DATA PROCESSING AGREEMENT
This Data Processing Agreement (“Agreement” or “DPA”) forms part of and is incorporated into the agreement governing the provision of services between the Parties (the “Main Agreement”).
Incorporation by Reference
This Data Processing Agreement forms part of and is incorporated into the AlineCloud Terms of Service or other binding agreement accepted electronically by the Controller when creating an account or using the Platform. Acceptance of the Terms of Service constitutes acceptance of this DPA.
Acceptance
By accessing or using the Platform, or by otherwise electronically accepting the Terms of Service, the Controller acknowledges that it has read, understood, and agreed to be bound by this Data Processing Agreement.
PARTIES
This Data Processing Agreement applies between:
- AlineCloud OÜ, a private limited company incorporated under the laws of Estonia, registered under number 17391447, having its registered office at Harju maakond, Tallinn, Kesklinna linnaosa, Narva mnt 5, Estonia ("AlineCloud" or the "Processor"); and
- Any clinic, dental practice, orthodontist, or other legal entity that creates an account on, accesses, or uses the Platform ("Customer" or the "Controller").
Processor and Controller may be referred to individually as a “Party” and collectively as the “Parties.”
1. DEFINITIONS AND INTERPRETATION.
1.1. Definitions.
For the purposes of this Data Processing Agreement, the terms “Personal Data,” “Processing,” “Controller,” “Processor,” “Data Subject,” “Personal Data Breach,” “Supervisory Authority,” “UK GDPR,” and “Standard Contractual Clauses” shall have the meanings ascribed to them in Regulation (EU) 2016/679 (the “GDPR”) and, where applicable, the UK GDPR, as amended or replaced from time to time.
1.2. Interpretation.
In this DPA:
- references to statutes or regulations include any amendments, replacements, or successor legislation;
- headings are for convenience only and do not affect interpretation;
- the words “include” and “including” shall be construed without limitation;
- references to “writing” include electronic communications.
1.3. Precedence.
In the event of any conflict or inconsistency between the provisions of this DPA and the Main Agreement, the provisions of this DPA shall prevail solely with respect to data protection, privacy, and Processing of Personal Data.
2. SCOPE AND PURPOSE OF PROCESSING.
2.1. Subject Matter.
This DPA governs the Processing of Personal Data by AlineCloud OÜ, acting as Processor, on behalf of the Controller, in connection with the provision of a business-to-business orthodontic treatment planning Platform and related technical, operational, and support services.
2.2. Nature and Purpose of Processing.
Personal Data shall be Processed strictly in accordance with the Controller’s documented instructions and solely for the following purposes:
- hosting, storing, and managing digital clinical case files and related records;
- generating, modifying, and delivering digital orthodontic treatment plans;
- facilitating secure communication and collaboration between clinics, dentists, orthodontists, and authorised planners;
- providing technical support, troubleshooting, system maintenance, and service continuity;
- complying with applicable legal, regulatory, and professional obligations.
2.3. Prohibited Processing.
The Processor shall not Process Personal Data for its own purposes, including for marketing, profiling, advertising, or product development unrelated to the services. This restriction shall not prevent the Processor from carrying out limited, non-intrusive Processing strictly necessary for Platform security, performance monitoring, system integrity, error detection, or operational analytics, provided that such Processing:
- does not involve patient health data for analytical or profiling purposes;
- is not used to identify or profile individual Data Subjects; and
- remains proportionate, access-restricted, and aligned with applicable data protection law.
2.4. Duration of Processing.
Processing shall commence on the effective date of the Main Agreement and shall continue for:
- the duration of the Main Agreement, during which Personal Data shall be retained and made available on the Platform until deleted by the Controller or upon documented instructions from the Controller; and
- any post-termination retention period expressly permitted under this DPA or required by applicable law.
3. CATEGORIES OF DATA AND DATA SUBJECTS.
3.1. Categories of Data Subjects.
The categories of Data Subjects whose Personal Data may be Processed under this DPA include:
- patients of the Controller whose data is uploaded for orthodontic treatment planning;
- dentists and orthodontists using or interacting with the Platform;
- clinic staff, administrators, and other authorised users acting on behalf of the Controller.
3.2. Categories of Personal Data.
The categories of Personal Data Processed may include, without limitation:
- patient photographs, intraoral images, 3D scans, impressions, and related digital files;
- clinical notes, treatment objectives, and orthodontic treatment plans;
- names, contact details, and professional information of dentists and clinics;
- user account credentials, access logs, and usage metadata;
- billing, invoicing, and transactional information, where applicable.
3.3. Special Categories of Data.
The Processing of special categories of Personal Data, including health data within the meaning of Article 9 of the GDPR, shall:
- occur solely at the documented instruction of the Controller;
- be limited to what is strictly necessary for orthodontic treatment planning;
- be subject to enhanced technical and organisational security measures;
- rely on a valid legal basis established and maintained by the Controller.
4. CONTROLLER OBLIGATIONS.
4.1. Lawful Instructions.
The Controller represents, warrants, and undertakes that:
- it has established and maintains a valid legal basis under applicable data protection laws, including Article 6 and, where applicable, Article 9 of the GDPR, for all Processing of Personal Data carried out under this DPA;
- it has obtained, recorded, and can demonstrate all necessary patient consents, authorisations, or other lawful permissions required for the Processing of Personal Data, including special category health data;
- all instructions provided to the Processor are lawful, documented, and compliant with applicable data protection, medical confidentiality, and healthcare regulations.
4.2. Responsibility for Data Accuracy and Content.
The Controller is solely responsible for:
- the accuracy, completeness, quality, and currency of all Personal Data submitted to the Platform;
- ensuring that Personal Data uploaded does not infringe third-party rights or violate applicable law;
- maintaining appropriate records demonstrating compliance with data protection obligations.
4.3. Responsibility for Data Subject Information.
The Controller shall be solely responsible for:
- providing Data Subjects with all required information notices under applicable data protection laws;
- ensuring transparency regarding Processing activities carried out via the Platform;
- handling communications with Data Subjects unless otherwise expressly agreed in writing.
4.4. Clinical Responsibility and Regulatory Obligation.
The Controller acknowledges and agrees that:
- the Platform and services provided by the Processor constitute technical, administrative, and workflow-support tools and do not constitute medical advice, diagnosis, or clinical decision-making;
- the Processor does not replace, override, or assume responsibility for professional clinical judgment exercised by dentists, orthodontists, or other licensed professionals;
- the Controller remains solely responsible for all diagnoses, treatment planning decisions, clinical outcomes, patient care, and compliance with applicable medical, professional, and healthcare laws and regulations;
- the Platform is not intended to function as a regulated medical device unless and until expressly designated as such under applicable law, and no responsibility for medical device compliance is assumed by the Processor unless expressly agreed in writing.
5. PROCESSOR OBLIGATIONS.
5.1. Processing on Instructions.
The Processor shall Process Personal Data only on documented instructions from the Controller, including with regard to:
- the purpose and scope of Processing;
- categories of Personal Data and Data Subjects;
- transfers of Personal Data to third countries or international organisations.
Where the Processor is required by applicable law to Process Personal Data outside the Controller’s instructions, the Processor shall, to the extent legally permitted, inform the Controller of such legal requirement prior to Processing.
5.2. Confidentiality of Processing Personnel.
The Processor shall ensure that all persons authorised to Process Personal Data:
- are subject to binding confidentiality obligations, whether contractual or statutory;
- receive appropriate training on data protection and information security;
- access Personal Data only to the extent necessary to perform their assigned duties.
5.3. Technical and Organisational Measures.
Taking into account the state of the art, the costs of implementation, and the nature of the Processing, the Processor shall implement and maintain appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk, including, without limitation:
- encryption of Personal Data at rest and in transit;
- role-based access controls and authentication mechanisms;
- logging and monitoring of access to Personal Data;
- secure backup and disaster recovery procedures;
- systems for detecting, responding to, and mitigating security incidents.
5.4. Continuous Improvement.
The Processor shall periodically review and, where appropriate, update its technical and organisational measures to address evolving security risks, technological developments, and regulatory guidance.
6. SUB-PROCESSORS.
6.1. Authorised Sub-Processors.
The Controller provides general authorisation for the Processor to engage Sub-Processors for the following categories of services:
- hosting and cloud infrastructure;
- database, storage, and backup services;
- email delivery for transactional communications;
- customer support and ticketing tools;
- payment processing services, when activated.
6.2. Notification.
The Processor shall notify the Controller of any intended addition or replacement of Sub-Processors without undue delay, and, in any event, within thirty (30) days of such change becoming effective.
6.3. Right to Object.
The Controller may object to the engagement of a new Sub-Processor on reasonable grounds relating to data protection. Any objection must be raised in writing within a reasonable period following notification. The Parties shall cooperate in good faith to address such objection, including by implementing additional safeguards where appropriate.
6.4. Flow-Down Obligations.
The Processor shall ensure that each Sub-Processor is bound by a written agreement imposing data protection obligations that are no less protective than those set out in this DPA, including obligations relating to:
- confidentiality;
- security measures;
- international transfers;
- assistance with Data Subject rights;
- breach notification.
6.5. Processor Liability for Sub-Processors.
The Processor shall remain fully responsible to the Controller for the performance of its Sub-Processors’ obligations in accordance with this DPA.
7. INTERNATIONAL DATA TRANSFERS.
7.1. Access Outside the EU/EEA.
The Controller acknowledges and authorises that Personal Data may be accessed remotely by the Processor’s authorised personnel, contractors, and orthodontic treatment planners located outside the European Union and the European Economic Area, solely for the purposes of providing the services under the Main Agreement and in accordance with documented instructions of the Controller. Such access shall be limited to individuals who are:
- subject to confidentiality obligations;
- trained in data protection and information security;
- granted access strictly on a role-based, need-to-know basis.
7.2. Transfer Mechanism Safeguards.
Where access to or Processing of Personal Data constitutes a transfer of Personal Data outside the EU/EEA, the Processor shall ensure that such transfers are subject to appropriate safeguards in accordance with Chapter V of the GDPR, including, as applicable:
- the European Commission-approved Standard Contractual Clauses (Module Two - Controller to Processor);
- the UK GDPR International Data Transfer Addendum;
- any replacement or successor transfer mechanisms recognised under applicable law.
7.3. Supplementary Technical and Organisational Measures.
In addition to contractual safeguards, the Processor shall implement supplementary technical and organisational measures designed to ensure a level of protection essentially equivalent to that guaranteed within the EU, including, where appropriate:
- encryption of Personal Data in transit and at rest;
- access controls and authentication mechanisms;
- logging and monitoring of access;
- policies governing remote access and device security.
7.4. Countries of Access.
Personal Data may be accessed from the European Union, the United States, the United Kingdom, and solely where such access is necessary for the performance of the services and subject at all times to appropriate legal, technical, and organisational safeguards in accordance with this DPA and applicable data protection law.
8. DATA SUBJECT RIGHTS.
8.1. Assistance.
Taking into account the nature of the Processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as reasonably possible, in fulfilling the Controller’s obligation to respond to requests from Data Subjects to exercise their rights under applicable data protection law, including rights of access, rectification, erasure, restriction, portability, and objection.
8.2. Handling Methods.
Data Subject requests shall be handled manually through secure email communication. The Processor shall not respond directly to Data Subjects unless expressly instructed in writing by the Controller or required by applicable law.
8.3. Timeline.
The Processor shall provide reasonable assistance to enable the Controller to respond to Data Subject requests within the statutory timeframe and in any event within thirty (30) days of receipt of the request by the Controller.
8.4. Verification and Security.
The Processor shall take reasonable steps to assist the Controller in verifying the identity of the Data Subject making the request and shall ensure that Personal Data is disclosed only to duly authorised recipients.
9. PERSONAL DATA BREACH.
9.1. Notification Obligation.
The Processor shall notify the Controller without undue delay, and in any event within seventy-two (72) hours after becoming aware of a Personal Data Breach affecting Personal Data Processed under this DPA.
9.2. Content of Breach Notification.
The notification shall, to the extent known at the time, include:
- a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned;
- the likely consequences of the Personal Data Breach;
- the measures taken or proposed to address the Personal Data Breach, including measures to mitigate its possible adverse effects.
9.3. Ongoing Cooperation.
The Processor shall promptly provide additional information as it becomes available and shall cooperate fully with the Controller in:
- investigating the Personal Data Breach;
- complying with notification obligations to Supervisory Authorities and Data Subjects;
- implementing remedial and preventive measures.
9.4. No Admission of Fault.
Breach notifications provided under this Section shall not be construed as an admission of fault or liability by the Processor.
10. DATA RETENTION AND DELETION.
10.1. Deletion After Termination.
Upon termination or expiration of the Main Agreement or this DPA for any reason, the Processor shall, at the election of the Controller and subject to applicable law:
- permanently delete all Personal Data Processed on behalf of the Controller; or
- return such Personal Data to the Controller in a commonly used, structured, and machine-readable format.
Deletion shall occur within a thirty (30) day buffer period following termination, during which time the Controller may retrieve or export its Personal Data. After the expiration of this buffer period, the Processor shall permanently delete such Personal Data from its active systems.
10.2. Backup and Archival Systems.
Notwithstanding Section 10.1, Personal Data contained in backup, disaster recovery, or archival systems may be retained for up to ninety (90) days, provided that:
- such Personal Data is not actively Processed during the retention period;
- access is strictly limited to security, recovery, or compliance purposes;
- deletion occurs automatically in accordance with the Processor’s standard backup cycles.
Backup retention shall not extend the permitted use of Personal Data beyond the purposes defined in this DPA.
10.3. Certification of Deletion.
Upon written request by the Controller, the Processor shall provide written certification confirming that deletion of Personal Data has been completed in accordance with this Section 10, except to the extent retention is required by applicable law.
10.4. Post-Termination Access.
Following termination, the Controller shall be granted access to the Platform solely for the purpose of exporting Personal Data for a period of thirty (30) days. Such access shall be read-only and subject to the same security and confidentiality obligations applicable during the term of the Main Agreement.
11. AUDITS AND COMPLIANCE.
11.1. Demonstration of Compliance.
The Processor shall make available to the Controller, upon reasonable request, information necessary to demonstrate compliance with this DPA and Article 28 of the GDPR, including relevant policies, certifications, and summaries of technical and organisational measures.
11.2. Audit Rights.
Where the information provided under Section 11.1 is insufficient, the Controller may conduct an audit of the Processor’s data protection practices, provided that:
- audits are conducted no more than once per calendar year, unless required by a Supervisory Authority or triggered by a Personal Data Breach;
- the Controller provides at least thirty (30) days’ prior written notice;
- audits are conducted during normal business hours and in a manner that minimises disruption.
11.3. Cooperation and Information Obligations.
Audits shall not:
- compromise the confidentiality of other customers’ data;
- expose proprietary or trade-secret information of the Processor beyond what is strictly necessary;
- require access to source code or internal systems not relevant to data protection compliance.
11.4. Cost Allocation.
Unless otherwise required by applicable law or a Supervisory Authority, the Controller shall bear its own costs associated with any audit conducted under this Section. The Processor shall not charge for reasonable cooperation time unless audits are excessive, repetitive, or conducted in bad faith, provided that any such charges shall be reasonable and proportionate.
12. LIABILITY.
12.1. Allocation of Liability.
Each Party shall be liable for damages caused by its own breach of this DPA or applicable data protection law, subject to the limitations set forth herein.
12.2. Liability Cap.
To the maximum extent permitted by law, the Processor’s total aggregate liability arising out of or in connection with this DPA shall not exceed an amount equal to six (6) months of fees paid or payable under the Main Agreement in the six (6) months preceding the event giving rise to the claim.
12.3. Excluded Damages.
Except in cases of wilful misconduct or where liability cannot be limited under applicable law, neither Party shall be liable for:
- indirect or consequential damages;
- loss of profit, revenue, or business opportunity;
- loss of data not attributable to a breach of this DPA.
12.4. Data Protection Fines.
Nothing in this Section shall limit liability where such limitation is prohibited by applicable data protection law, including administrative fines imposed directly on a Party by a Supervisory Authority.
13. TERMINATION.
13.1. Termination for Material Breach.
Either Party may terminate this DPA immediately upon written notice if the other Party commits a material breach of this DPA and fails to cure such breach within thirty (30) days of receiving written notice, where such breach is capable of cure.
13.2. Effect.
Termination of this DPA shall not affect:
- any rights or obligations accrued prior to termination;
- the survival of confidentiality, data protection, audit, and liability provisions;
- any obligations required by applicable law to continue after termination.
14. GOVERNING LAW AND JURISDICTION.
14.1. Governing Law.
This DPA and any dispute, claim, or obligation arising out of or in connection with it shall be governed by and construed in accordance with the laws of Estonia, without regard to conflict-of-law principles.
14.2. Exclusive Jurisdiction.
The courts of Estonia shall have exclusive jurisdiction over any dispute arising out of or in connection with this DPA. Each Party irrevocably submits to such
14.3. Regulatory Carve-Out.
Nothing in this DPA shall restrict or limit the rights of any Data Subject or the powers, duties, or authority of any Supervisory Authority under applicable data protection law.
ANNEX I – DETAILS OF PROCESSING
A. Parties
Controller: The clinic, dentist, orthodontist, or dental organisation entering into the Main Agreement.
Processor: AlineCloud OÜ.
B. Subject Matter of Processing
Provision of a B2B orthodontic treatment planning platform and related technical and operational services.
C. Nature and Purpose of Processing
Processing activities include hosting, storing, modifying, and delivering digital orthodontic treatment plans and facilitating secure communication between authorised users.
D. Categories of Data Subjects
Patients of the Controller, dentists, orthodontists, clinic staff, and authorised users.
E. Categories of Personal Data
Patient photographs, scans, clinical files, treatment plans, professional identification data, account credentials, usage logs, and billing data (where applicable).
F. Special Categories of Data
Health data processed solely on the documented instructions of the Controller for orthodontic treatment planning purposes.
G. Duration of Processing
For the duration of the Main Agreement and any post-termination retention period specified in the DPA.
ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES
The Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- encryption of Personal Data at rest and in transit;
- role-based access controls and authentication mechanisms;
- access logging and monitoring;
- secure backup and recovery procedures;
- incident detection and response processes;
- confidentiality obligations for authorised personnel.
Measures are reviewed periodically and updated as necessary to address evolving risks and regulatory expectations.
ANNEX III – SUB-PROCESSORS
The Controller authorises the engagement of Sub-Processors for the following categories of services:
- cloud hosting, infrastructure, storage, and backup services;
- transactional email delivery services;
- customer support and ticketing tools;
- payment processing services, where activated.
Sub-Processors are engaged under written agreements imposing data protection obligations no less protective than those set out in this DPA.