Data Processing Agreement

Effective Date: February 2026

This Data Processing Agreement ("DPA") is entered into between Lumina Dental Ltd (Company No. 16067035), a company registered in England and Wales ("Processor" or "Lumina"), and the entity subscribing to the Lumina Service ("Controller" or "Customer").

This DPA forms part of and is subject to the Terms of Service between the parties. In the event of any conflict between this DPA and the Terms of Service on matters of data protection, this DPA shall prevail.

This DPA is governed by the UK General Data Protection Regulation (UK GDPR) as incorporated into UK law by the Data Protection Act 2018 and the European Union (Withdrawal) Act 2018.

1. Definitions

In this DPA, the following terms have the meanings set out below. Terms not defined here have the meanings given in the Terms of Service or the UK GDPR, as applicable.

  • "Applicable Data Protection Law" means the UK GDPR, the Data Protection Act 2018, and any other applicable UK legislation relating to the processing of Personal Data and privacy.
  • "Controller" means the Customer, as the entity that determines the purposes and means of Processing Personal Data through the Service.
  • "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
  • "Personal Data" means any information relating to an identified or identifiable natural person that is Processed by the Processor on behalf of the Controller through the Service.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
  • "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure, or destruction.
  • "Processor" means Lumina Dental Ltd, which Processes Personal Data on behalf of the Controller.
  • "Sub-processor" means any third party engaged by the Processor to Process Personal Data on behalf of the Controller.

2. Scope and Roles

2.1 Data Processing Roles

The parties acknowledge and agree that:

  • The Customer is the Data Controller for all Personal Data entered into or processed through the Service by the Customer or its Authorised Users, including patient data, clinical records, and staff information.
  • Lumina is the Data Processor, processing Personal Data solely on behalf of and in accordance with the documented instructions of the Controller.

2.2 Lumina as Controller

Lumina acts as an independent Data Controller (not under this DPA) for the following categories of data:

  • Customer account and organisational information (for account management)
  • Billing and payment information (for invoicing and payment processing)
  • Website visitor data on luminadental.co.uk (for website analytics)
  • Marketing communications data (where consent has been obtained)

Lumina's processing of this data as Controller is governed by the Privacy Policy, not this DPA.

3. Details of Processing

3.1 Subject Matter and Purpose

The Processor shall Process Personal Data for the purpose of providing the Lumina dental practice management platform to the Controller, including:

  • Hosting and storing patient records and clinical data
  • Enabling clinical workflow management and scheduling
  • Providing practice administration and reporting functionality
  • Operating the Patient Portal for patient-facing services
  • Providing AI-assisted features (where enabled by the Controller)
  • Maintaining audit logs and compliance records
  • Performing backups and disaster recovery

3.2 Categories of Data Subjects

  • Patients of the Controller's dental practice(s)
  • Staff and personnel of the Controller (dentists, hygienists, receptionists, managers)
  • Other individuals whose data is entered into the Service by the Controller (such as emergency contacts or guarantors)

3.3 Types of Personal Data

  • Patient Identity Data: Name, date of birth, address, contact details, NHS number
  • Health Data (Special Category): Clinical notes, treatment plans, medical history, dental charts, radiographs, prescriptions
  • Financial Data: Invoice records, payment history, insurance information
  • Staff Data: Staff names, email addresses, roles, access permissions
  • Communication Data: Appointment confirmations, patient correspondence, notes

3.4 Special Category Data

The Processor acknowledges that Personal Data processed under this DPA includes health data, which constitutes special category data under Article 9 of the UK GDPR. The Processor shall apply enhanced protections to such data as described in the security measures set out in this DPA.

3.5 Duration of Processing

Processing will continue for the duration of the Terms of Service between the parties, plus the post-termination retention period described in Section 11 of this DPA.

4. Processor Obligations

The Processor shall:

  • (a) Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law (in which case the Processor shall inform the Controller of that legal requirement before Processing, unless the law prohibits such notification)
  • (b) Ensure that persons authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
  • (c) Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as set out in Section 6
  • (d) Not engage another processor (sub-processor) without prior specific or general written authorisation of the Controller, as set out in Section 7
  • (e) Assist the Controller, taking into account the nature of Processing, by appropriate technical and organisational measures, in fulfilling the Controller's obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law
  • (f) Assist the Controller in ensuring compliance with the obligations under Articles 32 to 36 of the UK GDPR, taking into account the nature of Processing and the information available to the Processor
  • (g) At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires storage of the Personal Data
  • (h) Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller

5. Controller Obligations

The Controller shall:

  • Ensure that it has a valid lawful basis for all Processing of Personal Data that it instructs the Processor to carry out
  • Provide appropriate privacy notices to Data Subjects informing them of the Processing of their Personal Data, including the involvement of Lumina as a Data Processor
  • Obtain any necessary consents from Data Subjects where consent is relied upon as the lawful basis for Processing
  • Ensure that its Processing instructions to the Processor comply with Applicable Data Protection Law
  • Respond to Data Subject rights requests in a timely manner, using the tools and assistance provided by the Processor
  • Maintain appropriate records of Processing activities as required by Article 30 of the UK GDPR
  • Notify the Processor promptly of any changes to Processing instructions or requirements

6. Technical and Organisational Measures

The Processor shall implement and maintain the following technical and organisational measures to protect Personal Data:

6.1 Encryption

  • Encryption at rest using AES-256 for all stored data, including databases, file storage, and backups
  • Encryption in transit using TLS 1.2 or higher for all data transmission
  • HTTP Strict Transport Security (HSTS) enabled across all services

6.2 Access Control

  • Mandatory multi-factor authentication (MFA) for all user accounts
  • Role-based access control (RBAC) with granular permissions
  • Real-time authorisation checks on every API request
  • Complete data isolation between organisations (multi-tenancy controls)
  • Principle of least privilege applied to all system access

6.3 Infrastructure Security

  • All infrastructure hosted in AWS eu-west-2 (London) exclusively
  • Multi-availability-zone deployment for resilience
  • AWS Web Application Firewall (WAF) protection against OWASP Top 10 threats
  • API rate limiting and request throttling
  • Separate production, staging, and development environments with no production data in non-production environments

6.4 Backup and Recovery

  • 35-day rolling point-in-time recovery for all database tables
  • Document versioning for all stored files
  • Deletion protection on production databases
  • Target recovery time objective (RTO) of 4 hours for critical components

6.5 Monitoring and Audit

  • Comprehensive audit logging of all data access and modifications
  • Logs stored in append-only format, encrypted, and retained for compliance
  • Continuous monitoring for anomalous access patterns and security events
  • Automated alerting on security-relevant events

6.6 Personnel

  • All Lumina personnel with access to Personal Data are subject to confidentiality obligations
  • Access to production systems is restricted to authorised personnel on a need-to-know basis
  • Developers do not have access to production data; all development uses synthetic/anonymised data only

7. Sub-processors

7.1 General Authorisation

The Controller provides general written authorisation for the Processor to engage sub-processors, subject to the conditions set out in this Section 7.

7.2 Current Sub-processors

The current list of sub-processors is maintained at luminadental.co.uk/subprocessors and is incorporated into this DPA by reference.

7.3 Notification of Changes

The Processor shall notify the Controller in writing at least 30 days before adding or replacing any sub-processor. The notification shall include the identity of the proposed sub-processor, the Processing it will perform, and its location.

7.4 Right to Object

The Controller may object to a new or replacement sub-processor by notifying the Processor in writing within 14 days of receiving notice. The objection must include reasonable grounds for the objection. The Processor shall make reasonable efforts to address the Controller's concerns or provide an alternative. If the parties cannot resolve the objection, the Controller may terminate the Terms of Service in accordance with the termination provisions therein.

7.5 Sub-processor Obligations

Where the Processor engages a sub-processor, it shall:

  • Impose on the sub-processor, by way of a written contract, data protection obligations no less protective than those set out in this DPA
  • Remain fully liable to the Controller for the performance of the sub-processor's obligations

8. Data Subject Rights

8.1 Assistance

The Processor shall assist the Controller in responding to requests from Data Subjects to exercise their rights under the UK GDPR, including:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)

8.2 Tools Provided

The Processor provides built-in tools within the Service to enable the Controller to fulfil Data Subject rights requests, including data export, record modification, and account deletion functionality. The Controller is responsible for using these tools to respond to Data Subject requests.

8.3 Direct Requests

If the Processor receives a request directly from a Data Subject regarding the Controller's data, the Processor shall promptly redirect the Data Subject to the Controller and notify the Controller of the request. The Processor shall not respond to the Data Subject directly unless instructed to do so by the Controller or required by applicable law.

9. Personal Data Breach

9.1 Notification

The Processor shall notify the Controller without undue delay upon becoming aware of a Personal Data Breach affecting the Controller's data. The notification shall include, to the extent known at the time:

  • The nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects and Personal Data records concerned
  • The likely consequences of the Personal Data Breach
  • The measures taken or proposed to be taken to address the breach, including measures to mitigate possible adverse effects
  • The name and contact details of the Processor's point of contact for further information

9.2 Cooperation

The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Personal Data Breach. The Processor shall provide such additional information as becomes available on an ongoing basis.

9.3 Controller's Obligations

The Controller is responsible for determining whether to notify the Information Commissioner's Office (ICO) and affected Data Subjects in accordance with Articles 33 and 34 of the UK GDPR. The Processor shall assist the Controller with such notifications as reasonably requested.

10. International Transfers

The Processor shall not transfer Personal Data outside the United Kingdom unless:

  • The transfer is to a country or territory that has been deemed to provide an adequate level of protection by the UK Secretary of State under Section 17A of the Data Protection Act 2018
  • Appropriate safeguards are in place in accordance with Article 46 of the UK GDPR (such as the International Data Transfer Agreement)
  • The Controller has provided prior written consent to the transfer

Customer Data is processed and stored within the United Kingdom (AWS eu-west-2, London). Payment processing via Stripe may involve processing outside the UK. Where any transfer of Personal Data outside the UK is required, appropriate safeguards will be used in accordance with Applicable Data Protection Law. Full details are set out in the Sub-processor Schedule.

11. Data Retention and Deletion

11.1 During the Subscription

Personal Data is retained for the duration of the Controller's active subscription. The Controller may delete individual records at any time using the tools provided in the Service. Deleted records are removed from active systems promptly. Backup copies of deleted records will expire within the 35-day rolling backup window.

11.2 Post-Termination

Following termination of the Terms of Service, the following timeline applies unless the Controller instructs otherwise in writing or applicable law requires retention:

  • Read-only access (30 days): The Controller has 30 days of read-only access to view and export data
  • Retention buffer (30 days): After read-only access expires, data is retained in encrypted form for an additional 30 days for outstanding export requests or dispute resolution
  • Secure deletion: After the retention buffer expires, all Personal Data is securely and permanently deleted from active systems
  • Backup expiry: Backup copies expire naturally within 35 days of deletion from active systems

11.3 Extended Retention

If the Controller requires extended retention beyond the standard timeline (for example, to comply with GDC record retention requirements), the Controller must provide written instructions to Lumina before the end of the retention buffer period. Extended retention will be subject to a separate written agreement and may incur additional fees.

11.4 Confirmation of Deletion

Upon reasonable request, the Processor shall provide the Controller with written confirmation that Personal Data has been deleted in accordance with this Section.

12. Audits and Inspections

12.1 Audit Rights

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA. The Controller (or an independent auditor appointed by the Controller) may conduct audits of the Processor's data processing practices, subject to the following conditions:

  • The Controller shall provide at least 30 days' advance written notice of any audit
  • Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's operations
  • The Controller shall bear its own costs in conducting the audit
  • The auditor must agree to reasonable confidentiality obligations
  • Audits shall be limited to once per 12-month period, unless a Personal Data Breach has occurred or is suspected, or the Controller is required to audit by a supervisory authority

12.2 Alternative Evidence

The Processor may satisfy the Controller's audit requirements by providing relevant certifications, audit reports, or other evidence of compliance, where such documentation addresses the Controller's reasonable concerns.

13. AI-Assisted Processing

Where the Controller enables AI-assisted features within the Service, the following additional provisions apply:

  • AI features are optional and must be explicitly enabled by the Controller
  • Prompts submitted to AI features are sanitised on a best-effort basis before processing
  • Prompts are stored encrypted (AES-256) and are automatically deleted after 24 hours
  • Only metadata (user identity and timestamp) is retained beyond 24 hours
  • No identifiable patient data is used for AI model training
  • All AI processing occurs within UK-based infrastructure (AWS eu-west-2)
  • No data is transmitted outside the UK for AI processing

The Controller's use of AI features constitutes an instruction to the Processor to process data through AI systems as described in the AI Usage Policy. The Controller remains responsible for reviewing all AI-generated outputs before use.

14. Liability

Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Terms of Service, except that no limitation shall apply to either party's liability for breaches of Applicable Data Protection Law to the extent such limitation is not permitted by law.

15. Term and Termination

This DPA shall come into effect on the Effective Date of the Terms of Service and shall remain in effect for as long as the Processor processes Personal Data on behalf of the Controller. The data retention and deletion obligations in Section 11 shall survive termination of this DPA.

16. Governing Law

This DPA shall be governed by and construed in accordance with the laws of England and Wales. The courts of England and Wales shall have exclusive jurisdiction to settle any dispute arising out of or in connection with this DPA.

17. Contact

For questions about this DPA or to exercise rights under this agreement:

Lumina Dental Ltd

Company No. 16067035

Registered in England and Wales

Data Protection: privacy@luminadental.co.uk

Security: security@luminadental.co.uk

This Data Processing Agreement was last updated in February 2026. Previous versions are available upon request.