Data Processing Addendum

GDPR Article 28 terms for B2B Customers.

Effective: TBD
Last updated: TBD

Draft template — not legal advice

This document is a starting-point template generated for the MoldLean launch. Before publishing or relying on it commercially, have it reviewed by a qualified attorney in your jurisdiction. Dates and versions below are placeholders.

This Data Processing Addendum (“DPA”) forms part of the agreement between the Customer identified in the order form (“Customer” or “Controller”) and Armenta & Marquez Dental Technologies (“MoldLean” or “Processor”) for the use of the MoldLean Service (the “Agreement”).

This DPA reflects the parties' agreement on the processing of Personal Data by MoldLean on behalf of the Customer in compliance with Regulation (EU) 2016/679 (“GDPR”), the UK Data Protection Act 2018, and the Swiss Federal Act on Data Protection (FADP) as applicable. In the event of conflict, this DPA prevails on data protection matters.

1. Definitions

Terms used but not defined have the meanings given in the GDPR. In particular: Customer Personal Data means Personal Data processed by MoldLean on behalf of the Customer; Standard Contractual Clauses (SCCs) means the European Commission's SCCs of 4 June 2021 (Decision 2021/914/EU); Sub-processor means any third party engaged by MoldLean.

2. Scope and roles

The Customer acts as Controller (or, where the Customer is itself a processor for an underlying controller, as Processor, in which case MoldLean acts as Sub-processor). MoldLean acts as Processor (or Sub-processor as described above). The Customer warrants that it has a lawful basis to process the data and the right to authorize MoldLean to do so, and that it will not upload PHI under HIPAA without an active HIPAA tier and executed BAA.

3. Subject matter, duration, nature and purpose

See Annex I for the detailed description. In summary:

  • Subject matter: processing of Customer Personal Data in connection with operation of the Service.
  • Duration: for the term of the Agreement plus the post-termination retention period in section 11.
  • Nature: hosting, storage, transmission, geometric processing, generation of derived files, audit logging, support.
  • Purpose: to provide the Service per the Agreement.

4. Categories of data subjects and personal data

  • Data subjects: Customer's authorized users; Customer's end-users / patients whose data may appear in Customer Content; billing contacts.
  • Personal data: account data; authentication credentials (hashed); usage and audit logs; uploaded file metadata; uploaded file contents (3D scan geometry, possibly linkable to a natural person).
  • Special categories: potentially health data if the Customer uploads dental scans attributable to identifiable patients. Such uploads are only permitted under the HIPAA tier with an executed BAA.

5. Processor obligations

MoldLean shall:

  • Process Customer Personal Data only on documented instructions from the Customer (the Agreement, this DPA and in-app configuration constitute the complete documented instructions on signature).
  • Ensure personnel authorized to process are bound by confidentiality.
  • Implement technical and organizational measures appropriate to the risk (Art. 32; see Annex II).
  • Engage Sub-processors only per section 7.
  • Assist Customer in responding to data subject requests (we provide self-service export, deletion and audit log access).
  • Assist Customer with Articles 32–36 obligations.
  • Notify Customer of a Personal Data Breach without undue delay and in any event within 24 hours.
  • Delete or return Customer Personal Data on termination (section 11).
  • Maintain records of processing under Art. 30.
  • Make information available for audits per section 9.

6. International transfers

Where Customer Personal Data is transferred from the EEA, UK or Switzerland to a non-adequate third country, the parties agree:

  • The EU SCCs (2021/914/EU) are incorporated by reference. Module 2 (Controller → Processor); Module 3 where Customer acts as Processor.
  • The UK International Data Transfer Addendum applies to UK transfers.
  • The Swiss FDPIC adjustments apply to Swiss transfers.

The parties' SCC choices are recorded in Annex IV.

7. Sub-processors

The Customer grants general authorization. The current list is in Annex III and at /legal/sub-processors. MoldLean shall give the Customer at least 30 days' prior notice before adding or replacing a Sub-processor. The Customer may object on reasonable data protection grounds within the notice period; if no resolution is reached, the Customer may terminate the affected portion of the Service for a pro-rata refund. MoldLean remains liable for its Sub-processors.

8. Records

MoldLean maintains records of processing as required by Art. 30(2) and will make them available to a supervisory authority on request.

9. Audit

On reasonable written request (no more than once per year, except following a Breach or upon a regulator's order), MoldLean will provide its most recent SOC 2 Type II report (once available), responses to a security questionnaire, and internal policies. On-site audits require 60 days' notice and an independent auditor bound by confidentiality, and are at the Customer's expense. MoldLean reimburses reasonable audit costs if material non-compliance is found.

10. Liability

Each party's liability is governed by the limitation of liability in the Agreement and the SCCs (where applicable). Where the Agreement and the SCCs conflict, the SCCs prevail with respect to liability arising under the SCCs.

11. Term and termination

This DPA takes effect on the Effective Date of the Agreement and continues until the Agreement terminates. On termination, at the Customer's choice within 30 days, MoldLean will return Customer Personal Data in a structured, commonly used, machine-readable format, or delete it. If no choice is communicated, MoldLean will delete. Deletion completes within: 72 hours for live object storage; 30 days for primary database records; 30 days for backup purge. Audit-log and fiscal data may be retained where law requires. A written certificate of destruction is available on request.

12. Order of precedence

(1) SCCs (where applicable); (2) this DPA; (3) the Agreement.

13. Signature

Acceptance is effected by signing the Customer order form that incorporates this DPA by reference; by clicking “I accept the DPA” in organization settings (Admin role); or by mutual execution of a separate signature page.

Annex I — Description of processing

A. List of parties

Data Exporter (Controller): [Customer legal name], [address], contact: [Customer DPO/privacy contact]. Role: Controller (or Processor where applicable).

Data Importer (Processor): Armenta & Marquez Dental Technologies (MoldLean), Mexico (address TBD), contact: privacy@moldlean.com. Role: Processor.

B. Description of transfer

| Item | Detail |
|---|---|
| Data subjects | Customer's authorized users; end-users / patients in Customer Content; billing contacts |
| Personal data | Account; hashed credentials; usage / audit logs; uploaded file metadata; uploaded file contents |
| Special categories | Potentially health data — HIPAA tier required with BAA |
| Frequency | Continuous, on user-initiated action |
| Nature | Storage, transmission, geometric processing, audit logging |
| Purpose | Provision of the Service |
| Retention | Per section 11 and the published Retention Schedule |
| Sub-processors | See Annex III |

C. Competent supervisory authority

The authority indicated by the data exporter pursuant to Clause 13 of the SCCs.

Annex II — Technical and Organizational Measures

  • Encryption: TLS 1.3 in transit; AES-256-GCM at rest; encrypted backups with separate key management.
  • Access controls: RBAC with least privilege; mandatory 2FA for staff with production access; quarterly access reviews; passwords as PBKDF2-SHA256 with 200,000 iterations.
  • Network and infrastructure: private VPCs; WAF and DDoS protection via Cloudflare; rate limiting per IP / token / organization.
  • Application security: OWASP Top 10 review; dependency scanning; static analysis in CI; secrets vaulting.
  • Audit and logging: immutable audit log; centralized retention.
  • Backups and DR: encrypted daily backups; quarterly restore drills; documented RTO/RPO.
  • Incident response: documented plan with severity levels; 24h Customer notification commitment.
  • Personnel: NDAs; annual training; background checks where lawful.
  • Sub-processor management: due diligence; annual review.
  • Data minimization: 72h automatic deletion of uploaded files; truncated IPs for analytics.

Annex III — Sub-processors

| Sub-processor | Purpose | Location | DPA |
|---|---|---|---|
| Cloudflare, Inc. | DNS, CDN, R2 object storage | US (EU R2 available) | Yes |
| Hetzner Online GmbH | Compute VPS (default tier) | Germany (EU) | Yes (GDPR-native) |
| Amazon Web Services, Inc. | S3 Glacier cold archive; future HIPAA compute | US / EU | Yes |
| Paddle.com Market Ltd | Payment processing | UK + global | Yes |
| Resend, Inc. | Transactional email | US | Yes |
| Functional Software, Inc. (Sentry) | Error tracking | US | Yes |

Annex IV — SCC choices

| Clause | Choice |
|---|---|
| Module | Module 2 (Controller → Processor); Module 3 (Processor → Processor) where applicable |
| Clause 7 (Docking) | Applies |
| Clause 9 (Sub-processors) | Option 2 — general authorization with 30 days notice |
| Clause 11 (Redress) | Independent dispute resolution body — option not selected |
| Clause 17 (Governing law) | Law of Ireland (or another EU Member State recognizing third-party beneficiary rights) |
| Clause 18 (Forum) | Courts of Ireland |

The UK Addendum incorporates these clauses with mandatory UK adjustments.