‍Regional Applicability

Users are subject to the version of this ToS corresponding to their jurisdiction:

• UAE-based users: Governed by UAE ToS, UAE Federal Law No. 45 of 2021, ADHICS, and UAE data localization laws.
  
• U.S.-based users: Governed by U.S. ToS, HIPAA, and applicable state/federal data privacy laws.

Terms of Service — Orva (UAE Version)

Effective Date: April 22, 2025
Last Updated: May 20, 2025

These Terms of Service (“ToS”) constitute a legally binding agreement between you (“User,” “you,” or “your”) and RAIN Technology ME LTD, a limited liability company registered in Abu Dhabi Global Market (ADGM), regarding your access to and use of the Orva platform (“Orva”) within the United Arab Emirates.

Orva is a clinical-grade, voice-activated platform designed to assist healthcare professionals in surgical and procedural environments by enabling hands-free documentation, workflow automation, and real-time voice interaction.

This platform is intended solely for institutional use by:

• Licensed healthcare providers operating in the UAE
  
  
• Public or private hospitals, surgical centers, and clinics
  
  
• Organizations authorized under the Abu Dhabi Healthcare Information and Cyber Security Standard (ADHICS v2) and Federal Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL)
  
  

By accessing or using Orva, you agree to:

• Comply with these Terms and any referenced policies (including the Orva Privacy Policy and End User License Agreement)
  
  
• Abide by all applicable UAE healthcare regulations, including Department of Health–Abu Dhabi (DoH), Dubai Health Authority (DHA),  and Ministry of Health and Prevention (MOHAP) standards
  
  
• Ensure that your use is authorized and governed by your healthcare institution’s internal policies and controls
  
  

If you do not agree to these Terms, you are not permitted to access or use the Orva platform.

1. Definitions

For the purposes of this Terms of Service, the following definitions apply. Capitalized terms used throughout this agreement shall be interpreted as defined below:

• PHI (Protected Health Information): Any clinical, biometric, or demographic data that is directly or indirectly identifiable to a patient and is subject to regulation under the UAE Personal Data Protection Law (Federal Decree Law No. 45 of 2021) and the Abu Dhabi Healthcare Information and Cyber Security Standard (ADHICS v2). This includes, but is not limited to, patient names, medical record numbers, diagnosis codes, treatment history, and voice-recorded commands containing clinical context.
  
  
• PII (Personally Identifiable Information): Any information that can be used, either alone or in combination with other data, to identify a natural person. Examples include full name, date of birth, email address, phone number, Emirates ID number, or device identifiers. PII is protected under the UAE PDPL and relevant sectoral guidance.
  
  
• User: Any authorized individual—such as a licensed clinician, nurse, anesthetist, surgical staff member, or administrative personnel—who is granted access to the Orva platform under an institutional agreement. Users must operate within the scope of their professional role and in accordance with their healthcare provider’s internal policies.
  
  
• Device: Hardware approved to run the Orva platform, including Android-based tablets, smart displays, operating room televisions, and wearable headsets that support real-time, hands-free interaction in surgical environments.
  
  
• Applicable Law: The full body of laws, standards, and regulatory requirements governing the use of digital health technologies and data in the UAE, including:
  
  
  
  • ADHICS v2 (Abu Dhabi Healthcare Information and Cyber Security Standard)
    
    
  • UAE Federal Law No. 45 of 2021 (UAE Personal Data Protection Law)
    
    
  • MOHAP and Department of Health (DoH) regulations, circulars, and guidance relating to the protection and management of health information
    
    

2. Introduction

Orva is a clinical-grade, voice-activated platform developed to support surgical and procedural teams in the United Arab Emirates. The system enables hands-free intraoperative documentation, time-stamped milestone logging, and verbal interaction with key workflow functions—designed to improve efficiency, safety, and compliance in operating room environments.

Orva is intended solely for institutional deployment by:

• Licensed surgical centers and hospitals in the UAE
  
  
• Facilities operating under the authority of the Department of Health – Abu Dhabi (DoH), Ministry of Health and Prevention (MOHAP), or other recognized health authorities
  
  
• Organizations that comply with ADHICS v2 and the UAE Personal Data Protection Law (Federal Decree Law No. 45 of 2021)
  
  

The platform may only be accessed by authorized healthcare professionals trained in its use and provisioned under the governance of an approved healthcare provider.

Unauthorized or non-clinical use of Orva is strictly prohibited. Use of the platform is also subject to any applicable clinical governance policies issued by your healthcare institution, including patient data handling and informed consent protocols.

3. Usage Policy

Use of the Orva platform is restricted to authorized clinical personnel operating within licensed UAE healthcare institutions. By accessing and using Orva, Users agree to strictly adhere to institutional policies, applicable UAE regulations, and the terms of this agreement.

All Users must:

1. Operate Within Approved Clinical Settings

• Use Orva exclusively within licensed surgical environments, such as operating rooms, procedural suites, and other designated clinical areas approved by their institution
  
  
• Ensure that the platform is deployed only on authorized, institution-provisioned devices managed under appropriate mobile device management (MDM) controls
  
  
• Use the system only during the course of official duties within a recognized healthcare provider subject to UAE health regulations
  
  

2. Avoid Unauthorized, Recreational, or Unlawful Use

Users may not:

• Use Orva for any personal, entertainment, or recreational purposes
  
  
• Attempt to repurpose, reverse-engineer, or tamper with the platform for unauthorized clinical applications or software testing
  
  
• Transmit, store, or process any data through Orva that would violate UAE federal law, cybercrime statutes, or healthcare sector data handling rules
  
  

3. Comply with UAE National Healthcare Privacy Standards

Users must comply with:

• The Abu Dhabi Healthcare Information and Cyber Security Standard (ADHICS v2)
  
  
• The UAE Personal Data Protection Law (Federal Decree Law No. 45 of 2021)
  
  
• Any additional regulations or circulars issued by the Department of Health – Abu Dhabi, MOHAP, or Dubai Health Authority (DHA) relevant to voice data, clinical system use, and digital health platforms

Failure to comply with this Usage Policy may result in suspension or revocation of access, internal disciplinary action, and/or regulatory notification where required by law.

4. User Accounts

Access to the Orva platform requires an authorized user account, which must be provisioned and managed through the secure Orva Admin Panel. Each account is linked to a verified healthcare role and is subject to institutional access control policies.

To protect the confidentiality and integrity of clinical data, all user accounts must adhere to the following security measures:

Account Security Features

• Strong Password Requirements: All passwords must meet defined minimum standards for length, complexity, and uniqueness, in alignment with ADHICS v2 access management controls
  
  
• Two-Factor Authentication (2FA): Required at the time of initial account setup and during any password reset events. 2FA may use time-based one-time passcodes (TOTP), authenticator apps, or SMS verification, based on institutional policy
  
  
• Session Timeout & Re-authentication: Sessions are automatically terminated after a defined period of inactivity. Users must re-authenticate using their password to resume system access
  
  
• Enforced Password Resets: Users may be required to change their passwords at regular intervals, as mandated by institutional policy or system configuration settings
  
  

User Responsibilities

Each User is solely responsible for:

• Maintaining the confidentiality of their credentials and not sharing their account with any other individual
  
  
• Promptly reporting any suspected compromise of account access or unusual system behavior to their IT/security team or designated Orva administrator
  
  
• Using only their assigned credentials, and not attempting to bypass access controls or impersonate other users

RAIN Technology ME LTD reserves the right to suspend, deactivate, or audit user accounts in response to detected anomalies, potential misuse, or institutional policy enforcement.

5. Data Management

The Orva platform collects and processes data essential for clinical workflow support, operational integrity, and regulatory compliance. All data is handled in accordance with the Abu Dhabi Healthcare Information and Cyber Security Standard (ADHICS v2) and the UAE Personal Data Protection Law (PDPL – Federal Decree Law No. 45 of 2021).

Categories of Data Collected

Orva may collect the following data types during clinical use:

• Surgical Milestones & Workflow Logs: Time-stamped events representing clinical actions, procedural steps, or documented notes entered via voice or touchscreen
  
  
• Wake-Word Activated Voice Inputs: Audio recordings triggered only after the system detects its activation phrase (“Hey Orva”), capturing user commands or dictated notes for in-session processing
  
  
• Session Metadata & Device Information: Includes anonymized session identifiers, user role tags, device IDs, room identifiers, session duration, and system performance logs
  
  

All data is collected under the authority of the deploying healthcare institution and governed by its data handling, consent, and access control policies.

Data Protection & Hosting

All data—including PHI and PII—is safeguarded using the following technical controls:

• AES-256 encryption at rest and TLS 1.2/1.3 encryption in transit, ensuring confidentiality and integrity of all transmitted or stored data
  
  
• Role-based access restrictions and audit logging enforced at both the application and infrastructure layers
  
  
• Cloud storage within UAE borders, using ADHICS-compliant hosting environments to maintain residency and compliance with Ministry of Health and Prevention (MOHAP) and Department of Health (DoH) standards
  
  

RAIN Technology ME LTD enforces regular security reviews, access audits, and vulnerability assessments to protect data throughout its lifecycle.

Data is retained and disposed of according to the healthcare provider’s policies and applicable retention obligations, including incident response and forensics, where applicable.

6. Data Privacy

RAIN Technology ME LTD is committed to maintaining the confidentiality, integrity, and lawful processing of all Protected Health Information (PHI) and Personally Identifiable Information (PII) collected and processed through the Orva platform. All data privacy practices comply with the UAE Personal Data Protection Law (Federal Decree Law No. 45 of 2021) and the Abu Dhabi Healthcare Information and Cyber Security Standard (ADHICS v2).

Data Residency and Access

All PHI and PII processed by Orva is:

• Stored exclusively within UAE jurisdiction, using cloud hosting environments that are certified for health sector compliance under ADHICS
  
  
• Accessible only by authorized personnel, including clinical users and approved system administrators who have been provisioned with appropriate access rights
  
  
• Protected by role-based access controls (RBAC), audit trails, and session logging mechanisms to ensure accountability, traceability, and adherence to institutional policies
  
  

Access to any sensitive data is governed by the healthcare institution’s internal policy and is monitored for unauthorized activity or abnormal patterns.

International Data Transfer Restrictions

Orva does not transfer PHI or PII outside of the United Arab Emirates unless all of the following conditions are met:

• The data is fully anonymized in accordance with UAE PDPL standards, such that individuals cannot be re-identified directly or indirectly
  
  
• The transfer is made only for system improvement, security audit, or development purposes
  
  
• The transfer has been explicitly approved in writing by the data controller, i.e., the deploying healthcare provider or institution
  
  

Any such transfers are logged, subject to contractual safeguards, and periodically reviewed for compliance.

7. Voice Samples for System Improvement

To support the accuracy and contextual responsiveness of Orva’s speech recognition and natural language understanding (NLU) models, de-identified voice samples may be used for internal training and system enhancement purposes.

Scope of Use

Voice samples are:

• Only captured after the system detects the wake word (“Hey Orva”), ensuring user-initiated activation
  
  
• Used to improve the platform’s ability to recognize clinical terminology, regional accents, and real-time surgical language patterns
  
  
• Processed strictly for the purpose of improving Orva’s performance, safety workflows, and speech recognition models
  
  

RAIN Technology ME LTD does not use voice data for:

• Commercial advertising, marketing, or behavioral profiling
  
  
• Monetization, resale, or third-party licensing of any audio content or training data sets

De-identification & Privacy Safeguards

Before any voice sample is used for system improvement, it undergoes a rigorous de-identification process to ensure that it no longer constitutes PHI or PII under the UAE Personal Data Protection Law (PDPL) and ADHICS standards. This includes:

• Stripping metadata and clinical identifiers
  
  
• Audio review to remove personally revealing speech content
  
  
• Ensuring data is irreversibly anonymized such that re-identification is not possible
  
  

Access to de-identified training data is restricted to authorized RAIN personnel under strict role-based permissions, and all use is auditable and logged for accountability.

8. User Responsibilities

All authorized users of the Orva platform are expected to operate within the scope of their clinical role and adhere to their healthcare institution’s privacy, security, and compliance policies. Use of the Orva system implies an ongoing responsibility to safeguard sensitive information, ensure lawful use, and maintain operational integrity.

Users must:

1. Ensure Appropriate Use of the System

• Use Orva solely for approved clinical and operational purposes
  
  
• Follow institutional guidelines related to the use of voice-activated technology in surgical settings
  
  
• Avoid any unauthorized or experimental use of the platform, including non-clinical data entry, testing, or external integrations

2. Safeguard Account Credentials

• Keep usernames, passwords, and any two-factor authentication (2FA) mechanisms confidential and secure
  
  
• Never share login credentials or allow unauthorized individuals to access the platform under their account
  
  
• Log out of active sessions when leaving a device unattended in clinical areas
  
  

3. Report Misuse or Security Incidents Promptly

• Immediately report any suspected data breach, unauthorized access, or misuse of the Orva platform to their institution’s designated security or privacy officer
  
  
• Cooperate with internal investigations, incident response efforts, and compliance reviews when requested
  
  
• Report any device loss or suspected credential compromise to their IT department to initiate secure deactivation

RAIN Technology ME LTD reserves the right to suspend or terminate access for any user found to be in violation of these responsibilities or whose activity presents a risk to data privacy, patient safety, or system integrity.

9. Liability

To the fullest extent permitted under applicable UAE law, RAIN Technology ME LTD disclaims liability for any direct, indirect, incidental, special, or consequential damages arising from the use—or inability to use—the Orva platform.

RAIN Technology ME LTD is not liable for:

1. Clinical Decisions or Outcomes

Orva is a workflow support tool, not a medical device, diagnostic engine, or decision-support system. All medical and clinical decisions remain the sole responsibility of the attending licensed healthcare professionals.
RAIN Technology ME LTD shall not be held liable for:

• Treatment errors
  
  
• Delayed interventions
  
  
• Adverse clinical outcomes resulting from reliance on, or misinterpretation of, Orva prompts, timestamps, or system feedback
  
  

2. Unauthorized Use or Misuse

RAIN is not responsible for damages or breaches resulting from:

• Use of the Orva platform by individuals not authorized by a licensed healthcare provider
  
  
• Misconfiguration, negligent deployment, or failure to follow security protocols
  
  
• Improper storage, handling, or reuse of shared devices without appropriate re-authentication controls

3. Downtime or Service Interruptions

While Orva is designed to operate reliably in healthcare environments, it depends on external infrastructure, including internet connectivity, cloud service providers, and device performance.
RAIN Technology ME LTD is not liable for:

• Temporary service interruptions due to third-party hosting failures
  
  
• Connectivity disruptions at the facility level
  
  
• Delays caused by scheduled maintenance, software updates, or force majeure events
  
  

In all cases, the total cumulative liability of RAIN Technology ME LTD under this agreement shall be limited to the amounts paid by the healthcare provider for use of the Orva platform in the preceding 12 months, unless otherwise required by UAE commercial law.

10. Modifications

RAIN Technology ME LTD reserves the right to update the ToS at any time. Changes become effective upon written notice to healthcare facilities or posting on the platform.

11. Dispute Resolution

This Terms of Service (ToS) shall be governed by and interpreted in accordance with the laws of the United Arab Emirates, including any applicable health, data protection, and civil regulations issued by federal authorities or regional regulators such as the Department of Health – Abu Dhabi (DoH) and MOHAP.

Resolution Process

In the event of any dispute, claim, or controversy arising out of or relating to the use of the Orva platform, the parties agree to pursue resolution through the following process:

1. Mediation or Arbitration (Optional by Agreement)

Where possible, the parties shall first seek to resolve disputes amicably through good faith negotiations. If unresolved, the parties may mutually agree to submit the matter to:

• Mediation under the rules of the Abu Dhabi Global Market (ADGM) Arbitration Centre, or
  
  
• Binding arbitration conducted in Abu Dhabi, in accordance with the rules of the applicable arbitral body (e.g., ADCCAC or DIAC)
  
  

The language of proceedings shall be English, unless otherwise agreed.

2. Judicial Proceedings

If arbitration or mediation is not mutually agreed to, or if either party seeks immediate legal relief:

• All disputes shall be subject to the exclusive jurisdiction of the civil courts of Abu Dhabi, including the courts of ADGM where contractually applicable
  
  
• Nothing in this clause prevents a party from seeking interim or injunctive relief through the courts, including the preservation of evidence or enforcement of confidentiality obligations
  
  

Exclusion of Foreign Law

The United Nations Convention on Contracts for the International Sale of Goods (CISG) shall not apply to this agreement.

12. Contact

RAIN Technology ME LTD
Level 14, Al Sarab Tower
ADGM Square, Al Maryah Island
Abu Dhabi, UAE
Email: hello@orvahealth.com

‍

Terms of Service — Orva (U.S. Version)

Effective Date: April 22, 2025
Last Updated: May 20, 2025

These Terms of Service (“ToS”) constitute a legally binding agreement between you (“User,” “you,” or “your”) and RAIN Technology, Inc. (“RAIN,” “Orva,” “we,” “our,” or “us”) governing your access to and use of the Orva software platform (“Orva”) within the United States.

Orva is a clinical-grade, voice-activated platform designed to support workflow efficiency, voice-driven documentation, and intraoperative support in surgical and procedural healthcare environments. The platform is intended for use exclusively by licensed healthcare providers, clinical staff, and authorized administrators operating under the direction of a HIPAA-covered entity.

By installing, accessing, or using the Orva platform, you:

• Acknowledge that you are authorized by a licensed healthcare institution to use the platform;
  
  
• Agree to comply with these Terms and all applicable federal and state healthcare laws and regulations, including but not limited to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act;
  
  
• Accept and are bound by the terms of any associated Business Associate Agreement (BAA) between RAIN and your healthcare organization.
  
  

If you do not agree to these Terms, you must not access or use the Orva platform.

‍

1. Definitions

For the purposes of these Terms of Service, the following terms shall have the meanings set forth below. Capitalized terms used but not defined elsewhere in the agreement shall be interpreted according to the definitions below:

• PHI (Protected Health Information): Health-related information, including demographic data, that can be used to identify an individual and is created, received, maintained, or transmitted by a covered entity or business associate in the course of providing healthcare services. PHI is governed under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations.
  
  
• PII (Personally Identifiable Information): Information that can be used, either alone or in combination with other data, to identify, contact, or locate a specific individual. Examples include, but are not limited to, full name, date of birth, address, email address, phone number, and device identifiers.
  
  
• User: Any authorized individual accessing or using the Orva platform, including but not limited to clinicians, surgeons, nurses, anesthesiologists, healthcare administrators, or IT personnel operating under the authority of a healthcare institution.
  
  
• Device: Any supported Android-based hardware running the Orva application, including tablets, head-mounted displays (HMDs), wearable computing devices, or smart displays deployed in clinical or surgical environments.
  
  
• Applicable Law: All relevant United States federal and state laws and regulations governing healthcare data privacy and security, including but not limited to the HIPAA, the Health Information Technology for Economic and Clinical Health Act (HITECH), and, where applicable, state-specific consumer privacy laws such as the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

2. Introduction

Orva is a clinical-grade, voice-enabled software platform developed by RAIN Technology, Inc. to support intraoperative workflows, enhance surgical team coordination, and streamline clinical documentation through hands-free, voice-activated interaction.

The platform is specifically designed for use in operating rooms and procedural healthcare environments and is intended to function as an assistive tool—not a replacement for clinical judgment or medical expertise.

Use of Orva is limited to:

• Licensed healthcare providers and professionals operating within regulated healthcare settings in the United States
  
  
• Institutions that have entered into a valid agreement and Business Associate Agreement (BAA) with RAIN Technology, Inc.
  
  
• Organizations that comply with applicable federal and state privacy laws, including HIPAA, HITECH, and, where applicable, state-specific consumer privacy legislation
  
  

Orva is not intended for consumer, personal health, or non-clinical use. Unauthorized use of the platform outside of these regulated healthcare settings is strictly prohibited and may result in account suspension, termination of service, or legal action.

3. Usage Policy

You agree to use the Orva platform solely for authorized, clinical purposes in accordance with applicable U.S. laws, healthcare regulations, and your healthcare organization’s internal policies.

Use of Orva is strictly subject to the following conditions:

1. Compliance with Applicable Laws

You must use the platform in compliance with all relevant federal and state healthcare privacy, security, and data protection laws, including but not limited to:

• The Health Insurance Portability and Accountability Act (HIPAA)
  
  
• The Health Information Technology for Economic and Clinical Health Act (HITECH)
  
  
• State-specific privacy laws such as the California Consumer Privacy Act (CCPA/CPRA), where applicable

You are responsible for ensuring that your use of Orva does not violate any applicable institutional, legal, or regulatory requirements.

2. Authorized Clinical Use Only

Orva may be used only by individuals:

• Licensed or authorized by a healthcare provider or institution to operate in a clinical environment
  
  
• Acting within the scope of their professional role in support of surgical documentation, intraoperative coordination, or other approved clinical workflows
  
  
• Operating within a covered entity or business associate framework under HIPAA
  
  

Use of Orva for personal health tracking, consumer voice applications, or non-clinical research is strictly prohibited.

3. Prohibited Uses

You may not:

• Use Orva for any fraudulent, deceptive, unauthorized, or unlawful purpose
  
  
• Access or attempt to access protected health information (PHI) for which you are not authorized
  
  
• Misrepresent your identity, role, or authorization status when using the platform
  
  
• Use Orva in a way that could interfere with patient safety, clinical decision-making, or regulatory compliance
  
  

RAIN Technology, Inc. reserves the right to suspend or terminate access for any user or institution found to be in violation of this Usage Policy.

4. User Accounts

Access to the Orva platform is restricted to authenticated user accounts provisioned through the organization’s secure Admin Panel. Each user must be individually authorized and assigned a unique set of credentials tied to their professional role.

Account Security Requirements

All user accounts must adhere to Orva’s access control and authentication standards, including:

• Strong password enforcement, including minimum length and complexity requirements
  
  
• Two-Factor Authentication (2FA) at account creation and during password reset events, using a secondary authentication method such as an authenticator app or verification code
  
  
• Session timeouts with enforced re-authentication after periods of inactivity, in accordance with HIPAA workstation security best practices
  
  
• Mandatory password resets at periodic intervals, as determined by your organization’s security policy or contractual obligations
  
  

RAIN Technology, Inc. may update these controls as needed to meet evolving security requirements.

User Responsibilities

You are solely responsible for:

• Maintaining the confidentiality of your login credentials (e.g., username, password, 2FA tokens)
  
  
• Not sharing your credentials with any other person or using credentials issued to another user
  
  
• Immediately reporting any suspected compromise or unauthorized access to your system administrator or Orva support team
  
  

You agree not to circumvent or disable any authentication mechanisms, nor to attempt to access administrative features or systems for which you are not authorized.

RAIN reserves the right to suspend or revoke account access in response to security concerns, policy violations, or inactivity, and to support compliance with institutional or legal requirements.

User accounts are created via the secure Admin Panel. Account security includes:

• Strong password policies
  
  
• Two-Factor Authentication (2FA) for account setup and password changes
  
  
• Session timeout with re-authentication upon idle
  
  
• Periodic password resets
  
  

Users are responsible for keeping their login credentials confidential.

5. Data Management

The Orva platform collects, processes, and stores specific categories of data necessary to support its clinical functionality and to ensure compliance with healthcare privacy and security requirements. All data collected through Orva is handled in accordance with HIPAA, HITECH, and applicable U.S. data protection laws.

Types of Data Collected

Orva may collect the following categories of information during clinical use:

• Clinical Event Logs: Time-stamped entries capturing surgical milestones, task completions, and intraoperative workflow activity
  
  
• Voice Commands: Audio interactions initiated only after the platform’s wake phrase (“Hey Orva”) is detected
  
  
• Device and Session Metadata: Includes device ID, user role, room ID, IP address, software version, session duration, and usage analytics
  
  

These data types are used solely for clinical workflow support, system operation, security auditing, and, where applicable, anonymized performance benchmarking.

Data Security & Storage

All data containing Protected Health Information (PHI) or Personally Identifiable Information (PII) is:

• Encrypted in transit using TLS 1.2 or 1.3
  
  
• Encrypted at rest using AES-256 encryption
  
  
• Stored exclusively in HIPAA-compliant U.S.-based cloud environments that meet industry standards for security, redundancy, and regulatory certification
  
  

RAIN Technology, Inc. enforces role-based access controls, audit logging, and strict authentication requirements for any access to systems that store PHI/PII.

Data is never shared with third parties for marketing or non-clinical purposes and is retained in accordance with institutional policies, HIPAA retention rules, and relevant Business Associate Agreements (BAAs).

6. Data Privacy

RAIN Technology, Inc. is committed to protecting the privacy and confidentiality of all personal and clinical data processed through the Orva platform. All data handling activities are governed by executed Business Associate Agreements (BAAs) with covered healthcare entities, as required under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).

Access Controls & Confidentiality

All protected health information (PHI) and personally identifiable information (PII) collected or processed through Orva:

• Is accessible only to authorized users with properly provisioned accounts and a documented need to access such data
  
  
• Is subject to role-based access controls, with all access logged and auditable in accordance with HIPAA’s security and privacy rules
  
  
• Is never used for advertising, resale, or non-clinical third-party profiling
  
  

RAIN staff may only access PHI when explicitly authorized and for support or compliance purposes under BAA-authorized workflows.

Third-Party Sharing & Legal Disclosures

Orva does not share, sell, or license PHI/PII to third parties unless:

• Disclosure is required by law, regulation, subpoena, court order, or other government request
  
  
• Directed in writing by the covered entity or healthcare provider in accordance with their internal policies and legal obligations
  
  

All such disclosures are logged, reviewed, and executed in compliance with applicable federal and state laws.

Anonymized Data Use

De-identified or anonymized data may be used by RAIN Technology, Inc. for:

• Internal quality assurance (QA)
  
  
• Debugging and system diagnostics
  
  
• Performance benchmarking
  
  
• Product development and enhancement
  
  

Anonymization is performed using HIPAA-compliant methods, such as Safe Harbor or Expert Determination standards (45 CFR §164.514), ensuring no individual can be identified from the resulting data set.

7. Voice Samples for System Improvement

To support continuous improvement of Orva’s voice recognition capabilities and natural language processing (NLP) models, RAIN Technology, Inc. may use de-identified voice samples collected during clinical use of the platform.

Scope of Use

Voice samples may be used for:

• Training and refining NLP and speech-to-text algorithms
  
  
• Enhancing recognition accuracy across clinical terminology, accents, and acoustic environments
  
  
• Improving response relevance, safety prompts, and real-time system interactions
  
  

Only audio data collected after wake-word activation (“Hey Orva”) is eligible for use, and all such samples are evaluated against technical criteria to determine eligibility for inclusion in the AI training workflow.

De-identification Process

Before any voice data is used for training or analysis, it is:

• Irreversibly de-identified in accordance with HIPAA de-identification standards (45 CFR §164.514), ensuring no individual can be reasonably identified from the audio content
  
  
• Stripped of all metadata and speech content that could reveal identity, context, or protected health information
  
  
• Encrypted and access-controlled, with use restricted to authorized machine learning and QA personnel
  
  

RAIN does not use voice data for advertising, user profiling, or commercial resale under any circumstances.

All AI training activities are logged, monitored, and subject to internal review and external audit when required under applicable agreements or laws.

8. User Responsibilities

All users of the Orva platform are expected to act in accordance with clinical best practices, institutional policies, and applicable laws. By using Orva, you agree to the following responsibilities:

1. Clinical-Only Use

You must use the Orva platform solely for authorized clinical purposes, including:

• Surgical workflow management
  
  
• Intraoperative documentation
  
  
• Voice-activated navigation and timestamping of clinical events
  
  

You must not use Orva for personal, administrative, or non-clinical purposes, or to input data unrelated to patient care.

2. Accuracy of Documentation

As a user, you are responsible for:

• Providing accurate and timely voice commands and event inputs
  
  
• Ensuring that any voice-initiated records or system interactions reflect the true course of clinical activity
  
  
• Avoiding the intentional or negligent entry of false, misleading, or incomplete information
  
  

Any discrepancies identified in system-generated data may be subject to clinical audit or quality assurance review.

3. Security Awareness

You must promptly report any of the following to your organization’s IT/security team or to Orva support:

• Suspected account compromise or unauthorized access
  
  
• System malfunctions, unusual activity, or security vulnerabilities
  
  
• Improper use of the platform by other users
  
  

Users are also expected to comply with institutional training requirements, access control policies, and security protocols, including password protection and device handling procedures.

Failure to comply with these responsibilities may result in suspension or termination of access and may be escalated to the healthcare provider or regulatory authorities, as appropriate.

9. Liability

To the fullest extent permitted by applicable law, RAIN Technology, Inc. disclaims responsibility and shall not be held liable for any loss, damage, or harm arising from or related to the use of the Orva platform in a clinical setting.

Clinical Judgment

Orva is a supplementary tool intended to support surgical workflow and documentation. It is not a substitute for clinical judgment or licensed medical decision-making. RAIN Technology, Inc. is not responsible for:

• Clinical outcomes, treatment decisions, or procedural actions taken (or not taken) in reliance on Orva
  
  
• Errors or omissions in data entry by users, whether verbal or manual
  
  
• Any consequence resulting from the failure to verify system-generated records or prompts
  
  

Unauthorized Use or Misconfiguration

RAIN Technology, Inc. is not liable for any damage or data exposure caused by:

• Unauthorized access due to compromised user credentials or failure to follow security best practices
  
  
• Incorrect setup, configuration, or use of Orva outside of documented guidance or institutional policy
  
  
• Use of the platform by unapproved or untrained personnel
  
  

Service Availability

Orva relies on cloud infrastructure, device connectivity, and external services to function. RAIN shall not be held responsible for:

• Downtime or degraded performance due to third-party service disruptions (e.g., cloud outages, internet failure)
  
  
• Interruptions caused by scheduled maintenance, emergency updates, or infrastructure-level changes
  
  
• Incidental or consequential losses resulting from temporary unavailability
  
  

RAIN will make reasonable efforts to notify impacted clients of extended service interruptions and to restore access in a timely manner.

10. Modifications

We may update this ToS periodically. Changes are effective upon notification and publication on the platform or our website.

11. Dispute Resolution

These Terms of Service are governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict-of-law principles.

In the event of any dispute, controversy, or claim arising out of or relating to these Terms, the Orva platform, or your use thereof, the parties agree to the following resolution process:

1. Good Faith Negotiation

Before initiating formal proceedings, both parties agree to attempt to resolve the dispute informally through good faith negotiations for a period of no less than 30 days after written notice of the dispute has been provided.

2. Mediation or Arbitration

If the matter cannot be resolved through informal negotiation:

• The parties may elect to submit the matter to non-binding mediation, followed by
  
  
• Binding arbitration administered by the American Arbitration Association (AAA) under its Commercial Arbitration Rules, with proceedings held in Wilmington, Delaware
  
  

Any decision rendered through arbitration shall be final and binding and may be entered as a judgment in any court of competent jurisdiction.

3. Jurisdiction

If a dispute is not resolved through arbitration or either party seeks equitable relief (e.g., injunctive relief or enforcement of intellectual property rights), you agree that such matters will be subject to the exclusive jurisdiction of the state and federal courts located in Delaware.

4. Exclusion of CISG

The United Nations Convention on Contracts for the International Sale of Goods (CISG) shall not apply to this agreement or any transactions carried out under it.

‍

‍