Data Processing Agreement
Last updated: 26 December 2024
This Data Processing Agreement ("DPA") forms part of the agreement between your clinic ("Data Controller", "you", or "your clinic") and AES-CRM Ltd ("Data Processor", "we", "us", or "AES-CRM") for the provision of AES-CRM services.
This DPA ensures compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person processed in connection with the services.
- "Data Controller" means your clinic, which determines the purposes and means of processing Personal Data.
- "Data Processor" means AES-CRM Ltd, which processes Personal Data on behalf of the Data Controller.
- "Sub-processor" means any third party engaged by AES-CRM to process Personal Data on behalf of the Data Controller.
- "Data Subject" means the individual to whom Personal Data relates (e.g., patients, staff).
2. Roles and Responsibilities
Your Clinic (Data Controller)
- Determines the purpose and means of processing
- Ensures lawful basis for processing
- Handles Data Subject rights requests
- Provides processing instructions to AES-CRM
AES-CRM (Data Processor)
- Processes data only on documented instructions
- Implements appropriate security measures
- Assists with Data Subject rights requests
- Notifies of breaches and audits
3. Details of Processing
| Subject Matter | Provision of AES-CRM SaaS platform services |
| Duration | For the term of the service agreement |
| Nature of Processing | Collection, storage, organisation, retrieval, use, and erasure |
| Purpose | Patient enquiry management, marketing attribution, appointment scheduling, and communications |
| Data Categories | Contact details, enquiry data, appointment information, communication history, marketing attribution |
| Data Subjects | Patients, prospective patients, clinic staff |
4. Sub-processors
You authorise AES-CRM to engage the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database infrastructure | EU (Frankfurt) |
| Stripe, Inc. | Payment processing | UK/EU |
| Twilio Inc. | SMS and voice | UK/EU |
| Wildbit LLC (Postmark) | Email delivery | US (SCCs) |
| Vercel Inc. | Application hosting | Global (EU primary) |
| Google LLC | Ads conversion tracking | Global (Adequacy) |
We will notify you of any intended changes to sub-processors, giving you an opportunity to object within 30 days.
5. Security Measures
AES-CRM implements appropriate technical and organisational measures including:
- Encryption of data at rest (AES-256) and in transit (TLS 1.3)
- Role-based access controls with least-privilege principle
- Multi-factor authentication for administrative access
- Regular security assessments and vulnerability scanning
- Comprehensive audit logging of all data access
- Encrypted, geographically redundant backups
- Incident response procedures
6. Data Breach Notification
In the event of a Personal Data breach, AES-CRM will:
- 1Notify you without undue delay and within 72 hours of becoming aware
- 2Provide details of the breach including categories and volume of data affected
- 3Describe measures taken or proposed to address and mitigate the breach
- 4Cooperate with your investigation and regulatory notifications
7. Assistance with Data Subject Rights
AES-CRM will assist you in responding to Data Subject requests including access, rectification, erasure, restriction, portability, and objection rights. We will respond to your assistance requests within 10 business days.
8. Data Deletion on Termination
Upon termination of the service agreement:
- You may request a data export within 30 days of termination
- We will delete your Personal Data within 90 days of termination, unless required by law to retain it
- Backup copies will be deleted within 180 days following our standard backup rotation
- We will provide written confirmation of deletion upon request
9. Audit Rights
AES-CRM will make available information necessary to demonstrate compliance with this DPA and allow for audits by you or an independent auditor. Audits must be conducted with reasonable notice (at least 30 days), during business hours, and in a manner that does not disrupt our operations.
Contact
For DPA-related enquiries or to report a data incident:
Email: dpo@aescrm.com
Address: AES-CRM Ltd, 123 Dental Street, London, UK, SW1A 1AA