Data Processing Agreement

1.1 Parties and Roles

The Clinic is the Controller; Dentospire is the Processor. The Clinic is responsible for the lawful basis of processing and for obtaining consents from patients and staff. Dentospire processes personal data only on the Clinic's documented instructions (including the use of the Service) and as required by law.

1.2 Subject Matter

Processing of personal data for dental practice management: patient records, clinical notes, X-rays and intraoral photos, appointments, invoices, communications, and related audit logs.

1.3 Categories of Data

• Identification: name, contact, date of birth, gender
• Clinical: history, diagnosis, treatment plans, notes, X-rays, intraoral photos
• Financial metadata: invoice line items, payment method category (no card numbers stored)
• Operational: appointment history, communication logs, audit trails

1.4 Categories of Data Subjects

Patients, clinic staff, lab partners, suppliers, and other contacts entered by the Clinic.

1.5 Processor Obligations

1. Process only on Clinic's documented instructions.
2. Ensure authorised personnel are under confidentiality obligations.
3. Implement the technical and organisational security measures in §2.
4. Engage sub-processors only on conditions no less protective than this Agreement.
5. Assist the Clinic with data subject rights requests.
6. Notify the Clinic of data breaches within 72 hours.
7. Delete or return data on termination.
8. Make compliance information available on reasonable request (max once/year, or after a breach).

1.6 Sub-Processors

The current list of sub-processors is published at /legal/sub-processors. Dentospire will notify the Clinic of new sub-processors at least 30 days before engagement. The Clinic may object on reasonable data-protection grounds.

Technical Measures

• Encryption at rest: AES-256 on database (Neon PostgreSQL), file storage (Cloudflare R2, Vercel Blob), and backups.
• Field-level encryption: AES-256-GCM on PII fields.
• Encryption in transit: TLS 1.2+ on all connections; HSTS enforced.
• Authentication: Clerk-managed with bcrypt, JWT, optional 2FA, and OAuth.
• Access control: 7-role RBAC scoped by clinicId for multi-tenant isolation.
• Audit logging: Append-only logs for sensitive actions.
• Rate limiting: 60 req/min general; 10 req/min auth.
• Bot detection: Middleware-layer blocking of 35+ patterns.
• Security headers: CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy.

Organisational Measures

• Production access limited to named personnel under signed NDAs.
• Sub-processors selected based on security posture (SOC 2 / ISO 27001 where applicable).
• Daily encrypted backups across multiple providers (dual-cloud: Cloudflare R2 + Google Drive; selective mirror to MEGA).
• Backup payloads are AES-256-GCM encrypted before upload.
• Documented incident response procedure (§6 below).

Primary data storage is in India (Neon PostgreSQL, Mumbai / ap-south-1). Other sub-processors may store or process personal data outside the Clinic's country — see /legal/sub-processors for specific locations.

For Clinics in jurisdictions that restrict cross-border transfer, Dentospire relies on the applicable transfer mechanism:

• UK: UK International Data Transfer Agreement (IDTA) — see §4.
• EU/EEA: Standard Contractual Clauses (2021/914) — addendum forthcoming.
• India: No restriction applies for domestic transfers (primary data in India).

This section applies in addition to the Core Terms for UK-established Clinics.

4.1 Article 28 Compliance

This Agreement is intended to satisfy UK GDPR Article 28 in all material respects (see Core Terms §1.5 obligations).

4.2 UK → India Transfer Mechanism

India is not on the UK government's adequacy list. Accordingly, the parties incorporate the UK International Data Transfer Agreement (IDTA) issued by the ICO (in force 21 March 2022, as amended) to govern transfers of UK Clinic data to India.

A counter-signed PDF copy of the DPA with completed IDTA Part 1 tables is available on request: privacy@dentospire.com.

4.3 Transfer Impact Assessment

Dentospire has conducted a Transfer Impact Assessment considering Indian data-access laws (IT Act 2000, DPDP Act 2023, CrPC warrants), the risk profile for dental clinical data, and supplementary measures (AES-256-GCM field-level encryption). The parties consider the transfer to provide protection essentially equivalent to UK GDPR. TIA available on request.

4.4 ICO Registration

Dentospire is registered with the ICO as a data processor. Registration number: [PENDING — filing in progress, target within 7 days of first UK Clinic sign-up].

4.5 CQC Inspection Support

On reasonable request, Dentospire will provide audit logs, access records, and security-configuration evidence to support Care Quality Commission or ICO inspections of the Clinic. SLA: 5 working days.

4.6 Governing Law (this section)

The UK Addendum is governed by the laws of England and Wales. Disputes arising from UK data-protection obligations may be brought in the courts of England and Wales.

This section applies in addition to the Core Terms for India-established Clinics.

5.1 Roles under DPDP

Under India's Digital Personal Data Protection Act 2023, the Clinic is the Data Fiduciary and Dentospire is the Data Processor. The Clinic is responsible for notice and consent of Data Principals (patients, staff).

5.2 Grievance Officer

Dentospire has appointed a Grievance Officer for DPDP Act matters. Contact privacy@dentospire.com with "DPDP GRIEVANCE" in the subject line. Response SLA: 30 days from receipt (statutory maximum).

5.3 Data Residency

Primary Personal Data of India Clinics is stored in India (Neon PostgreSQL, Mumbai region). Some sub-processors process certain categories outside India (see /legal/sub-processors) — these transfers are permitted under DPDP §16 pending the Central Government's final country list.

5.4 Data Principal Rights

Dentospire supports the Clinic in responding to:

• Right to access (DPDP §11) — export tools in dashboard.
• Right to correction and erasure (§12) — direct edit + deletion on request.
• Right to grievance redressal (§13) — via the Grievance Officer.
• Right to nominate (§14) — Clinic captures nomination in patient record.

5.5 Children's Data

Processing of children's personal data (under 18) by the Clinic requires verifiable parental consent under DPDP §9. Dentospire provides fields in the patient record to capture guardian consent; the Clinic remains responsible for obtaining it.

Timing

Dentospire will notify the Clinic of any personal data breach within 72 hours of becoming aware of it.

Contents

• Nature of the breach, categories and approximate numbers affected.
• Likely consequences.
• Measures taken or proposed.
• Contact point for further information.

Cooperation

Dentospire will cooperate with the Clinic's notifications to the ICO (UK), DPB India, or other supervisory authorities, and with notifications to affected data subjects where required.

Clinics may request earlier deletion at any time via privacy@dentospire.com, subject to legal-hold obligations.

Data Protection Contact: privacy@dentospire.com

Grievance Officer (India DPDP): same address, subject line "DPDP GRIEVANCE".

UK / EU correspondence: same address. A UK Representative will be appointed if required under Article 27 UK GDPR.

Signed Copy

A counter-signed PDF of the full DPA (Core + UK/India Addenda + IDTA Part 1 tables) is available on written request. Most Clinics find this link sufficient evidence for CQC, ICO, or DPDP audit files; a signed PDF is available for those who require one.

By continuing to use the Service after this Agreement is published, the Clinic accepts these terms. The canonical version of this DPA is https://dentospire.com/legal/dpa.