Data Processing Addendum

Last updated: May 27, 2026

DRAFT — pending legal review. This template was generated to give clinics a working DPA. Divan Group's legal counsel is reviewing it; the executed version will be available for download as a signed PDF on this page. Do not rely on this document for regulatory compliance without confirming with your own counsel.

This Data Processing Addendum ("DPA") forms part of the agreement between you ("Controller", "you") and ClinicPro, operated by Divan Group ("Processor", "we"), for the provision of the ClinicPro service (the "Service"). It applies when, in the course of providing the Service, we process Personal Data on your behalf in the European Economic Area, the United Kingdom, or Switzerland.

1. Definitions

"GDPR" means Regulation (EU) 2016/679. "UK GDPR" means the UK General Data Protection Regulation. "Personal Data", "Processing", "Data Subject", "Controller", "Processor", and "Supervisory Authority" have the meanings given in the GDPR. "Subprocessor" means any third-party processor engaged by us to process Personal Data on your behalf.

2. Roles

For Personal Data processed via the Service, you are the Controller and we are the Processor. You determine the purposes and means of processing; we process only on your documented instructions.

3. Scope of processing

Subject matter: provision of the Service.
Duration: for the term of your subscription, plus any retention period set out in the Terms or required by law.
Nature and purpose: hosting, transmitting, displaying, and analyzing clinic operational data so that you can manage your practice.
Types of Personal Data: identification data, contact data, appointment data, payment metadata (not raw card numbers), clinical notes, photographs, signatures, and message content that you choose to store.
Categories of Data Subjects: your clinic staff and your clients (patients).

4. Our obligations

  • Process Personal Data only on your documented instructions.
  • Ensure that personnel authorized to process Personal Data are bound by confidentiality.
  • Implement appropriate technical and organizational measures, including those described in our Security page.
  • Assist you, taking into account the nature of the processing, in responding to Data Subject requests.
  • Assist you in ensuring compliance with Articles 32–36 GDPR (security, breach notification, DPIAs, prior consultation).
  • Notify you without undue delay (and within 72 hours where feasible) after becoming aware of a Personal Data Breach.
  • On termination, delete or return Personal Data unless retention is required by law.

5. Subprocessors

You provide a general authorization for us to engage Subprocessors. We will notify you of intended changes to our Subprocessor list with at least 30 days' notice and give you the opportunity to object on reasonable grounds. Our current Subprocessors are:

  • Supabase Inc. (USA) — database, authentication, and object storage hosting.
  • Cloudflare, Inc. (USA) — content delivery, DDoS mitigation, and edge runtime.
  • Paddle.com Market Limited (UK) — payment processing and Merchant of Record.
  • Anthropic, PBC (USA) — AI insights (Claude). Only aggregated, de-identified metrics are sent.
  • Resend Inc. / Lovable Email — transactional email delivery.
  • Twilio Inc. (USA) — SMS, WhatsApp, and voice (when enabled).
  • Functional Software, Inc. (Sentry) (USA) — error monitoring (PII fields stripped client-side).

6. International transfers

Where Personal Data is transferred outside the EEA / UK to a country not deemed adequate by the European Commission or the UK ICO, the transfer is governed by the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and, for UK data, the UK International Data Transfer Addendum, both of which are incorporated into this DPA by reference.

7. Audits

We will make available to you all information necessary to demonstrate compliance with this DPA, including third-party audit reports (SOC 2 Type II, when available). You may conduct an on-site audit no more than once per calendar year, on at least 30 days' written notice, at your own expense, subject to reasonable confidentiality requirements.

8. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in our Terms of Service.

9. Term and termination

This DPA takes effect on the date you accept the Terms of Service and remains in effect for the duration of the Service. It will terminate automatically on termination of the Service.

10. Governing law

This DPA is governed by the laws of the Province of Ontario, Canada, without regard to its conflict-of-laws principles. The parties submit to the exclusive jurisdiction of the courts of Toronto, Ontario.

11. Contact

Privacy and DPA questions: privacy@clinicpro.io.