Dentifier · Version 1.0 · Effective: Beta Version
When you use the Dentifier Service to store and process personal data about your customers, Dentifier acts as your data processor. You remain the data controller for your customers’ data and are responsible for ensuring you have a lawful basis for processing it.
This DPA sets out the obligations of each party in relation to that processing. The details of the processing are in Schedule 1. Authorised sub-processors are in Schedule 2. Security measures are in Schedule 3.
The Processor shall process Personal Data only on documented instructions from the Controller. For the purposes of this DPA, the Controller’s instructions are to process Personal Data as necessary to provide the Service in accordance with the Terms and Conditions. The Processor will inform the Controller if it believes any instruction infringes UK GDPR.
The Processor shall ensure that all personnel authorised to process Personal Data are subject to binding confidentiality obligations and appropriate data protection training.
The Processor shall implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Current measures are described in Schedule 3.
The Processor shall not engage Sub-Processors other than those listed in Schedule 2 or as notified in accordance with clause 3.
The Processor shall provide reasonable assistance to the Controller in responding to Data Subject rights requests. Where the Processor receives a request directly from a Data Subject, it will promptly notify the Controller and will not respond directly unless instructed to do so or required by law.
The Processor shall assist the Controller in ensuring compliance with obligations under Articles 32–36 UK GDPR (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of the processing and information available.
On termination of the Service, or on written request from the Controller, the Processor shall either securely delete or return all Personal Data within thirty (30) days, unless applicable law requires longer retention.
The Processor shall make available all information reasonably necessary to demonstrate compliance with this DPA and shall permit audits by the Controller or its appointed auditor, on no less than thirty (30) days’ written notice, no more than once per calendar year.
The Controller grants general authorisation to engage the Sub-Processors listed in Schedule 2 for the purposes described therein.
The Processor shall give at least thirty (30) days’ prior written notice of any intended changes to the Sub-Processor list.
The Controller may object to a new Sub-Processor within fourteen (14) days of receiving notice, setting out reasonable grounds. If the Processor cannot accommodate the objection, either party may terminate the relevant part of the Service on thirty (30) days’ written notice.
The Processor shall impose data protection obligations on all Sub-Processors equivalent to those in this DPA and shall remain liable for their performance.
The Processor and its Sub-Processors are based in the United States. Transfers of Personal Data from the United Kingdom to the United States are made under appropriate safeguards in compliance with Chapter V UK GDPR.
The Processor shall ensure that any transfer of Personal Data to a third country is subject to appropriate safeguards and shall not transfer Personal Data without such safeguards in place.
The Processor shall, on request, provide the Controller with information about the transfer safeguards applicable to the Sub-Processors in Schedule 2. Contact: hello@dentifierpro.com.
The Processor shall notify the Controller without undue delay, and within seventy-two (72) hours where feasible, after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA.
Notification shall include, to the extent known: the nature of the breach; categories and approximate number of Data Subjects and records affected; likely consequences; and measures taken or proposed to address it.
The Processor’s notification does not constitute an admission of fault. The Controller remains responsible for assessing whether it must notify the ICO or affected Data Subjects.
This DPA takes effect when the Controller accepts the Terms and Conditions and continues for as long as the Processor processes Personal Data on behalf of the Controller. It terminates automatically on termination of the Terms and Conditions, subject to any obligations that survive (including deletion of Personal Data under clause 2.7).
This DPA is governed by the laws of England and Wales. Each party submits to the exclusive jurisdiction of the courts of England and Wales.
| | |
|---|---|
| Subject matter | Processing of personal data in connection with the provision of the Dentifier quoting and invoicing Service. |
| Duration | For the term of the Subscription Agreement between the Controller and Processor. |
| Nature of processing | Storage, retrieval, display, and AI-assisted analysis of Personal Data for the purpose of enabling the Controller to create vehicle damage assessments, repair quotes, and invoices. |
| Purpose | To enable the Controller (PDR technician) to use the Dentifier Service to generate professional quotes and invoices for their customers. |
| Types of personal data | Customer names; email addresses; telephone numbers; vehicle registration numbers; DVLA vehicle data (make, model, year, MOT status); damage photographs; quote and invoice content. |
| Categories of data subjects | The Controller’s customers and potential customers — end consumers of PDR (paintless dent repair) services. |
| Controller’s obligations | The Controller warrants that it has a lawful basis under UK GDPR for processing each category of Personal Data and has provided appropriate privacy notices to Data Subjects. |
The following Sub-Processors are authorised to process Personal Data under this DPA. The Processor will provide at least 30 days’ notice before adding or replacing any Sub-Processor.
| Sub-Processor | Location | Processing Activity | Further Info |
|---|---|---|---|
| Base44, Inc. | United States | Platform infrastructure, hosting, and application runtime. All Personal Data is stored on Base44’s servers. | base44.com/dpa |
| Anthropic, Inc. | United States | AI language model processing. Damage photographs and text may be processed by Anthropic’s AI models to generate damage assessments. | anthropic.com |
| OpenAI, Inc. | United States | AI language model processing. Damage photographs and text may be processed by OpenAI’s AI models to generate damage assessments. | openai.com |
| Stripe, Inc. | United States | Payment processing and subscription management. Customer Data is not shared with Stripe. | stripe.com |
As the Service is hosted on Base44’s infrastructure, the primary technical security measures are implemented by Base44, Inc. Dentifier’s obligations in this Schedule are fulfilled in part through Base44’s security programme.
Personal Data is encrypted in transit using TLS 1.2 or higher. Personal Data is encrypted at rest using industry-standard encryption.
Access to Personal Data is restricted to personnel who require it to perform their role, controlled through role-based permissions. Administrative access to production systems is restricted and logged.
The Service requires account authentication to access Personal Data. Multi-factor authentication is applied to administrative access where technically practicable.
The Processor conducts periodic reviews of its security practices and those of its Sub-Processors. Application and access logs are retained to support security monitoring and incident investigation.
The Processor maintains an incident response procedure for identifying, containing, investigating, and reporting Personal Data Breaches, in accordance with clause 5 of this DPA.
The Processor requires all Sub-Processors to maintain technical and organisational measures at least equivalent to those described in this Schedule. Sub-processor security commitments are reviewed as part of the onboarding process.
The Processor collects and retains only the Personal Data necessary for the purposes described in Schedule 1. Personal Data is deleted in accordance with clause 2.7 of this DPA and the retention schedule in the Privacy Policy.