Data Processing Agreement

DATA PROCESSING AGREEMENT (DPA)
Premium Soft Ventures – Dentalogic

Last updated: 2026-02-12

This Data Processing Agreement ("DPA") forms part of the agreement between Premium Soft Ventures ("Processor") and the customer entity ("Controller") that uses the Dentalogic Service.

This DPA applies where and to the extent that Premium Soft Ventures processes Personal Data on behalf of the Controller in the course of providing the Service, under the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR") and Irish data protection law.

1. Parties
Processor:
Premium Soft Ventures
Address: 13 Ard na Greine, New Ross, Co. Wexford, Y34NH67, Ireland
CRO: 758213
Email: ireland.psv@gmail.com

Controller:
The entity identified in the applicable order form / account registration.

2. Definitions
Terms such as "Personal Data", "Processing", "Controller", "Processor", "Data Subject", "Supervisory Authority" have the meanings given in the GDPR.

3. Subject matter and duration
3.1 Subject matter: Provision of the Dentalogic CRM Service.
3.2 Duration: From the Effective Date until termination/expiry of the Customer's Subscription, plus any limited post-termination period described in this DPA for return/deletion.

4. Nature and purpose of processing
Processor will process Personal Data to:
- Host, store, transmit, and display Customer Data as instructed by Controller
- Provide customer support and technical operations
- Maintain and secure the Service

5. Types of personal data and categories of data subjects
See Annex 1.

6. Controller obligations
Controller is responsible for:
- Determining lawful basis for processing and providing required notices to Data Subjects
- Ensuring it has rights/permissions to upload and process data (including special category data)
- Configuring the Service appropriately (roles, access controls)
- Handling Data Subject requests unless otherwise agreed

7. Processor obligations
7.1 Instructions: Processor will process Personal Data only on documented instructions from Controller, including with respect to transfers outside the EEA.
7.2 Confidentiality: Processor ensures personnel are bound by confidentiality.
7.3 Security: Processor implements appropriate technical and organizational measures (see Annex 2).
7.4 Subprocessors: Processor may engage subprocessors (see Section 9).
7.5 Assistance: Processor will assist Controller in meeting GDPR obligations, including security, DPIAs, and consultation with Supervisory Authorities, taking into account the nature of processing.
7.6 Data Subject requests: Processor will promptly notify Controller if it receives a request from a Data Subject and will not respond except on Controller's documented instruction.
7.7 Breach notification: Processor will notify Controller without undue delay after becoming aware of a Personal Data Breach affecting Customer Data and provide information reasonably required to support Controller's obligations.
7.8 Deletion/return: Upon termination, Processor will delete or return Personal Data as described in Section 12.

8. Special category data
The Service may process special category data (e.g., health data) if Controller uploads such data. Controller is responsible for ensuring it meets the additional GDPR requirements for special category data and that it has appropriate lawful basis and safeguards.

9. Subprocessors
9.1 Authorization: Controller provides general authorization for Processor to engage subprocessors for the Service.
9.2 Protections: Processor will impose data protection obligations on subprocessors no less protective than this DPA.
9.3 List: Controller may request a current list of subprocessors by contacting ireland.psv@gmail.com.
9.4 Liability: Processor remains responsible for subprocessors' performance of their obligations.

10. International data transfers
Where processing involves transfers outside the EEA, Processor will ensure appropriate safeguards (e.g., EU Standard Contractual Clauses) and, where required, supplementary measures.

11. Audits
Controller may audit Processor's compliance with this DPA no more than once per 12-month period, with reasonable prior notice, and subject to confidentiality and security constraints. Processor may satisfy audit requests by providing relevant third-party audit reports or security documentation where available.

12. Deletion / return of data
Upon termination or expiry of the Subscription, Processor will:
- Make Customer Data available for export for a limited period (if applicable), and
- Thereafter delete or anonymize Customer Data within a reasonable time, unless retention is required by law.

13. Liability
Liability under this DPA is subject to the limitations and exclusions in the main Terms and Conditions, to the extent permitted by law.

14. Order of precedence
If there is a conflict between this DPA and the Terms, this DPA will prevail solely with respect to data protection obligations.

ANNEX 1 – PROCESSING DETAILS
A. Subject matter: SaaS CRM for dental clinics.
B. Nature of processing: collection, recording, organization, structuring, storage, retrieval, consultation, use, disclosure by transmission, and deletion.
C. Purpose: providing, maintaining, and supporting the Service.
D. Categories of Data Subjects (examples): patients, prospective patients, clinic staff, clinic administrators, contractors.
E. Types of Personal Data (examples):
- Identification data (name, date of birth, patient ID)
- Contact details (email, phone, address)
- Appointment and treatment-related data
- Notes entered by clinic staff
- Billing/invoice references (as uploaded by Controller)
F. Special categories: health data may be processed if uploaded.

ANNEX 2 – TECHNICAL AND ORGANIZATIONAL MEASURES (TOMs)
Processor maintains measures appropriate to risk, which may include:
- Access controls (role-based access, least privilege)
- Authentication controls (strong passwords; optional MFA if enabled)
- Encryption in transit (TLS)
- Encryption at rest where appropriate
- Logging and monitoring of system events
- Backup and recovery procedures
- Vulnerability management and patching
- Segregation of environments and tenant isolation measures
- Incident response procedures

Note: This annex describes a baseline. Specific measures may evolve over time.