This page lists the third parties (“Sub-processors”) that Cavitech AI engages to process personal data on behalf of its customers. It is maintained in accordance with Article 28(2) of the GDPR, the equivalent UK-GDPR provisions, and section 21 of the Protection of Personal Information Act 4 of 2013 (POPIA), and is incorporated into our Data Processing Addendum.
The following sub-processors may process customer personal data in the course of delivering the Cavitech AI service. For each, we identify the purpose, the categories of personal data involved, the region in which the processing takes place, and a link to the sub-processor’s own privacy or trust page.
Primary application database. Stores patient records, users, organisations, appointments, findings, notes, treatment plans, and audit logs.
Data categories: Identifying data · health data · authentication data
Object storage for uploaded files — radiographs, intraoral photographs, CBCT volumes, generated annotated images, signatures, practice logos, profile photos.
Data categories: Health data (imaging) · identifying data (practice + user assets)
Speech-to-text transcription for the Ambient Scribe feature. Audio bytes are sent for transcription and not retained by Groq after processing.
Data categories: Clinical audio (ephemeral)
Routing layer for large-language-model inference — chat, treatment-plan drafting, SOAP-note synthesis, referral-letter drafting, soft-tissue narrative generation.
Data categories: Clinical text prompts (no patient imaging)
GPU serverless infrastructure for 3D CBCT projection, TMJ video/audio processing, and other heavy inference workloads. Data is processed ephemerally and not retained after each job.
Data categories: Health data (imaging, video, audio) — ephemeral
Hosts the private Cavitech AI inference server for the dental image-analysis models (teeth detection, pathology detection, bone segmentation).
Data categories: Radiograph imaging (ephemeral)
Transactional email delivery — sign-in codes, welcome emails, appointment reminders, recall notices, team invitations, password resets.
Data categories: Email address · communication metadata
Hosting and global edge delivery for the Cavitech AI web application and marketing website.
Data categories: Request metadata · IP address · session cookies
Cavitech provides reasonable advance notice of any intended addition or replacement of a sub-processor by updating this page, updating the page’s “Last updated” date, and — where the customer has subscribed — sending an email notification to the customer’s primary billing contact.
Customers may object on reasonable data-protection grounds within 30 days of notification. If the parties cannot agree on a resolution, the customer may terminate the affected service for convenience in accordance with the Data Processing Addendum.
For a description of the safeguards applied to international transfers, and the roles and responsibilities between Cavitech and its customers, see the Data Processing Addendum and the Privacy Policy.
Concerns about an existing or prospective sub-processor, or requests for further information about our processing arrangements, should be sent to privacy@kuumba.dev.
Cavitech AI