Between Dentflow Pro Ltd and the Client named below
Data Processor
Dentflow Pro Ltd
Company No. 17152155
Registered in England & Wales
hello@dentflowpro.co.uk
dentflowpro.co.uk
Data Controller (Client)
Practice Name:
Registered Address:
Contact Email:
1. Background
Dentflow Pro Ltd ("Processor") provides patient acquisition automation services to dental practices ("Controller"). In providing these services, the Processor will process personal data on behalf of the Controller. This Data Processing Agreement ("DPA") sets out the terms under which such processing takes place, in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Definitions
"Personal Data" — any information relating to an identified or identifiable natural person processed under this agreement
"Data Subject" — patients and prospective patients of the Controller whose data is processed
"Processing" — any operation performed on personal data (collection, storage, use, transmission, deletion)
"Sub-processor" — any third party engaged by the Processor to process personal data on behalf of the Controller
3. Subject Matter of Processing
Purpose: Automated patient enquiry response, lead qualification, appointment booking, reminder sequences, and review requests on behalf of the Controller
Nature: Collection, storage, automated processing, transmission, and deletion of patient contact and enquiry data
Data Subjects: Patients and prospective patients of the Controller's dental practice
Duration: For the term of the service agreement, plus 30 days post-termination (unless otherwise instructed)
4. Obligations of the Processor
Dentflow Pro Ltd agrees to:
Process personal data only on documented instructions from the Controller, unless required to do so by law
Ensure that all personnel authorised to process personal data are bound by appropriate confidentiality obligations
Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption of data in transit and access controls
Not engage any sub-processor without prior written authorisation from the Controller (general authorisation is granted by the Controller signing this agreement, subject to clause 6)
Assist the Controller in fulfilling obligations to respond to data subject rights requests
Notify the Controller without undue delay (and within 72 hours where feasible) upon becoming aware of a personal data breach
Delete or return all personal data upon termination of services, as directed by the Controller
Make available all information necessary to demonstrate compliance with this DPA
5. Obligations of the Controller
The Controller (dental practice) agrees to:
Ensure there is a lawful basis for processing patient data under UK GDPR
Ensure patients are appropriately informed (e.g. via a privacy notice) that their data may be processed by third-party automation systems
Provide accurate and complete setup information to enable the Processor to deliver the service
Not instruct the Processor to process data in a manner that would violate UK GDPR or any other applicable law
Promptly notify the Processor of any data subject rights requests relating to data processed under this agreement
6. Sub-processors
The Controller grants general written authorisation for the Processor to engage sub-processors to deliver the service. The Processor will:
Inform the Controller of any intended changes to sub-processors with at least 14 days' notice
Impose equivalent data protection obligations on all sub-processors via written contracts
Remain fully liable to the Controller for the performance of sub-processors
A current list of sub-processors is available on request from hello@dentflowpro.co.uk.
7. Data Transfers
Some sub-processors may process data outside the UK. Where this occurs, the Processor will ensure appropriate safeguards are in place (such as Standard Contractual Clauses or adequacy decisions) in accordance with UK GDPR Chapter V.
8. Security
The Processor maintains appropriate technical and organisational security measures including:
Encryption of personal data in transit (TLS)
Access controls limiting data access to authorised personnel only
Regular review of security practices
Incident response procedures for data breaches
9. Data Retention & Deletion
Personal data processed under this agreement will be retained for the duration of the service, plus a maximum of 30 days post-termination. Upon written request from the Controller, the Processor will delete or return all personal data within 14 days and confirm deletion in writing.
10. Liability
Each party's liability under this DPA is subject to the limitations set out in the Terms & Conditions between the parties. Nothing in this DPA limits liability for matters that cannot be excluded by law.
11. Governing Law
This DPA is governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.
12. Signatures
By signing below, both parties agree to the terms of this Data Processing Agreement.
For Dentflow Pro Ltd (Processor)
Signed:
Name: Sharif
Title: Founder, Dentflow Pro Ltd
Date:
For the Controller (Client)
Signed:
Name:
Title:
Date:
How to use: Print this page (or Save as PDF), sign the Processor section, send to your client to countersign. Keep a copy for your records. This DPA should be signed before or at the same time as the client's first payment.