    Data Processing Agreement

    Dentio's Data Processing Agreement (DPA)

    Dentio AB – Data Processing Agreement (DPA)

    Last updated: 3 March 2026

    Norrtullsgatan 6, 113 29 Stockholm

    Product: Dentio

    Dentio AB, org nr. 559498-5136

    Preamble

    A. This Data Processing Agreement (“DPA”) is entered into by and between the dental clinic or organization below (the “Controller” or “Customer”) and Dentio AB (org.nr 559498-5136), Norrtullsgatan 6, 113 29 Stockholm, Sweden (“Dentio”, “Processor”, “we” or “us”).

    B. The Parties have entered into a separate software-subscription contract or terms of service (the “Service Agreement”) under which Dentio provides AI-supported administrative tools for dental professionals to the Customer. In the course of providing the Services, Dentio will Process Personal Data on behalf of the Controller.

    C. This DPA sets out the rights and obligations of the Parties with respect to such Processing, in accordance with Article 28 GDPR.

    D. This DPA shall form an integral part of, and is incorporated by reference into, the Service Agreement. In the event of any conflict between this DPA and the Service Agreement, the provisions of this DPA shall prevail to the extent of the conflict, unless the Parties expressly agree otherwise in writing.

    E. Capitalised terms not otherwise defined herein shall have the meanings given to them in the GDPR or, where relevant, in the Service Agreement.

    F. The Parties expressly acknowledge and agree that this DPA does not establish a joint controllership arrangement under Article 26 GDPR. Each Party remains solely responsible for its own compliance with Applicable Law in respect of its separate processing activities. Dentio processes Personal Data solely on behalf of and under the documented Instructions of the Controller. Dentio does not engage in automated decision-making with legal or similarly significant effects on Data Subjects.

    Parties & Contact Details

    | Role | Entity / Contact | Details |
    |---|---|---|
    | Controller | [Clinic legal name] | Address: [Clinic address]; Reg./VAT no.: [insert number]; Head clinician: [Name]; Contact: [Data-protection contact] |
    | Processor | Dentio AB | Org.nr 559498-5136; Norrtullsgatan 6, 113 29 Stockholm, Sweden; CEO: Elias Afrasiabi; DPO: Jonathan Ahrlind; Privacy and 24h Incident mailbox: [email protected] |

    0. Structure and Interpretation

    0.1 Integral Documents. This DPA consists of the main body and the following annexes: Annex 1 – Detailed Instructions for Processing; Annex 2 – Technical and Organisational Measures (TOMs); Annex 3 – Approved Sub-Processors.

    0.2 Headings and References. Clause headings are for convenience only and do not affect interpretation. References to Articles are to those of the GDPR unless otherwise stated.

    0.3 Incorporation of Law. References to any statute or statutory provision include any modification, extension or re-enactment thereof.

    0.4 No Waiver. Failure or delay by either Party in exercising any right under this DPA shall not constitute a waiver of that right.

    0.5 Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.

    0.6 Order of Precedence. In the event of any conflict between the provisions of this DPA and the Service Agreement, the provisions of this DPA shall prevail with respect to data protection matters. In the event of conflict between the main body of this DPA and any Annex, the main body shall prevail unless the Annex expressly states otherwise.

    1. Definitions

    1.1 Statutory terms. Capitalised terms that are defined in Applicable Law—including Controller, Processor, Personal Data, Processing, and Personal-Data Breach—have the same meaning in this DPA and are not restated here.

    1.2 Contract-specific terms:

    | Term | Meaning |
    |---|---|
    | Applicable Law | Any European Union or Member-State statute, regulation or binding decision that governs the Processing of Personal Data under this DPA. |
    | Service Agreement | Has the meaning set out in preamble B. |
    | Approved Purpose | The Processing strictly necessary to deliver the Services as described in Annex 1 or as otherwise documented in writing by the Controller. |
    | Authorised Territory | The European Union (“EU”) and the European Economic Area (“EEA”) and any country recognised by the European Commission as providing an adequate level of protection under GDPR Art 45. |
    | Approved Sub-Processor | A third-party processor listed in Annex 3, as amended in accordance with Section 4. |
    | Instruction | A written instruction issued by the Controller that specifies how Dentio shall Process Personal Data; initial Instructions are set out in Annex 1. |
    | Technical and Organisational Measures (“TOMs”) | The security controls implemented by Dentio and detailed in Annex 2. |
    | Confidential Information | Non-public information disclosed by one Party to the other in connection with the Service Agreement or this DPA, subject to Section 11. |
    | Personal Data Breach | The meaning given in Article 4(12) GDPR, being a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data. |
    | Data Subject | An identified or identifiable natural person whose Personal Data is Processed under this DPA, including but not limited to patients of the Controller. |
    | Service Data | Aggregated and de-identified data relating to the use, support, and operation of the Services, collected by Dentio for its own purposes including analytics, security monitoring, and product improvement. Service Data contains no identifiable patient information. |

    2. Roles and General Obligations

    2.1 The Controller determines the purposes and means of Processing; Dentio acts solely as a Processor based on the Controller’s documented Instructions (Art 4(7) & (8) GDPR).

    2.2 Obligations of the Controller (Customer)

    • 2.2.1 Documented Instructions. The Controller shall provide Dentio with documented Instructions for the Processing of Personal Data. Initial Instructions are set out in Annex 1.
    • 2.2.2 Lawful Basis. The Controller shall ensure that a valid legal basis exists for all Processing of Personal Data under this DPA. For special category data, including health data, the Controller shall ensure an appropriate legal basis exists under Article 9(2).
    • 2.2.3 Transparency. The Controller shall inform Data Subjects of the Processing in accordance with Articles 13 and 14 GDPR including clear notice that AI-assisted transcription and documentation tools are used.
    • 2.2.4 Consent. Where the legal basis for Processing is consent, the Controller shall ensure valid, informed, specific, and freely given consent has been obtained from Data Subjects prior to Processing.
    • 2.2.5 Data Accuracy. The Controller shall ensure that all Personal Data provided to Dentio is accurate, complete, and kept up to date.
    • 2.2.6 Supervision. The Controller shall supervise the Processing of Personal Data under this DPA throughout its duration.
    • 2.2.7 AI Content Verification. The Controller shall ensure that clinicians review and verify all AI-generated content before such content is entered into patient records.
    • 2.2.8 Healthcare Compliance. The Controller shall ensure compliance with all applicable healthcare-specific laws and regulations. In Sweden, this includes Patientdatalagen (2008:355), Patientsäkerhetslagen (2010:659), the regulations and general guidance issued by Socialstyrelsen under HSLF-FS, guidance from IMY, and applicable professional codes of conduct for dental practitioners.
    • 2.2.9 Staff Training. The Controller shall ensure that all personnel authorised to use the Services receive appropriate training.

    2.3 Obligations of the Processor (Dentio)

    • 2.3.1 Dentio shall Process Personal Data only on the Controller’s documented Instructions.
    • 2.3.2 If Dentio considers that an Instruction infringes the GDPR, Dentio shall immediately notify the Controller and may suspend the relevant Processing.
    • 2.3.3 Dentio shall maintain the confidentiality of all Personal Data processed under this DPA.
    • 2.3.4 Dentio shall ensure that personnel receive appropriate data protection training.
    • 2.3.5 Dentio shall implement and maintain the technical and organisational security measures set out in Annex 2.
    • 2.3.6 Dentio shall assist the Controller in responding to Data Subject requests.
    • 2.3.7 Dentio shall assist the Controller in ensuring compliance with Articles 32 to 36 of the GDPR.
    • 2.3.8 Dentio shall make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR and allow for audits.
    • 2.3.9 Dentio shall notify the Controller of any Personal Data Breach without undue delay in accordance with Section 6.
    • 2.3.10 Upon termination, Dentio shall delete or return all Personal Data in accordance with Section 8.

    2.4 Dentio may refuse, suspend, or propose alternatives to any Instruction it reasonably believes would breach this DPA or Applicable Law.

    2.5 If the Controller provides additional instructions beyond what is expressly stated in this DPA, Dentio is entitled to compensation for costs and additional work.

    2.6 Dentio shall apply the principles of data protection by design and data protection by default in accordance with Article 25 GDPR.

    2.7 The Controller shall not provide to Dentio any Personal Data beyond that which is strictly necessary for the provision of dental services. Accidental capture of such categories during a recorded clinical consultation is permitted to the extent it is unavoidable and clinically relevant.

    3. Approved Locations for Processing and International Transfers

    3.1 All Processing shall take place exclusively within the Authorised Territory.

    3.2 Dentio shall not transfer Personal Data to, or allow access to Personal Data from, any location outside the Authorised Territory. All AI inference, storage, and processing are performed exclusively within EU regions. Dentio implements double-encryption with keys separated across independent services.

    3.3 Operational staff with production access are based in Sweden or another EU/EEA Member State.

    3.4 If a transfer outside the Authorised Territory becomes strictly necessary, Dentio will: (a) give 30 days’ prior written notice; (b) implement the EU Standard Contractual Clauses; (c) provide a documented Transfer Impact Assessment; and (d) honour the Controller’s right to object.

    3.5 Dentio maintains up-to-date data-flow diagrams and region-lock logs.

    3.6 If Dentio receives a legally binding request from any public authority to disclose Personal Data, Dentio shall immediately notify the Controller unless legally prohibited.

    4. Sub-Processors

    4.1 The Controller hereby grants Dentio a general written authorisation to engage the third-party processors identified in Annex 3.

    4.2 On-boarding Procedure for New Sub-Processors. (a) Prior notice of 30 calendar days before authorising any additional or replacement Sub-Processor. (b) Right to object on reasonable, documented grounds relating to data protection. (c) Resolution: Dentio may cancel/delay engagement, propose mitigation, or offer the Controller the option to suspend the portion of Services that would involve the objected-to Sub-Processor.

    4.3 Dentio shall ensure every Sub-Processor contract imposes obligations equivalent to those in this DPA.

    4.4 Before on-boarding a Sub-Processor and at least annually thereafter, Dentio shall conduct a risk-based assessment of each Sub-Processor’s security posture.

    4.5 Dentio shall remain fully liable to the Controller for the performance of each Sub-Processor’s obligations (Article 28(4) GDPR).

    4.6 Emergency Replacement. Dentio may replace a Sub-Processor without the 30-day notice if urgently required, provided the Controller is informed as soon as practicable, the replacement meets or exceeds the previous provider’s level, and the Controller retains a right to object.

    4.7 Annex 3 shall always reflect the current roster of Approved Sub-Processors.

    5. Technical and Organisational Measures (“TOMs”)

    Dentio maintains a documented information security programme based on recognised industry best practices. The measures are set out in Annex 2.

    • 5.1 Governance and Risk Management: Board-approved security policy reviewed annually; security steering group reporting to CEO/DPO; formal risk register with quarterly review cycles.
    • 5.2 Data Minimisation and Encryption: AES-256 encryption at rest; TLS 1.2+ for all data in transit; audio stream chunked into six-second segments and erased immediately after transcription; transcript text automatically deleted after 30 days.
    • 5.3 Access Control and Authentication: Role-based access with zero default staff permissions; production consoles protected by mandatory MFA.
    • 5.4 Segregation and Multi-Tenant Isolation: Customer data isolated at schema level in Supabase; row-level security prevents cross-tenant reads.
    • 5.5 Resilience, Backup and Disaster Recovery: Daily encrypted snapshots stored in a separate EU region, retained 30 days.
    • 5.6 Incident Response: 24×7 on-call rotation; documented incident-response plan with post-incident root-cause analysis; Controller notified within 24 h of confirmed Personal Data Breach.
    • 5.7 Testing and Audit: Security controls tested before every production release; annual third-party penetration-test report summary provided to the Controller on request.
    • 5.8 The Parties agree that these measures provide a level of security appropriate to the risk, consistent with Article 32 GDPR.

    6. Personal Data Breach Notification and Management

    6.1 A Personal Data Breach means any event that meets the definition in Article 4(12) GDPR.

    6.2 Dentio shall notify the Controller without undue delay and in any event within twenty-four (24) hours of becoming aware.

    6.3 Dentio will send the initial breach notice to (a) the Controller Contact Person named in the Parties table; and (b) the 24h incident mailbox supplied by the Controller, using encrypted e-mail.

    6.4 Dentio’s initial notice shall contain, to the extent known: (a) the nature of the incident; (b) categories and approximate number of Data Subjects affected; (c) categories and approximate number of Personal Data records affected; (d) likely consequences; (e) measures taken or proposed; and (f) name and contact details of Dentio’s DPO or incident lead.

    6.5 Dentio shall promptly take all measures necessary to contain, eradicate and remedy the Personal Data Breach.

    6.6 Dentio shall cooperate with and assist the Controller in meeting its obligations under Articles 33 and 34 GDPR.

    6.7 If the Personal Data Breach has been caused by the Controller, Dentio is entitled to compensation for costs and additional work.

    6.8 If the Controller determines to notify any governmental entity or Data Subjects in a way that identifies Dentio, the Controller agrees to notify Dentio in writing in advance.

    7. Information and Rights of Data Subjects

    7.1 The Controller is solely responsible for furnishing Data Subjects with the information required by Articles 12–14 GDPR.

    7.2 Dentio shall assist the Controller with Data Subject requests for rights including: (a) right of access (Art. 15); (b) rectification (Art. 16); (c) erasure (Art. 17); (d) restriction of processing (Art. 18); (e) data portability (Art. 20); (f) right to object (Art. 21); and (g) rights related to automated decision-making (Art. 22). Dentio provides self-service tooling in the admin console. Dentio shall respond to Controller requests within five (5) business days.

    7.3 If a Data Subject contacts Dentio directly, Dentio shall forward these requests to the Controller Contact Person and take no further action unless instructed in writing.

    7.4 Dentio reserves the right to charge the Controller for the reasonable administrative costs of assistance with Data Subject requests.

    8. Data Retention and Deletion Policy

    8.1 Dentio retains Personal Data only for as long as is strictly necessary to accomplish the Approved Purpose.

    8.2 Standard Retention Schedule:

    | Data Category | Processing Stage | Maximum Retention | Location and Protection | Deletion Method |
    |---|---|---|---|---|
    | Raw audio stream | During speech-to-text transcription | ≤ 24 h buffer (FIFO) | Google Cloud Run ephemeral disk (EU) | GCP automatic deletion through memory deallocation |
    | Full transcript and AI draft note | Post-transcription storage | 30 days from upload | Supabase Postgres and object storage (encrypted at rest, EU) | SQL DELETE + object-lifecycle rule → secure overwrite; cryptographic erasure of KMS key |

    8.3 Controller-Initiated Deletion or Export. The Dentio admin console provides a “Delete session” button and PDF export functionality. Bulk deletion or export can be requested via [email protected] and will be completed within five (5) business days.

    8.4 Automatic Deletion on Termination: (a) Export window of 14 calendar days; (b) Hard-delete 30 calendar days after termination; (c) Proof of destruction available on request; (d) Deleted data may persist in encrypted backups for up to 30 days.

    8.5 Dentio’s deletion processes employ cryptographic erasure by destroying the encryption key (primary method) and secure overwrite procedures where applicable.

    8.6 If Dentio is required by law to retain specific data beyond the periods above, it shall isolate the data, notify the Controller, and delete the data immediately after the legal retention obligation ceases.

    8.7 Backups are encrypted using a separate, hierarchical KMS key. When source data is deleted, Dentio’s backup lifecycle policy ensures corresponding backup objects are also purged within thirty (30) days.

    9. Audit & Inspection Rights

    9.1 The Controller may audit Dentio’s compliance once per rolling twelve (12) month period, or if a confirmed Personal Data Breach directly involving the Controller’s data occurs.

    9.2 Audits require: (a) 30 days prior written notice (or 5 days for breach-triggered audits); (b) scope limited to security controls, Sub-Processor contracts, and TOMs in Annex 2; (c) documentation review first, on-site only if insufficient.

    9.3 Auditors must sign a confidentiality agreement. Audits must avoid disproportionate disruption.

    9.4 ISO 27001 certificates, SOC 2 (Type II) reports, or equivalent third-party assessments may satisfy audit requirements.

    9.5 Dentio shall bear its own internal costs. All external costs shall be borne by the Controller.

    9.6 Dentio will remediate any identified non-conformities without undue delay.

    9.7 If Dentio receives any request or inquiry from IMY or other supervisory authority, Dentio shall (a) notify the Controller within 48 hours; (b) provide copies of all relevant correspondence; (c) not respond substantively without first consulting the Controller; and (d) cooperate fully.

    10. Liability and Indemnification

    10.1 Each Party is liable for the damages it causes by breaching this DPA or Applicable Law.

    10.2 Each Party’s aggregate liability is limited to the total subscription fees paid by the Controller to Dentio during the twelve (12) months immediately preceding the event.

    10.3 Exclusions from the Cap: (a) wilful misconduct or gross negligence; (b) liability that cannot be limited under mandatory law; (c) breach of confidentiality obligations (Section 11); (d) Dentio’s breach of Section 3 (unauthorised international transfers); and (e) Dentio’s breach of Section 4 (unauthorised Sub-Processors).

    10.4 Claims must be brought within two (2) years after the claimant became aware of the event.

    10.5 Customer Indemnity. The Controller shall defend, indemnify, and hold harmless Dentio from any third-party claim arising from: (a) Controller’s Instructions that cause a breach; (b) failure to secure lawful basis or consents; (c) provision of Prohibited Data Categories; or (d) any breach of this DPA or Applicable Law by the Controller.

    11. Confidentiality

    11.1 “Confidential Information” includes all non-public information in any form—specifically patient data, security reports, pricing, business plans, and trade secrets.

    11.2 The Receiving Party shall: (a) use Confidential Information solely to perform rights or obligations under the Service Agreement and this DPA; (b) apply reasonable care; (c) disclose only to personnel with a strict “need-to-know” bound by written confidentiality obligations; and (d) promptly notify of any unauthorised access.

    11.3 The Receiving Party may disclose Confidential Information if required by law, provided it gives advance notice and cooperates to obtain a protective order.

    11.4 Confidential Information excludes information that was already lawfully known, independently developed, is publicly available, or was lawfully received from a third party.

    11.5 Upon written request or on termination, the Receiving Party will return or securely destroy all Confidential Information and certify completion in writing.

    11.6 Confidentiality obligations survive five (5) years after termination; trade secrets must be kept confidential as long as they remain trade secrets under applicable law.

    12. Term and Termination

    12.1 This DPA takes effect on the date of the last signature and remains in force for the full term of the Service Agreement.

    12.2 Termination Events: (a) Ordinary termination when the Service Agreement expires. (b) Termination for breach with 30 calendar days’ written notice to cure. (c) Termination required by law with immediate effect.

    12.3 Effect of Termination: Dentio will cease all Processing of Personal Data; delete or return Personal Data per Section 8; and surviving sections (11, 10, 13, 8) remain in effect.

    12.4 Termination does not entitle either Party to any refund or compensation except as provided in the Service Agreement.

    13. Governing Law and Dispute Resolution

    13.1 This DPA shall be governed by the laws of Sweden, without regard to its conflict-of-laws rules.

    13.2 The Parties shall first attempt good-faith negotiation. Negotiations will be deemed to have failed if no settlement is reached within thirty (30) calendar days.

    13.3 Arbitration. Disputes not resolved under 13.2 shall be finally settled by arbitration administered by the Arbitration Institute of the Stockholm Chamber of Commerce (SCC) under its Rules for Expedited Arbitrations. Seat: Stockholm, Sweden. Language: Swedish. Award is final and binding.

    13.4 Nothing prevents either Party from applying to the Stockholm District Court for interim injunctive relief to prevent irreparable harm.

    13.5 Both Parties agree to cooperate fully with IMY or any other competent supervisory authority.

    14. Service Data and Analytics

    14.1 Dentio may collect, use, and process Service Data for: (a) accounting, billing, audit; (b) improving the Services; (c) investigating fraud/security; (d) generating anonymised benchmarks; and (e) as otherwise permitted by Applicable Law.

    14.2 Service Data is not Customer Personal Data and the obligations of this DPA do not apply to Dentio’s processing of Service Data.

    14.3 De-identification shall be performed using industry-standard techniques that are irreversible.

    14.4 No additional fee is due for Dentio’s processing of Service Data.

    15. Use of Data for Artificial Intelligence and Machine Learning

    15.1 Dentio shall not use any Personal Data for the purpose of training, retraining, fine-tuning, or otherwise developing any AI or machine learning models, except as strictly necessary to provide the Services.

    15.2 Personal Data shall be processed solely for the purposes of providing, maintaining, securing, and supporting the Services as described in this DPA and Annex 1.

    15.3 Dentio may process fully anonymised and aggregated Service Data for statistical reporting, security analysis, or operational insights, provided that such information cannot be used to identify the Controller, its patients, or any natural person.

    Annex 1 — Detailed Instructions for Processing

    The Processing activities described below involve special categories of Personal Data within the meaning of Article 9 GDPR, specifically data concerning health.

    | # | Processing activity | Purpose | Categories of personal data | Data subjects | Max retention |
    |---|---|---|---|---|---|
    | 1 | Speech-to-text transcription of recorded consultations | Convert voice to text for later drafting | Audio stream containing patient voice; incidentally captured identifiers and clinical observations | Patients visiting the Controller’s clinic | Raw audio ≤ 24 h |
    | 2 | AI draft generation (summaries, referral templates, journal text, and draft text descriptions related to dental status and periodontal observations as expressed by the clinician, for clinician review) | Supply a structured, editable draft for clinician review | Consultation transcript, metadata (recording time, user ID) | Same as row 1 | Draft text 30 days |
    | 3 | Copy-paste into EHR via user interface | Allow clinician to insert verified note into local patient record system | Draft text only (no additional identifiers) | Same as row 1 | Not stored by Dentio once pasted |
    | 4 | Application & security logging | Forensic readiness, legal accountability, intrusion detection | Pseudonymised patient reference (hash), user ID, timestamp, IP, event type | Clinic personnel; patients (hashed) | Maximum 400 days |
    | 5 | Daily encrypted back-ups | Disaster-recovery resilience | Encrypted snapshots of DB blobs/files | All of the above | 30 days |
    | 6 | Service analytics (aggregate) | Product performance statistics | Fully anonymised counts, durations, error codes (no identifiers) | n/a (anonymous) | Indefinite (anonymised) |
    | 7 | BankID authentication | Identity verification of clinic personnel | Social security number, name, authentication timestamp | Clinic personnel | During term of agreement |

    Annex 2 — Technical and Organisational Measures (TOMs)

    The measures below are implemented and operational unless a “road-map” note is indicated.

    • 1. Governance and Policy. Dentio maintains an ISO 27001-certified Information Security Management System (ISMS) with annual management review. A security steering group chaired by the CEO/DPO conducts quarterly risk register reviews.
    • 2. Access Control. Dentio implements role-based access control with least-privilege defaults. Staff have zero access to patient text by default.
    • 3. Encryption and Key Management. All data at rest encrypted using AES-256 with Google-managed encryption keys rotated yearly. All data in transit protected by TLS 1.2 or higher, with HSTS enabled for 12 months.
    • 4. Data Minimisation and Retention Enforcement. Raw audio is chunked, stored in tmpfs, and purged automatically through overwrites. Thirty-day object-lifecycle rules govern retention. Application logs retained for up to 400 days.
    • 5. Segregation and Tenant Isolation. Customer data is isolated using Supabase row-level security, schema separation, and user-specific encryption keys.
    • 6. Backup and Disaster Recovery. Daily encrypted snapshots stored in eu-north-1 with a Recovery Point Objective (RPO) of 24 hours or less. Backups inherit deletion policies when source objects expire, with a 30-day hard limit.
    • 7. Incident Response. Dentio maintains 24×7 on-call coverage with documented incident playbooks. Mandatory post-mortems completed within 10 business days of any incident. Controller notified within 24 hours of a confirmed Personal Data Breach.
    • 8. Personnel and Training. Background checks required for all staff with production access. All personnel complete privacy and security training at hire and annually thereafter.
    • 9. Physical Security. Dentio uses ISO 27001- and SOC 2-certified cloud data centres operated by the approved Sub-Processors listed in Annex 3, all located within the EU/EEA. Dentio does not operate any on-premise hosting.

    Annex 3 — Approved Sub-Processors

    Last updated: 3 March 2026

    | Provider | Purpose | Processing Location | Notes / Data Location |
    |---|---|---|---|
    | Google Ireland Ltd. | Cloud infrastructure (Cloud Run), storage, AI models (Vertex AI/Gemini) | EU/EEA | EU/EEA: europe-north1 (Finland), europe-north2 (Sweden), europe-west1 (Belgium), europe-central2 (Poland), europe-west4 (The Netherlands). ISO 27001, SOC 2 Type II. |
    | Amazon Web Services EMEA SARL | AI inference for clinical documentation (Claude via Bedrock) | EU/EEA | eu-north-1 (Stockholm), eu-central-1 (Frankfurt), eu-west-1 (Ireland), eu-west-3 (Paris), eu-south-1 (Milan), eu-south-2 (Spain). No storage; transient. ISO 27001, SOC 2 Type II. Zero retention policy. |
    | Supabase Inc. | Managed PostgreSQL database, authentication | EU/EEA | eu-north-1 (Stockholm). Drafts erased after 30 days. ISO 27001, SOC 2 Type II. |
    | Soniox Inc. | Real-time speech-to-text transcription | EU | All processing within the EU/EEA. No storage; immediate erasure. ISO 27001, SOC 2 Type II. Zero retention. |

    For more information, contact us at [email protected].