A Data Processing Agreement (DPA) is the contract that regulates the relationship between the Controller (the clinic or imaging center) and the Processor (a SaaS provider like CBCTHub) when the latter processes personal data on behalf of the former. It is mandatory under GDPR Art. 28(4), LGPD Art. 39, and applicable under HIPAA as a Business Associate Agreement.
What CBCTHub's DPA includes
The public template covers the points required by the main regulations:
- Definitions of key terms (Controller, Processor, Personal Data, Sensitive Health Data, Sub-processor)
- Subject matter, nature and duration of processing
- Types of personal data and categories of data subjects (patients, professionals, referrers)
- Obligations of the Processor (CBCTHub) and rights of the Controller (customer)
- List of authorized sub-processors (Supabase, Cloudflare, Vercel, Stripe, Resend) and international transfer mechanisms
- Technical and organizational measures (TLS, AES-256, RLS, backups, audit log)
- Security breach notification procedure (72 hours)
- Controller's right of audit
- Data return and deletion procedure at the end of service
- Governing law and jurisdiction
When you need a signed DPA
- Regulatory audit: data protection authorities may require documentation of the agreements with your software providers.
- Accreditation or certification: certifications such as ISO 27001 or HIPAA compliance processes require maintaining DPAs/BAAs with all processors.
- Corporate customers: hospitals, clinic networks or insurers usually require a signed DPA before integrating your clinic as a provider.
- International operations: if your clinic serves European patients or their data travels through jurisdictions with specific regulation (EU, Brazil, California), a DPA is mandatory.
Complete document
The full text of the DPA template is available in web format (also printable or exportable to PDF from the browser):
Request a signed version
This template is the standard public version. If you need a customized version with the legal name, tax ID and address of your center, digitally signed by the CBCTHub legal team, write to legal@cbcthub.com and include: legal name, RUT/CNPJ/EIN/VAT ID, address, and the name of your organization's authorized signatory. We send the digitally signed document within 1–2 business days.