
Data Processing Addendum (DPA)

Last updated: October 2025

Introduction

This Data Processing Addendum (“Addendum” or “DPA”) forms part of and supplements the Terms of Use and Acceptable Use Policy of www.nexo-aligners.com (the “Website”), operated by FACE Orthodontics SRL, Str. Pompiliu Teodor 26, Cluj-Napoca, Romania (“Processor” or “FACE Orthodontics SRL”). This Addendum governs the processing of personal data carried out by FACE Orthodontics SRL on behalf of the licensed dental professional or orthodontist (“Controller”) in connection with the use of the Website, the Doctors’ Portal, the case submission system, and related services (“Services”). This Addendum ensures that all processing of personal data complies with the EU General Data Protection Regulation (GDPR) and applicable Romanian data protection laws.

1. Purpose and Scope

This Addendum defines the terms and conditions under which FACE Orthodontics SRL processes personal data on behalf of the Controller in the course of providing orthodontic case management and digital aligner planning services. Processing includes collection, storage, transfer, and other operations performed on personal data provided or uploaded by the Controller via the Website or associated systems.

2. Roles of the Parties

The Controller determines the purposes and means of processing personal data of patients and other individuals. The Processor, FACE Orthodontics SRL, processes such personal data solely on behalf of and in accordance with the documented instructions of the Controller.

3. Categories of Data and Data Subjects

The Processor may process the following categories of personal data, as described in Annex I of this Addendum, including:
- Patient identification data
- Intraoral scans, X-rays and CBCT images
- Facial and intraoral photographs
- Orthodontic treatment plans
- Professional account and contact information (of Controllers and their staff)

Data subjects may include patients, dental professionals, and other persons involved in the treatment or support process.

4. Processor’s Obligations

FACE Orthodontics SRL shall:
1. Process personal data only on documented instructions from the Controller, including with respect to transfers of personal data to third countries.
2. Ensure that persons authorized to process personal data are bound by confidentiality obligations.
3. Implement appropriate technical and organizational security measures to protect personal data.
4. Assist the Controller in ensuring compliance with obligations relating to data security, breach notification, data protection impact assessments, and consultations with supervisory authorities.
5. Notify the Controller without undue delay after becoming aware of any personal data breach.
6. Upon termination of the services, delete or return all personal data at the Controller’s request, unless retention is required by law.

5. Confidentiality

All personal data processed under this Addendum shall be treated as strictly confidential. The Processor shall ensure that any person acting under its authority who has access to personal data does not process such data except on the Controller’s instructions.

6. Security Measures

The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including but not limited to:
- Data encryption and pseudonymization
- Access control and user authentication
- Secure data transfer and encrypted communications
- Regular data backups and system audits
- Secure storage within EU-based data centers.

7. Sub-Processors

The Controller authorizes the Processor to engage sub-processors for specific data processing activities, provided that:
- The sub-processor is bound by written obligations equivalent to those set forth in this Addendum.
- The Processor remains fully liable to the Controller for the performance of any sub-processor.
A list of approved sub-processors may be provided upon written request.

8. Assistance to the Controller

The Processor shall assist the Controller in:
- Responding to requests from data subjects seeking to exercise their rights under GDPR.
- Conducting data protection impact assessments.
- Ensuring compliance with data breach notification obligations.

9. Data Subject Rights

The Controller is responsible for responding to data subjects’ requests to exercise their rights (access, rectification, erasure, restriction, portability, and objection). The Processor shall notify the Controller promptly if it receives any such request directly and shall not respond except upon the Controller’s documented instruction.

10. Data Retention and Deletion

The Processor shall retain personal data only for as long as necessary to provide the contracted Services or as required by applicable law. Upon termination of the contractual relationship, all personal data shall be securely deleted or returned to the Controller, unless otherwise legally mandated.

11. International Data Transfers

The Processor will not transfer personal data outside the European Economic Area (“EEA”) unless it has obtained the prior written consent of the Controller and has implemented appropriate safeguards for the transfer as required under GDPR.

12. Audit and Compliance

Upon reasonable notice, the Controller may conduct or request an independent audit of the Processor’s data protection practices. The Processor shall make available all necessary information to demonstrate compliance with its obligations under Article 28 of the GDPR.

13. Liability

Each party shall be liable for the damages resulting from its own breach of this Addendum or applicable data protection law. The Processor’s liability shall be limited to direct damages proven to result from its non-compliance with documented instructions or GDPR obligations.

14. Term and Termination

This Addendum remains in force for as long as the Processor processes personal data on behalf of the Controller. Upon termination of the Controller’s use of the Services, the Processor shall delete or return all personal data as specified in Section 10.

15. Governing Law and Jurisdiction

This Addendum is governed by and construed in accordance with the laws of Romania. Any disputes arising from or related to this Addendum shall be subject to the exclusive jurisdiction of the courts of Cluj-Napoca, Romania.

Annex I – Categories of Personal Data and Data Subjects

Categories of personal data processed:
- Patient identification data (e.g., name, date of birth, contact details)
- Intraoral scans and 3D digital dental models
- Facial and intraoral photographs
- Orthodontic treatment plans, including diagnostic and planning files
- Professional account data of orthodontists and associated staff

Categories of data subjects:
- Patients undergoing orthodontic treatment
- Dental professionals (Controllers and their authorized staff)
- Technical support personnel (where applicable).
