Last updated: 2026-07-14

Data Processing Agreement (DPA)

Data processing agreement between the Clinic (controller) and DentOrd (processor).

Working draft DPA. Legal review is required before paid production in 2027. Accepted via Terms at signup (clickwrap).

1. Parties

Clinic (Controller) ↔ DentOrd (Processor).

This DPA governs processing of patient data and related categories the Clinic enters into DentOrd.

2. Subject and duration

Subject: processing of personal and health data to provide the DentOrd SaaS service.

Duration: while the Clinic has an active account or while retention/deletion obligations after termination continue.

3. Nature of processing

Hosting, storage, in-app display, email delivery (reminders/transactional), backup and related technical operations needed for the service.

4. Types of data

Identity and contact data, health data and documents entered by the Clinic, appointments, invoices and related admin records.

5. Data subject categories

Clinic patients and Clinic employees/users whose data is processed in the service.

6. Processor obligations

The Processor processes patient data solely to provide DentOrd to the Clinic and on the Controller’s documented instructions (including in-app configuration).

The Processor does not use patient data to train public third-party AI models without an explicit contractual basis and Controller approval.

Obligations include: staff confidentiality, appropriate technical and organisational measures, assistance with data-subject rights, and engagement of sub-processors under equivalent protections.

7. Sub-processors

Current sub-processors include: Supabase, Vercel, Resend, Sentry, PostHog (no patient names in analytics), and Stripe once billing starts.

Material sub-processor changes will be notified to the Controller within a reasonable time, with a right to object under applicable law.

8. International transfers

Default processing is in the EU. If a transfer outside the EEA is ever required, appropriate mechanisms (e.g. SCCs) will be used where legally necessary.

9. Data-subject rights — assistance

The Processor will reasonably assist the Controller in responding to data-subject requests (access, rectification, erasure, portability) via in-app tools and support.

10. Breach notification

In case of a personal-data breach, the Processor will notify the Controller without undue delay — indicative 72 hours from awareness — with information available at that time.

11. Deletion / return after termination

After termination, the Controller may export data within the stated window. The Processor then deletes or anonymises Clinic data, except where law requires longer retention.

12. Audit rights

The Controller may, at reasonable intervals, under NDA and prior notice, request information or an audit relevant to the Processor’s compliance with this DPA.

13. Acceptance (clickwrap)

This DPA is deemed accepted when the Clinic owner checks acceptance of Terms + Privacy at signup. No additional signature is required for v1 unless parties agree otherwise.

Questions: support@dentord.com.