
Data Processing Addendum

Last updated: April 2026

This Data Processing Addendum ("DPA") forms part of the Terms & Conditions between Kuumba (Pty) Ltd, trading as Cavitech AI ("Cavitech", "we", "us", "Processor"), and the dental practice, organisation, or individual licensed professional accepting these Terms ("Customer", "you", "Controller"). It governs the processing of Personal Data that Cavitech carries out on the Customer’s instructions when the Customer uses the Cavitech AI platform. It is entered into to satisfy Article 28 of Regulation (EU) 2016/679 (GDPR), the UK General Data Protection Regulation, and section 21 of the Protection of Personal Information Act 4 of 2013 (POPIA). It is automatically incorporated into the Terms when you accept them on signup. If you are a HIPAA Covered Entity in the United States, our HIPAA Business Associate Agreement also applies in addition to this DPA, and its HIPAA-specific terms prevail for the processing of Protected Health Information.

01

Definitions

Terms capitalised in this DPA carry the meaning given to them in the Terms & Conditions or in the applicable data-protection law. In particular:

  • Personal Data means any information relating to an identified or identifiable natural person, including patient health information processed through the platform.
  • Controller / Responsible Party: the Customer, who determines the purposes and means of the processing.
  • Processor / Operator: Cavitech, who processes Personal Data on the Controller’s behalf.
  • Sub-processor: any third-party processor engaged by Cavitech to process Personal Data on the Controller’s behalf. The current list is published at /legal/subprocessors.
  • Data Subject: the natural person to whom the Personal Data relates — typically a patient or an authorised user.
  • Security Incident: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.

02

Scope, roles & nature of processing

Roles.

The Customer is the Controller / Responsible Party of Personal Data uploaded to or generated within the platform on their behalf. Cavitech is the Processor / Operator. Where the Customer is itself acting as a processor for a third party (for example, a dental service organisation operating on behalf of member practices), Cavitech acts as a sub-processor to that arrangement.

Subject matter and duration.

The subject matter is the provision of the Cavitech AI platform and related services. The duration of processing is the Customer’s active subscription term plus any post-termination retention described in Section 10.

Nature and purpose of processing.

Cavitech processes Personal Data to operate the platform’s AI clinical features, generate reports, power the ambient scribe, manage appointments and recalls, and perform administrative workflows. Processing is strictly limited to what is necessary for these purposes and to the Customer’s documented instructions.

Categories of data subjects.

Patients of the Customer, authorised users of the Customer (dentists, hygienists, support staff, team members), referring practitioners, and invitees.

Categories of Personal Data.

Identifying data (name, date of birth, contact details), special category health data (dental and medical history, radiographs, intraoral photographs, CBCT volumes, clinical notes, treatment plans, scribe transcriptions, AI-generated findings), authentication data, device and session metadata.

03

Processing only on the Controller's instructions

Cavitech will process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by law. The Customer’s acceptance of these Terms and use of the platform constitutes their documented instructions for the processing described in Section 2.

Cavitech will immediately inform the Controller if, in its opinion, an instruction infringes applicable data-protection law.

Cavitech will not use Personal Data for the purpose of training, fine-tuning or improving any machine-learning or artificial-intelligence model, whether its own or a third party’s. This prohibition is absolute for the duration of this DPA.

04

Confidentiality of personnel

Cavitech ensures that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Customer Personal Data is restricted on a strict need-to-know basis and audited. All personnel with production-data access are bound by confidentiality provisions in their employment or service contracts.

05

Security of processing

Cavitech implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, where appropriate:

  • Encryption of Personal Data at rest (AES-256) and in transit (TLS 1.3).
  • Strict organisation-scoped access isolation enforced in application, database, and file-storage layers.
  • Session-based authentication with CSRF protection and rate limiting on authenticated endpoints.
  • Separation of AI-inference infrastructure from public endpoints; no patient Personal Data is transmitted to third-party AI APIs for medical-device features.
  • Regular review of access controls, backups, and recovery procedures.
  • Logging of access to Personal Data sufficient to detect anomalous activity.

A current summary of our technical and organisational measures is available on request to security@kuumba.dev.

06

Sub-processors

The Customer provides general written authorisation for Cavitech to engage Sub-processors for the purposes described in Section 2. The current Sub-processor list is maintained at /legal/subprocessors and identifies each Sub-processor’s role, region, and governing privacy statement.

Cavitech will give the Customer reasonable advance notice of any intended addition or replacement of Sub-processors by updating the Sub-processor page and, where the Customer has subscribed, by email. The Customer may object on reasonable data-protection grounds within 30 days, in which case the parties will co-operate in good faith to identify a resolution. Failing resolution, the Customer may terminate the affected service for convenience.

Cavitech remains fully liable to the Customer for the performance of each Sub-processor’s obligations. Cavitech imposes data-protection obligations on each Sub-processor that are substantively equivalent to those in this DPA.

07

Assistance with data-subject rights

Taking into account the nature of the processing, Cavitech assists the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights (access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making).

If Cavitech receives a data-subject request directly, Cavitech will promptly forward it to the Controller and will not respond to the data subject directly except at the Controller’s documented instruction or as required by law.

08

Security-incident and personal-data-breach notification

Cavitech notifies the Controller without undue delay — and in any event within 72 hours of becoming aware of it — of any Security Incident affecting Personal Data processed under this DPA. The notification includes, as far as possible:

  • The nature of the Security Incident, including the categories and approximate number of data subjects and records concerned.
  • The name and contact details of Cavitech’s point of contact for further information.
  • The likely consequences of the Security Incident.
  • The measures taken or proposed to address the Security Incident, including mitigations of adverse effects.

Cavitech reasonably assists the Controller in complying with its own notification obligations to supervisory authorities and affected data subjects.

09

DPIAs, audits & information

Cavitech provides the Controller, on reasonable written request, with all information necessary to demonstrate compliance with this DPA, and reasonably assists the Controller in carrying out Data Protection Impact Assessments and prior consultations under GDPR Articles 35-36, UK-DPA equivalents, and POPIA.

Cavitech allows for and contributes to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. In practice, Cavitech satisfies audit rights by providing its security and compliance documentation on request; on-site audits may be scheduled where the Controller has a reasonable basis to require one and agrees to commercially sensible notice, confidentiality, and scope constraints.

10

Return or deletion of Personal Data

On termination of the services, or on the Controller’s written request at any time, Cavitech will, at the Controller’s election, return all Personal Data to the Controller or delete existing copies. A 30-day export window is provided by default. After that window, Personal Data is permanently deleted from production systems; residual copies are removed from backups on the ordinary backup rotation cycle.

Cavitech may retain Personal Data to the extent required by law, in which case the same security, confidentiality and use restrictions of this DPA continue to apply.

11

International transfers

Some Sub-processors are located outside the Controller’s jurisdiction. Where Personal Data is transferred to a country that does not benefit from an adequacy decision under GDPR / UK-GDPR, or to a country that is not a prescribed country under POPIA, the parties rely on the Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision (EU) 2021/914) and the UK International Data Transfer Addendum issued by the Information Commissioner’s Office, both of which are incorporated into this DPA by reference. For POPIA, Cavitech relies on section 72(1)(a) where the data subject has consented, or section 72(1)(b) where the transfer is necessary for the performance of a contract between the Controller and Cavitech.

12

Precedence, amendment & governing law

If there is any conflict between this DPA and the Terms & Conditions in relation to the processing of Personal Data, this DPA prevails. Cavitech may update this DPA from time to time to reflect changes in law or in Cavitech’s processing activities. Material changes will trigger a version bump of the onboarding acknowledgement, and Customers will be asked to re-accept.

This DPA is governed by the law of the Republic of South Africa, without prejudice to the mandatory application of EU / UK data-protection law where it applies to a particular transfer or data subject.

Accountability

Named officers & contacts

Registered entity: Kuumba (Pty) Ltd trading as Cavitech AI
Registered address: 2 Farrar Street, Comet, Boksburg, Gauteng, South Africa

Data protection contact

For any matter arising under this DPA — including data-subject requests received by Cavitech, security-incident notifications, or Sub-processor objections — contact our data-protection team at privacy@kuumba.dev. For security-specific inquiries, security@kuumba.dev.
