Data Processing Agreement
This Data Processing Addendum (“Addendum”) is entered into as of the first exchange of personal information, by and between Orca Dental AI Ltd. (“Orca”) and the customer using any of the services provided by or through Orca’s web-hosted Platform (“Customer” or “Provider”).
WHEREAS, Orca provides to Provider certain services (the “Services”), either pursuant to a specific Master Services Agreement between them or pursuant to Orca’s Terms of Use, as applicable (the “Agreement”); and
WHEREAS, the Agreement does not include a different Data Processing Agreement agreed between the parties, and the Services involve processing certain personal data; and the parties wish to regulate Provider’s processing of such personal data through this Data Processing Addendum to the Agreement, which shall be deemed attached to and become an integral part of the Agreement.
THEREFORE, the parties have agreed as follows:
- Provider commissions, authorizes and requests that Orca provide Provider the Services, which Services involve the Processing of Personal Data (as these capitalized terms are defined and used in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and in applicable national law implementing this Directive, or in any subsequent superseding legislation, including, without limitation, the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) applicable as of 25 May 2018 and any national law supplementing the GDPR; these shall collectively be referred to as “Data Protection Law”).
- Orca will Process the Personal Data only on Provider’s behalf and for as long as Provider instructs Orca to do so. Orca shall not Process the Personal Data for any purpose other than the purpose set forth in this Addendum.
- The nature and purposes of the Processing activities are as set out in the Agreement. The Personal Data Processed may include, without limitation:
- First name, Last name, Date of Birth/Age, Gender, and patient-provided dental images and clinical data (including from ceph, DICOM, and STL files).
- The Data Subjects, as defined in the Data Protection Law, about whom Personal Data is Processed are:
Patients of the Provider
- In providing the Services, Orca is and will remain at all times the ‘Data Processor’ (as this capitalized term is defined and used in Data Protection Law). As a Data Processor, Orca will Process the Personal Data only as set forth in this Addendum. Orca and Provider are each responsible for complying with the Data Protection Law applicable to them in their roles.
- Orca will Process the Personal Data only on instructions from Provider documented in this Addendum or otherwise provided either in writing or through the options of the Services configurable by Provider, including with regard to cross-border transfers of Personal Data. The foregoing applies unless Orca is otherwise required by law to which it is subject (and in such a case, Orca shall inform Provider of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest). Orca shall immediately inform Provider if, in Orca’s opinion, an instruction is in violation of Data Protection Law.
- Orca will make available to Provider all information at its disposal necessary to demonstrate compliance with the obligations under Data Protection Law, shall maintain all records required by Article 30(2) of the GDPR, and shall make them available to the Provider upon request.
- If, when and where required by Data Protection Law, Orca shall appoint a Data Privacy Officer (DPO) and, whether required to or voluntarily appointed, shall promptly inform Provider of the contact information of that DPO and of any changes in the fulfillment of that position.
- Orca will follow Provider’s instructions to accommodate, and shall assist by appropriate means to ensure compliance with the provisions on, Data Subjects’ rights in relation to their Personal Data, including accessing their data, correcting it, restricting its processing or deleting it. Orca will pass on to Provider requests that it receives (if any) from Data Subjects regarding their Personal Data Processed by Orca.
- Provider authorizes Orca to engage a subprocessor for carrying out specific processing activities of the Services, provided that Orca informs Provider at least 30 business days in advance of any new or substitute subprocessor, in which case Provider shall have the right to object, on reasoned grounds, to that new or replaced subprocessor. If Provider so objects, Orca may not engage that new or substitute subprocessor for the purpose of Processing Personal Data in the provision of the Services or, alternatively, shall have the right to terminate the Agreement.
- Without limiting the foregoing, in any event where Orca engages a subprocessor, Orca will ensure that the same data protection obligations as set out in this Addendum are likewise imposed on that other subprocessor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR. Where the subprocessor fails to fulfil its data protection obligations, Orca shall remain fully liable to Provider and Provider’s customer (the controller) for the performance of that other subprocessor’s obligations.
- Orca and its subprocessors will only Process the Personal Data in member states of the European Economic Area, or, if outside the member states of the European Economic Area, then under adequate safeguards as required under Data Protection Law governing cross-border data transfers (e.g., Standard Contractual Clauses). Orca must inform Provider at least 30 business days in advance of any cross-border data transfer scenario that does not meet the foregoing obligations, in which case Provider shall have the right to object, on reasoned grounds, to that envisioned cross-border data transfer. If Provider so objects, Orca may not engage in that envisioned cross-border data transfer for the purpose of Processing Personal Data in the provision of the Services.
- In Processing Personal Data, Orca will implement appropriate technical and organizational measures to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, including those listed in Exhibit 1, and will provide Provider means to control various security safeguards in respect of Personal Data.
- Orca will ensure that its staff authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Subject to reasonable prior written coordination and placement of customary safeguards to confidential and proprietary information as well as privacy rights of third parties, Orca shall allow for and contribute to audits, including carrying out inspections conducted by an auditor mandated and paid for by Provider (or Provider’s customer, the controller) in order to establish Orca’s compliance with this Addendum and the provisions of the applicable Data Protection Law as regards the Personal Data that Orca processes on behalf of the Provider.
- Upon Provider’s written request, not more than once every year, Orca shall obtain and forward to Provider, at Provider’s cost and expense (who may then use it with its customer, the controller), an audit report from an independent, reputable third party regarding Orca’s data processing and data protection measures, confirming Orca’s compliance with Data Protection Law and the Addendum. The audit report shall be obtained based on a recognized standard for such audit reports. If Orca already has a current audit report for the requested period, meeting the foregoing criteria, but which was prepared by Orca or for the benefit of another third party, then Orca may satisfy its obligations under this paragraph by providing the Provider such report.
- Orca shall document any Personal Data Breach (as this term is defined and used in Data Protection Law and applicable regulatory guidelines). This documentation shall include all the facts relating to the personal data breach, its effects and the remedial action taken. Orca shall without undue delay, and in any event within 24 hours (in case of a severe breach) or within 7 business days (in any other case), notify the Provider, through all the channels listed in Exhibit 2, of any such Personal Data Breach of which it becomes aware regarding Personal Data of Data Subjects that Orca Processes. Orca will thoroughly investigate the breach, and take all available measures to mitigate the breach and prevent its recurrence. Provider and Orca will cooperate in good faith with Provider’s customer, the controller, on issuing any statements or notices regarding such breaches to authorities and Data Subjects. The notification to Provider referred to in this subsection shall include at least the following information, if available at such time:
- A description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- The name and contact details of the data protection officer or other contact point where more information can be obtained;
- A description of the likely consequences of the personal data breach; and
- A description of the measures taken or proposed by the controller to address the personal data breach, including measures to mitigate its possible adverse effects.
- If it is not possible to provide the above information together with the notification, Orca shall provide this information as soon as it is available.
- Orca will assist Provider and Provider’s customer (the controller) with the eventual preparation of data privacy impact assessments and prior consultation as appropriate (and if needed).
- Orca will provide Provider prompt notice of any request it receives from authorities to produce or disclose Personal Data it has Processed on Provider’s behalf, so that Provider may contest or attempt to limit the scope of the production or disclosure request.
- Upon Provider’s request, Orca will delete the Personal Data it has Processed on Provider’s behalf under this Addendum from its own and its subprocessors’ systems, or, at Provider’s choice, return such Personal Data and delete existing copies, and, upon Provider’s request, will furnish written confirmation that the Personal Data has been deleted or returned pursuant to this section.
- The duration of Processing that Orca performs on the Personal Data is for the period set out in the Agreement. This Addendum shall prevail in the event of inconsistencies between it and the Agreement or subsequent agreements entered into or purported to be entered into after the date of this Addendum – except where explicitly agreed otherwise in writing.
- Orca will indemnify and hold Provider harmless at all times against any loss, damage or costs suffered, sustained or incurred by Provider, including but not limited to claims from data subjects, Provider’s customer (the controller) and penalties imposed by the authorities, that arise from any acts or omissions of Orca or its other subprocessors, under this Addendum or the Data Protection Law, unless and insofar as these acts or omissions were performed under the specific instructions of the Provider, in all cases, subject to and to the same scope and extent set forth in the Agreement.
* * *
Exhibit 1
Orca shall take commercially reasonable and customary measures to:
(a) deny unauthorized persons access to processing equipment used for processing (‘equipment access control’);
(b) prevent the unauthorized reading, copying, modification or removal of data media (‘data media control’);
(c) prevent the unauthorized input of personal data and the unauthorized inspection, modification or deletion of stored personal data (‘storage control’);
(d) prevent the use of automated processing systems by unauthorized persons using data communication equipment (‘user control’);
(e) ensure that persons authorized to use an automated processing system have access only to the personal data covered by their access authorization (‘data access control’);
(f) ensure that it is possible to verify and establish the bodies to which personal data have been or may be transmitted or made available using data communication equipment (‘communication control’);
(g) ensure that it is subsequently possible to verify and establish which personal data have been input into automated processing systems and when and by whom the personal data were input (‘input control’);
(h) prevent the unauthorized reading, copying, modification or deletion of personal data during transfers of personal data or during transportation of data media (‘transport control’);
(i) ensure that installed systems may, in the case of interruption, be restored (‘recovery’);
(j) ensure that the functions of the system perform, that the appearance of faults in the functions is reported (‘reliability’) and that stored personal data cannot be corrupted by means of a malfunctioning of the system (‘integrity’); and
(k) implement a process for regularly testing, assessing, evaluating and enhancing the effectiveness of technical and organizational measures for ensuring the security of the Processing (‘assessments’).
Provider acknowledges that, notwithstanding Orca’s taking of the foregoing security safeguards and precautions, use of, or connection to, the World Wide Web provides the opportunity for unauthorized third parties to circumvent such safeguards and precautions and illegally gain access to Orca’s platform and potentially to personal data.
Additionally, personnel of Provider, its Customers and business partners, who may have access to Orca’s platform and/or to such personal data, may abuse their rights and permissions to access and use the platform and such personal data.
Accordingly, without derogating from Orca’s obligations hereunder, Orca cannot and does not guarantee the privacy, security, integrity or authenticity of any information so transmitted over or stored in any system connected to the World Wide Web, or that any security precautions taken will be adequate or sufficient to prevent all damage thereto, whether by authorized or unauthorized users gaining access to the platform.
Exhibit 2
Orca shall notify Provider of data breaches through all of the following channels:
- Email, to the following addresses: moshe@cephx.com;
- Phone, to the following numbers: +972538789977