Data Processing Addendum (DPA)
This Data Processing Addendum (“DPA”) forms part of the agreement for services between Orbis Assist Inc. (“Provider”) and the customer (“Customer”) (the “Agreement”).
This DPA incorporates by reference the Common Paper Data Processing Agreement Standard Terms Version 1.1, available at https://commonpaper.com/standards/data-processing-agreement/1.1 (the “Standard Terms”). In the event of any conflict between this DPA and the Standard Terms, this DPA shall control.
1. Key Terms
| Variable | Detail |
|---|---|
| Agreement | This DPA supplements the Cloud Service Agreement (CSA) or Master Service Agreement entered into between Provider and Customer. |
| Provider Security Contact | Email: support@orbisassist.co |
| Security Policy | The Provider’s Security Policy is available at: https://www.orbisassist.co/legal/security-and-compliance |
| Approved Sub-processors | The current list of Approved Sub-processors is available at: https://www.orbisassist.co/legal/approved-subprocessors |
| Governing Law & Courts | Governing Law: The laws of the Province of Manitoba, Canada. Chosen Courts: The courts located in Winnipeg, Manitoba, Canada. |
2. Changes to the Standard Terms
The parties agree to the following modifications to the Standard Terms:
- DPA Covered Claim: The Agreement includes an additional Provider Covered Claim for any action, proceeding, or claim arising out of or relating to (1) Provider’s breach or alleged breach of this DPA, or (2) Provider’s gross negligence or willful misconduct, in each case, that results in a Security Incident.
- DPA Liability Cap: The Agreement includes an additional Increased Claim for DPA Covered Claims, with a separate Increased Cap Amount of the greater of $200,000.00 CAD or 2 times the fees payable by Customer to Provider in the 12-month period immediately before the claim.
- Service Provider Relationship (CCPA): To the extent the California Consumer Privacy Act (CCPA) applies, Provider is acting as a “Service Provider.” Provider will not sell or share any Personal Data provided by Customer. Provider will not retain, use, or disclose Personal Data except as necessary to provide the Service or as permitted by Applicable Data Protection Laws.
3. Description of Processing (Annex I & II)
Annex I(A): List of Parties
- Data Exporter: The Customer (acting as Controller).
- Data Importer: Orbis Assist Inc. (acting as Processor).
Annex I(B): Description of Transfer and Processing
- The Service: AI voice receptionist services for dental practice call management, including inbound call handling, overflow support, and after-hours coverage.
- Frequency of Transfer: Continuous.
- Nature and Purpose:
- Receiving, recording, and storing data.
- Using data for AI analysis, automated decision-making (call routing), and transcription.
- Protecting data via encryption and security testing.
- Updating or erasing data upon instruction or retention expiry.
Categories of Personal Data
Provider processes the following categories of data on behalf of Customer:
- Patient Identity & Contact Information: Full Name, Date of Birth, Phone Number(s), Email Address.
- Appointment & Scheduling Data: Appointment dates/times, appointment types (e.g., “Recare”, “Emergency”), Assigned Provider, Clinic Location.
- Personal Health Information (PHI): Reason for visit (symptoms, pain levels), medical/dental history discussed during intake, treatment status, insurance details.
- Communication Data: Audio voice recordings of calls, text transcripts, and call metadata (timestamps, duration).
Annex II: Technical and Organizational Security Measures
Provider shall implement and maintain the security measures set forth in the Security Policy linked in Section 1 above.
Last Updated: January 26, 2026
This DPA is effective as of the date of acceptance by Customer and remains in effect for the duration of the Agreement. For questions regarding this DPA, please contact support@orbisassist.co.