Data Processing Agreement (DPA)
Between SmileOS Pty Ltd ("Processor") and [Clinic/Agency Name] ("Controller")
Last updated: 17th Sep 2025
1. Purpose
1.1 This Data Processing Agreement ("DPA") governs the processing of Personal Data by SmileOS Pty Ltd ("SmileOS", "Processor") on behalf of the Clinic or Agency ("Controller") under the Privacy Act 1988 (Cth), the General Data Protection Regulation (GDPR) (EU), and where applicable, the Health Insurance Portability and Accountability Act (HIPAA) (US).
1.2 The parties agree to comply with applicable data protection and privacy laws in respect of all Personal Data processed under this Agreement.
2. Definitions
2.1 Personal Data means any information relating to an identified or identifiable individual, including health information, images, treatment details, and contact details.
2.2 Processing means any operation performed on Personal Data, including collection, recording, storage, disclosure, transfer, and deletion.
2.3 Controller means the Clinic or Agency that determines the purposes and means of processing Personal Data.
2.4 Processor means SmileOS, which processes Personal Data on behalf of the Controller.
2.5 Sub-processor means any third party engaged by SmileOS to process Personal Data (e.g., AWS, Stripe, Twilio).
3. Roles and Responsibilities
3.1 Controller Responsibilities:
(a) Ensure lawful basis and consent for collecting and processing patient Personal Data.
(b) Ensure notices and consents are provided to patients in compliance with applicable laws.
(c) Remain responsible for accuracy, quality, and legality of Personal Data provided to SmileOS.
3.2 Processor Responsibilities:
(a) Process Personal Data only on documented instructions from the Controller.
(b) Not process Personal Data for its own purposes.
(c) Ensure confidentiality and train staff handling Personal Data.
(d) Assist the Controller in meeting its compliance obligations, including access, correction, and erasure requests.
4. Sub-Processing
4.1 The Controller authorises SmileOS to engage Sub-processors for hosting, storage, communication, and payment processing. Current Sub-processors may include, but are not limited to:
• Amazon Web Services (hosting and storage)
• Stripe (payment processing)
• Twilio (communications/SMS)
4.2 SmileOS will notify the Controller of changes to Sub-processors and ensure each Sub-processor is bound by obligations no less protective than those in this DPA.
5. Data Transfers
5.1 Personal Data may be transferred and stored outside Australia, including in the European Union, Singapore, Germany, and the USA.
5.2 SmileOS will ensure such transfers are made subject to appropriate safeguards, including:
(a) Standard Contractual Clauses (SCCs) where applicable under GDPR.
(b) Reasonable technical and contractual measures to ensure equivalent protection under the Privacy Act 1988 (Cth).
6. Data Retention and Deletion
6.1 Personal Data will be retained only as long as necessary for the purposes of providing the services or as required by law.
6.2 Upon termination of services, SmileOS will:
(a) Return all Personal Data to the Controller, or
(b) Delete such data, unless retention is required by law.
7. Data Security
7.1 SmileOS shall implement appropriate technical and organisational measures to protect Personal Data against unauthorised access, misuse, loss, or disclosure.
7.2 Measures may include:
(a) Encryption at rest and in transit.
(b) Secure access controls and authentication.
(c) Logging and monitoring of system access.
(d) Regular security testing and patching.
8. Data Breach Notification
8.1 In the event of a Personal Data Breach, SmileOS shall:
(a) Notify the Controller without undue delay, and within 72 hours where feasible.
(b) Provide details of the breach, including nature, scope, likely consequences, and remedial action taken.
(c) Cooperate with the Controller in fulfilling notification obligations to regulators and affected individuals.
9. Data Subject Rights
9.1 SmileOS shall assist the Controller in responding to requests from data subjects under the Privacy Act, GDPR, or HIPAA, including rights to:
(a) Access personal data.
(b) Correct inaccuracies.
(c) Request deletion or restriction of processing.
(d) Request portability of data (where applicable).
10. Audit and Compliance
10.1 The Controller may, on reasonable notice, request information to demonstrate compliance with this DPA.
10.2 SmileOS shall make available all information necessary to demonstrate compliance and, where required, allow audits or inspections by the Controller or an appointed auditor.
11. Term and Termination
11.1 This DPA remains in force for the duration of the services agreement between SmileOS and the Controller.
11.2 Upon termination, SmileOS will delete or return all Personal Data in accordance with Clause 6.
12. Governing Law
12.1 This DPA is governed by the laws of New South Wales, Australia.
Contact Information
For questions regarding this Data Processing Agreement, please contact:
SmileOS Pty Ltd
Email: hello@smilesearch.com.au