This Data Processing Agreement ("DPA") supplements the Terms of Service between the customer ("Controller") and AppLab Software LLC ("CBCTHub" or "Processor") and governs the processing of personal data carried out by CBCTHub on behalf of the Controller, in accordance with GDPR Art. 28(3), HIPAA Business Associate provisions where applicable, LGPD Art. 39, Chile Law 21.719, Colombia Law 1581, Argentina Law 25.326, Mexico's Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP), and equivalent applicable frameworks.
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person processed by CBCTHub on behalf of the Controller.
"Sensitive Health Data" means data concerning health status, diagnoses, DICOM medical images and clinical metadata of the patient.
"Sub-processor" means any third party engaged by CBCTHub to process Personal Data on behalf of the Controller.
2. Subject matter and duration
CBCTHub processes Personal Data solely to provide the dental radiography SaaS platform contracted by the Controller for visualization, storage and sharing.
Processing lasts as long as the Controller's subscription is active. Upon termination, CBCTHub will delete Personal Data within 30 calendar days, except as required by law.
3. Nature and purpose of processing
CBCTHub performs the following operations on Personal Data:
- Reception and encrypted storage of DICOM files (AES-256 at rest)
- Web and mobile application visualization (DICOM decoding and rendering happen entirely in the end user's browser; the server stores the encrypted file but never decodes or processes pixel data)
- PDF report generation upon user request
- Sharing via public or private link with third parties designated by the Controller
- Activity logging (audit log) for security and compliance purposes
4. Categories of personal data and data subjects
Categories of data subjects: patients of the Controller, healthcare professionals associated with the Controller, referring practitioners and third parties designated by the Controller.
Categories of data: patient name, patient identifier, date of birth, study reason, DICOM images and associated metadata, professional contact information.
5. Processor obligations
CBCTHub commits to:
- Process Personal Data only in accordance with the Controller's documented instructions.
- Ensure that all personnel with access to Personal Data are bound by written confidentiality obligations.
- Implement appropriate technical and organizational measures (see Section 8).
- Assist the Controller in fulfilling data subject rights (access, rectification, objection, portability, erasure).
- Notify the Controller of any personal data breach affecting the Controller's Personal Data without undue delay (see Section 9).
- Cooperate with supervisory authorities as legally required.
6. Authorized sub-processors
The Controller authorizes CBCTHub to engage the following sub-processors for service delivery:
- Supabase Inc. (United States) — Authentication and database
- Cloudflare Inc. (global) — DICOM file storage (R2)
- Vercel Inc. (United States) — Web application hosting
- Stripe Inc. (United States) — Payment processing (does not receive Sensitive Health Data)
- Resend Inc. (United States) — Transactional email delivery
7. International transfers
Some sub-processors process data in jurisdictions outside the Controller's country (including the United States). Such transfers are covered by: (a) Standard Contractual Clauses (SCC) approved by the European Commission where GDPR applies; (b) equivalent regional clauses for LGPD, Chile Law 21.719 and others. Listed providers maintain SOC 2 Type II or ISO 27001 certifications.
8. Technical and organizational measures
CBCTHub implements the following measures:
- Encryption of Personal Data at rest (AES-256) and in transit (TLS 1.2+)
- Row-level security (RLS) policies enforced at the database level, so each tenant can read and write only its own rows
- Cryptographic password hashing (bcrypt via Supabase Auth)
- Audit logging of critical operations with timestamp and user_id
- Client-side DICOM decoding and rendering; CBCTHub servers store encrypted files only and never decode or process pixel data
- Encrypted backups with 30-day retention
- Periodic security testing and dependency review
9. Personal data breach notification
CBCTHub will notify the Controller without undue delay and, in any case, within 72 hours of becoming aware of a personal data breach affecting the Controller's Personal Data. Notification will be sent to the Controller's registered email and will include: the nature of the incident, the approximate categories and numbers of data subjects and records affected, the measures taken or proposed to address the breach, and a contact point for further information.
Incident contact: security@cbcthub.com
10. Audit
CBCTHub makes available to the Controller the information necessary to demonstrate compliance with this DPA. The Controller may request an audit once per year with at least 30 days' written notice, or at any time when required by a supervisory authority.
11. Return and deletion
At the Controller's choice and upon termination of service, CBCTHub will return or delete all Personal Data within a maximum of 30 days, unless applicable law requires longer retention.
12. Limitation of liability
Liability under this DPA is governed by the Terms of Service between the Controller and CBCTHub.
13. Governing law and jurisdiction
This DPA shall be interpreted in accordance with the laws of the State of Wyoming, United States, without prejudice to mandatory data protection rules applicable to the Controller in its home jurisdiction.
14. Final provisions
For a digitally signed version with the Controller's specific legal details, contact legal@cbcthub.com indicating: legal name, tax ID (RUT/CNPJ/EIN), address and authorized signatory name.