Data Processing Agreement (DPA)
Last updated: June 4, 2026
Introduction
This Data Processing Agreement ("DPA") is entered into between the dental clinic using the DENTARI platform (the "Controller") and DENTARI, the platform operator (the "Processor").
This DPA forms part of the Terms of Service and governs the processing of personal data by DENTARI on behalf of the clinic, in accordance with Article 28 of the GDPR (EU 2016/679).
1. Definitions
- "Controller" — the dental clinic that determines the purposes and means of processing patient data.
- "Processor" — DENTARI, which processes personal data on behalf of the Controller.
- "Personal Data" — any information relating to an identified or identifiable natural person (GDPR Art. 4(1)).
- "Special Category Data" — health data as defined in GDPR Art. 9, including dental records and treatment information.
- "Data Subject" — the patient or clinic staff member whose data is processed.
- "Sub-processor" — any third party engaged by the Processor to process Personal Data.
- "GDPR" — General Data Protection Regulation (EU) 2016/679.
2. Subject Matter, Nature, and Purpose of Processing
The Processor shall process Personal Data on behalf of the Controller for the purpose of providing the DENTARI dental clinic management platform, including: appointment scheduling, patient record management, treatment plan storage, and revenue analytics.
The nature of processing includes: collection, storage, retrieval, display, modification, and deletion of data within the platform.
This DPA applies for the duration of the subscription agreement between the parties.
3. Types of Personal Data Processed
- Clinic staff: name, email address, role.
- Patients: name, contact information (phone, email), date of birth, appointment history, treatment plans, dental records, clinical notes.
Categories of Data Subjects: clinic staff; patients of the clinic.
Patient health data constitutes special category data under GDPR Art. 9. The Controller is responsible for ensuring a valid legal basis for its collection and use.
4. Roles and Responsibilities
| Party | Role | Responsibility |
|---|---|---|
| Dental Clinic | Data Controller | Determines what data to collect, for what purpose, and obtains consent where required. Responsible for patient-facing compliance obligations. |
| DENTARI | Data Processor | Processes data only on documented instructions from the Controller. Implements technical and organisational security measures. |
5. Processor Obligations (GDPR Art. 28(3))
The Processor shall:
- (a) Process only on documented instructions — process Personal Data solely according to the Controller's instructions. Where the Processor is required by EU or national law to process Personal Data without such instructions, it shall inform the Controller beforehand unless prohibited by law.
- (b) Confidentiality — ensure that authorised personnel are subject to a contractual or statutory obligation of confidentiality with respect to Personal Data.
- (c) Security — implement appropriate technical and organisational measures in accordance with GDPR Art. 32, including encryption in transit (TLS 1.2+), encryption at rest, access controls, and regular security testing.
- (d) Sub-processors — engage Sub-processors only with prior written consent of the Controller (general consent is given for the Sub-processors listed in Section 6). Impose equivalent data protection obligations on all Sub-processors.
- (e) Data Subject Rights — assist the Controller in fulfilling its obligations to respond to Data Subject rights requests (access, erasure, portability, etc.) within 5 business days of the Controller's request.
- (f) Deletion or Return — upon termination of the agreement, delete all Personal Data within 30 days and provide a written confirmation, unless longer retention is required by EU or national law.
- (g) Audit cooperation — make available all information necessary to demonstrate compliance and allow for audits or inspections conducted by the Controller or an authorised auditor, with reasonable prior notice (minimum 14 days).
- (h) Notify of unlawful instructions — immediately inform the Controller if, in the Processor's opinion, an instruction infringes GDPR or other EU/national data protection law.
6. Authorised Sub-processors
The Controller grants general written consent to the use of the following Sub-processors. DENTARI will notify the Controller of any changes to this list with at least 14 days' notice, giving the Controller the opportunity to object.
| Sub-processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Supabase Inc. | Database, authentication, file storage | EU (Frankfurt, Germany) | DPA + EU data residency |
| Stripe Inc. | Payment processing (billing data only) | EU + US | SCCs + PCI DSS |
| Google LLC | Authentication (OAuth only) | EU + US | SCCs |
| Vercel Inc. | Application hosting and CDN | Global (EU primary) | DPA + SCCs |
Note: Patient data is stored exclusively in the Supabase EU (Frankfurt) region and does not transit through Stripe or Google.
7. Security Measures (GDPR Art. 32)
DENTARI implements the following technical and organisational measures:
- Encryption of data in transit (TLS 1.2 minimum) and at rest (AES-256).
- Role-based access control (RBAC) — clinic staff access only their own clinic's data.
- Row-level security enforced at the database layer (Supabase RLS policies).
- Multi-factor authentication available for all accounts.
- Regular security updates and dependency audits.
- Automated database backups with point-in-time recovery.
- Monitoring and alerting for unusual access patterns.
8. Personal Data Breach Notification
In the event of a personal data breach affecting the Controller's Personal Data, the Processor shall:
- Notify the Controller without undue delay and, where feasible, within 24 hours of becoming aware of the breach.
- Provide, as soon as reasonably possible: the nature of the breach; categories and approximate number of Data Subjects and records affected; likely consequences; measures taken or proposed to address the breach.
- Cooperate with the Controller to enable timely notification to the supervisory authority (within 72 hours as required by GDPR Art. 33).
Breach notifications shall be sent to the Controller's email address on record.
9. International Data Transfers
Patient and clinic data is stored in Supabase's EU (Frankfurt) region. Transfers to Sub-processors located outside the EEA (Stripe, Google for OAuth) are governed by Standard Contractual Clauses (SCCs) pursuant to GDPR Art. 46(2)(c).
10. Audit Rights
The Controller has the right to conduct, or commission, an audit of the Processor's data processing activities once per calendar year, or immediately following a confirmed data breach. The Controller must provide at least 14 days' written notice. Audits must be conducted during business hours and in a manner that minimises disruption to operations.
The Processor may satisfy the audit requirement by providing a current third-party security assessment or penetration test report in lieu of on-site inspection, unless the Controller has specific reason to require a direct audit.
11. Liability
Each party is liable to the other for any direct damages caused by breach of this DPA. The Processor's total liability under this DPA shall not exceed the total fees paid by the Controller in the 12 months preceding the claim.
The Processor shall not be liable for any damages arising from the Controller's failure to fulfil its own obligations as a Data Controller under the GDPR.
12. Duration and Termination
This DPA is effective from the date the Controller first uses the Service and remains in force for the duration of the subscription agreement. It terminates automatically upon termination of the subscription, at which point the Processor will delete all Personal Data within 30 days (see Section 5(f)).
13. Governing Law
This DPA is governed by the laws of the Republic of Bulgaria and interpreted in accordance with EU Regulation 2016/679 (GDPR). Any disputes shall be resolved before the competent courts of Burgas, Bulgaria.
14. Contact
For any queries relating to data processing under this DPA:
DENTARI
Burgas, Bulgaria
E-mail: info@dentari.app