Data Processing Agreement (DPA)
Last Updated: December 3, 2025
This Data Processing Agreement ("Agreement" or "DPA") forms part of the Terms and Conditions and governs how DentalScan Platform ("DentalScan", "we", "us", "our") processes personal data on behalf of its customers ("Customer", "you", "your") in connection with DentalScan services.
This DPA is designed to satisfy the requirements of:
- HIPAA (U.S. Health Insurance Portability and Accountability Act)
- GDPR (EU General Data Protection Regulation, Article 28)
- CCPA/CPRA (California Consumer Privacy Act)
- PIPEDA/PHIPA (Canada)
- LGPD (Brazil)
- Other applicable international privacy laws
If you do not agree to this DPA, you must cease using DentalScan services.
1. Definitions
"Personal Data"
Any information relating to an identified or identifiable natural person, including names, phone numbers, email addresses, images, device data, usage logs, audio, or other identifiers.
"Processing"
Any operation performed on personal data, including collection, storage, transmission, analysis, or deletion.
"Controller"
The party determining the purpose and means of processing personal data (generally the Customer).
"Processor"
The party processing personal data on behalf of the Controller (DentalScan).
"Sub-Processor"
Any third party appointed by DentalScan to process personal data.
"Data Protection Laws"
All applicable state, federal, and international privacy laws, including HIPAA, GDPR, CCPA/CPRA, LGPD, PIPEDA, and others.
"Services"
The DentalScan platform, telephony system, AI analysis, messaging features, dashboards, and any related tools or APIs provided to the Customer.
2. Roles of the Parties
- Customer is the Data Controller.
- DentalScan is the Data Processor.
- For HIPAA-covered entities, DentalScan is a Business Associate.
- Sub-processors engaged by DentalScan act as Sub-Processors.
DentalScan processes personal data solely on documented instructions from the Customer.
3. Purpose of Processing
DentalScan processes personal data only as necessary to:
- Provide telephony, AI inference, and messaging services
- Deliver missed-call automation and call/text handling
- Run AI-powered scan analysis and reporting
- Manage user accounts and subscriptions
- Maintain system logs, security, and auditing
- Provide support and troubleshooting
- Execute workflows configured by the Customer
- Comply with legal or regulatory requirements
DentalScan does not process data for marketing or unrelated purposes.
4. Customer Instructions
DentalScan will process personal data only:
- In accordance with this DPA
- Under Customer instructions
- As required to provide the services
- As required by applicable law
If an instruction violates applicable law, DentalScan will notify Customer.
5. Security Measures
DentalScan maintains industry-standard technical and organizational safeguards, including:
Technical Controls
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Access controls and role-based permissions
- Secure APIs
- Application firewalls
- Automatic session expiration
- Data redundancy and backups
Organizational Controls
- Security training for authorized personnel
- Strict access logging
- Multi-factor authentication
- Least-privilege access principles
Infrastructure Controls
- Secure hosting and physical security via AWS
- Monitoring, logging, and alerting
- Regular penetration testing and vulnerability scanning
6. Confidentiality
DentalScan ensures that all personnel with access to personal data:
- Are authorized
- Are contractually bound to confidentiality
- Receive training on secure handling and privacy laws
- Only access data when necessary
7. Sub-Processors
DentalScan may engage sub-processors to support service delivery.
A current list of sub-processors is maintained at:
DentalScan will:
- Notify customers of changes where legally required
- Ensure sub-processors provide equal or greater security
- Enter into binding contracts with each sub-processor
- Remain responsible for their performance
8. International Data Transfers
DentalScan may transfer data internationally where necessary.
All transfers comply with applicable laws, using:
- Standard Contractual Clauses (SCCs)
- Adequacy decisions
- HIPAA Business Associate requirements
- LGPD-compliant mechanisms
Sub-processors must maintain equivalent protections.
9. Data Subject Rights
Where applicable, DentalScan will assist Customers in responding to:
- Access requests
- Correction requests
- Deletion requests
- Restriction or objection requests
- Data portability
DentalScan does not respond directly to end-users unless instructed by Customer.
10. Data Breach Notification
If DentalScan becomes aware of a breach affecting personal data, we will notify Customer without undue delay, including:
- Nature of the breach
- Data categories and approximate volume affected
- Likely consequences
- Mitigation and corrective actions
- Contact information for further support
Customer remains responsible for any required notifications to individuals or regulators, except where laws require DentalScan to notify directly.
11. Return or Deletion of Data
Upon termination of services:
- Customer may request data export.
- Customer may request deletion of data.
- DentalScan will delete remaining personal data after retention obligations expire.
- DentalScan may retain minimal records for:
  - Compliance
  - Security logs
  - Legal defense
HIPAA and state retention laws may require data retention for 7 years.
12. Compliance with HIPAA (Business Associate Addendum)
If Customer is a HIPAA Covered Entity or Business Associate:
- This DPA incorporates DentalScan's Business Associate Addendum (BAA)
- DentalScan will comply with all HIPAA/HITECH requirements
- PHI will be protected in accordance with HIPAA security rules
The BAA is available at:
13. Limitation of Liability
DentalScan's liability under this DPA is subject to the limitations in the Terms and Conditions, except where prohibited by HIPAA or GDPR.
14. Term and Termination
This DPA remains in effect:
- As long as Customer uses DentalScan services
- Until all processing is complete
- Until all personal data is deleted or returned
Termination of the main service agreement automatically terminates this DPA.
15. Governing Law
This Agreement is governed by:
- U.S. federal privacy law (HIPAA, etc.)
- State privacy laws (CCPA/CPRA, etc.)
- GDPR (for EU customers)
- LGPD (for Brazil)
- Any applicable international privacy regulations
