Terms & Conditions

Vala, Inc. Effective Date: April 1, 2026

IMPORTANT — PLEASE READ CAREFULLY. These Terms of Service constitute a binding legal agreement. By accessing or using Vala’s Services, you agree to be bound by these Terms. If you do not agree, do not use the Services.

1. Agreement and Acceptance

These Terms of Service (“Terms”), together with any order form, statement of work, subscription ordering page, incorporated policy, Data Processing Addendum, Business Associate Addendum, or other supplemental terms expressly incorporated by reference, constitute a binding legal agreement between Vala, Inc., a Delaware corporation (“Vala”), and the customer identified in the applicable ordering document or, if no such document exists, the person or entity accessing or using the Services (“Customer”). This agreement governs access to and use of the website located at valaclaims.com, together with any affiliated website, portal, application, software, hosted environment, API, AI-enabled functionality, document-processing feature, communication tool, or related service made available by Vala (collectively, the “Services”).

By executing an order form, clicking acceptance, creating an account, accessing the Services, or using the Services in any manner, Customer agrees to be bound by these Terms. If the individual accepting these Terms does so on behalf of an entity, that individual represents and warrants that they possess full power and authority to bind that entity. If such authority does not exist, that individual may not accept these Terms or use the Services on behalf of the purported customer.

To the extent of any conflict between these Terms and an executed order form, the order form will control solely with respect to the specific commercial subject matter addressed therein. To the extent of any conflict between these Terms and a separately executed Data Processing Addendum or Business Associate Addendum, the applicable addendum will control solely with respect to the subject matter governed by that addendum.

2. Eligibility; Customer Type; Authorized Use

The Services are intended solely for lawful business and professional use in connection with veterans-benefits workflows, claims-support operations, administrative case handling, legal-support activities, intake management, client communications, document processing, analytics, and related operational functions. The Services are designed principally for use by VA-accredited attorneys, VA-accredited claims agents, law firms, advocacy organizations, supervised support staff, and other professional entities operating within a lawful and properly supervised environment in compliance with 38 C.F.R. Part 14.

Customer represents and warrants that it, and all Users acting on its behalf, are legally authorized to access and use the Services and will do so only for legitimate business purposes. Customer is solely responsible for determining whether the Services are appropriate for its business, professional, legal, ethical, and regulatory obligations. Vala may refuse access to, or discontinue access for, any person or entity that does not satisfy Vala’s eligibility, compliance, security, or risk requirements.

Individuals who access the Services as representatives of an organization do so on behalf of, and bind, that organization. Use of the Services by unaccredited individuals in connection with representation of veterans before the U.S. Department of Veterans Affairs (“VA”) is prohibited unless supervised and permitted by applicable law and VA regulations.

Prohibited Registrants; Competitor Access

The following persons and entities are not eligible to access or use the Services and are expressly prohibited from registering for or using the Services in any capacity:

  • Any individual or entity who is a Competitor (as defined in Section 28) and who accesses or attempts to access the Services for the purpose of competitive intelligence gathering, reverse engineering, benchmarking, feature evaluation for competitive purposes, or development of a competing product — regardless of whether access is obtained under their own identity or through a third party.

  • Any individual or entity that accesses or attempts to access the Services on behalf of, or for the benefit of, a Competitor, or for the purpose of gathering competitive intelligence, performing benchmarking, evaluating features for competitive purposes, or reverse engineering any aspect of the Services.

  • Any individual or entity that registers for or uses the Services under a false identity, fictitious business name, or misrepresentation of their professional affiliation, organizational role, or VA accreditation status.

  • Any individual or entity that uses or attempts to use the credentials, account access, or identity of a Customer, User, or client or claimant of a Customer to gain access to the Services or to Customer Data to which they are not independently entitled.

Customer represents and warrants, as of the date of acceptance and on a continuing basis throughout the term, that neither Customer nor any User accessing the Services on Customer’s behalf is a Competitor or is acting for the benefit of a Competitor. Customer shall not grant access to the Services to any person or entity that Customer knows or reasonably suspects to be a Competitor.

Vala reserves the right to verify the identity, VA accreditation status, bar admission, or professional credentials of any Customer or User at any time, and to require supporting documentation as a condition of continued access. Customer shall cooperate promptly with any such verification request. Vala may immediately suspend or terminate access if verification cannot be completed or if Vala determines that access was obtained through false pretenses, impersonation, or misrepresentation.

Customer is responsible for preventing unauthorized access to its accounts by third parties — including clients, claimants, or opposing parties — who are not authorized Users. Customer shall not share login credentials with any individual who is not a designated User, and shall not permit claimants or third parties direct access to the Services using Customer’s account credentials. Customer shall promptly revoke access for any User whose authorization has ended or who Customer suspects may be acting adversely to Customer or Vala.

3. Provision of Services; License Grant

Subject to Customer’s compliance with these Terms and timely payment of all applicable fees, Vala grants Customer a limited, non-exclusive, non-transferable, non-sublicensable, revocable right during the applicable subscription term to access and use the Services solely for Customer’s internal business purposes in accordance with the Documentation and any applicable order form. No rights are granted except as expressly stated in these Terms.

Customer shall not, and shall not permit any third party to: sell, resell, license, sublicense, distribute, lease, timeshare, outsource, or commercially exploit the Services; modify, create derivative works of, reverse engineer, decompile, disassemble, or attempt to discover the source code, underlying models, structure, or non-public aspects of the Services, except to the limited extent such restriction is prohibited by applicable law; access the Services to build a competing product or service; or benchmark the Services for public disclosure without Vala’s prior written consent.

4. No Legal Advice; No Representation; No Accreditation by Vala

Vala is a software and technology provider. Vala is not a law firm, does not provide legal advice, does not provide claims representation, and is not itself VA-accredited for purposes of representing claimants before the U.S. Department of Veterans Affairs. The Services are offered solely as operational, administrative, technical, and informational tools.

No feature, communication, workflow, output, recommendation, summary, classification, transcription, or generated content made available through the Services shall be construed as legal advice, claims advice, professional advice, or representation. Customer remains solely responsible for all professional judgments, legal conclusions, factual determinations, strategy decisions, client communications, filing decisions, deadlines, and representations made to any client, claimant, agency, court, or other third party. Vala’s technology does not substitute for, and is not a replacement of, a VA-accredited attorney or claims agent.

5. Customer Obligations; Professional Responsibility

Customer is solely responsible for all use of the Services by its Users and for ensuring that all use complies with these Terms, the Documentation, applicable law, applicable professional rules, contractual obligations, and regulatory requirements. Customer is responsible for obtaining all permissions, consents, authorizations, and legal rights necessary for Customer Data to be submitted to, processed by, and otherwise used in connection with the Services, including, where applicable, claimant authorizations required under 38 U.S.C. § 5701 and 38 C.F.R. § 14.631.

Customer is solely responsible for verifying the completeness, accuracy, legality, and appropriateness of all Customer Data and all Output before using, relying upon, sharing, filing, transmitting, or acting upon it. Customer shall maintain appropriate supervisory review, human oversight, and quality controls commensurate with the nature of the work being performed, the sensitivity of the data involved, and applicable professional responsibility rules.

Customer shall promptly notify Vala if Customer becomes aware of any use of the Services that violates these Terms, applicable law, or professional obligations, or that poses a risk to Vala, other customers, or the integrity of the Services.

6. Accounts; Access Controls; Security; Audit Logging

Customer is responsible for establishing and maintaining accurate account information and for ensuring that access to the Services is limited to authorized Users. Customer shall implement and maintain commercially reasonable administrative, technical, and physical safeguards to prevent unauthorized access, which shall include at minimum:

  • Multi-factor authentication (MFA) for all User accounts with access to the Services or to VA API-sourced data.

  • Role-based access controls (RBAC) that limit each User’s access to only the data and features required for that User’s role.

  • Secure storage of all login credentials, API keys, OAuth tokens, and access mechanisms — credentials shall not be stored in plain text or in unencrypted repositories.

  • Timely deprovisioning of access for Users who no longer require it, and immediate deprovisioning upon termination or role change.

  • Maintenance of access audit logs sufficient to identify which User accessed which data and when, retained for a minimum of three (3) years or such longer period as required by applicable law or VA requirements.

Customer shall notify Vala without undue delay — and in any event within twenty-four (24) hours — after becoming aware of any actual or reasonably suspected: unauthorized access to an account or Customer Data; credential compromise; security incident affecting the Services or VA API-sourced data; or misuse of the Services. Customer remains responsible for all actions taken through its accounts except to the extent caused directly by Vala’s breach of these Terms.

Vala may require Customer to rotate credentials, enable additional security features, or adopt enhanced controls if Vala determines that a security risk exists. Customer shall cooperate promptly with any such request.

7. Acceptable Use Restrictions

Customer shall not use the Services in any manner that is unlawful, fraudulent, deceptive, harmful, infringing, threatening, abusive, defamatory, harassing, or otherwise objectionable. Customer shall not use the Services to submit or process data in violation of law, professional duty, confidentiality obligation, court order, regulatory restriction, or third-party right.

Without limiting the foregoing, Customer shall not use the Services to:

  • Transmit malware, ransomware, viruses, or other harmful code.

  • Probe, scan, or circumvent security controls, authentication mechanisms, or access restrictions of the Services or any connected system.

  • Scrape or extract data beyond permitted API access or rate limits.

  • Interfere with the integrity, performance, or availability of the Services or any connected system.

  • Use the Services to train competing AI or machine learning models, or to develop or improve any product or service that competes with Vala, without Vala’s prior written consent.

  • Misrepresent the origin of Output or use the Services to generate content intended to deceive any person, agency, tribunal, or claimant.

  • Impersonate another person, entity, or VA-accredited representative.

  • Access VA APIs, data feeds, or government systems through the Services in violation of applicable API terms of service, the Computer Fraud and Abuse Act (18 U.S.C. § 1030), or other applicable law.

  • Use VA-sourced data for any purpose not authorized by the VA’s applicable API terms, including commercial purposes not covered by the approved use case, reselling veteran data, or profiling veterans for non-claims-related commercial purposes.

  • Register for, access, or use the Services under a false identity, fictitious business name, fabricated VA accreditation status, or any other misrepresentation of the User’s or Customer’s identity, credentials, or organizational affiliation.

  • Access or attempt to access the Services, or any Customer account or Customer Data, by impersonating a Customer, User, client, claimant, or any other person — including through credential sharing, session hijacking, social engineering, or use of another person’s login credentials without their authorization.

  • Access or use the Services for the purpose of competitive intelligence gathering, reverse engineering, benchmarking, or development of a competing product or service, whether by a Competitor or any person acting on a Competitor’s behalf.

Vala may monitor use of the Services to the extent necessary to operate, secure, support, and improve the Services, to enforce these Terms, and to comply with law or valid legal process.

8. Customer Data; Processing Rights; Usage Data

As between the parties, Customer retains all right, title, and interest in and to Customer Data, subject to the rights granted herein. Customer grants Vala and its authorized subprocessors a non-exclusive, worldwide, limited right to host, copy, transmit, display, process, adapt, analyze, and otherwise use Customer Data solely as necessary to provide, maintain, support, secure, improve, and make available the Services; to prevent fraud or misuse; to comply with law or valid legal process; and as otherwise permitted by these Terms, the Privacy Policy, and any applicable Data Processing Addendum or Business Associate Addendum.

Vala will not sell Customer Data to third parties, share Customer Data with third parties for their independent marketing or advertising purposes, or use Customer Data to build profiles about individual claimants or veterans for purposes unrelated to providing the Services to Customer.

Vala may collect, generate, and use Usage Data for lawful business purposes, including service administration, analytics, security, troubleshooting, optimization, billing validation, product improvement, and business operations. Vala may create and use aggregated or de-identified data derived from Customer Data that does not identify Customer or any individual, provided such data is maintained in de-identified form and used in accordance with applicable law, including applicable VA data use restrictions.

9. AI Features; Output; Human Review; Prohibited Reliance

The Services may include artificial intelligence, machine learning, automation, transcription, extraction, summarization, recommendation, classification, or similar features (collectively, “AI Features”). Such features may produce Output that is incomplete, inaccurate, outdated, biased, misleading, non-unique, or inappropriate for a given context. Customer acknowledges and agrees that Output is generated probabilistically or through automated processes and may contain errors or omissions.

Customer shall not, and shall ensure that Users do not, use Output as a substitute for professional judgment, legal review, factual verification, or independent analysis. Customer is solely responsible for reviewing and validating all Output before using it in any operational, legal, regulatory, client-facing, or other consequential context. This obligation is absolute and is not modified by the quality, confidence score, or apparent accuracy of any Output.

The following uses of AI Features and Output are specifically prohibited:

  • Submitting any VA form, claim, appeal, or supporting document to the VA or any government agency based solely on AI-generated Output without independent human review and approval by a VA-accredited attorney or claims agent.

  • Using Output as a substitute for the professional judgment and supervision required by 38 C.F.R. § 14.629 and applicable state bar rules.

  • Representing to any claimant, court, or agency that AI-generated Output has been independently reviewed or verified unless such review has in fact occurred.

  • Using AI Features to make or implement automated decisions with legal or significant effects on veterans or claimants without human oversight.

Vala disclaims responsibility for decisions made or actions taken based on Output that has not been independently reviewed by qualified personnel. Customer assumes all risk associated with reliance on Output.

10. Compliance with Law; VA API Requirements; VA Data Use; Regulated Data

Customer shall use the Services in compliance with all applicable federal, state, local, and international laws, rules, regulations, and orders, including without limitation laws relating to privacy, data protection, consumer protection, anti-discrimination, export controls, sanctions, record retention, electronic communications, and professional responsibility.

VA-Specific Compliance

To the extent Customer uses the Services in connection with veterans-benefits matters, VA-related workflows, or VA API-sourced data, Customer is solely responsible for compliance with all of the following, as applicable:

  • 38 U.S.C. § 5701 — prohibiting unauthorized disclosure of VA beneficiary records and personally identifiable information.

  • 38 U.S.C. § 5705 — confidentiality of medical quality-assurance records.

  • 38 U.S.C. § 7332 — special confidentiality protections for records relating to drug abuse, alcoholism or alcohol abuse, infection with the human immunodeficiency virus (HIV), and sickle cell anemia.

  • 38 C.F.R. Part 1, Subpart G (§§ 1.575–1.584) — VA Privacy Act regulations.

  • 38 C.F.R. Part 14 — VA accreditation, fee, and representation requirements, including § 14.629 (conduct of VA representatives).

  • The Privacy Act of 1974 (5 U.S.C. § 552a) — to the extent Customer processes records subject to the Privacy Act.

  • HIPAA and the HITECH Act — to the extent Customer Data includes Protected Health Information (as defined under HIPAA).

  • All applicable VA Lighthouse API terms of service and developer agreements — including any data use restrictions, rate limits, and prohibited uses specified by the U.S. Department of Veterans Affairs.

VA API Data Use Restrictions

Customer acknowledges that access to VA APIs (including the VA Lighthouse / developer.va.gov platform) is granted by the VA subject to specific terms. When accessing VA APIs through or in connection with the Services, Customer shall:

  • Use VA API-sourced data only for the specific authorized purpose for which API access was approved, and for no other commercial, research, or secondary purpose without express written authorization from the VA.

  • Not resell, sublicense, monetize, or otherwise commercially exploit VA API-sourced data or provide it to third parties except as required to fulfill the approved use case.

  • Not use VA API-sourced data to train, fine-tune, evaluate, or benchmark any AI or machine learning model without express written authorization from the VA.

  • Store and process all VA API-sourced data exclusively within the United States. Customer shall not transfer VA API-sourced data to any system, facility, or subprocessor located outside the United States.

  • Not retain VA API credentials (OAuth tokens, client secrets, API keys) in plain text, in version control systems, or in any system not designed for secure credential management.

  • Implement and maintain access controls that restrict VA API-sourced data to Users with a legitimate need for such access in connection with the approved use case.

  • Cooperate with any VA audit, inspection, or inquiry relating to Customer’s use of VA API access or VA API-sourced data.

Regulated Data — General

Customer shall not submit to the Services any regulated data for which additional contractual or compliance measures are required unless such measures have been fully executed and implemented. Where the Services involve Protected Health Information or similar regulated data, the parties shall execute an appropriate Business Associate Addendum before such data is processed through the Services. Vala reserves the right to restrict access to the Services for any Customer that submits regulated data without completing required prerequisite agreements.

11. Privacy; Security; Incident Response; Data Processing Addendum; BAA

Vala’s collection, use, disclosure, retention, and protection of personal information are governed by the Vala Privacy Policy, available at valaclaims.com/privacy, as updated from time to time. To the extent Vala processes personal information on Customer’s behalf in a manner subject to applicable privacy or data protection laws requiring a processor agreement (including the CCPA, GDPR, or applicable state privacy laws), the parties may execute a separate Data Processing Addendum. To the extent applicable law or VA requirements mandate a Business Associate Agreement or similar regulated-data agreement, the parties shall execute such agreement before the relevant regulated data is processed through the Services.

Vala will maintain commercially reasonable administrative, technical, and physical safeguards designed to protect Customer Data against unauthorized access, use, alteration, or disclosure. These safeguards include, without limitation: encryption of Customer Data in transit using TLS 1.2 or higher; encryption of Customer Data at rest using AES-256 or equivalent; access controls and authentication requirements; and vulnerability management practices. Customer acknowledges that no system or transmission method is completely secure and that Vala does not warrant that the Services will be immune from all security threats.

Incident Response and Breach Notification

In the event of a confirmed or reasonably suspected Security Incident involving Customer Data, Vala will apply the following tiered notification obligations:

Tier 1 — VA API-Sourced Data Incidents

Where a Security Incident involves or reasonably appears to involve VA API-Sourced Data, Vala will provide Customer with an initial notification within one (1) hour of Vala’s internal determination that a Security Incident has occurred or is reasonably suspected. This initial notification may be brief and will include: the nature of the suspected incident, the VA API connection(s) or data categories potentially affected, and an immediate point of contact at Vala. Customer acknowledges that Customer, as the VA API account holder of record, bears primary responsibility for reporting Security Incidents involving VA API access to the VA in accordance with VA Lighthouse developer agreement timelines and any applicable federal incident-reporting obligations. Vala will cooperate fully with Customer’s VA-directed reporting obligations.

Tier 2 — All Other Customer Data Incidents

For confirmed Security Incidents involving Customer Data that does not include VA API-Sourced Data, Vala will notify Customer without undue delay, and in any event within seventy-two (72) hours of Vala’s confirmation of the Security Incident.

All Incidents — Common Obligations

For all Security Incidents, Vala will:

  • Provide Customer with a description of the nature of the Security Incident, the categories and approximate volume of Customer Data affected, and the steps Vala is taking or has taken to contain and remediate the incident.

  • Cooperate reasonably with Customer in connection with Customer’s obligations to notify affected individuals, regulators, or government agencies as required by applicable law, including HIPAA breach notification rules and applicable VA reporting requirements.

  • Provide a written incident summary within thirty (30) days of confirmed discovery, unless prohibited by a law enforcement request, court order, or active forensic investigation.

Notification by Vala under this section does not constitute an admission of fault or liability. The obligations in this section are in addition to, and do not limit, any obligations set forth in a separately executed Business Associate Addendum or Data Processing Addendum.


12. Confidentiality

Each party may receive Confidential Information from the other party in connection with these Terms. The receiving party shall use the disclosing party’s Confidential Information solely as necessary to perform its obligations or exercise its rights under these Terms and shall not disclose such Confidential Information to any third party except to its employees, contractors, professional advisors, and service providers who have a need to know such information and are bound by confidentiality obligations at least as protective as those contained herein.

The obligations in this section shall not apply to information that the receiving party can demonstrate: (a) was already lawfully known to it without restriction prior to disclosure; (b) was independently developed without use of the disclosing party’s Confidential Information; (c) was rightfully received from a third party without breach of any duty; or (d) becomes publicly available through no breach by the receiving party. The receiving party may disclose Confidential Information to the extent required by law, subpoena, court order, or governmental request, provided that, where legally permitted, it gives prompt prior written notice to the disclosing party and cooperates reasonably in any effort to limit or contest the disclosure.

The parties acknowledge that Customer Data and VA API-sourced data are treated as Confidential Information of Customer (as applicable) and are subject to additional obligations under Sections 8, 10, and 11 of these Terms.

13. Intellectual Property Rights

Vala and its licensors retain all right, title, and interest in and to the Services, the Documentation, all software, models, algorithms, workflows, interfaces, know-how, designs, and technology underlying the Services, and all improvements, modifications, and derivative works thereof, together with all associated intellectual property rights. Except for the limited rights expressly granted to Customer under these Terms, no license or other right is granted by implication, estoppel, or otherwise.

To the extent Output is uniquely generated for Customer based substantially on Customer Data and does not incorporate Vala’s proprietary models, methods, or generalized training data in a manner that would prevent assignment, Vala assigns to Customer such right, title, and interest, if any, that Vala may have in such Output. Vala retains all right, title, and interest in the Services, models, generalized methods, Usage Data, and de-identified aggregated data in all cases.

14. Feedback

If Customer or any User provides suggestions, comments, recommendations, enhancement requests, corrections, ideas, or other feedback relating to the Services (“Feedback”), Vala may use, disclose, reproduce, modify, distribute, perform, display, and otherwise exploit such Feedback for any purpose, without restriction, attribution, or compensation of any kind, provided Vala does not publicly identify Customer as the source without Customer’s consent. Feedback shall not constitute Confidential Information of Customer.

15. Fees; Invoicing; Payment; Taxes; Suspension for Nonpayment

Customer shall pay all fees specified in the applicable order form or subscription flow in accordance with the stated payment terms. Except as expressly set forth otherwise, all fees are stated in U.S. dollars, are non-cancelable, and are non-refundable once invoiced or paid. If no payment term is specified, invoices are due within thirty (30) days after the invoice date.

Amounts not paid when due will accrue interest at the lesser of one and one-half percent (1.5%) per month or the maximum rate permitted by applicable law, compounded monthly from the due date until paid in full. Customer shall be responsible for all applicable sales, use, excise, value-added, goods and services, withholding, or similar taxes or levies imposed by any taxing authority on or with respect to the transactions contemplated by these Terms, excluding taxes based on Vala’s net income, property, or employees.

If Customer fails to pay any undisputed amounts when due, Vala may, upon five (5) business days’ written notice, suspend access to the Services. Customer may dispute an invoice in good faith by providing written notice to Vala within fifteen (15) days of the invoice date, specifying the basis for the dispute in reasonable detail; Vala will not suspend access solely on account of a timely and good-faith payment dispute while the parties work to resolve it.

16. Service Levels; Support; Changes to the Services

Unless expressly set forth in an order form or separate service level agreement (“SLA”), Vala does not commit to any specific uptime percentage, availability threshold, response time, support metric, or recovery objective. Vala will use commercially reasonable efforts to maintain the availability and performance of the Services and will provide standard support in accordance with its then-current support practices and Documentation.

Vala may modify, update, enhance, replace, or discontinue any aspect of the Services from time to time. Vala will not materially reduce the core functionality of the Services purchased by Customer during a paid subscription term, except where such reduction is reasonably necessary to: comply with applicable law or VA API requirements; address security or integrity concerns; avoid infringement or other material legal risk; or discontinue a feature that has become technically or commercially infeasible to support. Vala will provide reasonable advance notice of material changes where practicable.

17. Third-Party Services; Subprocessors; Dependencies; Beta Features

The Services may interoperate with or depend upon third-party software, AI models, hosting providers, communications providers, data sources, government APIs (including VA Lighthouse APIs), or integrations not controlled by Vala. Vala is not responsible for the acts, omissions, products, services, availability, security, or performance of such third parties, and Customer’s use of any third-party service is governed by the applicable third-party terms.

Subprocessors

Vala may engage third-party subprocessors to process Customer Data in connection with the Services. Vala maintains a list of its current subprocessors, which is available upon Customer’s written request. Vala will: (a) enter into written agreements with each subprocessor imposing data protection obligations at least as protective as those applicable to Vala under these Terms with respect to Customer Data; (b) remain liable for the acts and omissions of its subprocessors to the same extent Vala would be liable if it performed the subprocessing itself; and (c) provide Customer with at least thirty (30) days’ prior notice of any material changes to its subprocessor list if Customer has requested such notifications in writing.

Where the Services involve VA API-sourced data, Vala will ensure that no subprocessor processes or stores VA API-sourced data outside the United States without the VA’s express authorization.

Beta Features

From time to time, Vala may make available beta, pilot, early-access, preview, or experimental features. Such features are provided “as is,” may be changed or withdrawn at any time, may be subject to additional terms, are not covered by any SLA, and may not be appropriate for production use or for use in connection with consequential veteran claims decisions.

18. Representations and Disclaimers

Each party represents and warrants that: (a) it has the full power and authority to enter into these Terms; (b) these Terms have been duly authorized and, upon execution, constitute a binding obligation; and (c) its execution and performance of these Terms do not violate any agreement, obligation, or applicable law.

Customer further represents and warrants that: (a) it will use the Services in accordance with these Terms and all applicable laws and professional obligations; (b) Customer Data does not infringe, misappropriate, or violate any third-party right; (c) Customer has obtained all required authorizations to submit Customer Data to the Services; and (d) Customer is not on any denied-party, debarment, or sanctions list.

EXCEPT AS EXPRESSLY SET FORTH IN THESE TERMS, THE SERVICES, DOCUMENTATION, OUTPUT, AND ALL RELATED MATERIALS ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, VALA EXPRESSLY DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT, ACCURACY, RELIABILITY, AVAILABILITY, QUIET ENJOYMENT, AND ANY WARRANTIES ARISING FROM COURSE OF DEALING, USAGE, OR TRADE PRACTICE. VALA DOES NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED, ERROR-FREE, SECURE, OR FREE OF HARMFUL COMPONENTS, OR THAT OUTPUT WILL BE ACCURATE, COMPLETE, CURRENT, OR FIT FOR CUSTOMER’S INTENDED USE.

19. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL VALA OR ITS AFFILIATES, LICENSORS, SERVICE PROVIDERS, OR SUPPLIERS BE LIABLE FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, EXEMPLARY, PUNITIVE, OR ENHANCED DAMAGES, OR FOR ANY LOSS OF PROFITS, REVENUES, GOODWILL, DATA, BUSINESS OPPORTUNITY, ANTICIPATED SAVINGS, OR INTERRUPTION OF BUSINESS, ARISING OUT OF OR RELATING TO THESE TERMS OR THE SERVICES, REGARDLESS OF THE THEORY OF LIABILITY AND EVEN IF VALA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE AGGREGATE LIABILITY OF VALA AND ITS AFFILIATES ARISING OUT OF OR RELATING TO THESE TERMS OR THE SERVICES SHALL NOT EXCEED THE TOTAL FEES PAID OR PAYABLE BY CUSTOMER TO VALA FOR THE SERVICES GIVING RISE TO THE CLAIM DURING THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM.

The foregoing limitations shall not apply to: (a) liability arising from Vala’s gross negligence, willful misconduct, or fraud; (b) liability that cannot be excluded or limited under applicable law; or (c) Customer’s payment obligations under these Terms.

20. Indemnification

Customer’s Indemnification of Vala

Customer shall defend, indemnify, and hold harmless Vala, its affiliates, and their respective officers, directors, employees, contractors, agents, successors, and permitted assigns from and against any third-party claims, actions, proceedings, damages, liabilities, judgments, settlements, penalties, fines, costs, and expenses (including reasonable attorneys’ fees) arising out of or relating to: (a) Customer Data or Customer’s submission of Customer Data to the Services; (b) Customer’s use of the Services in violation of these Terms; (c) Customer’s violation of applicable law or professional obligation; (d) Customer’s infringement or misappropriation of any third-party intellectual property right; or (e) Customer’s unauthorized use of VA API-sourced data.

Vala’s Indemnification of Customer

Vala shall defend, indemnify, and hold harmless Customer from and against any third-party claims alleging that the Services, as used by Customer in accordance with these Terms, infringe any U.S. patent, copyright, trademark, or trade secret of a third party. This obligation shall not apply to the extent a claim arises from: (i) Customer’s modification of the Services; (ii) use of the Services in combination with technology not provided or authorized by Vala; (iii) use of the Services in violation of these Terms; or (iv) Customer’s own intellectual property.

Indemnification Procedure

The indemnified party shall: (a) promptly notify the indemnifying party of any indemnified claim; (b) grant the indemnifying party reasonable control over the defense and settlement of the claim; and (c) provide reasonable cooperation at the indemnifying party’s expense. The indemnifying party may not settle any claim in a manner that admits fault of or imposes non-monetary obligations on the indemnified party without the indemnified party’s prior written consent.

21. Suspension Rights

Vala may suspend or restrict access to the Services, in whole or in part, immediately upon notice or, where necessary to prevent harm, without prior notice, if Vala reasonably determines that: (a) Customer or any User has violated these Terms or any applicable law; (b) Customer or any User poses a security risk to the Services, Vala, other customers, or third parties; (c) Customer’s use of the Services may create liability for Vala; (d) Customer has failed to pay undisputed fees when due and has not cured after notice; (e) suspension is required to comply with law, court order, subpoena, or VA or government directive; or (f) there is an active Security Incident affecting Customer’s account.

Vala will use commercially reasonable efforts to: limit any suspension to the affected account, feature, or conduct; notify Customer of the reason for suspension as soon as legally and operationally practicable; and restore access once the underlying issue has been resolved, where restoration is appropriate. Suspension does not relieve Customer of its payment obligations.

22. Term; Termination

These Terms commence on the earlier of the date Customer first accepts them or first accesses the Services and will continue until terminated in accordance with these Terms. If Customer purchases a subscription term, the subscription will continue for the period stated in the applicable order form and will automatically renew as provided therein unless either party provides written notice of non-renewal at least thirty (30) days before the end of the then-current term.

Either party may terminate these Terms or any applicable order form if the other party materially breaches these Terms and fails to cure such breach within thirty (30) days after written notice specifying the nature of the breach in reasonable detail, except that termination may be immediate where the breach is not curable by its nature. Vala may terminate these Terms immediately upon written notice if Customer: (a) becomes insolvent, ceases business operations, or is subject to bankruptcy, insolvency, receivership, or assignment-for-the-benefit-of-creditors proceedings not dismissed within sixty (60) days; (b) uses the Services in a manner that creates material legal, regulatory, security, or reputational risk to Vala or constitutes a violation of applicable VA API terms or government regulations; or (c) engages in unauthorized use of VA API-sourced data.

23. Effect of Termination; Data Export; Retention; Deletion

Upon expiration or termination of these Terms or an applicable order form, Customer’s rights to access and use the affected Services will cease, and Customer shall discontinue all use of the Services. Sections 4, 5, 8, 10, 12, 13, 14, 18, 19, 20, 23, 24, and 27, and all payment obligations accrued prior to termination, shall survive expiration or termination of these Terms.

Subject to Vala’s then-current product capabilities, Documentation, and any applicable addendum, Vala will make Customer Data available for export in a standard, machine-readable format for a period of thirty (30) days following the effective date of termination or expiration, after which Vala may delete or render inaccessible Customer Data in accordance with its then-current retention schedules and internal policies. Customer is solely responsible for exporting Customer Data prior to the end of the post-termination export period.

Notwithstanding the foregoing, Vala may retain Customer Data to the extent required by: applicable law, regulation, or VA record-retention requirements; subpoena, court order, or audit obligation; backup and disaster-recovery practices (subject to scheduled purge cycles); enforcement of these Terms; resolution of disputes; collection of fees; or protection of legal rights. Such retained data shall remain subject to the confidentiality and security obligations of these Terms.

24. Governing Law; Mandatory Arbitration; Class Action Waiver

Governing Law

These Terms and any dispute arising out of or relating to these Terms or the Services shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflicts-of-law principles, except that the Federal Arbitration Act (9 U.S.C. §§ 1 et seq.) shall govern the interpretation, enforcement, and all proceedings pursuant to the arbitration clause in this Section 24.

Mandatory Binding Arbitration

PLEASE READ THIS SECTION CAREFULLY. IT AFFECTS YOUR LEGAL RIGHTS, INCLUDING YOUR RIGHT TO FILE A LAWSUIT IN COURT.

Except for the limited exceptions set forth below, any dispute, controversy, or claim arising out of or relating to these Terms, the Services, or the breach, termination, enforcement, interpretation, or validity thereof (collectively, “Dispute”), shall be resolved by final and binding arbitration administered by the American Arbitration Association (“AAA”) under its Commercial Arbitration Rules (or, if Customer is a consumer, its Consumer Arbitration Rules), as in effect at the time the Dispute is submitted. The arbitration shall be conducted by a single arbitrator, except that Disputes involving claims exceeding five hundred thousand dollars ($500,000) shall be conducted by a panel of three arbitrators. The seat of arbitration shall be San Francisco, California, and the arbitration may be conducted remotely where the parties and the arbitrator agree. The language of arbitration shall be English.

The arbitrator shall have exclusive authority to resolve any Dispute, including any dispute as to the scope, applicability, or enforceability of this arbitration clause. The arbitrator’s award shall be final and binding and may be entered as a judgment in any court of competent jurisdiction. Each party shall bear its own fees and costs in connection with arbitration, except that the arbitrator may award fees and costs to the prevailing party in accordance with applicable law.

Exceptions to Arbitration

The following claims are exempt from mandatory arbitration and may be brought in a court of competent jurisdiction: (a) claims for injunctive or other equitable relief to prevent the actual or threatened infringement, misappropriation, or violation of intellectual property rights or Confidential Information; (b) claims that applicable law expressly requires to be resolved in court; and (c) small-claims-court actions, if eligible.

CLASS ACTION WAIVER

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, ALL DISPUTES SHALL BE RESOLVED ON AN INDIVIDUAL BASIS. NEITHER PARTY MAY BRING OR PARTICIPATE IN ANY CLASS, COLLECTIVE, CONSOLIDATED, PRIVATE ATTORNEY GENERAL, OR REPRESENTATIVE ACTION OR ARBITRATION. THE ARBITRATOR MAY NOT CONSOLIDATE MORE THAN ONE PERSON’S OR ENTITY’S CLAIMS, AND MAY NOT OTHERWISE PRESIDE OVER ANY FORM OF REPRESENTATIVE PROCEEDING. IF THIS CLASS ACTION WAIVER IS FOUND UNENFORCEABLE IN A PARTICULAR CASE, THE ARBITRATION AGREEMENT SHALL NOT APPLY TO THAT CASE, AND THE CASE SHALL PROCEED IN COURT.

Jury Trial Waiver

TO THE EXTENT ANY DISPUTE IS NOT SUBJECT TO ARBITRATION, EACH PARTY IRREVOCABLY WAIVES ANY RIGHT TO A TRIAL BY JURY IN CONNECTION WITH SUCH DISPUTE. THE STATE AND FEDERAL COURTS LOCATED IN THE STATE OF CALIFORNIA SHALL HAVE EXCLUSIVE JURISDICTION OVER SUCH MATTERS, AND EACH PARTY IRREVOCABLY CONSENTS TO PERSONAL JURISDICTION AND VENUE IN SUCH COURTS.

25. Notices

Any notice required or permitted under these Terms must be in writing and will be deemed given when: (a) delivered personally; (b) sent by nationally recognized overnight courier (effective on the date of confirmed delivery); (c) sent by certified or registered mail, return receipt requested (effective three business days after mailing); or (d) for operational, billing, and routine notices only, sent by email to Customer’s designated account or billing address and confirmed by electronic delivery receipt.

Notices of termination, indemnifiable claims, Security Incidents, legal proceedings, or other notices where formal delivery is legally required shall not be given solely by email. Notices to Vala shall be addressed to: Vala, Inc., Attn: Legal Department, 53325 Avenida Madero, La Quinta, CA 92253, with a copy to legal@valaclaims.com. Customer is responsible for keeping its account and billing contact information current in the Services.

26. Modifications to These Terms

Vala may modify these Terms from time to time. If Vala makes a material change to these Terms, Vala will provide notice at least thirty (30) days before the change takes effect by: posting the updated Terms on its website; notifying Customer through the Services; or sending notice to Customer’s email address on file.

Customer’s continued access to or use of the Services after the effective date of modified Terms constitutes acceptance of the modified Terms. If Customer does not agree to the modified Terms, Customer must provide written notice of non-acceptance to Vala before the effective date and stop using the Services; in such case, if Customer is in a paid subscription term, Vala will provide a pro-rated refund for the unused portion of the prepaid term as Customer’s sole remedy.

Notwithstanding the foregoing, Vala may make immediate modifications to these Terms without advance notice where required to comply with applicable law or VA requirements, or to address security concerns.

27. Miscellaneous; Force Majeure; Export; Accessibility

Entire Agreement; Order of Precedence

These Terms, together with all documents incorporated by reference, applicable order forms, and addenda, constitute the entire agreement between the parties with respect to the subject matter hereof and supersede all prior or contemporaneous proposals, communications, statements, negotiations, and agreements, whether oral or written, relating to such subject matter. In the event of conflict, the order of precedence is: (1) executed Business Associate Addendum or Data Processing Addendum (for their respective subject matter); (2) executed order form (for commercial subject matter); (3) these Terms.

Force Majeure

Neither party shall be liable for any failure or delay in performance to the extent caused by circumstances beyond such party’s reasonable control, including acts of God, natural disasters, pandemics, government actions, cyberattacks originating from nation-state actors, war, terrorism, labor disputes, or widespread internet or infrastructure outages (each, a “Force Majeure Event”), provided that the affected party: (a) gives prompt written notice of the Force Majeure Event to the other party; (b) uses commercially reasonable efforts to mitigate the effects of the Force Majeure Event; and (c) resumes performance as soon as reasonably practicable. If a Force Majeure Event continues for more than sixty (60) days, either party may terminate the affected order form upon written notice, and Vala shall refund any prepaid fees for Services not delivered during the Force Majeure period.

Export Compliance

Customer represents and warrants that it will not access or use the Services in violation of U.S. export laws and regulations, including the Export Administration Regulations (EAR, 15 C.F.R. Parts 730–774) and the International Traffic in Arms Regulations (ITAR, 22 C.F.R. Parts 120–130). Customer represents that neither Customer nor any User is located in, or acting on behalf of, a country or territory subject to a U.S. government embargo, or is a party identified on any U.S. government denied-party or restricted-party list. Customer shall not permit any such person to access or use the Services.

Accessibility

Vala endeavors to maintain the Services in a manner consistent with applicable accessibility standards, including Section 508 of the Rehabilitation Act (29 U.S.C. § 794d) where applicable to the Services, and will provide a current Voluntary Product Accessibility Template (VPAT) upon Customer’s written request. Customer is responsible for ensuring that its own use of the Services — including any customer-configured interfaces, forms, or workflows — meets applicable accessibility obligations.

Severability; Waiver; Construction

If any provision of these Terms is held to be invalid, illegal, or unenforceable, the remaining provisions shall remain in full force and effect, and the invalid provision shall be enforced to the maximum extent permitted by law or replaced by an enforceable provision that most closely reflects the original intent. The failure of either party to enforce any provision of these Terms will not operate as a waiver of that provision or any other provision. No waiver will be effective unless in writing and signed by an authorized representative of the waiving party. These Terms shall be construed without regard to any presumption or rule requiring construction against the drafting party.

Assignment

Customer may not assign or transfer these Terms, in whole or in part, without Vala’s prior written consent, which shall not be unreasonably withheld, except that Customer may assign these Terms without consent in connection with a merger, acquisition, or sale of substantially all of Customer’s assets to a non-competitor of Vala. Vala may assign these Terms without restriction in connection with a merger, acquisition, corporate reorganization, financing transaction, sale of assets, or by operation of law. Any purported assignment in violation of this section is null and void.

Relationship of the Parties; No Third-Party Beneficiaries

Nothing in these Terms creates any partnership, joint venture, franchise, fiduciary, employment, agency, or other special relationship between the parties. There are no third-party beneficiaries to these Terms except as expressly stated herein. In particular, veterans and claimants whose data may be processed through the Services are not third-party beneficiaries of, and have no direct rights under, these Terms.

Government Customers

If Customer is a U.S. federal, state, or local government entity, the Services are provided as “commercial items” as defined in 48 C.F.R. § 2.101 and constitute “commercial computer software” and “commercial computer software documentation” as used in 48 C.F.R. § 12.212. Government customers acquire the Services with only those rights specified in these Terms.

28. Definitions

As used in these Terms, the following capitalized terms have the meanings set forth below.

“Authorized Purpose”: means the specific use case for which Customer has received access to VA APIs, as approved by the U.S. Department of Veterans Affairs and described in Customer’s approved developer application.

“Business Associate Addendum” or “BAA”: means a business associate agreement, business associate addendum, or similar agreement executed between Vala and Customer governing Vala’s processing of Protected Health Information on Customer’s behalf, as required by HIPAA.

“Competitor”: means any individual or entity whose primary or substantial business activity includes developing, marketing, operating, licensing, or commercially providing a software platform, AI-enabled tool, or SaaS product that operates in the veterans benefits claims technology space — regardless of whether that product is currently offered on a business-to-business (B2B), business-to-consumer (B2C), business-to-government (B2G), or hybrid basis — including platforms that assist veterans directly with claims filing, platforms that serve VA-accredited practitioners, and platforms that aggregate or analyze veterans benefits data in a manner that could be used to enter or expand into the market served by the Services. This includes any employee, contractor, officer, or director acting in their capacity for such entity. For the avoidance of doubt, this definition does not apply to VA-accredited attorneys, VA-accredited claims agents, VSOs, or individual practitioners who are customers or prospective customers of Vala and who also use or evaluate other software tools in the ordinary course of their professional practice, provided their access to the Services is for legitimate practice management purposes and not for competitive intelligence gathering.

“Confidential Information”: means non-public information disclosed by one party to the other that is designated as confidential or that reasonably should be understood to be confidential based on its nature and the circumstances of disclosure, excluding information that falls within any of the exceptions in Section 12.

“Customer”: means the person or entity accepting these Terms or identified in the applicable order form.

“Customer Data”: means all data, documents, records, files, prompts, inputs, communications, images, text, and metadata submitted by Customer or Users that are submitted to, stored in, transmitted through, or processed by the Services on Customer’s behalf, including any personal information, Protected Health Information, or VA API-sourced data contained therein, excluding Usage Data and de-identified aggregated data created by Vala.

“Data Processing Addendum” or “DPA”: means a data processing agreement, data processing addendum, or similar agreement executed between Vala and Customer governing Vala’s processing of personal data on Customer’s behalf under applicable privacy law.

“Documentation”: means Vala’s user guides, help materials, technical documentation, implementation instructions, and product usage guidance made available for the Services, as updated from time to time.

“Feedback”: has the meaning set forth in Section 14.

“Force Majeure Event”: has the meaning set forth in Section 27.

“HIPAA”: means the Health Insurance Portability and Accountability Act of 1996 (Pub. L. 104-191) and its implementing regulations, including the HIPAA Privacy Rule (45 C.F.R. Parts 160 and 164), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act.

“Order Form”: means any ordering document, statement of work, online checkout flow, subscription page, or similar commercial record specifying the Services purchased, subscription term, fees, or other commercial terms.

“Output”: means any summary, extraction, recommendation, transcript, classification, draft, analysis, report, generated text, or other content returned or produced by the Services in response to Customer Data or User inputs.

“Protected Health Information” or “PHI”: has the meaning set forth in HIPAA (45 C.F.R. § 160.103).

“Security Incident”: means any confirmed unauthorized access to, disclosure of, or destruction, modification, or loss of Customer Data processed by Vala, or any confirmed breach of Vala’s security controls materially affecting the confidentiality, integrity, or availability of the Services.

“Services”: means the website, software, hosted platform, APIs, applications, AI-enabled tools, integrations, Documentation, and related offerings provided by Vala under these Terms, as described in applicable Documentation and order forms.

“User”: means any employee, contractor, representative, agent, or other individual authorized by Customer to access or use the Services on Customer’s behalf.

“Usage Data”: means technical logs, telemetry, analytics, metadata, event records, and similar information generated by or collected through operation of the Services, excluding Customer Data in identifiable form.

“VA”: means the U.S. Department of Veterans Affairs.

“VA API-Sourced Data”: means any data, records, or information retrieved through VA APIs, including the VA Lighthouse platform (developer.va.gov), or otherwise obtained from VA data systems in connection with Customer’s use of the Services.

“Vala”: means Vala, Inc., a Delaware corporation, together with its successors and permitted assigns.