This Business Associate Agreement ("Agreement") is entered into as of the date of last signature below, by and between the parties identified in Section 1.
1. Definitions
- "Business Associate" means Bonis Systems LLC, a Texas limited liability company, operating the DealMatcherApp.com platform, headquartered in San Antonio, TX. UEI: R2BPJDC5CBA3.
- "Covered Entity" means the organization or government agency executing this Agreement that engages Business Associate services for deal matching, procurement, or related AI-assisted operations.
- "Knox Blockchain" means the proprietary immutable audit ledger developed by Bonis Systems LLC, utilizing SHA-256 cryptographic hash chaining to create an append-only record of all system transactions, decisions, and data access events.
- "Protected Deal Information" (PDI) means any non-public deal data, procurement information, financial records, investor profiles, or government contract details processed through the DealMatcherApp.com platform.
- "Bruce AI" means the AI agent integrated into DealMatcherApp.com that performs automated deal matching, procurement analysis, and government data cross-referencing.
- "Platform" means DealMatcherApp.com and all associated APIs, databases, and services operated by Business Associate.
2. Obligations of Business Associate
Business Associate agrees to the following security and compliance obligations:
2.1 Encryption & Data Protection
- TLS 1.3 enforced for all data in transit between clients and the Platform
- AES-256 encryption for all sensitive data at rest
- bcrypt with a work factor (cost) of at least 12 for all password and credential storage
- SHA-256 cryptographic hashing for Knox Blockchain audit entries
- No plaintext storage of credentials, API keys, or authentication tokens
2.2 Knox Blockchain Audit Trail
- All deal matches, AI decisions, user actions, and data access events are recorded on the Knox Blockchain
- Each audit block contains: timestamp, action type, actor ID, data hash, and parent block hash
- Knox ledger is append-only — blocks cannot be modified, overwritten, or deleted
- Audit records retained for a minimum of 7 years in compliance with federal requirements
- Audit data exportable in JSON format for federal review upon request
2.3 Access Controls
- Role-based access control (RBAC) with distinct admin, investor, and vendor permission levels
- JWT-based authentication with configurable expiration
- Rate limiting on all authentication endpoints
- Account lockout after repeated failed authentication attempts
- Principle of least privilege enforced across all API endpoints
2.4 IP & Privacy Protection
- IP addresses are not stored in application logs beyond operational necessity
- User geolocation data is processed only for compliance verification (state/federal jurisdiction)
- No sale or sharing of Protected Deal Information with third parties
- Data isolation between tenant accounts
3. Knox Blockchain Audit Guarantees
- Immutability: Once a block is written to the Knox ledger, it cannot be altered. Because each block's SHA-256 hash is computed over its parent block's hash, modifying any written block invalidates the parent hash recorded in every later block, so tampering is detected when the chain is recomputed.
- Completeness: Every system action that touches Protected Deal Information generates a Knox audit entry. No gaps in the audit trail.
- Availability: Knox audit data is available for export within 24 hours of a compliance review request.
- Integrity Verification: The entire Knox chain can be independently verified by recalculating the SHA-256 hash of each block from the genesis block forward and checking that it matches the parent hash recorded in the next block. The verifier must also compare the recomputed head hash with a reference copy obtained outside the ledger (for example, the head hash from a prior audit export), because a party with write access to the ledger could otherwise rewrite a block and recompute every subsequent hash.
- Non-Repudiation: Each Knox entry records the authenticated actor ID, binding every recorded action to the authenticated identity under which it was performed.
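The hash chain described in Sections 2.2 and 3 can be checked the way an auditor would check it. The following is an added example, not Bonis Systems code or the Knox implementation: it builds a small chain with the block fields listed in Section 2.2, verifies it from the genesis block forward, and shows why the recomputed head hash has to be compared against a copy held outside the ledger. The field names, the canonical JSON encoding, the genesis sentinel value and the sample events are all assumptions made for this example.

```python
# Added example (not Bonis Systems code): a minimal SHA-256 hash chain with the
# block fields listed in Section 2.2 and the genesis-forward verification of
# Section 3. Field names, canonical JSON encoding, the genesis sentinel and the
# sample events are assumptions constructed for this example.
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional

GENESIS_PARENT = "0" * 64  # assumed sentinel parent hash for the first block


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Block:
    timestamp: str    # ISO-8601 time of the event
    action: str       # action type, e.g. "deal.match"
    actor_id: str     # authenticated actor that performed the action
    data_hash: str    # SHA-256 of the event payload (payload itself stays off-chain)
    parent_hash: str  # hash of the preceding block, GENESIS_PARENT for block 0

    def block_hash(self) -> str:
        # Canonical encoding (sorted keys, fixed separators) so an independent
        # verifier reproduces exactly the same bytes and therefore the same hash.
        encoded = json.dumps(asdict(self), sort_keys=True, separators=(",", ":"))
        return sha256_hex(encoded.encode())


def append_block(chain: List[Block], timestamp: str, action: str,
                 actor_id: str, payload: bytes) -> Block:
    """Append a block whose parent_hash chains it to the current head."""
    parent = chain[-1].block_hash() if chain else GENESIS_PARENT
    block = Block(timestamp, action, actor_id, sha256_hex(payload), parent)
    chain.append(block)
    return block


def verify_chain(chain: List[Block], expected_head: Optional[str] = None) -> Optional[int]:
    """Recompute the chain from genesis forward.

    Returns None when consistent. Otherwise returns the index of the first block
    whose parent_hash does not equal the recomputed hash of its predecessor, or
    len(chain) when the recomputed head differs from expected_head, a head hash
    the verifier obtained outside the ledger.
    """
    if not chain:
        return None
    if chain[0].parent_hash != GENESIS_PARENT:
        return 0
    for i in range(1, len(chain)):
        if chain[i].parent_hash != chain[i - 1].block_hash():
            return i
    if expected_head is not None and chain[-1].block_hash() != expected_head:
        return len(chain)
    return None


def tamper_in_place(chain: List[Block], index: int, new_actor: str) -> List[Block]:
    """Edit one block's actor without touching later blocks (naive tampering)."""
    edited = list(chain)
    b = edited[index]
    edited[index] = Block(b.timestamp, b.action, new_actor, b.data_hash, b.parent_hash)
    return edited


def tamper_and_rechain(chain: List[Block], index: int, new_actor: str) -> List[Block]:
    """Edit one block and recompute every later parent hash (insider with write access)."""
    edited = list(chain[:index])
    b = chain[index]
    parent = edited[-1].block_hash() if edited else GENESIS_PARENT
    edited.append(Block(b.timestamp, b.action, new_actor, b.data_hash, parent))
    for nxt in chain[index + 1:]:
        edited.append(Block(nxt.timestamp, nxt.action, nxt.actor_id, nxt.data_hash,
                            edited[-1].block_hash()))
    return edited


def build_sample_chain() -> List[Block]:
    """Three constructed events; not data from any real platform."""
    chain: List[Block] = []
    append_block(chain, "2026-01-05T14:02:11Z", "pdi.read", "user:inv-1042",
                 b'{"deal_id":"D-7781"}')
    append_block(chain, "2026-01-05T14:02:12Z", "deal.match", "agent:bruce-ai",
                 b'{"deal_id":"D-7781","score":0.91}')
    append_block(chain, "2026-01-05T14:03:40Z", "pdi.export", "user:admin-7",
                 b'{"deal_id":"D-7781","format":"json"}')
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    head = chain[-1].block_hash()  # the value to retain outside the ledger
    print("clean chain:", verify_chain(chain))                                  # None
    print("edit in place:", verify_chain(tamper_in_place(chain, 1, "user:x")))  # 2
    rechained = tamper_and_rechain(chain, 1, "user:x")
    print("rechained, no anchor:", verify_chain(rechained))                     # None
    print("rechained, anchored:", verify_chain(rechained, head))                # 3
```

Running the block shows the two cases the contract language glosses over. A naive edit of block 1 is caught at block 2, whose recorded parent hash no longer matches. An insider who edits block 1 and recomputes the parent hash of every later block produces a chain that passes the genesis-forward check, and is caught only because the verifier holds the earlier head hash and notices that the recomputed head differs. Retaining that head hash with each audit export (Section 2.2) is what makes the Section 3 immutability guarantee checkable by the Covered Entity.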
4. Permitted Uses and Disclosures
Business Associate may use and disclose Protected Deal Information only for the following purposes:
- AI Deal Matching: Processing investor profiles against commercial listings using Bruce AI to generate match scores and recommendations.
- Procurement Optimization: Analyzing government contract opportunities via SAM.gov integration and matching qualified entities.
- Compliance Verification: Cross-referencing entities against SAM.gov, FinCEN, and other federal databases to verify eligibility and standing.
- Audit & Reporting: Generating compliance reports, audit exports, and analytics as required by Covered Entity or federal regulation.
- Platform Operations: Maintaining, securing, and improving the Platform infrastructure and AI models.
5. Breach Notification
In the event of a security incident involving Protected Deal Information, Business Associate shall:
- Notify Covered Entity within 72 hours of discovery
- Provide a Knox Blockchain audit export covering the incident timeframe
- Identify all affected records using Knox chain analysis
- Implement remediation measures and document them on the Knox ledger
6. Term and Termination
This Agreement shall remain in effect for the duration of the business relationship between the parties. Upon termination:
- Business Associate shall return or destroy all Protected Deal Information within 30 days
- Knox Blockchain audit records shall be retained per Section 2.2 retention requirements
- A final audit export shall be provided to Covered Entity upon request
7. Signatures
Business Associate
Bonis Systems LLC
Signature
Printed Name
Title
Date
Covered Entity
_________________________
Signature
Printed Name
Title
Date
© 2026 Bonis Systems LLC. All rights reserved. This template is provided for business associate review and execution.
Document Version: 1.0 —