Data Processing Agreement
This Data Processing Agreement ("DPA") is automatically incorporated into your DentyBot subscription and governs how we process personal data on your behalf as required by GDPR and HIPAA.
1. Definitions
"Controller" means the dental clinic subscribing to DentyBot. "Processor" means DentyBot. "Personal Data" means any information relating to an identified or identifiable natural person, including patient names, contact details, and health-related enquiries.
2. Scope of processing
DentyBot processes personal data on behalf of the Controller solely for the purpose of providing the Denty chat service. Processing activities include: receiving patient messages, generating AI responses, logging conversations, and transmitting appointment data to connected calendar services.
3. Our obligations as Processor
- Process personal data only on documented instructions from the Controller
- Ensure all staff with access to personal data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures
- Assist the Controller in responding to data subject rights requests
- Delete or return all personal data at the end of the service relationship
- Provide all information necessary to demonstrate compliance with this DPA
4. Sub-processors
We use the following categories of sub-processors to deliver the service. All are bound by equivalent data protection obligations:
- Cloud infrastructure and hosting providers
- AI model API providers (for generating chat responses)
- Calendar integration services (e.g. Google Calendar, Calendly)
- Email delivery services
We will notify you at least 14 days before adding or replacing any sub-processor that handles personal data.
5. Security measures
We implement the following measures to protect personal data:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Access controls limiting data access to authorised personnel only
- Regular security assessments and penetration testing
- Incident response procedures with 72-hour breach notification
6. HIPAA compliance
For US-based dental clinics, DentyBot operates as a Business Associate under HIPAA. We will execute a Business Associate Agreement (BAA) upon request. Email hello@dentybot.com with the subject line "BAA Request" to receive a signed BAA within 3 business days.
7. Data transfers
We process data within the European Economic Area where possible. Where data is transferred outside the EEA, we ensure appropriate safeguards are in place (Standard Contractual Clauses or equivalent mechanisms).
8. Duration and deletion
This DPA remains in force for the duration of the service agreement. Upon termination, we will delete all personal data within 30 days unless legal retention obligations require otherwise. We will provide written confirmation of deletion upon request.
9. Contact
For data processing enquiries or to request a BAA: hello@dentybot.com