on the platform.
• Individual wellness conversations are not shared with the employer. See C.4 below.

C.3 What menthra provides.

• Employee access to the Ally for Workplace deployment, optionally co-branded or white-labelled.
• SSO integration and IT onboarding support.
• Aggregate, anonymised wellness analytics at the department or cohort level, with minimum cohort size thresholds to prevent re-identification.
• Clinical escalation pathways for employees whose wellness signals indicate the need for professional care.
• Quarterly outcomes review and ROI reporting.

C.5 Obligations.

• C.5.1 Provide accurate and lawfully collected employee data to menthra for provisioning.
• C.5.2 Obtain the consents and give the notices required by Applicable Law (including employment and data protection laws) before enrolling employees.
• C.5.3 Pay fees on agreed terms and honour the contractual commitments in the primary agreement.
• C.5.4 Respect the confidentiality boundary in C.4 and educate managers and HR on it.

C.6 Where the employer also employs clinicians who deliver care on the platform. Where the employer also engages one or more licensed clinicians who provide clinical services through the menthra platform, Addendum A (Clinicians) applies to the employer in addition to this Addendum C. Both addendums operate together; the employer is simultaneously the operator of a workplace deployment (this Addendum) and a provider of clinical services (Addendum A).

Addendum D — Healthcare Organisations & Clinical Partners

Applies to hospitals, clinics, health systems, and healthcare groups partnering with menthra.

D.1 When this addendum applies. This addendum applies where a healthcare provider, hospital, clinic, group practice, health plan, insurer, or equivalent healthcare entity offers menthra as a complementary wellness layer to its patient base, to corporates it serves, or to its own workforce.

D.2 Role allocation.

• In the United States, the Counterparty typically acts as Covered Entity under HIPAA; menthra acts as its Business Associate for data Processed on the Counterparty's behalf. The HIPAA BAA terms are incorporated — see D.6 below.
• In India, the Counterparty acts as Data Fiduciary under the DPDP Act; menthra acts as Data Processor. Clinical responsibility sits with the Counterparty's clinicians; platform responsibility sits with menthra.
• In the EEA and United Kingdom, the Counterparty acts as Controller; menthra acts as Processor.

D.3 Clinical and AI responsibility allocation.

• The Counterparty's clinicians' Live Sessions: the Counterparty's clinical responsibility, in line with institutional duty of care.
• Clinician-Authored Content submitted by the Counterparty's clinicians: the clinician's responsibility; platform curation remains menthra's.
• Platform-Generated Content (AI conversations across chat, voice, and video): menthra's responsibility. The Counterparty's clinicians carry no incremental liability from AI-generated interactions.
• Safety, crisis detection, platform operation, data security: menthra's responsibility.

D.4 What menthra provides.

• Platform access for the Counterparty's patient, employee, or corporate cohorts, optionally co-branded or white-labelled.
• Clinical customisation — companion behaviour, triage thresholds, escalation routing, and content library tuned to the Counterparty's clinical protocols.
• Referral-first escalation routing into the Counterparty's clinical network.
• Quarterly clinical review, outcomes reporting, and joint incident review.
• Named customer success and clinical liaison from menthra.

D.5 Obligations.

• D.5.1 Provide the clinical governance input required to configure the platform for safe deployment within the Counterparty's environment.
• D.5.2 Ensure clinicians engaging with the platform meet their own licensure and professional obligations; each such clinician is additionally subject to Addendum A.
• D.5.3 Obtain the patient consents and give the notices required by Applicable Law before routing patients into the platform.
• D.5.4 Cooperate in joint incident, breach, and outcomes review as set out in the primary agreement.

D.6 HIPAA Business Associate terms (where applicable). Where this Addendum D is engaged in the United States in respect of PHI, the following Business Associate provisions apply and are deemed incorporated:

• menthra will not use or disclose PHI other than as permitted or required by this Agreement, as required by law, or as expressly permitted by the HIPAA Rules.
• menthra will use appropriate safeguards and comply with the Security Rule, as detailed in Part 1 Section 4.
• menthra will report to the Counterparty any use or disclosure of PHI not provided for, any Security Incident, and any Breach of Unsecured PHI as required under 45 CFR §164.410.
• menthra will ensure Subcontractors that handle PHI agree in writing to the same restrictions.
• menthra will make PHI available to the Counterparty, to the Individual, or to third parties designated by the Individual, as required by 45 CFR §164.524, §164.526, and §164.528.
• menthra will make its practices, books, and records available to the Secretary of Health and Human Services for purposes of determining compliance with the HIPAA Rules.
• On termination, menthra will return or destroy all PHI and retain no copies, or where infeasible, will extend the Agreement's protections to the retained PHI.
• De-identified information produced under 45 CFR §164.514(b) is not PHI, and menthra may disclose it to AI service providers in operating the Services.

D.7 Where the healthcare organisation also deploys menthra to its own workforce. Where the Counterparty also deploys menthra as a wellness benefit to its own employees (distinct from patient-facing use), Addendum C (Employer Deployments) applies in addition to this Addendum D. The confidentiality boundary in C.4 applies to the workforce deployment irrespective of the Counterparty's clinical role under D.

Part 3 — Acceptance

Fields below are pre-filled from your onboarding form. You review, click I Accept, and onboarding completes.

By clicking I Accept on the panel showing this document, you confirm that you have read and agree to be bound by Part 1 (Common Terms) and by every addendum in Part 2 that describes your role or roles, based on the information you provided during onboarding. You confirm that you have authority to bind the organisation on whose behalf you accept. Your acceptance is a valid electronic signature under the U.S. Electronic Signatures in Global and National Commerce Act, the Indian Information Technology Act 2000, the EU eIDAS Regulation, and equivalent electronic-signature laws in other jurisdictions.

menthra Inc. · Delaware, USA · India operations — Hyderabad & Frisco, TX