DATA PROCESSING AGREEMENT
This Data Processing Agreement is entered into by and between the Company’s customer requesting remote IT support services from Business Associate ("Customer") and Dental Imaging Technologies Corporation (DITC), 450 Commerce Dr Quakertown, PA, 18951-3729 United States ("Company") and/or any other affiliated company of our group from which Customer received a DEXIS product and/or solution (collectively "Company") (collectively referred to herein as the "Parties"), and supplements, amends and is incorporated into the existing End User Licence Agreement between Company and Customer and is effective as of the date it is agreed upon by the Customer by accepting the terms of the IT support session.
For good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, Customer and Company agree as follows:
This Agreement shall apply to all Processing of Personal Data by the Company on behalf of the Customer, as described in Appendix 1 and Appendix 2 of this Agreement and which are an integrated part of this Agreement. In case of any direct conflict between this Agreement and the Terms, the provisions of this Agreement shall prevail.
Unless the context dictates otherwise, all terms which are not defined in this Agreement shall have the meaning ascribed to them in the Terms. For the purpose of this Agreement, Data Processor, Data Subject, Personal Data Breach, and Processing (or equivalent terms used in Applicable Data Protection Laws) have the meanings ascribed to them or to the equivalent terms in Applicable Data Protection Laws. Applicable Data Protection Laws means all applicable UK, Swiss, EEA, EU, EU Member State and Canadian laws and regulations relating to the privacy, confidentiality, security or protection of Personal Data as replaced from time to time, including, without limitation, (i) the GDPR and EU Member State laws supplementing the GDPR, (ii) the EU Directive 2002/58/EC (e-Privacy Directive), and EU Member State laws implementing the e-Privacy Directive; (iii) the UK GDPR; (iv) the Swiss Federal Act on Data Protection; and (v) PIPEDA. Personal Data means any information relating to an identified or identifiable natural person that is Processed by Company on behalf of the Customer in the performance of the Services and references to "personal data" should be read as references to "personal information" under other Applicable Data Protection Laws as necessary.
- In relation to its Processing of Personal Data, Company shall:
  - Process Personal Data only in accordance with the documented instructions of the Customer, unless the Company is required to do otherwise by an applicable law, in which case the Company shall inform the Customer of the relevant legal requirement before Processing the Personal Data unless informing Customer is prohibited by the applicable law on important grounds of public interest;
  - Comply with the Applicable Data Protection Laws in connection with the processing of Personal Data pursuant to this Agreement;
  - Ensure that Company's employees or subcontractors authorized to Process the Personal Data have committed themselves in writing to confidentiality or are under an appropriate statutory obligation of confidentiality and do not transfer Personal Data to unauthorized third parties;
  - Take and maintain written technical, physical and organizational security measures necessary to ensure the protection of the Personal Data and that are appropriate to (i) the size, scope and type of Company's business; (ii) the type and sensitivity level of Personal Data; and (iii) the need for security and confidentiality of such Personal Data;
  - Taking into account the nature of the Processing, assist the Customer, by appropriate technical, physical and organizational measures, insofar as this is possible, in fulfilling the Customer's obligation to respond to Data Subject's requests for exercising their rights under Applicable Data Protection Laws;
  - Where required to do so by Applicable Data Protection Law, notify the Customer upon becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data processed under this Agreement;
  - Assist the Customer in complying with its obligations relating to data security, Personal Data Breaches and data protection impact assessments, taking into account the nature of the Processing and the information available to the Company;
  - Make available to the Customer, for inspection on Company's premises only, the information necessary to demonstrate compliance with the obligations set out in this Agreement and allow for and contribute to audits conducted by the Customer or another auditor mandated by the Customer and approved by the Company, provided that the Customer gives the Company at least 30 days' prior written notice of its intention to carry out an audit. This notice shall include a detailed work plan for the audit. Any third party involved in the audit must agree to the Company's confidentiality undertakings and the Customer will bear all costs and expenses incurred by Company in connection with the audit; and
  - Immediately inform the Customer if, in Company's opinion, an instruction provided by the Customer infringes applicable law.
- Customer agrees that the Company may subcontract its Processing operations performed on behalf of the Customer under the Agreement to any subcontractor (“Sub-Processor”). Prior to providing any Sub-Processor with access to Personal Data, Company shall require such Sub-Processor to enter into a written agreement that imposes the same data protection obligations as set out in this Agreement. As at the date of this Agreement, a list of the Sub-Processors used by Company is set out in Appendix 2 to this Annex. Company shall inform the Customer of any intended changes concerning the addition or replacement of other Sub-Processors, thereby giving Customer the opportunity to object to such changes. If the Customer reasonably objects to a Sub-Processor, the Customer must inform the Company within seven (7) days. If the Company is unable to resolve the Customer's objection, either party may, upon notice and without liability, terminate the Processing operations that use the objected-to Sub-Processor.
- The Customer agrees that Company may transfer Personal Data to third countries for the purpose of providing the Services and fulfilling its obligations to Customer under the Agreement and on the condition that Company has implemented appropriate safeguards for the transfer of the Personal Data in accordance with Applicable Data Protection Laws.
This Agreement shall come into effect upon the effective date of the Agreement and shall expire or terminate concurrently therewith. Termination or expiration of this Agreement shall not discharge the Company from its confidentiality and data protection obligations until Personal Data is anonymized, returned to the Customer or destroyed.
DXIS01492 Rev00