Data Processing Agreement

A summary of the processing commitments that apply to customer data handled by ORS AI when it acts as a processor or service provider.

Last updated April 19, 2026

Purpose and scope

This Data Processing Agreement summary describes how ORS AI handles customer data when a hospital, healthcare group, or other contracting entity engages ORS AI to provide software, implementation, support, analytics, integration, or related services.

It applies only where ORS AI processes personal data on behalf of a customer under a commercial agreement and is intended to operate alongside the relevant order form, master services agreement, implementation scope, or equivalent contract.

Roles of the parties

For customer deployment data, the customer acts as the controller, fiduciary, or other primary responsible party that determines the lawful purpose and means of processing. ORS AI acts as a processor or service provider only to the extent required to deliver the contracted services.

The customer remains responsible for deciding what source systems are connected, what categories of data are shared, which users are authorized, and whether the customer has an appropriate legal basis to disclose and process that data through ORS AI.

Subject matter and duration

The subject matter of processing is the provision of ORS AI’s operating-room optimization platform and related services. The duration of processing continues for as long as ORS AI is engaged to provide those services and for any limited follow-on period needed to complete return, deletion, security, audit, or legal obligations.

The specific modules and data flows in scope depend on the customer’s implementation, configuration, integration choices, and executed service documents.

Categories of personal data and data subjects

ORS AI is designed to minimize the personal data it needs. Depending on the deployment, customer data may still include operational and business information relating to staff, users, surgeons, patients, attendants, financial stakeholders, or support contacts.

The categories below are illustrative and may vary by implementation.

  • User and staff account details such as name, title, work email, role, and access permissions
  • Operational schedule and workflow data such as timestamps, procedure context, readiness states, delays, and room allocations
  • Limited patient-related metadata where required for workflow or integration purposes
  • Support, audit, and implementation records involving customer personnel

Processing instructions

ORS AI processes customer data only on documented customer instructions as reflected in the agreement, the deployed configuration, support requests, implementation documents, and authorized communications from the customer’s designated personnel.

If ORS AI believes an instruction would violate applicable law or create a material security risk, ORS AI may raise the issue with the customer and, where necessary, pause the affected activity until the concern is resolved.

Confidentiality and personnel obligations

ORS AI limits access to customer data to personnel, contractors, and subprocessors who need that access for service delivery, support, security, or compliance purposes and who are bound by appropriate confidentiality obligations.

Access is intended to follow least-privilege and role-based principles and may be further restricted by environment, function, or customer-specific agreement.

Technical and organizational measures

ORS AI maintains technical and organizational measures designed to protect customer data against unauthorized access, accidental loss, misuse, or inappropriate disclosure. These measures may evolve over time provided that overall protection is not materially reduced.

Examples of such measures include controlled access, encryption in transit, environment segmentation, logging, backup procedures, change controls, vulnerability management, and operational review practices suitable for the nature of the services.

Subprocessors

ORS AI may use carefully selected subprocessors to support infrastructure, communications, monitoring, customer support, or other service-delivery functions. Where subprocessors are used, ORS AI expects them to operate under confidentiality and data-protection obligations consistent with their role.

Current or common subprocessor categories include the following.

  • AWS Mumbai for core infrastructure hosting
  • SendGrid for transactional email delivery where configured
  • HubSpot for lead and commercial workflow processing where configured

Assistance with requests, assessments, and audits

Taking into account the nature of the processing and the information available to ORS AI, we will provide reasonable assistance to help the customer respond to data-subject requests, security reviews, compliance enquiries, and regulator-facing questions related to ORS AI’s role.

Where customers require due-diligence support, ORS AI may provide architecture summaries, security overviews, questionnaire responses, or other documentation appropriate to the customer relationship and the sensitivity of the information requested.

Incident notification and cooperation

If ORS AI becomes aware of a confirmed security incident affecting customer data within our responsibility boundary, we will notify the customer contact designated for such matters without undue delay and provide information reasonably available about the nature of the incident, the likely impact, and the mitigation steps being taken.

ORS AI will cooperate with the customer on reasonable containment, remediation, and follow-up actions while preserving evidence, legal obligations, and the security of the broader environment.

Retention, return, and deletion

At the end of the service relationship, ORS AI will return or delete customer data according to the relevant agreement, technical feasibility, and legal or security obligations that may require limited continued retention. Residual copies may persist for a defined backup cycle before secure expiry or overwrite.

Where customers request a specific export or transition process, the scope, timing, and format of that process should be agreed in the governing commercial documents or an orderly wind-down plan.

International access and data residency posture

ORS AI is designed with a primary India residency posture, including infrastructure hosted in Mumbai where practicable. Some ancillary support or vendor operations may nevertheless involve limited access from outside India, depending on the service provider's architecture and support model.

Where international access is relevant, ORS AI seeks to use contractual and operational controls proportionate to the sensitivity of the data and the role of the service provider involved.

Precedence and contact

If a signed customer agreement contains more specific data-processing terms, that agreement governs to the extent of any inconsistency with this summary. This summary is intended to explain ORS AI’s standard processing posture rather than replace negotiated contractual language.

Questions about ORS AI’s processing role, security controls, or customer-data handling may be sent to privacy@orsai.app or legal@orsai.app.