Practice Agreement Additional Terms & Conditions
US Terms of Service
These Terms & Conditions (“Terms”) to the Practice Agreement (“Agreement”) are entered into by and between Dandy (“Dandy” or “we”) and you and your dental practice or office (“You”) and are effective as of the date the Practice Agreement is entered into (“Effective Date”). If you accept these Terms on behalf of an entity, partnership, corporation, or organization “you” includes you, that entity, and all entity users and you hereby represent that you have the authority to bind all such users. Dandy and you will each be referred to as a “Party” and together, the “Parties.” For good and valuable consideration as set forth in the Agreement, the Parties agree to the following:
- Amendment. These Terms and the Agreement cannot be changed unless we both agree in writing. If Dandy makes material changes to either the Terms or the Agreement, Dandy will notify you of such change. Any material change will become effective thirty (30) days after we notify you, unless you notify us in writing that you wish to terminate the Agreement. In that case, the change will not take effect and Dandy will honor the existing Agreement for 60 days or until you return the scanner and any other Dandy equipment that may be in your possession.
- Entire Agreement. The Practice Agreement, these Terms, the Business Associates Agreement, and the IT Policy for Practice-Provided Equipment, if applicable, constitute our entire agreement. Anything communicated in any other method outside of these documents is not binding. This Agreement supersedes any other conflicting agreement we may have made in the past.
- Non-assignability. Dandy is partnering with you, so you may not transfer or assign the Agreement and Terms to a third-party unless we both agree in writing.
- Legal Compliance. Both Parties agree to comply with all applicable health laws and regulations in the United States, including HIPAA, among others.
- Indemnity. You will indemnify, defend, and hold harmless Dandy against and from all claims, causes of actions, damages, debts, liabilities, losses, obligations, payments, costs, and expenses (including legal expenses), arising from or relating to: (a) your breach of any term of the Agreement, these Terms and/or the Business Associates Agreement; (b) your breach of any term of any agreement between you and any patient, or any negligent, reckless or willful acts or failures with respect to your care of a patient; (c) your provision of incorrect or incomplete information, scans, documents, or data to Dandy, or any failure to timely provide Dandy with any information it requests from you, your practice, or any of your Dentists; and (d) any and all dealings with federal, state or local administrative agencies, regulators, licensing, or professional bodies.
- Arbitration. Dandy hopes that we never encounter any meaningful disagreements about our Agreement, these Terms, and the Business Associates Agreement, and Dandy very much prefers to resolve any disagreements in the most amicable way possible. Dandy’s goal is to work closely with you and Dandy’s mission is to support your practice. If something does arise that we are unable to resolve through amicable problem solving, we both commit to resolve the issue through arbitration with JAMS in the state of New York, under New York law.
- Sales Tax. Dandy will charge sales tax, as applicable, on our products, equipment and services based on your geographical location. The amount of sales tax will be presented on your monthly invoice, and payment will be collected as described herein as well as in your Practice Agreement. If you are exempt from paying sales tax, you agree to provide Dandy with a valid exemption certificate acceptable to each taxing jurisdiction where exempt status is claimed.
Business Associate Agreement
This HIPAA BUSINESS ASSOCIATE AGREEMENT (“Addendum”), is effective as of the date the Practice Agreement is entered into (“Effective Date”), between the dental practice identified in the Practice Agreement (“Covered Entity”) and Dandy (“BA”). This Addendum, which supersedes any previous business associate agreement between the parties, amends, supplements, and is made a part of the Practice Agreement, by and between Covered Entity and BA, as the same may be amended from time to time (the “Agreement”).
RECITALS
WHEREAS, Covered Entity is a “covered entity” as that term is defined at 45 C.F.R. § 160.103;
WHEREAS, BA may, on behalf of Covered Entity, create, receive, maintain, or transmit certain Protected Health Information (as defined below) in order to provide services to Covered Entity pursuant to the Agreement;
WHEREAS, Covered Entity is subject to the Administrative Simplification requirements of the Health Insurance Portability and Accountability Act of 1996 and regulations promulgated thereunder, including the Standards for Privacy of Individually Identifiable Health Information and the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. Parts 160 and 164 (collectively “Privacy and Security Regulations”);
WHEREAS, the Privacy and Security Regulations require Covered Entity to enter into a contract with BA in order to mandate certain protections for the privacy and security of Protected Health Information, and those Regulations prohibit the disclosure of Protected Health Information from Covered Entity to BA if such a contract is not in place;
WHEREAS, this Addendum shall be applicable only in the event that BA meets, with respect to Covered Entity, the definition of “business associate” set forth in 45 C.F.R. § 160.103.
In consideration of the foregoing, and for other good and valuable consideration, the receipt and adequacy of which is hereby acknowledged, the parties agree as follows:
1. Definitions
- “Breach” shall have the meaning given to the term “breach” at 45 C.F.R. § 164.402, as applied to the Unsecured PHI created, received, maintained, or transmitted by BA from or on behalf of Covered Entity.
- “Electronic Protected Health Information” or “ePHI” shall have the meaning given to the term “electronic protected health information” at 45 C.F.R. § 160.103, as applied to the information created, received, maintained, or transmitted by BA from or on behalf of Covered Entity.
- “Protected Health Information” or “PHI” shall have the meaning given to the term “protected health information” at 45 C.F.R. § 160.103, as applied to the information created, received, maintained, or transmitted by BA from or on behalf of Covered Entity.
- “Reportable Event” means any (1) use or disclosure of PHI not provided for by this Addendum; (2) Security Incident; (3) Breach of Unsecured PHI; or (4) any data incident involving PHI for which data breach notification is required under applicable foreign, federal, or state law.
- “Services” mean the services provided by BA to Covered Entity as set forth in the Agreement.
- “Security Incident” shall have the meaning given to the term “security incident” at 45 C.F.R. § 164.304, as applied to the ePHI created, received, maintained, or transmitted by BA from or on behalf of Covered Entity.
Terms used, but not otherwise defined, in this Addendum shall have the same meaning as those terms in the Privacy and Security Regulations including, but not limited to, 45 C.F.R. Sections 160.103 and 164.501. Any inconsistency in the definition of a term shall be resolved in favor of a meaning that permits compliance with HIPAA.
2. Permitted Uses and Disclosures of PHI
Except as otherwise limited in this Addendum or the Agreement, BA may do any or all of the following:
- Use or Disclosure under the Agreement. Use or disclose PHI to perform functions, activities, or services for, or on behalf of Covered Entity, to the extent permitted in the Agreement, provided that such use or disclosure would not violate the Privacy Rule or any applicable state law if done by Covered Entity. Notwithstanding the above, BA may use and disclose PHI for the purposes identified in paragraphs (2), (3), and (5) of this Section 2, even if Covered Entity could not do so under the Privacy Rule.
- Use for Administration or Legal Responsibilities. Use PHI, but only to the minimum extent necessary, for the proper management and administration of BA, for debt collection practices of BA, or to carry out the legal responsibilities of BA.
- Disclosure for Administration or Legal Responsibilities. Disclose PHI, but only to the minimum extent necessary, for the proper management and administration of BA or to carry out the legal responsibilities of BA, provided that:
- The disclosures are Required by Law; or
- BA obtains reasonable assurances from the third party to whom the PHI is disclosed that such information shall remain confidential and shall be used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person (which purpose must be consistent with the limitations imposed upon BA pursuant to this Addendum), and such person agrees to promptly notify BA of any instance of which it is aware in which the confidentiality of the information has been breached.
- Use for Reporting of Violations. Use PHI to report violations of law to appropriate federal, state, and local authorities, consistent with 45 C.F.R. § 164.502(j).
- Use for Data Aggregation Services. Use PHI to provide Data Aggregation services relating to the health care operations of Covered Entity, as permitted by 45 C.F.R. §164.504(e)(2)(i)(B).
- De-Identified Information. Use PHI to create de-identified information in accordance with 45 C.F.R. §§ 164.502(d) and 164.514(a)-(c).
3. Obligations of Business Associate
- Limited by Agreement and Law. BA may not use or disclose PHI other than as permitted or required by this Addendum and the Agreement or as Required by Law.
- Compliance with HIPAA. To the extent that BA is responsible for carrying out an obligation of Covered Entity under HIPAA pursuant to this Addendum or the Agreement, BA shall comply with the requirements of HIPAA that apply to Covered Entity in the performance of such obligation.
- Appropriate Safeguards for PHI. BA shall implement and maintain appropriate safeguards to prevent the Use or Disclosure of PHI in any manner other than as permitted by the Agreement and this Addendum.
4. Reportable Events
- Use of Subcontractors. If BA discloses PHI to a subcontractor or allows a subcontractor to create, receive, maintain, or transmit PHI on its behalf, BA shall require the subcontractor to execute a written agreement obligating the subcontractor to comply with all the terms of this Addendum. If BA becomes aware of a pattern of activity or practice of a subcontractor that would constitute a material breach or violation of the written agreement between BA and subcontractor, BA shall take reasonable steps to cure such breach or end the violation, as applicable, or terminate such written agreement with such subcontractor.
- Availability of Internal Practices, Books and Records to Government Agencies. BA agrees to make its internal practices, books and records relating to the Use and Disclosure of PHI that is received from, or created or received by BA on behalf of, Covered Entity available to the Secretary of the United States Department of Health and Human Services for purposes of determining Covered Entity’s compliance with HIPAA. No attorney-client, accountant-client, or other legal privilege shall be deemed to have been waived by BA by virtue of BA’s compliance with this provision.
- Access to and Amendment of PHI. To the extent that BA maintains PHI in a Designated Record Set, BA shall: (a) make the PHI specified by Partner available to the individual(s) identified by Covered Entity as being entitled to access such PHI, and (b) make amendment(s) to such PHI in a Designated Record Set as directed or agreed to by Covered Entity. BA shall provide such access and incorporate such amendments within the time and in the manner specified by Covered Entity that meets the requirements of 45 C.F.R. § 164.524, § 164.526, and applicable state law.
- Accounting of Disclosures. Upon Covered Entity’s request, BA shall provide to Covered Entity an accounting of the disclosures of an Individual’s PHI in a time and manner that meets the requirements of 45 C.F.R. § 164.528 and, as of the applicable effective date, Section 13405(c) of HITECH and any regulations promulgated thereunder.
- Minimum Necessary. BA agrees that it shall comply with HIPAA’s minimum necessary requirements.
- Communication with Other Business Associates. In connection with the performance of its services, activities, and/or functions to or on behalf of Covered Entity, BA may disclose information, including PHI, to other business associates of Covered Entity. Likewise, BA may use and disclose information, including PHI, received from other business associates of Covered Entity, as if this information was received from, or originated with, Covered Entity. The parties agree that it is the responsibility of Covered Entity to secure and maintain business associate agreements with its other business associates.
- BA shall report to Covered Entity any Reportable Event of which it becomes aware. All such reports shall be made without unreasonable delay and in no case later than fifteen (15) business days after BA’s discovery of a Reportable Event.
- BA shall cooperate with Covered Entity in investigating a Reportable Event and assist Covered Entity in determining whether a Reportable Event constitutes a Breach of Unsecured PHI.
- BA shall mitigate, to the extent practicable, any harmful effect that is known to BA of a Reportable Event.
- The parties acknowledge and agree that this section constitutes notice by BA to Covered Entity of the ongoing existence and occurrence of attempted but unsuccessful Security Incidents that do not result in unauthorized access to, or use, loss, modification, destruction, or disclosure of, PHI, such as pings and other broadcast attacks on BA’s firewall, port scans, unsuccessful log-on attempts, unsuccessful denial of service attacks, or any combination thereof.
5. Obligations of Covered Entity
- Notice of Privacy Practices. Covered Entity shall notify BA in writing of any limitations in its notice of privacy practices, to the extent that such limitations may affect BA’s use or disclosure of PHI.
- Notification of Revocations. Covered Entity shall notify BA in writing of any changes in, or revocation of, authorization by an Individual to use or disclose PHI, to the extent that such changes or revocation may affect BA’s use or disclosure of PHI.
- Notification of Restrictions. Covered Entity shall notify BA in writing of any restriction to the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect BA’s use or disclosure of PHI.
- Permissible Requests. Covered Entity shall not request that BA use or disclose PHI in any manner that would not be permissible under HIPAA or other applicable federal or state law if done by Covered Entity.
6. Term and Termination
- Term. The term of this Addendum shall be the same as the term of the Agreement, but shall terminate as of the earliest occurrence of any of the following:
- The Agreement expires or is terminated with or without cause;
- This Addendum is terminated for cause as described in Section 5.2 below;
- The parties mutually agree to terminate this Addendum; or
- This Addendum is terminated under applicable federal, state, or local law.
- Termination for Cause.
- Upon Covered Entity’s determination of a breach of any material term of this Addendum by BA, Covered Entity shall provide BA written notice of that breach in sufficient detail to enable BA to understand the specific nature of that breach and afford BA an opportunity to cure the breach; provided, however, that if BA fails to cure the breach within thirty (30) days of receipt of such notice, Covered Entity may terminate this Addendum and the Agreement.
- Upon BA’s determination of a breach of a material term of this Addendum by Covered Entity, BA shall provide Covered Entity written notice of that breach in sufficient detail to enable Covered Entity to understand the specific nature of that breach and afford Covered Entity an opportunity to cure the breach; provided, however, that if Covered Entity fails to cure the breach within thirty (30) days of receipt of such notice, BA may terminate this Addendum and the Agreement.
- Effect of Termination
- Subject to Section 5.3(b) below, upon termination of this Addendum for any reason, BA shall return or destroy all PHI that BA still maintains in any form. BA shall retain no copies of such PHI.
- If return or destruction of any or all PHI is not feasible, BA shall:
- Retain only that PHI for which return or destruction is not feasible;
- Return to Covered Entity or destroy the remaining PHI that BA still maintains in any form;
- Extend the protections of this Addendum to any retained PHI, continue to use appropriate safeguards, and comply with the Security Rule with respect to ePHI, in order to prevent use or disclosure of the retained PHI other than as provided for in this Addendum for as long as BA retains the PHI;
- Not use or disclose the PHI retained by BA other than for the purposes for which such PHI was retained and subject to the same conditions set forth in this Addendum that applied prior to termination; and
- Return to Covered Entity or destroy the PHI retained by BA if and when it becomes feasible to do so.
- These provisions shall apply to PHI that is in the possession of subcontractors or agents of BA.
- This Section 5.3 shall survive termination of this Addendum.
7. Miscellaneous
- Regulatory References. A reference in this Addendum to a section in HIPAA means the section as in effect or as amended at the time this Addendum is executed or amended.
- Amendment; No Waiver. Upon the effective date of any federal statute amending or expanding HIPAA, any guidance or temporary, interim final or final regulations promulgated under HIPAA, or under any federal statute amending or expanding HIPAA (collectively, the “HIPAA Regulations”) that are applicable to this Addendum or any amendments to the HIPAA Regulations, this Addendum shall be automatically amended, such that the obligations imposed on Covered Entity and BA shall remain in compliance with such requirements, unless the parties agree otherwise by mutual consent. The parties shall take all necessary action to expressly reflect such automatic amendments to this Addendum from time to time. Except as provided otherwise in this paragraph (B), no waiver, change, modification, or amendment of any provision of this Addendum shall be made unless it is in writing and is signed by the parties hereto. The failure of either party at any time to insist upon strict performance of any condition, promise, agreement, or understanding set forth herein shall not be construed as a waiver or relinquishment of the right to insist upon strict performance of the same condition, promise, agreement, or understanding at a future time.
- Interpretation. Any ambiguity in this Addendum shall be resolved in favor of a meaning that permits compliance with HIPAA. The titles and headings set forth at the beginning of each section hereof are inserted for convenience of reference only and shall in no way be construed as a part of this Addendum or as a limitation on the scope of the particular provision to which it refers. In the event of an inconsistency between the provisions of this Addendum and the mandatory terms of HIPAA, as may be expressly amended from time-to-time by the Secretary, or as a result of interpretations by the Secretary, a court, or another regulatory agency with authority over the parties, the interpretation of the Secretary, such court, or regulatory agency shall prevail.
- Relationship to Agreement Provisions. In the event that a provision of this Addendum is contrary to a provision of the Agreement, the provision of this Addendum shall control. Otherwise, this Addendum shall be construed under, and in accordance with, the terms of the Agreement.
- Relationship of Parties. The parties to this Addendum are independent contractors. None of the provisions of this Addendum are intended to create, nor shall they be interpreted or construed to create, any relationship between Covered Entity and BA other than that of independent contractors. Except as otherwise expressly set forth herein, neither party, nor any of its representatives, shall be deemed to be the agent, employee, or representative of the other party.
- No Third Party Beneficiaries. This Addendum is between the parties hereto. Nothing express or implied in this Addendum is intended to confer, nor shall anything herein confer, any rights, remedies, obligations, or liabilities whatsoever upon any person other than Covered Entity and BA and any respective successors and assigns.
- Invalid or Unenforceable Provision. The provisions of this Addendum shall be severable. The invalidity or unenforceability of any particular provision or portion of such provision of this Addendum shall be construed, in all respects, as if such invalid or unenforceable provision or portion of such provision had been omitted, and shall not affect the validity and enforceability of the other provisions hereof or portions of that provision.
- Assignment. The parties’ rights and obligations with respect to assignment of this Addendum shall be subject to the assignment provision set forth in the Agreement. In the event that the Agreement does not contain an assignment provision, neither party may assign its rights, or delegate its duties or obligations, under this Addendum without the prior written consent of the other party, which consent shall not be unreasonably withheld. This Addendum shall be binding upon, and shall inure to the benefit of, the parties hereto and their respective successors.
- Applicable Law. This Addendum shall be construed, administered, and governed by the governing law set forth in the Agreement, except to the extent preempted by applicable federal law. In the event that the Agreement does not identify the governing law, this Addendum shall be construed, administered, and governed under the laws of the State of New York, except to the extent preempted by applicable federal law.
- Notices. All notices hereunder shall be in writing, and either delivered by hand, or sent by mail, or delivered in such other manner as the parties may agree upon, to the following:
To Covered Entity: Practice’s Email Address Identified in the Practice Agreement
To BA: Dandy
Attention: Legal Department
11 Park Place, Suite 502
New York, NY 10007
Each party reserves the right to change address for receiving notice during the term of this Addendum upon written notice to the other parties.
- Counterparts. This Addendum may be executed in separate counterparts, none of which need contain the signatures of both parties, and each of which, when so executed, shall be deemed to be an original, and such counterparts shall together constitute and be one and the same instrument.
IT Policy for Practice-Provided Equipment
This policy applies only to practices that use their own laptop and scanner as part of their relationship with Dandy.
Standard Systems Policy:
To ensure the quality and consistency of case submission to Dandy Labs, you agree to comply with the following requirements regarding your IT infrastructure:
- You agree to use the 3Shape TRIOS 3, TRIOS 4, or TRIOS 5 intraoral scanner only.
- You agree to provide a consistent Wi-Fi connection of at least 15 Mbps upload and 15 Mbps download in all locations where case submission occurs.
- You agree to use a computer with the 3Shape intraoral scanner that meets the following system requirements:
- PC Minimum:
- Processor: i7-10850H
- Memory: 16 GB DDR4
- Disk: 256 GB
- Graphics card: Quadro T1000 (4GB)
- Operating system: Windows 11 Pro
- PC Recommended:
- Processor: i7 12850HX
- Memory: 32 GB DDR5
- Disk: 1 TB SSD
- Graphics card: NVIDIA® A3000
- Operating system: Windows 11 Pro
- Has an operational webcam
- You agree to upgrade the TRIOS software to a minimum version of 1.7.19.1.
- You agree to save and submit all case files to the local storage of the computer.
- You agree to grant EasyAccess to Splashtop to Dandy’s customer service team with a mutually agreed-upon shared password that will exist for the duration of the relationship.
- You agree to install the DandyUploader to a local user’s profile and you will use this local profile in connection with your use of the TRIOS software.
- You agree to grant permission to the following file paths if you are using antivirus software:
- C:\Users\Dandy\AppData\Roaming\DandyUploader
- C:\Users\Dandy\AppData\Roaming\@orthly
- C:\Program Files\Chairside
- C:\Program Files\DandyUploader
- C:\Program Files\UploaderMedit
- Should your practice have a network firewall, either physical or web-based, please allow all traffic on the following domains:
- *.meetdandy.com
- orthly.com
- *.orthly.com
- dandyserv.net
- *.dandyserv.net
- *dandy.dental
- .api.splashtop.com
- Port 443
- Allow both HTTP over TLS and non-HTTP over TLS
Canadian Terms of Service, including Data Privacy Agreement
These Terms & Conditions (“Terms”) to the Practice Agreement (“Agreement”) are entered into by and between Zima Labs Canada, ULC d/b/a Dandy (“Dandy” or “we”) and you and your dental practice or office (“You”) and are effective as of the date the Practice Agreement is entered into (“Effective Date”). If you accept these Terms on behalf of an entity, partnership, corporation, or organization “you” includes you, that entity, and all entity users and you hereby represent that you have the authority to bind all such users. Dandy and you will each be referred to as a “Party” and together, the “Parties.” For good and valuable consideration as set forth in the Agreement, the Parties agree to the following:
- Amendment. These Terms and the Agreement cannot be changed unless we both agree in writing. If Dandy makes material changes to either the Terms or the Agreement, Dandy will notify you of such change. Any material change will become effective thirty (30) days after we notify you, unless you notify us in writing that you wish to terminate the Agreement. In that case, the change will not take effect and Dandy will honor the existing Agreement for 60 days or until you return the scanner and any other Dandy equipment that may be in your possession.
- Entire Agreement. The Practice Agreement, these Terms, the Data Privacy Agreement, and the IT Policy for Practice-Provided Equipment, if applicable, constitute our entire agreement. Anything communicated in any other method outside of these documents is not binding. This Agreement supersedes any other conflicting agreement we may have made in the past.
- Non-assignability. Dandy is partnering with you, so you may not transfer or assign the Agreement and Terms to a third-party unless we both agree in writing.
- Legal Compliance. Both Parties agree to comply with all applicable health laws and regulations in Canada, including the applicable Federal and Provincial data privacy laws, among others.
- Indemnity. You will indemnify, defend, and hold harmless Dandy against and from all claims, causes of actions, damages, debts, liabilities, losses, obligations, payments, costs, and expenses (including legal expenses), arising from or relating to: (a) your breach of any term of the Agreement, these Terms and/or the Data Privacy Agreement; (b) your breach of any term of any agreement between you and any patient, or any negligent, reckless or willful acts or failures with respect to your care of a patient; (c) your provision of incorrect or incomplete information, scans, documents, or data to Dandy, or any failure to timely provide Dandy with any information it requests from you, your practice, or any of your Dentists; and (d) any and all dealings with federal, state or local administrative agencies, regulators, licensing, or professional bodies.
- Arbitration. Dandy hopes that we never encounter any meaningful disagreements about our Agreement, these Terms, and the Data Privacy Agreement, and Dandy very much prefers to resolve any disagreements in the most amicable way possible. Dandy’s goal is to work closely with you and Dandy’s mission is to support your practice. If something does arise that we are unable to resolve through amicable problem solving, we both commit to resolve the issue through arbitration with the Canadian Arbitration Association in the city of Toronto, under Ontario law. The language of the arbitration shall be English.
- Sales Tax. Dandy will charge sales tax, as applicable, on our products, equipment and services based on your geographical location. The amount of sales tax will be presented on your monthly invoice, and payment will be collected as described herein as well as in your Practice Agreement. If you are exempt from paying sales tax, you agree to provide Dandy with a valid exemption certificate acceptable to each taxing jurisdiction where exempt status is claimed.
- The Parties acknowledge and agree that because Dandy will be receiving and processing Personal Health Information on behalf of the Counterparty, a Data Privacy Agreement (the “DPA”) is a mandatory and integral part of this Agreement. The DPA, attached hereto as Schedule A, sets out the Parties’ obligations with respect to the collection, use, disclosure, and protection of Personal Information and Personal Health Information. Counterparty acknowledges and agrees that it will not provide any Personal Health Information to Dandy unless and until the DPA is executed by both Parties.
Schedule A – Data Privacy Agreement
This Data Privacy Agreement (“DPA”) applies to the Practice Agreement (“Agreement”) between Dandy and you and your dental practice or office (“Counterparty”) and is incorporated by reference when the Applicable Laws (defined below) cover Counterparty’s use of the Services and the processing of Personal Data. This DPA ensures that Dandy’s processing of Personal Information complies with Applicable Laws.
Capitalized Terms not defined herein shall have the definitions set forth in the Agreement.
1. Definitions
“Applicable Laws” means all laws, regulations, and regulatory guidance applicable to the processing of Personal Information under this DPA, including the Personal Information Protection and Electronic Documents Act (PIPEDA) and, specifically for Personal Health Information, the Ontario Personal Health Information Act, 2004 (PHIPA) and any other applicable provincial privacy laws.
“Data Breach” means any unauthorized access, use, or disclosure of Personal Health Information that is in the custody or control of Dandy, and which poses a real risk of significant harm to the individual, as defined by PHIPA. the actual loss, theft, unavailability or misuse of, or unlawful or unauthorized access to, use, disclosure or processing of Personal Information or any actual or suspected violation of the requirements of this Agreement or Applicable Laws
“Personal Information” means identifying information about an individual in oral or recorded form, as defined by PHIPA, that is collected, used, or disclosed in the course of providing health care, including but not limited to health card numbers, treatment information, and dental records.
means any information relating to an identified or identifiable individual, as defined under the applicable data protection laws in Canada, including the PIPEDA and any applicable provincial privacy laws.
2. Scope and Purpose
Dandy agrees to process Personal Information only on behalf of and under the documented instructions of the Counterparty, except where required by Applicable Laws.
Dandy shall not process Personal Information for any purpose other than to perform the Services described in the Agreement, or as otherwise expressly authorized by the Counterparty.
3. Obligations of Dandy
Dandy shall comply with all Applicable Laws concerning the processing of Personal Information. Dandy shall treat Personal Information as confidential and only disclose Personal Information to its employees or subcontractors who are subject to binding confidentiality obligations in respect of Personal Information (and whose use of that Personal Information relates to their job function), and ensure that those individuals only process the Personal Information on instructions from the Counterparty and in accordance with the Agreement (including this DPA). Dandy shall ensure that all personnel authorized to process Personal Information are bound by confidentiality obligations and have received appropriate training on data protection.
If subcontractors are engaged, Dandy shall contract with such subcontractors to ensure they comply with this DPA and Applicable Laws. Dandy will remain liable to the Counterparty for any breach of the Agreement that is caused by an act, error or omission of the subcontractor to the same extent Dandy would be liable for its own acts, errors, or omissions.
Dandy shall not transfer Personal Information outside Canada and the United States without Counterparty’s prior written consent.
Dandy will provide the Counterparty with reasonably necessary assistance in order to assist with any requests by any individual to access, correct, amend or delete their Personal Information. Any such requests, or requests relating to the processing of the individual’s Personal Information in any manner, will be directed by Dandy to the Counterparty, as the custodian of the Personal Health Information, and Dandy will not take action with respect to any such request absent instructions from the Counterparty except to the extent required by law.
Dandy will provide the Counterparty with reasonable notice of any intended disclosure of the Personal Information that is required by law, unless the provision of such notice would violate applicable laws. Should a law enforcement agency send a request to Dandy or its subcontractors regarding Personal Information, Dandy will attempt to redirect the law enforcement agency’s request to the Counterparty.
Dandy will notify the Counterparty of any notice, inquiry, investigation or the receipt of a complaint from any individual or regulatory authority which relates directly or indirectly to the processing of Personal Information, and reasonably cooperate with the Counterparty where required by the Counterparty to meet its obligations under Applicable Laws.
4. Security
Dandy has implemented and will maintain commercially reasonable and appropriate technical and organizational measures to protect Personal Information against unauthorized access, loss, destruction, or alteration taking into account the sensitivity of the Personal Information. This includes measures relating to the physical security of facilities used to deliver Services, measures to control access rights to assets and relevant networks, and processes for testing these measures.
5. Data Breach
If Dandy detects that a Data Breach has occurred, Dandy shall: (i) take all reasonable steps necessary to investigate, contain, and mitigate the Data Breach; and (ii) notify the Counterparty without unreasonable delay after Dandy becomes aware of the breach. Dandy shall promptly provide the Counterparty with all relevant information gathered by Dandy in connection therewith to allow the Counterparty to fulfill its own legal notification obligations under PHIPA.
6. Compliance
Upon request by the Counterparty, Dandy will make available to Counterparty information demonstrating and verifying that Dandy uses the Personal Information in a manner consistent with its obligations under this DPA and Applicable Laws.
7. General
This DPA shall remain in force until the earlier of: (i) the termination or expiry of the Agreement or (ii) Dandy ceasing to process Personal Information. Upon termination, at Counterparty’s request Dandy will return Personal Information to Counterparty or delete Personal Information.
If any part of this DPA is found by any court or administrative body of competent jurisdiction to be invalid, unenforceable, or illegal, the other terms shall remain in force. Any invalid, unenforceable, or illegal term will be interpreted to give effect to the Parties’ commercial intention. If that is not possible, it will be severed but the rest shall remain in full force.
Except where this DPA conflicts with the Agreement, all other provisions of the Agreement remain unchanged. In the event of conflict between this DPA and the terms of the Agreement, this DPA shall prevail so far as the subject matter concerns the processing of Counterparty Personal Information. This DPA together with the Agreement is the final, complete, and exclusive agreement of the Parties with respect to the subject matter of it and supersedes and merges all prior discussions and agreements between the Parties with respect to such subject matter. No other representations or terms shall apply or form part of this DPA.
Dandy’s total aggregate liability for any claims arising under or in connection with this DPA is subject to and limited by the limitations on liability contained in the Agreement.
This DPA and the Agreement shall be interpreted as broadly as necessary to implement and comply with the mandatory provisions of Applicable Laws. The Parties agree that this DPA shall be interpreted in favor of their intent to comply with Applicable Laws and therefore any ambiguity shall be resolved in favor of a meaning that complies and is consistent with Applicable Laws.
This DPA shall be governed by the governing law of the Province of Ontario.
United Kingdom Terms of Service, including Data Privacy Agreement
These Terms & Conditions (“Terms”) to the Practice Agreement (“Agreement”) are entered into by and between Zima Labs GB Ltd. d/b/a Dandy (“Dandy” or “we”) and you and your dental practice or office (“You”) and are effective as of the date the Practice Agreement is entered into (“Effective Date”). If you accept these Terms on behalf of an entity, partnership, corporation, or organization, “you” includes you, that entity, and all entity users and you hereby represent that you have the authority to bind all such users. Dandy and you will each be referred to as a “Party” and together, the “Parties.” For good and valuable consideration as set forth in the Agreement, the Parties agree to the following:
1. Amendment. These Terms and the Agreement cannot be changed unless both Parties agree in writing. Dandy will notify You of any material changes. Changes become effective thirty (30) days after notification unless You terminate in writing. In such cases, Dandy will honor existing terms for 60 days or until the Hardware is returned.
2. Entire Agreement. The Practice Agreement, these Terms, the Data Privacy Agreement (Schedule A), and the IT Policy constitute the entire agreement. This Agreement supersedes all prior conflicting agreements.
3. Non-assignability. You may not transfer or assign this Agreement to a third party without Dandy’s prior written consent.
4. Legal Compliance. Both Parties agree to comply with all applicable health and data laws in the United Kingdom, including the UK GDPR, the Data Protection Act 2018, relevant NHS/GDC regulatory standards, and the Care Quality Commission (CQC).
5. Indemnity. You will indemnify, defend, and hold harmless Dandy from all claims or losses arising from: (a) Your breach of this Agreement or the DPA; (b) negligence or willful acts regarding patient care; (c) provision of incorrect clinical data; and (d) dealings with UK regulators (e.g., CQC, GDC, or the ICO).
6. Governing Law & Dispute Resolution. This Agreement is governed by the laws of England and Wales. Any disputes shall be resolved through arbitration under the Rules of the London Court of International Arbitration (LCIA). The seat of arbitration shall be London.
7. VAT & Tax. Dandy will charge Value Added Tax (VAT) at the prevailing rate, where applicable. If You are exempt, You must provide a valid VAT exemption certificate or evidence satisfactory to HMRC.
8. Data Privacy. Because Dandy processes Special Category Data (Personal Health Data) on Your behalf, the Data Privacy Agreement (DPA) at Schedule A is a mandatory and integral part of this Agreement.
Data Protection Roles. The Parties acknowledge that:
- Dandy UK (Zima Labs GB Ltd.) acts as a Controller for the Personal Data of the Practice’s staff and business contacts, as detailed in its UK Privacy Policy.
- The Practice acts as the Controller for all Patient Personal Data.
- Dandy acts as a Processor when providing its platform and digital lab services to the Practice.
Data Protection Contact. Any privacy-related notices or requests under this Agreement should be directed to Dandy’s Data Protection Officer (DPO) Tony Riesen at [email protected].
Schedule A: Data Privacy Agreement
This DPA is incorporated into the Agreement where Dandy acts as a Processor on behalf of the Practice (Controller). The nature, purpose, and duration of the processing are set out in Appendix 1 (Data Processing Details).
1. Definitions
- “Applicable Laws” means the UK GDPR and the Data Protection Act 2018.
- “Personal Data Breach” has the meaning given in the UK GDPR.
- “Special Category Data” means Personal Data revealing health, biometric, or genetic data.
- “Personal Data” means personal data (as defined by UK GDPR) processed by Dandy on behalf of the Controller.
- “Data Subject” has the meaning given in the UK GDPR.
2. Subject Matter & Instructions
Dandy shall process Personal Data only on the documented instructions of the Controller (the Practice), including with regard to transfers of personal data to a third country, unless required to do so by UK law. If Dandy believes any instruction infringes Applicable Laws, it shall immediately inform the Controller.
The Controller shall ensure it has a lawful basis for all sharing of Personal Data and a lawful ground for processing all Special Category Data.
3. Obligations of Dandy (The Processor)
- Confidentiality: Dandy ensures that persons authorized to process the Personal Data have committed themselves to confidentiality.
- Sub-processors: Dandy remains fully liable for the performance of sub-processors. A list of Dandy’s authorized sub-processors is available upon request.
- Data Subject Rights: Dandy shall assist the Controller by appropriate technical and organizational measures for the fulfillment of the Controller’s obligation to respond to requests for exercising Data Subject rights (e.g., Subject Access Requests).
- Assistance: Dandy shall provide reasonable assistance as necessary for the Controller to comply with its obligations under Data Protection Laws, including in relation to the security of processing, notification of a Personal Data Breach to the relevant data protection authority or Data Subjects, data protection impact assessments, and prior consultation with the relevant data protection authority.
- Security: Dandy shall implement measures required pursuant to Article 32 UK GDPR, including encryption and pseudonymization where appropriate.
- Audit & Inspection: Dandy shall make available all information necessary to demonstrate compliance with Article 28 of the UK GDPR and allow for and contribute to audits, including inspections, conducted by the Controller (“On-site Audits”). Any On-site Audits shall be conducted upon 60 days’ prior written notice to Dandy, not more than once every calendar year. The parties shall use reasonable endeavors to ensure any On-site Audits shall not unreasonably affect Dandy’s operations. The Controller shall bear the costs of any On-site Audits.
4. International Transfers
Dandy shall not transfer Personal Data outside the UK or the EEA unless it ensures that the transfer is subject to “appropriate safeguards” (such as the UK International Data Transfer Agreement (IDTA) or an adequacy decision of the UK government).
5. Breach Notification
Dandy shall notify the Controller without undue delay (and in any event within 48 hours) after becoming aware of a Personal Data Breach affecting Personal Data, providing sufficient information to allow the Controller to meet any reporting obligations to the relevant data protection authority.
6. Deletion or Return
At the choice of the Controller, Dandy shall delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless UK law requires storage.
APPENDIX 1: DATA PROCESSING DETAILS
- Subject Matter, Nature and Purpose: The provision of the services to You under the Practice Agreement.
- Duration: The term of the Practice Agreement plus the period until all data is deleted.
- Categories of Data Subjects: Patients and Authorized end users of the customer.
- Types of Personal Data: Names, email addresses, business addresses, professional registration numbers, and (if applicable) patient clinical records/scans.
Terms of Service, including the Data Privacy Agreement
These terms and conditions (“Terms”) of the Collaboration Agreement are entered into between Dandy Labs Europe SAS (formerly named Dandy Labs France SAS) (“Dandy” or “We”) and you and your dental practice or clinic (“You” or the “Dental Clinic”) and take effect from the date on which the Collaboration Agreement is executed (“Effective Date”). If You accept these Terms on behalf of an entity, partnership, corporation or organization, the term “You” includes You, that entity and all users of the entity, and You represent that You have the authority to bind each and every such user. Dandy and You will each be referred to individually as a “Party” and together as the “Parties”. In view of the good and sufficient consideration set out in the Collaboration Agreement, the Parties agree as follows:
1. Amendment. These Terms and the Collaboration Agreement may be amended by mutual written agreement between the Parties. These Terms and the Collaboration Agreement may also be amended by Dandy, and You will be notified of any material change. Such material changes will take effect thirty (30) days after notification, unless You terminate the contract by written notice within that period. In such cases, Dandy will honor the Terms in force for sixty (60) days or until the Equipment is returned.
2. Entire Agreement: The Collaboration Agreement, these Terms, the EU Privacy Policy, the Data Processing Agreement (“DPA”) (Annex A) and the IT Policy make up the “Contract”. This Contract supersedes all prior agreements containing provisions that conflict with it.
3. Non-transferability. You may not assign or transfer the Collaboration Agreement to a third party without Dandy’s prior written consent.
4. Regulatory Compliance. Both parties undertake to comply with all applicable health and data protection laws in the jurisdiction in which both You and Dandy are established, the relevant regulatory standards issued by European and national authorities, and the guidelines established by professional regulatory bodies.
5. Hold Harmless. You will indemnify, defend and hold Dandy harmless against any claim or loss arising from: (a) Your breach of the Agreement; (b) negligence or deliberate acts in relation to patient care; (c) the provision of incorrect clinical data; and (d) dealings with EU or national regulatory bodies.
6. Governing Law and Jurisdiction.
- Governing Law. You agree that these Terms will be governed by and construed in accordance with the laws of the jurisdiction in which the Dental Clinic is established.
- Jurisdiction. Any dispute arising out of or in connection with these Terms will be submitted to the exclusive jurisdiction of the courts of the relevant jurisdiction where the Dental Clinic is established, in accordance with the following table:
| Country | Jurisdiction |
| --- | --- |
| France | Tribunal des Activités Économiques de Paris |
| Spain | Courts and Tribunals of Madrid |
7. VAT and Taxes. Dandy will charge Value Added Tax (“VAT”) at the applicable rate, in addition to any price, charge or amount owed under the Contract, and such VAT will be payable by You, where applicable. If You are exempt, You must provide a valid VAT exemption certificate or documentation satisfactory to the relevant tax authority, where available, or substantiate the basis for the VAT exemption.
8. Data Protection. Given that Dandy processes data, including health data (“Personal Data”), on Your behalf:
Data Protection Roles: The Parties acknowledge that:
- Dandy Labs Europe SAS (formerly named Dandy Labs France SAS) acts as controller of the Personal Data under these Terms and in relation to the staff and business contacts of the Dental Clinic, as detailed in its EU Privacy Policy [LINK].
- Dandy Labs Europe SAS (formerly named Dandy Labs France SAS) acts as processor when providing You with its platform and its digital lab services, as set out in Annex A, which includes the processing of all patient personal data.
Data Protection Contact. Any notice or request relating to privacy under this Contract should be addressed to Dandy’s Data Protection Officer (“DPO”), Tony Riesen, at [email protected]
Annex A: Data Processing Agreement (DPA)
This DPA is incorporated into the Contract in cases where Dandy acts as processor on behalf of the Dental Clinic as controller. The nature, purpose and duration of the processing are set out in Appendix 1 (“Data Processing Details”).
1. Definitions
- “Applicable Law” means all applicable legislation governing the processing and security of Personal Data, as well as the privacy of electronic communications, including, without limitation: (i) Regulation (EU) 2016/679 of 27 April 2016 (the GDPR); (ii) Directive 2002/58/EC of 12 July 2002 (the ePrivacy Directive); (iii) the national laws that transpose and supplement the EU laws referred to in this definition, and (iv) the relevant provisions of national health laws, each of (i) to (iv) as amended and/or supplemented from time to time.
- “Personal Data Breach” has the meaning given to it in the GDPR.
- “Special Category Data” means the categories of personal data referred to in Article 9 of the GDPR (including, among others, personal data concerning health, biometric data or data used for the purpose of uniquely identifying a natural person, as well as genetic data).
- “Personal Data” means personal data (as defined in the GDPR) processed by Dandy on behalf of the Dental Clinic.
- “Data Subject” has the meaning given to it in the GDPR.
2. Subject Matter and Instructions
Dandy will process personal data only on the documented instructions of the Dental Clinic, including with regard to transfers of personal data to a third country, unless applicable laws so require. If Dandy considers that any instruction infringes Applicable Law, it will immediately inform the Dental Clinic.
The Dental Clinic will ensure that it has a legal basis, in accordance with Article 6 of the GDPR, for the processing of personal data, as well as an exemption, in accordance with Article 9 of the GDPR, for the processing of Special Category Data, in the context contemplated by this DPA.
3. Obligations of Dandy (the “Processor”)
- Confidentiality: Dandy ensures that the persons authorized to process the Personal Data have committed themselves to confidentiality.
- Sub-processors: The Dental Clinic hereby grants Dandy a general written authorization to engage sub-processors. A list of Dandy’s current sub-processors may be requested. Dandy will inform the Dental Clinic of any intended change concerning the addition or replacement of other sub-processors, thereby giving the Dental Clinic the opportunity to object to such changes. Dandy will remain fully liable for the performance of its sub-processors.
- Data Subject Rights: Dandy will assist the Dental Clinic through appropriate technical and organizational measures so that the Dental Clinic can fulfill its obligation to respond to requests to exercise Data Subject rights (for example, access requests).
- Assistance: Dandy will provide the reasonable assistance necessary for the Dental Clinic to comply with its obligations under Applicable Law, including those relating to the security of processing, notification of a Personal Data Breach to the competent supervisory authority and/or to Data Subjects, the preparation of data protection assessments, and prior consultation with the competent data protection authority.
- Security: Dandy will apply the measures required under Article 32 of the GDPR, as detailed in Appendix 2.
- Audit and Inspection: Dandy will provide all information necessary to demonstrate compliance with Article 28 of the GDPR, and will allow for and contribute to audits, including inspections, conducted by the Dental Clinic (“On-site Audits”). Any On-site Audit will be carried out upon sixty (60) days’ prior written notice to Dandy, and not more than once per calendar year. The Parties will make every effort to ensure that On-site Audits do not disproportionately affect Dandy’s operations. The Dental Clinic will bear the costs of On-site Audits.
4. International Transfers
Dandy will not transfer personal data outside the EEA unless it is ensured that the transfer is subject to “appropriate safeguards” (such as an adequacy decision of the European Commission).
5. Personal Data Breach Notification
Dandy will notify the Dental Clinic without undue delay (and, in any event, within a maximum of forty-eight (48) hours) after becoming aware of a Personal Data Breach affecting the Personal Data, providing sufficient information for the Dental Clinic to meet its notification obligations to the competent supervisory authority.
6. Deletion or Return.
At the choice of the Dental Clinic, Dandy will delete or return all Personal Data to the Dental Clinic once the provision of the services has ended, and will delete existing copies, unless Applicable Law requires their retention.
General Terms and Conditions + DPA
These general terms and conditions (“Terms and Conditions”) of the Collaboration Agreement are entered into between Dandy Labs Europe SAS (formerly Dandy Labs France SAS) (“Dandy” or “We”) and you, together with your dental practice or clinic (“You” or the “Practice”), and take effect on the date the Collaboration Agreement is entered into (the “Effective Date”). If You accept these Terms and Conditions on behalf of an entity, partnership, company or organization, “You” means You, that entity and all users of the entity, and You represent that You have the authority to bind all such users. Dandy and You will each be referred to as a “Party” and, together, the “Parties”. In consideration of the provisions of the Collaboration Agreement, the Parties agree as follows:
1. Amendment. These Terms and Conditions and the Collaboration Agreement may be amended by mutual written agreement between the Parties. They may also be amended by Dandy, which will inform You of any material change. Such material changes will take effect thirty (30) days after their notification, unless You terminate the contract by written notice within that period. In that case, Dandy will continue to apply the Terms and Conditions in force for sixty (60) days or until the Equipment is returned.
2. Entire Contract. The Collaboration Agreement, these Terms and Conditions, the Privacy Policy, the Data Protection Agreement (“DPA”) (Annex B) and the IT Policies constitute the entire contract (the “Contract”). This Contract replaces and cancels any prior inconsistent agreement.
3. Non-assignability. You may not transfer or assign the Collaboration Agreement to a third party without Dandy’s prior written consent.
4. Legal Compliance. The Parties agree to comply with all applicable health and data laws in the jurisdiction where You and Dandy are both established, with the relevant regulatory standards issued by European and national authorities, and with the guidance published by professional regulatory bodies.
5. Indemnification. You undertake to indemnify, defend and hold Dandy harmless from any liability in respect of any claim or loss resulting from: (a) Your breach of the Contract; (b) any negligence or intentional act relating to the care provided to patients; (c) the provision of inaccurate clinical data; and (d) Your dealings with European Union or national regulatory authorities.
6. Governing Law and Jurisdiction.
- Governing Law. You agree that these Terms and Conditions are governed by and construed in accordance with the laws of the jurisdiction in which You are established.
- Jurisdiction. Any dispute arising out of or in connection with these Terms and Conditions will be submitted to the exclusive jurisdiction of the courts of the applicable jurisdiction in which You are established, as indicated in the table below.
| Country | Competent jurisdiction |
| --- | --- |
| France | Tribunal des Activités Économiques de Paris |
| Spain | Courts and Tribunals of Madrid |
7. VAT & Taxation. Dandy will charge value added tax (“VAT”) at the applicable rate, in addition to any price, fee, charge or amount due under the Contract, and such VAT will, where applicable, be payable by You. If You benefit from an exemption, You must provide a valid VAT exemption certificate or any supporting document deemed satisfactory by the competent tax authority, where such a document is available, or substantiate the basis for any VAT exemption.
8. Data Protection. To the extent that Dandy processes personal data (“Personal Data”) on Your behalf, including health data, the data processing agreement set out in Annex B constitutes a mandatory section and forms an integral part of this Contract.
Data Protection Roles. The Parties acknowledge that:
- Dandy Labs Europe SAS (formerly Dandy Labs France SAS) acts as controller for the Personal Data processed under these Terms and Conditions concerning the Practice’s staff and its business contacts (in accordance with its Privacy Policy).
- Dandy Labs Europe SAS (formerly Dandy Labs France SAS) acts as processor when it provides You with its platform and its digital lab services, in accordance with Annex B, including for the processing of all patient Personal Data.
Data Protection Contact. Any notice or request relating to data protection under this Contract must be addressed to Dandy’s Data Protection Officer (“DPO”), Tony Riesen, at [email protected].
Annex B: Data Processing Agreement
This data processing agreement (“DPA”) is incorporated into the Contract where Dandy acts as processor on behalf of the Practice, acting as controller. The nature, purpose and duration of the processing are specified in Annex B(1) (“Data Processing Details”).
1. Definitions
- “Applicable Laws” means all applicable laws governing the processing and security of Personal Data, as well as the confidentiality of electronic communications, including, without limitation: (i) Regulation (EU) 2016/679 of 27 April 2016 (the “GDPR”), (ii) Directive 2002/58/EC of 12 July 2002 (the “ePrivacy Directive”), (iii) the national laws implementing and supplementing the EU texts referred to in this definition, and (iv) the relevant provisions of national health legislation, each of (i) to (iv) as amended and/or supplemented from time to time.
- “Personal Data Breach” has the meaning given to it in the GDPR.
- “Sensitive Personal Data” means the categories of Personal Data referred to in Article 9 of the GDPR (including, in particular, Personal Data concerning health, biometric data used for the purpose of uniquely identifying a natural person, and genetic data).
- “Personal Data” means personal data (as defined in the GDPR) processed by Dandy on behalf of the Practice.
- “Data Subject” has the meaning given to it in the GDPR.
2. Subject Matter & Instructions
Dandy processes Personal Data only on the documented instructions of the Practice, including with regard to transfers of Personal Data to a third country, unless Applicable Laws require it to carry out other processing. If Dandy considers that an instruction from the Practice infringes Applicable Laws, it shall immediately inform the Practice.
The Practice shall ensure that it has a legal basis under Article 6 of the GDPR for the processing of all Personal Data, as well as a derogation under Article 9 of the GDPR for the processing of Sensitive Personal Data, in the context of any processing contemplated by this DPA.
3. Obligations of Dandy (the “Processor”)
- Confidentiality: Dandy ensures that the persons authorized to process the Personal Data have committed themselves to keeping it confidential.
- Sub-processors: The Practice hereby gives Dandy a general written authorization to engage sub-processors. A list of Dandy’s current sub-processors is available upon request. Dandy will inform the Practice of any intended change concerning the addition or replacement of a sub-processor, thereby giving the Practice the opportunity to object to such changes. Dandy remains fully liable for the performance of its sub-processors.
- Data Subject Rights: Dandy assists the Practice, by means of appropriate technical and organizational measures, in order to enable the Practice to fulfill its obligation to respond to requests by Data Subjects to exercise their rights (for example, access requests).
- Assistance: Dandy provides reasonable assistance, as needed, to enable the Practice to comply with its obligations under Applicable Laws, in particular with regard to the security of processing, notification of a Personal Data Breach to the competent supervisory authority and/or to Data Subjects, the preparation of data protection impact assessments, and prior consultation with the competent supervisory authority.
- Security: Dandy implements the measures required under Article 32 of the GDPR, as described in more detail in Annex B(2).
- Audit and Inspection: Dandy makes available all information necessary to demonstrate compliance with Article 28 of the GDPR and allows for and contributes to audits, including inspections, conducted by the Practice (“On-site Audits”). Any On-site Audit will be conducted upon sixty (60) days’ prior written notice to Dandy, and no more than one (1) time per calendar year. The Parties will use reasonable efforts to ensure that On-site Audits do not unreasonably affect Dandy’s operations. The Practice will bear the costs of any On-site Audit.
4. International Transfers
Dandy will not transfer Personal Data outside the European Economic Area (“EEA”) unless it ensures that the transfer is subject to “appropriate safeguards” (such as an adequacy decision of the European Commission).
5. Notification of a Personal Data Breach
Dandy will notify the Practice without undue delay (and in any event within forty-eight (48) hours) after becoming aware of a Personal Data Breach affecting Personal Data, providing sufficient information to enable the Practice to meet any notification obligation to the competent data protection authority.
6. Deletion or return
At the Practice’s choice, Dandy will delete or return to the Practice all Personal Data upon completion of the provision of the services, and will delete existing copies, unless Applicable Laws require continued retention.
Annex B(1): DETAILS OF DATA PROCESSING
- Subject matter and purpose: the provision of the services to the Practice under the Practice Agreement.
- Nature: collection, recording, organization, structuring, storage and, where applicable, erasure of Personal Data.
- Duration: the term of the Practice Agreement, plus the period necessary for the deletion of all data.
- Categories of Data Subjects: the patients and authorized end users of the Practice.
- Types of Personal Data: names, email addresses, addresses, professional registration numbers, and patient health data (including, in particular, appointment data, clinical records and dental scans).
Annex B(2): SECURITY MEASURES
- Access control measures, including role-based access restrictions and authentication mechanisms designed to limit access to Personal Data to authorized personnel only.
- Network and infrastructure security controls, including perimeter protection, as well as monitoring and logging mechanisms.
- Endpoint protection and anti-malware tools deployed on relevant systems.
- Data security measures, including encryption and/or other protective measures, as appropriate given the nature of the data processed.
- Patch and vulnerability management processes designed to maintain the security of systems and to address identified vulnerabilities.
- Policies and procedures, including information security and incident response policies.
- Staff awareness measures, including training on data protection and information security obligations.
- Secure software development practices, including code review, security testing and controlled deployment processes.
- Data security measures, including encryption of data in transit and at rest, where applicable, as well as secure secrets and key management practices.