This Data Processing Agreement ("DPA") forms part of the Terms and Conditions or any other main service agreement ("Main Agreement") between:
BrightPlans Kft. (registered address: 4300 Nyírbátor, Bartók u. 2, Hungary), referred to as the "Processor," "we," "us," or "our";
and
The customer accepting the Main Agreement, referred to as the "Controller," "you," or "your."
This DPA is intended to ensure that the processing of Personal Data by the Processor on behalf of the Controller complies with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council (the "GDPR") and other applicable data protection laws.
1.1. The Processor agrees to process Personal Data received from the Controller only for the purposes of providing the services as specified in the Main Agreement and in accordance with the documented instructions of the Controller, the Main Agreement, and this DPA.
1.2. The details of the data processing activities (subject matter, duration, nature, purpose, categories of data subjects, and types of personal data) are set out in Appendix 1 of this DPA.
2.1. Processing According to Instructions: The Processor shall process Personal Data only on the documented instructions of the Controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by Union or Member State law to which the Processor is subject.
2.2. Confidentiality: The Processor shall ensure that its personnel authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
2.3. Data Security: The Processor shall implement and maintain appropriate technical and organizational measures ("TOMs") to ensure a level of security appropriate to the risk, as required by Article 32 of the GDPR. A list of these measures is provided in Appendix 2.
2.4. Use of Sub-processors: The Processor shall not engage any other processor ("Sub-processor") without the prior specific or general written authorization of the Controller. By entering into this DPA, the Controller provides general authorization for the engagement of the Sub-processors listed in Appendix 3. The Processor will inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Controller the opportunity to object to such changes. The Processor shall remain fully liable to the Controller for the performance of that Sub-processor's data protection obligations.
2.5. Assistance with Data Subject Rights: The Processor shall, to the extent legally possible, provide reasonable assistance to the Controller with the fulfillment of the Controller's obligation to respond to requests for exercising the data subject's rights (e.g., access, rectification, erasure).
2.6. Data Breach Notification: In the event of a Personal Data Breach, the Processor shall notify the Controller without undue delay, and in any case within 48 hours of becoming aware of the breach. The notification shall include all necessary information to enable the Controller to meet its own reporting obligations under Article 33 of the GDPR.
3.1. The Controller is responsible for the lawfulness of the personal data processing and for ensuring a valid legal basis for it.
3.2. The Controller is responsible for ensuring that its instructions to the Processor are lawful.
4.1. Upon termination of the Main Agreement, the Processor shall, at the choice of the Controller, delete or return all Personal Data to the Controller.
4.2. The Controller is responsible for exporting all necessary data (e.g., generated plans in PDF format) from the service before the termination of the Main Agreement.
4.3. Within 30 days following the termination of the Main Agreement, the Processor will delete all Personal Data related to the Controller from its active systems. Personal Data will be permanently deleted from backups in accordance with the backup cycle, but no later than 60 days following the termination.
5.1. This DPA shall remain in effect for as long as the Processor processes Personal Data on behalf of the Controller under the Main Agreement.
5.2. In case of any conflict, the terms of this DPA shall prevail over the terms of the Main Agreement.
5.3. This DPA is governed by the laws of Hungary. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of Debrecen, Hungary.
Appendix 1: Details of Processing
Item | Description |
---|---|
Subject Matter and Purpose of Processing | To provide the BrightPlans software service, which enables the Controller to create, store, manage, and present dental treatment plans for its patients and users, in accordance with the Main Agreement. |
Duration of Processing | For the term of the Main Agreement between the Parties. |
Categories of Data Subjects | Patients of the Controller; Users (clinic staff) of the Controller. |
Types of Personal Data | Patients: general data (name, email address, date of birth); special categories of personal data (health data): dental status, diagnoses, treatment plan descriptions, dental X-rays, photos of the oral cavity. Users (clinic staff): name, email address, phone number. |
Appendix 2: Technical and Organizational Measures
Measure | Description |
---|---|
Encryption | Personal Data is encrypted both at rest and in transit (using SSL/TLS). |
Access Control | Access to Personal Data is strictly controlled and limited to authorized personnel (e.g., system administrators, support team) on a need-to-know basis, based on documented, case-by-case permissions. |
Backups | Encrypted backups of the system are performed on a daily and weekly basis. Backups are stored separately in a secure environment. |
Network and Physical Security | The service's infrastructure is hosted in secure, internationally certified data centers (e.g., ISO 27001). Generated plans (PDFs) are stored in the Amazon Web Services (AWS) Frankfurt region, and databases are hosted on a virtual private server (VPS) provided by Linuxweb Kft. (Hungary). |
Incident Management | The Processor maintains an incident response plan to ensure the prompt and effective detection, investigation, and handling of data breaches. |
Appendix 3: Authorized Sub-processors
Sub-processor Company | Service Type | Location of Processing (Country) |
---|---|---|
Amazon Web Services EMEA SARL | File Storage (e.g., PDF plans) | Ireland (EU) / Global |
Linuxweb Kft. | VPS Hosting | Hungary (EU) |
Paddle.com Market Ltd. | Client billing and contact details | United Kingdom / Ireland (EU) |
Brevo | Marketing Communications | France (EU) / Global |