PaiKnight LLC - Data Processing 1. PHI. PaiKnight processes Protected Health Information (PHI) solely as a HIPAA Business Associate of the Provider, under the Business Associate Agreement set out as Exhibit A to the Master Provider Services Agreement, which governs all PHI processing and controls in the event of any conflict with this summary. 2. Personal data. PaiKnight's handling of non-PHI personal data (for example, Authorized User account data and website-visitor data) is described in the PaiKnight Privacy Policy. 3. Subprocessors and offshore personnel. PaiKnight uses vetted subprocessors (such as cloud infrastructure, payment processing, and email delivery) and maintains a Business Associate Agreement with any subprocessor that may handle PHI. As authorized by Exhibit A, PaiKnight personnel and subcontractors located outside the United States (including in the United Arab Emirates and the Philippines) may access PHI, subject to the safeguards stated there, including encrypted transmission, role-based access controls, multi-factor authentication, jurisdiction logging, workforce HIPAA training, and subcontractor BAAs. 4. Security. PaiKnight applies administrative, physical, and technical safeguards, including AES-256-GCM encryption of PHI at rest, TLS in transit, least-privilege access, and immutable audit logging.