All client systems monitored 24/7
Sheffield, UK  //  Est. 2006
01433 377 977

DentalPing Data Processing Agreement

This agreement sets out how Dental IT Ltd processes personal data on behalf of dental practices using DentalPing. Read it together with the DentalPing Terms of Service and Privacy Policy.

Last updated: 4 July 2026

1. Parties and roles

This data processing agreement (the "DPA") is made between the dental practice or dental group that uses DentalPing (the "customer", acting as data controller) and Dental IT Ltd, a company registered in England and Wales (company number 05785120), with its registered office at 3A Abbeydale Road South, Sheffield, S7 2QL, United Kingdom (acting as data processor).

This DPA forms part of, and is governed by, the DentalPing Terms of Service. It applies wherever Dental IT Ltd processes personal data on the customer's behalf in the course of providing DentalPing. Questions about this DPA can be sent to support@dentalit.ltd.uk.

2. Definitions

In this DPA, "controller", "processor", "data subject", "personal data", "processing" and "personal data breach" have the meanings given to them in the UK GDPR and the Data Protection Act 2018. "UK GDPR" means the retained EU Regulation 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland.

3. Subject matter and duration

The subject matter of the processing is the personal data described in section 5, processed to provide the DentalPing service described in section 4. Processing continues for the term of the customer's use of DentalPing and for the deletion period described in section 13, after which processing ceases.

4. Nature and purpose of processing

Dental IT Ltd processes personal data on the customer's behalf to:

  • send appointment reminders and recall invitations to the customer's patients over WhatsApp;
  • provide two-way WhatsApp messaging between the customer and its patients, relaying patient replies into a shared inbox handled by the customer's staff or, where enabled, an automated assistant;
  • update appointment status and confirmations in the customer's Dentally practice management system.

5. Types of personal data

The personal data processed comprises:

  • patient name and mobile phone number;
  • appointment and recall details, including date, time, practitioner and appointment status;
  • the content of WhatsApp messages exchanged with patients;
  • practice staff account details, being name and work email address.

The personal data processed may include special category data concerning health within the meaning of Article 9 of the UK GDPR, in particular the fact that a data subject is a patient of the practice and information relating to their dental appointments and recalls.

6. Categories of data subjects

The data subjects are the customer's patients and the customer's staff users of DentalPing.

7. Processor obligations

Dental IT Ltd will:

  • process personal data only on the customer's documented instructions, including with regard to international transfers, unless required to do otherwise by law, in which case it will inform the customer before processing unless the law prevents this;
  • ensure that all persons it authorises to process the personal data are bound by obligations of confidentiality;
  • implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in section 11;
  • comply with the conditions in this DPA for engaging sub-processors;
  • taking into account the nature of the processing, assist the customer by appropriate technical and organisational measures in fulfilling the customer's obligation to respond to requests from data subjects exercising their rights;
  • assist the customer in ensuring compliance with its obligations regarding security of processing, notification of personal data breaches, and data protection impact assessments and prior consultation, taking into account the nature of the processing and the information available to Dental IT Ltd;
  • at the customer's choice, delete or return all personal data at the end of the provision of the service, as described in section 13;
  • make available to the customer all information necessary to demonstrate compliance with the obligations in this DPA, and allow for and contribute to audits, including inspections, conducted by the customer or an auditor mandated by the customer, on reasonable notice and no more than once in any 12 month period unless required by a supervisory authority.

Dental IT Ltd will inform the customer immediately if, in its opinion, an instruction infringes the UK GDPR or other applicable data protection law.

Where the processing involves special category data concerning health, the customer, as controller, is responsible for ensuring that an appropriate condition for processing under Article 9 of the UK GDPR applies, in particular the provision of health or social care under Article 9(2)(h), and for maintaining any appropriate policy document required under the Data Protection Act 2018. Both parties acknowledge that special category data may be processed under this agreement and will treat it with corresponding care.

8. Sub-processors

The customer gives general written authorisation for Dental IT Ltd to engage the following sub-processors to deliver the service:

  • Meta Platforms, for WhatsApp message delivery through the WhatsApp Business Platform;
  • Fly.io, for application hosting in the United Kingdom (London region);
  • Cloudflare, for object storage and backups;
  • a third party SMS provider, where the customer enables SMS fallback.

Dental IT Ltd will give the customer notice of any intended addition or replacement of sub-processors, giving the customer the opportunity to object before the change takes effect. Each sub-processor is bound by a written agreement imposing data protection obligations equivalent to those in this DPA, and Dental IT Ltd remains fully liable to the customer for the performance of each sub-processor's obligations.

9. Personal data breach

Dental IT Ltd will notify the customer without undue delay after becoming aware of a personal data breach affecting the customer's personal data, providing sufficient information to allow the customer to meet its own obligations to notify the Information Commissioner's Office and affected data subjects. Dental IT Ltd will cooperate with the customer and take reasonable steps to investigate, mitigate and remediate the breach.

10. International transfers

Processing under this DPA takes place in the United Kingdom and the EU. Any transfer of personal data outside the United Kingdom or the EU will rely on an appropriate safeguard, such as UK adequacy regulations, the UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses. WhatsApp message delivery is carried out by Meta and is subject to Meta's own terms and transfer mechanisms.

11. Security measures

Dental IT Ltd applies technical and organisational measures appropriate to the risk, including:

  • encryption of data in transit;
  • access controls and authentication for all access to the service and its infrastructure;
  • segregation of each customer's data within the multi-tenant environment, so that each practice can access only its own data;
  • regular backups, held with the storage sub-processor listed in section 8;
  • logging and monitoring of access to production systems.

12. Data subject rights

Where Dental IT Ltd receives a request directly from a patient or other data subject relating to the customer's data, it will refer the data subject to the customer, as controller, and will not respond substantively except on the customer's instructions or where legally required. Dental IT Ltd will assist the customer in responding to such requests as described in section 7.

13. Deletion and return

On termination or expiry of the customer's use of DentalPing, Dental IT Ltd will, at the customer's choice, delete or return the personal data processed on the customer's behalf within 30 days, and delete existing copies, unless retention is required by law, in which case the data will be isolated and protected until deletion is possible.

14. Liability

Liability under this DPA is subject to the limitations and exclusions of liability set out in the DentalPing Terms of Service.

15. Governing law

This DPA, and any dispute arising from it, is governed by the law of England and Wales, and the courts of England and Wales have exclusive jurisdiction.

Book your free IT health check.

We'll examine your network, tell you exactly where you stand, and what we'd fix. No commitment, no sales patter.

WhatsApp us any time on 01433 377 977or text 07488 890826