Terms
1. What is this agreement about?
1.1 Purpose. The parties, as set out in Annex I, are entering into this Data Processing Agreement (DPA) for the purpose of processing personal data.
1.2 Adequate country, Controller, data subject, personal data, process/processing, Processor, Sub-processor and supervisory authority have the same meanings as in the Data Protection Laws.
1.3 Structure. The parties acknowledge that Annex I to this DPA sets out the list of parties, description of transfers and competent supervisory authority, governing law and choice of forum and jurisdiction, Annex II sets out the relevant security measures, and Annex III sets out the approved third party sub-processors.
2. What are each party’s obligations?
2.1 Controller obligations. Controller is responsible for obtaining all consents, licences and legal bases required to allow Processor to process personal data.
2.2 Processor obligations. Processor will:
(a) only process personal data in accordance with this DPA and Controller’s and Processor’s instructions (unless legally required to do otherwise),
(b) not sell, retain or use any personal data for any purpose other than as permitted by this DPA and the Main Agreement,
(c) inform Controller immediately if (in its opinion) any instructions infringe Data Protection Laws,
(d) implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk involved as set out in Annex II,
(e) notify Controller of a personal data breach within the Breach Notification Period,
(f) ensure that anyone authorised to process personal data is committed to confidentiality obligations,
(g) provide Controller with reasonable assistance in responding to a personal data breach and comply with breach notification obligations,
(h) without undue delay, provide Controller with reasonable assistance with:
(i) data protection impact assessments,
(ii) responses to data subjects’ requests to exercise their rights under Data Protection Laws, and
(iii) engagement with supervisory authorities,
(i) if requested, provide Controller with information necessary to demonstrate its compliance with obligations under Data Protection Laws and this DPA,
(j) allow for audits at Controller’s reasonable request, provided that audits are limited to once a year and during business hours except in the event of a security incident, and
(k) after termination of this DPA, delete or return personal data upon Controller’s written request unless retention is required to meet legal or regulatory obligations.
2.3 Warranties. The parties warrant that they and any staff and/or subcontractors will comply with their respective obligations under Data Protection Laws for the Term.
3. Sub-processing
3.1 Use of sub-processors. Controller consents to Processor using sub-processors when processing personal data. Processor’s existing sub-processors are listed in Annex III.
3.2 Sub-processor obligations. Processor will:
(a) require its sub-processors to comply with equivalent terms as Processor’s obligations in this DPA,
(b) ensure appropriate safeguards are in place before internationally transferring personal data to its sub-processor, and
(c) be liable for any acts, errors or omissions of its sub-processors under this DPA.
3.3 Approvals. Processor may appoint new sub-processors provided that they notify Controller in writing within the Sub-processor Notification Period.
3.4 Objections. Controller may reasonably object in writing to any future sub-processor. If the parties cannot agree on a solution within a reasonable time, either party may terminate this DPA.
4. International personal data transfers
4.1 Instructions. Processor will transfer personal data outside the UK, the EEA or an adequate country only on documented instructions from Controller, unless otherwise required by law.
4.2 Transfer mechanism. Where a party processes personal data outside the UK, the EEA or an adequate country:
(a) that party will act as the data importer, (b) the other party is the data exporter, and (c) the Transfer Mechanism will apply, as stated in Annex III.
4.3 Additional measures. If the Transfer Mechanism is insufficient to safeguard the transfer, the data importer will promptly implement additional or replacement measures as necessary to ensure personal data is protected to the same standard as under Data Protection Laws.
4.4 Disclosures. If the data importer receives a request from a public authority to access personal data, it will (if legally possible):
(a) challenge the request and promptly notify the data exporter about receiving it, and
(b) if it is necessary to disclose personal data, only disclose the minimum amount required to the public authority and keep a record of the disclosure.
5. Other important information
5.1 Survival. Any term of this DPA which is intended to survive termination will remain in full force.
5.2 Order of precedence. In case of a conflict between this DPA and other relevant terms, they will take priority in this order:
(a) Transfer Mechanism, (b) DPA, (c) Main Agreement.
5.3 Notices. Formal notices under this DPA must be in writing and sent to the Contact on the Agreement’s front page as may be updated by a party to the other in writing.
5.4 Third parties. Except for affiliates, no one other than a party to this DPA has the right to enforce any of its terms.
5.5 Entire agreement. This DPA supersedes all prior discussions and agreements and constitutes the entire agreement between the parties with respect to its subject matter and neither party has relied on any statement or representation of any person in entering into this Agreement.
5.6 Amendments. Any amendments to this DPA must be agreed in writing.
5.7 Assignment. Neither party can assign this DPA to anyone else without the other party’s consent.
5.8 Waiver. If a party fails to enforce a right under this DPA, that is not a waiver of that right at any time.
5.9 Governing law and jurisdiction. The Governing Law applies to this DPA and all disputes will only be litigated in the courts of the Jurisdiction.
Annex I: Variables
Parties’ relationship | Controller to Processor |
---|---|
Parties’ roles | For the purpose of this agreement, the Parties agree that Dentascribe acts as Processor and Customer acts as Controller as those terms are defined under Data Protection Laws. |
Contacts | Anuj Gupta (Founder), privacy@dentascribe.uk |
Term | This DPA will commence on the final date of signature and will continue for a period equivalent to the term of the Main Agreement. |
Breach Notification Period | 72 hours |
Sub-processor Notification Period | 14 days before the new sub-processor takes effect |
Governing Law and Jurisdiction | This Data Processing Agreement shall be governed by and construed in accordance with the laws of England and Wales. The courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with this Data Processing Agreement or its subject matter or formation. |
Data Protection Laws | All laws and regulations which apply to the processing of personal data, including in the United Kingdom (“UK”), as amended from time to time. |
Services related to processing | The Data Processor shall process Personal Data and PHI only as necessary to provide clinical note-taking and AI-driven documentation services to the Data Controller, including but not limited to: (a) Storage of encrypted draft clinical notes and documents; (b) Audio transcription using AI; (c) Generation of draft clinical notes and documents using AI. These Services are designed to improve the efficiency and accuracy of clinical note and document creation. |
Duration of processing | The duration of the processing shall be for the term of the Main Agreement. |
Purpose of processing | Provision of the Services, which include AI solutions. |
Nature of processing | The collection, storage and processing of the personal data for the purpose of providing the Services. |
Types of personal data | Names, Date of Birth, Contact Details (if included in notes or incidentally in audio), Health Data |
Data subjects | Patients of the Data Controller |
Annex II: Technical and organisational measures to ensure the security of the data
1. Access Control
- System Access Control: We implement strong password policies, multi-factor authentication, role-based access control, and conduct regular access reviews to prevent unauthorised system access.
- Role-based access: Dentascribe personnel are granted the minimum access necessary to perform their tasks.
- Data Access Control: Dentascribe does not access any Personal Data processed on behalf of the data controller.
- Transmission Control: We secure Personal Data transfers using encryption protocols (TLS/SSL). Data is encrypted in transit.
2. Data Security and Integrity
- Encryption: We use industry-standard encryption methods including TLS/SSL for data in transit and database encryption for data at rest. For synced notes, we implement symmetrical AES-256 GCM zero-knowledge encryption to ensure the highest degree of data confidentiality and security.
- Zero data retention for audio and transcriptions: We do not store audio or transcriptions containing Personal Data.
- Integrity Controls: Dentascribe does not make alterations to personal data.
- Data Backups: We maintain secure, encrypted, daily backups to ensure data preservation in case of disaster.
3. Data Minimisation
- Opt-in Features: Dentascribe features that involve the processing of potentially Personal Data (Synced Notes, Live Appointment Recording and AI Note Generation) are strictly opt-in. By default, and until actively enabled by the Data Controller, Dentascribe does not process any Personal Data.
- Zero-Knowledge Encryption (Synced Notes): Synced drafts of clinical notes are encrypted using zero-knowledge symmetrical encryption. This ensures that Dentascribe itself has no access to the content of the notes, further minimising the extent to which Dentascribe processes potentially personal data contained within them.
- Data Retention Policies: Clear and documented data retention policies are in place.
  - Synced notes are retained only for as long as the Data Controller actively maintains them in their Dentascribe account. Data Controllers have full control to delete synced notes at any time.
  - Upon subscription termination, synced drafts are deleted according to the data deletion terms outlined in the DPA and main agreement.
  - Audio and transcriptions for AI live appointment recording and note generation are not subject to long-term retention as they are processed transiently.
4. Purpose Limitation
Processing of Personal Data is strictly limited to the specified purposes of providing the Dentascribe services, namely:
- For Synced Notes: Facilitating the saving and accessibility of clinical note drafts across a Data Controller’s devices.
- For AI Note Generation: Assisting Data Controllers in drafting clinical notes from appointment audio.
- Personal Data is not processed for any other purposes, such as marketing, profiling, or analytics by Dentascribe beyond the operational needs of providing the Service to the Data Controller.
5. Organisational Measures
- Data Protection Policy: We maintain a comprehensive data protection policy that is regularly reviewed, documented, and actively enforced across our organisation.
- Data Protection Officer (DPO): Our designated data protection contact is accessible for all privacy-related inquiries and compliance matters.
- Sub-processor Management: We carry out due diligence on all of our sub-processors to ensure they comply with adequate security requirements and maintain data processing agreements.
- Incident Response Plan: We have an incident response plan for data breaches.
- Data Protection Audits: We conduct regular internal data protection audits to ensure the ongoing effectiveness of our technical and organisational measures. These audits are conducted bi-annually and cover key areas including access controls, data security, and adherence to our data protection policies. The findings of these audits are reviewed and used to drive continuous improvement in our data protection practices.
Annex III: List of approved sub-processors
Name | Description | Location of processing | Safeguards for international transfers |
---|---|---|---|
Vercel, Inc | IaaS - AI transcription and generation | US/UK | Adequacy agreement; EU SCCs with UK addendum |
Groq, Inc | IaaS - AI transcription | US | EU SCCs with UK addendum; Transfer risk assessment |
OpenAI, Inc | SaaS - AI generation | US | EU SCCs with UK addendum; Transfer risk assessment |
Supabase, Inc | IaaS - Serverless functions; BaaS - Storage of encrypted synced notes | US/UK | EU SCCs with UK addendum; Transfer risk assessment |