DentinCloud

Data Processing Agreement

Last updated: March 1, 2026

This agreement governs the data processing relationship between clinics using the DentinCloud platform and DentinCloud, under GDPR Article 28.

1. Parties and Definitions

Data Controller: The dental clinic or authorised organisation using the DentinCloud platform.

Data Processor: DentinCloud — the party operating the platform infrastructure and processing data on behalf of the clinic.

Data Subject: The patient or clinic staff member whose data is processed.

Personal Data: Any information relating to an identified or identifiable natural person as defined under GDPR Article 4.

Special Category Personal Data: Data under GDPR Article 9, including health and biometric data (treatment records in a dental context may fall into this category).

2. Subject-Matter and Scope of Processing

DentinCloud processes personal data on behalf of the controller solely for the purpose of providing the following services:

  • Appointment and calendar management
  • Patient records, treatment notes, and dental charting
  • Billing and insurance claims
  • SMS/WhatsApp/email notifications
  • Inventory and clinic management
  • Reporting and analytics

DentinCloud may not process personal data outside the controller's instructions under any circumstances, and may not sell data to third parties or allow third parties to use it for advertising.

3. Processor Obligations (GDPR Article 28)

  • Process data only on documented instructions from the controller
  • Ensure all personnel with data access are bound by confidentiality obligations
  • Implement appropriate technical and organisational security measures per GDPR Article 32 (AES-256 encryption, TLS 1.2+, access control, regular audits)
  • Notify the controller before engaging any sub-processor and obtain written approval
  • Notify the controller within 72 hours of becoming aware of a personal data breach
  • Return or securely delete all data upon termination of the agreement or on request
  • Make available all information necessary to demonstrate compliance and permit audits

4. Controller Obligations

  • Ensure the legal basis and consents required to process personal data are in place
  • Inform data subjects (including patients) as required under GDPR
  • Enter only data that is relevant and necessary for the service into the platform
  • Obtain explicit consent where special category personal data (health data) is processed
  • Regularly review staff access permissions

5. Sub-Processors

DentinCloud engages the following sub-processors to deliver the service:

| Sub-Processor | Service | Data Centre Location |
|---|---|---|
| AWS / Hetzner | Infrastructure & storage | EU / Turkey |
| Stripe / iyzico | Payment processing | EU / Turkey |
| Sendgrid / Twilio | Email & SMS | EU |
| Intercom | Customer support | US (via SCCs) |

Changes to the sub-processor list will be notified to controllers at least 14 days in advance.

6. International Data Transfers

Transfers of personal data outside Turkey or the EU/EEA are only permitted with one of the following safeguards:

  • Standard Contractual Clauses under GDPR (Commission Decision 2021/914/EU)
  • Direct transfer to countries with an adequacy decision
  • Explicit consent where required by applicable law

Transfers to US-based Intercom are carried out under current SCCs supplemented by additional technical safeguards (end-to-end encryption, data minimisation).

7. Security Measures

  • AES-256 encryption for data at rest and in transit
  • Secure communications via TLS 1.2+
  • Role-based access control (RBAC) and multi-factor authentication
  • Annual penetration testing and independent security audit
  • ISO 27001-aligned processes (target: Q4 2026 certification)
  • SOC 2 Type II readiness assessment

8. Personal Data Breach Notification

DentinCloud will notify the controller within 72 hours of becoming aware of a personal data breach. The notification will include: the nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed.

DentinCloud will cooperate with the controller for any notifications required to the relevant EU supervisory authority.

9. Termination

This agreement terminates automatically upon termination of the Terms of Service between the parties. DentinCloud will return or permanently delete all controller data within 90 days of the termination date and provide written confirmation of deletion.

10. Contact

For data processing agreement enquiries: [email protected]