Book demo Start trial
Legal

Data Processing Agreement.

The Article 28 UK GDPR agreement that governs how we process patient personal data on your behalf when you use dentdial.

Last updated: 26 May 2026 · Version 1.0

This Data Processing Agreement (“DPA”) forms part of the agreement between the Customer (the “Controller”) and the company operating dentdial (the “Processor”) for the provision of the dentdial Service. Terms used but not defined here have the meaning given in the UK GDPR or our Terms of Service.

1. Subject matter, duration & nature

Subject matter: Processing of personal data necessary for the Processor to provide the Service. Duration: For so long as the Processor provides the Service, plus any tail period needed for export or deletion. Nature and purpose: Provision of an AI-powered telephone reception service for the Controller’s dental practice(s), including call answering, transcription, appointment booking, triage, dashboards, payments and integrations.

2. Categories of data subject & personal data

Data subjects: The Controller’s patients, prospective patients, callers, employees and contractors.

Personal data:

  • Identification data — name, date of birth, address, phone, email.
  • Caller-line identification (CLI) and call metadata.
  • Call audio recordings.
  • Transcripts and AI-generated summaries.
  • Appointment, treatment and payment information.
  • Information voluntarily disclosed by callers, which may include special category data (health information) under Article 9 UK GDPR.

3. Roles

The Controller determines the purposes and means of processing. The Processor processes personal data only on documented instructions from the Controller and as required by law. The Controller represents that it has a lawful basis for processing (under Article 6) and, where special category data is involved, a valid condition under Article 9 — typically Article 9(2)(h) for the provision of healthcare under the responsibility of a regulated dental professional.

4. Processor obligations

  • Instructions. Process personal data only on documented instructions from the Controller, including these set out in the Terms, this DPA and the Controller’s configuration of the Service. Notify the Controller if instructions appear to infringe UK law.
  • Confidentiality. Ensure personnel authorised to process personal data are under appropriate confidentiality obligations.
  • Security. Implement and maintain appropriate technical and organisational measures, as set out in Annex A.
  • Sub-processors. Engage sub-processors only as permitted under Section 5.
  • Assistance. Assist the Controller with data subject rights, DPIAs, prior consultations and notifications of breaches to authorities, taking into account the nature of processing and information available.
  • Breach notification. Notify the Controller without undue delay (and in any event within 48 hours) on becoming aware of a personal data breach, with the information required by Article 33(3) where available.
  • Audits. Make available all information necessary to demonstrate compliance and allow for and contribute to audits, including inspections, on reasonable notice and during business hours, no more than once per 12 months unless required by a supervisory authority.
  • Deletion. On termination of the Service, at the Controller’s choice, return or delete all personal data, except where retention is required by law.

5. Sub-processors

The Controller provides general authorisation for the Processor to engage sub-processors necessary to provide the Service. The Processor maintains a current list of sub-processors at our contact form (also published at /sub-processors).

The Processor will give the Controller at least 30 days’ notice of any intended changes. The Controller may object on reasonable data-protection grounds, in which case the parties will work in good faith to find a solution; if none can be reached, the Controller may terminate the Service with respect to the affected processing.

The Processor remains liable to the Controller for the acts and omissions of its sub-processors as if they were its own.

6. International transfers

The Processor stores personal data within the United Kingdom. Where any transfer outside the UK is necessary, the Processor will ensure that an appropriate transfer mechanism is in place — UK adequacy regulations, the UK International Data Transfer Agreement, or the EU Standard Contractual Clauses as supplemented by the UK Addendum — and will provide a copy on request.

7. Data subject rights

The Processor will, taking into account the nature of the processing, assist the Controller through appropriate technical and organisational measures, insofar as possible, in responding to requests by data subjects to exercise their rights under the UK GDPR. Where a request is made directly to the Processor, the Processor will refer the data subject to the Controller without delay.

8. Liability

The liability provisions in the Terms of Service apply equally to this DPA. Nothing in this DPA limits any liability that cannot be limited by law, including liability under Article 82 UK GDPR.

9. Order of precedence

In case of conflict between this DPA and the Terms, this DPA prevails on data-protection matters.

10. Governing law

This DPA is governed by the laws of England and Wales.

Annex A — Technical & organisational measures

  • Encryption. AES-256 at rest; TLS 1.3 in transit; per-tenant keys for call recordings.
  • Access control. Role-based access; least privilege; multi-factor authentication for all internal personnel; SSO and MFA enforced for Customer admin accounts.
  • Logging. Authentication, administrative actions, access to recordings, and integration events are logged with timestamps; logs retained per security policy.
  • Network. Private networking between components; restricted egress; DDoS protection.
  • Vulnerability management. Continuous dependency monitoring; regular vulnerability scanning; annual penetration test by an independent CREST-accredited provider.
  • Backups. Encrypted, segregated, regular, restoration-tested. Retained in the UK.
  • Personnel. Background checks; written confidentiality undertakings; mandatory security and data-protection training on hire and annually.
  • Sub-processors. Contractually bound to equivalent obligations; reviewed before onboarding and at least annually.
  • Business continuity. Documented disaster recovery and business continuity plans; multi-AZ deployment within UK region.
  • Incident response. 24/7 on-call rotation; documented playbook; breach notification within 48 hours of awareness.

Annex B — Sub-processors

Current sub-processor list available at our contact form. Categories include: cloud infrastructure (AWS, UK region); voice infrastructure; AI model providers (with no-training contractual commitments and UK/EU residency); transactional email; error monitoring; customer support.

Annex C — How to sign

For most customers, this DPA is incorporated by reference into the Terms of Service on first use of the Service. Customers requiring a counter-signed copy, or a custom DPA, should email our contact form.

This DPA is a draft template. Specific clauses may be amended for Group customers via a Master Services Agreement.