Dental·Polyglot
Version 1.0 (Draft)

Data Processing Agreement

Draft, not yet in force

This document is under legal review and is not yet binding. Wording, retention periods, and the contracting entity are still being finalized. Do not rely on it yet.

This Data Processing Agreement forms part of the Terms of Service between the clinic ("Controller") and DentalPolyglot SRL (in formation) ("Processor"). It applies because the Service processes patient personal data, including special-category health data, on the Controller's behalf. Companion document: Privacy Policy.

1. Roles and scope

1.1 The Controller (the clinic) determines the purposes and means of processing Patient Data. The Processor processes Patient Data only on the Controller's documented instructions, which include the Terms of Service and the Controller's use of the Service's features.

1.2 This Agreement applies to all processing of Patient Data the Processor carries out on the Controller's behalf.

1.3 The Controller warrants that it has a valid lawful basis under Articles 6 and 9 GDPR for the Patient Data it submits or invites patients to submit through the Service, and that it provides patients with the privacy information required of it as controller.

2. Description of processing

The subject matter, duration, nature and purpose of processing, the categories of data subjects, and the types of personal data are set out in Annex A.

3. Processor obligations

The Processor shall:

  • process Patient Data only on the Controller's documented instructions, including for international transfers, unless required by law;
  • ensure persons authorized to process Patient Data are bound by confidentiality;
  • implement the security measures in Annex C;
  • engage subprocessors only under Section 4;
  • assist the Controller, given the nature of processing, in responding to data-subject requests;
  • assist the Controller with security, breach notification, data protection impact assessments, and prior consultation;
  • notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a personal-data breach affecting Patient Data, with the information needed for the Controller's own notification duties;
  • not use Patient Data for its own purposes, including the training or improvement of AI models;
  • forward to the Controller, without answering on the merits, any request it receives directly from a patient concerning Patient Data;
  • at the Controller's choice, delete or return Patient Data when services end, subject to legal retention and routine backups as described in the Privacy Policy;
  • make available the information needed to demonstrate compliance and allow audits under Section 6.

4. Subprocessors

4.1 The Controller grants general authorization for the subprocessors in Annex B.

4.2 The Processor will give the Controller at least 30 days' notice of intended subprocessor additions or replacements, allowing objection on reasonable data-protection grounds. If an objection cannot be resolved, the Controller may terminate the affected part of the Service.

4.3 The Processor binds each subprocessor to obligations no less protective than this Agreement and remains liable for their performance.

5. International transfers

Where Patient Data is transferred outside the EEA, the Processor relies on a valid transfer mechanism (such as Standard Contractual Clauses). Locations and mechanisms are in Annex B.

6. Audit

The Processor will respond to reasonable audit requests, which may be satisfied through documentation, security summaries, or third-party reports, so as not to disrupt the Service or compromise other clinics' data.

7. Liability

Liability under this Agreement is subject to the limitations of liability in the Terms of Service.

8. Term

This Agreement remains in effect for as long as the Processor processes Patient Data on the Controller's behalf.

Annex A: Description of processing

  • Data subjects: the clinic's patients and prospective patients.
  • Personal data: name, contact details, free-text messages, scheduling data.
  • Special-category data: health data within treatment plans (diagnoses, per-tooth findings), uploaded medical documents (such as x-rays), and any identity or insurance documents patients upload.
  • Nature and purpose: storage, translation (including AI-assisted), display, and transmission of patient communications, treatment-plan management, scheduling, and email delivery, to operate the Tenant Site and dashboard.
  • Duration: the term of the Service, plus the retention periods in the Privacy Policy.

Annex B: Authorized subprocessors

  • Neon (database, EU Frankfurt): all stored Patient Data. Data at rest in the EU; vendor DPA with Standard Contractual Clauses for residual US access.
  • Vercel (hosting, CDN, file storage, EU Frankfurt primary): page traffic, uploaded patient documents. EU-US Data Privacy Framework; vendor DPA.
  • Anthropic (AI-assisted translation, plan text extraction, AI chat assistance): message and treatment-plan text submitted for translation or extraction. Standard Contractual Clauses; API inputs are not used for model training.
  • Resend (transactional email): recipient name and email, message subject and body. EU-US Data Privacy Framework; vendor DPA.
  • Meta Platforms Ireland (WhatsApp Business Platform) (where the Controller enables the WhatsApp line): phone number, message content, and media, transiently retained by Meta for delivery. EU-US Data Privacy Framework; WhatsApp Business Data Processing Terms. Meta processes message metadata as an independent controller for its own purposes.
  • Upstash (rate limiting and cache): IP-keyed request counters only, no message content. EU-US Data Privacy Framework with SCC fallback.
  • Sentry (error monitoring): error reports with personal data scrubbed before transmission. EU-US Data Privacy Framework with SCC fallback.

Payment processing (Stripe) concerns the Controller's billing data only; no Patient Data reaches Stripe, so it is not a subprocessor under this Agreement (see the Privacy Policy).

Annex C: Security measures

  • Encryption in transit.
  • Hashed passwords (Argon2id).
  • Tenant data isolation enforced with database row-level security.
  • Role-based access controls.
  • Rate limiting on sensitive endpoints.
  • Personal-data scrubbing in error logs before transmission.
  • Restricted administrative access with second-factor authentication.
  • Backups with point-in-time recovery.
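The tenant-isolation measure in Annex C is the control that keeps one clinic's patient data from another's, so it is the one a reviewing clinic will most want to see demonstrated. The following is an added illustration of how row-level security is typically wired up in PostgreSQL (the database Neon provides); it is not code from the DentalPolyglot project. The table and column names (patients, clinic_id), the role name app_rw, and the session variable app.clinic_id are assumptions made for the example.

```sql
-- Added illustration, not the project's own schema. Table/column names,
-- the role app_rw and the session variable app.clinic_id are assumptions.

CREATE TABLE patients (
  id         bigserial PRIMARY KEY,
  clinic_id  uuid NOT NULL,
  full_name  text NOT NULL,
  notes      text
);

-- The application connects as a role that does not own the table and is
-- not a superuser; superusers always bypass row-level security.
CREATE ROLE app_rw NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON patients TO app_rw;
GRANT USAGE, SELECT ON SEQUENCE patients_id_seq TO app_rw;

ALTER TABLE patients ENABLE ROW LEVEL SECURITY;
-- FORCE makes the policy apply to the table owner as well; without it an
-- owner-role connection would see every tenant's rows.
ALTER TABLE patients FORCE ROW LEVEL SECURITY;

-- current_setting(..., true) returns NULL instead of raising when the
-- variable is unset; NULLIF also maps an empty string to NULL. A NULL
-- comparison excludes every row, so a request that forgets to set the
-- tenant sees nothing rather than everything.
CREATE POLICY tenant_isolation ON patients
  USING      (clinic_id = NULLIF(current_setting('app.clinic_id', true), '')::uuid)
  WITH CHECK (clinic_id = NULLIF(current_setting('app.clinic_id', true), '')::uuid);

-- Per request, inside one transaction. SET LOCAL is reverted at COMMIT or
-- ROLLBACK, which matters when connections are pooled and reused.
BEGIN;
SET LOCAL ROLE app_rw;
SET LOCAL app.clinic_id = '11111111-1111-1111-1111-111111111111';

INSERT INTO patients (clinic_id, full_name)
  VALUES ('11111111-1111-1111-1111-111111111111', 'Test Patient');  -- passes WITH CHECK

SELECT count(*) FROM patients;   -- counts only rows with this clinic's clinic_id

-- A row tagged with another tenant is rejected by WITH CHECK, so an
-- application bug cannot write into a different clinic's data either.
INSERT INTO patients (clinic_id, full_name)
  VALUES ('22222222-2222-2222-2222-222222222222', 'Other Clinic');  -- error: new row violates row-level security policy
ROLLBACK;
```

The two checks worth asking for in an audit under Section 6 are that FORCE ROW LEVEL SECURITY is set on every table holding Patient Data and that the role the application connects with is neither the table owner nor a superuser; with both in place the policy, not application code, is what bounds each query to one clinic.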