Data Processing Agreement

Parties

Data Controller (Clinic)

The dental clinic, healthcare entity, or licensed professional registered on the dentisti.pro platform who determines the purposes and means of processing Patient Data.

Data Processor (dentisti.pro)

dentisti.pro SRL
Via Example 123, 00100 Rome, Italy
VAT ID: IT12345678901
Email: dpo@dentisti.pro

This DPA applies to all processing of personal data (including special category health data) by dentisti.pro on behalf of the Clinic through the Platform.

Processing Details

Subject Matter

Provision of cloud-based dental practice management software-as-a-service, including patient record management, appointment scheduling, billing, communication, and analytics tools.

Duration

The duration of the processing is the term of the Clinic's subscription to the Platform, plus any post-termination period required for data deletion or legal retention obligations.

Nature & Purpose

The Processor processes personal data exclusively for the purpose of providing the Platform services to the Controller, including: storing patient records, processing appointments, generating invoices, sending communications, and producing reports. The nature of processing includes collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure by transmission, alignment, restriction, erasure, and destruction.

Categories of Data Subjects

Patients of the Clinic (including minors where applicable), guardians/relatives, Clinic staff (dentists, hygienists, assistants, administrators), and third parties whose data is incidentally processed (e.g., emergency contacts, insurance representatives).

Categories of Personal Data

Identity data, contact data, special category health data (dental charts, X-rays, diagnoses, treatment plans, medical history), financial data, appointment data, communication logs, and technical/usage data. See the Privacy Policy for the complete data inventory.

Processor Obligations

As Data Processor, dentisti.pro undertakes to:

1. Process Only on Documented Instructions

We process personal data only on documented instructions from the Clinic, including with regard to transfers of personal data to third countries or international organizations, unless required to do so by Union or Member State law.

Clinics provide instructions through:

The configuration settings within the Platform interface
The Terms of Service and this DPA
Written requests submitted through the Platform's support system or to dpo@dentisti.pro

2. Ensure Confidentiality

We ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. All dentisti.pro staff undergo annual data protection training and sign confidentiality agreements.

3. Implement Security Measures

We implement appropriate technical and organizational measures as described in Article 32 GDPR, detailed in Section 9 of our Privacy Policy. These measures are proportionate to the risk and may include encryption, access controls, audit logging, and incident response procedures.

4. Respect Conditions for Engaging Subprocessors

We may engage subprocessors listed in Section 8 of the Privacy Policy. We will notify the Clinic of any intended changes at least 30 days in advance. The Clinic has the right to object to new subprocessors on data protection grounds.

Where we engage a subprocessor, we enter into a written contract imposing the same data protection obligations as those in this DPA. We remain fully liable to the Clinic for the performance of the subprocessor's obligations.

5. Assist with Data Subject Rights

Taking into account the nature of the processing, we assist the Clinic by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Clinic's obligation to respond to requests for exercising data subject rights under Chapter III GDPR.

The Platform includes built-in tools for data export (portability), rectification logging, and erasure certificates to facilitate compliance.

6. Assist with Compliance Obligations

We assist the Clinic in ensuring compliance with Articles 32–36 GDPR, including:

Security of processing (Article 32)
Notification of personal data breaches (Article 33)
Communication of personal data breaches to data subjects (Article 34)
Prior consultation with supervisory authorities (Article 36)

7. Delete or Return Data

At the choice of the Clinic, we delete or return all personal data after the end of the provision of services, and delete existing copies unless Union or Member State law requires storage of the personal data.

Deletion is performed using cryptographic erasure (destruction of encryption keys) or secure overwrite methods. A deletion certificate is provided upon request.

8. Make Information Available for Audits

We make available to the Clinic all information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Clinic or an auditor mandated by the Clinic.

Audit requests must be submitted with at least 30 days' notice. We may charge a reasonable fee for excessive or repetitive audit requests.

Controller Obligations

The Clinic, as Data Controller, undertakes to:

Ensure that the processing of personal data through the Platform is lawful, fair, and transparent
Obtain valid consent or establish another lawful basis for processing before entering patient data into the Platform
Inform patients of their GDPR rights and how to exercise them
Only instruct us to process data in compliance with applicable data protection law
Notify us promptly (within 24 hours) of any suspected personal data breach
Not use the Platform to process data in any manner that violates GDPR or applicable healthcare regulations
Maintain appropriate professional liability insurance as required by national law

International Data Transfers

Any transfer of personal data to a third country or international organization shall only occur on the basis of documented instructions from the Clinic and with appropriate safeguards in place, such as:

An adequacy decision by the European Commission (Article 45 GDPR)
EU Standard Contractual Clauses (Commission Decision 2021/914)
Binding corporate rules (Article 47 GDPR)
Approved codes of conduct or certification mechanisms (Articles 40 and 42 GDPR)

See Section 8 of the Privacy Policy for the current subprocessor list and applicable transfer mechanisms.

Breach Notification

We will notify the Clinic without undue delay and in any case within 24 hours of becoming aware of a personal data breach. The notification will include:

The nature of the breach including categories and approximate number of data subjects and records concerned
The name and contact details of the DPO or other contact point
The likely consequences of the breach
The measures taken or proposed to address the breach and mitigate its effects

Acceptance

By creating an account and using the dentisti.pro platform, the Clinic agrees to the terms of this Data Processing Agreement. This DPA is effective as of the date the Clinic first accesses the Platform.

For Enterprise plans, a signed counterpart of this DPA may be executed upon request.

Version: 3.0 · Last Updated: 2025-05-01 · Next Review: 2026-05-01