1. Scope and Purpose

This Data Processing Agreement ("Agreement") governs the processing of personal and health-related data by Processor on behalf of Controller in connection with the provision of dental CAD design services.

Processor shall process personal data solely for the purpose of providing the services described in the main service agreement and as instructed by Controller.

2. Data Processing Principles

Consent-Based Processing

Processor shall only process personal data where Controller has obtained appropriate consent from data subjects or where another lawful basis exists.

Limited Purpose

Personal data shall be processed only for the specific purposes identified in this Agreement and the service agreement.

Data Minimization

Processor shall only process personal data that is necessary for the provision of services.

3. Security Measures

Processor shall implement industry-standard security measures including:

• Encryption of data at rest and in transit
• Role-based access controls
• Multi-factor authentication
• Regular security assessments
• Automated backup systems
• Intrusion detection and prevention

4. Confidentiality

All personal data shall be treated as confidential information. Processor shall ensure that personnel authorized to process personal data have committed to confidentiality obligations and shall not disclose personal data to third parties except as necessary to provide services or as required by law.

5. Sub-processors

Processor may engage sub-processors (including cloud service providers) to assist in providing services. Sub-processors shall be required to comply with data protection standards equivalent to those in this Agreement.

Current sub-processors include cloud infrastructure providers compliant with international data protection standards.

6. Data Subject Rights

Processor shall support Controller in responding to data subject requests for:

• Access: Right to obtain a copy of personal data
• Correction: Right to correct inaccurate data
• Deletion: Right to request deletion of personal data
• Restriction: Right to restrict processing
• Portability: Right to receive data in a portable format

7. Data Retention and Deletion

Personal data shall be retained only as long as necessary for service provision, legal compliance, or dispute resolution.

Standard retention periods:

• Active case files: Duration of case plus 7 years
• Account information: Duration of account plus 3 years
• Audit logs: 6 years

Upon termination of services or upon Controller's request, Processor shall return personal data to Controller or securely destroy it and certify such destruction.

8. Data Breach Notification

Processor shall notify Controller within 72 hours of becoming aware of any personal data breach. Such notification shall include:

• Description of the breach
• Categories of data affected
• Approximate number of data subjects affected
• Measures taken to address the breach

9. Governing Law

This Agreement shall be governed by and construed in accordance with the laws of the Province of Ontario, Canada.

Contact Information