Data Processing Agreement
Last updated: 2026-04-25
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Hoomina S.L. ("Processor") and the Customer ("Controller") and reflects the parties' agreement on the processing of personal data under Article 28 GDPR.
1. Subject matter and duration
The Processor will process Customer Personal Data only to provide the Service. This DPA remains in effect for the duration of the Service agreement and any wind-down period.
2. Nature and purpose of processing
Hosting, transmission, storage, indexing, AI-assisted classification, and display of patient interactions in support of the clinic's daily operations.
3. Types of personal data
- Patient identifiers, contact details, language preference.
- Intraoral photos and other clinical images.
- Free-text messages between patients and clinic staff.
- Treatment plans, appointments, payment status.
- Health-related data (special category, Art. 9 GDPR).
4. Categories of data subjects
- Patients of the Controller's clinic.
- Clinic staff (employees, contractors, dentists).
- Prospective patients who contact the clinic via Hoomina.
5. Sub-processors
The Controller authorises the following sub-processors. The list is kept current; the Processor will notify the Controller before adding or replacing a sub-processor, and the Controller may object on reasonable grounds.
- [Cloud hosting] — infrastructure (EU region).
- Anthropic — large-language-model inference.
- Stripe — billing and payments.
- [Email provider] — transactional email.
- [Customer support tooling] — support tickets.
6. Security measures
- Encryption at rest (AES-256) and in transit (TLS 1.2+).
- Role-based access control with least-privilege.
- Multi-factor authentication for engineer access.
- Audit logging of administrative actions.
- Regular backup with point-in-time recovery.
- Annual third-party penetration testing.
- Documented incident-response runbook.
7. Confidentiality and personnel
Personnel authorised to process Customer Personal Data are bound by written confidentiality obligations and have received data-protection training.
8. Breach notification
The Processor will notify the Controller without undue delay and in any event within 72 hours of becoming aware of a personal data breach affecting Customer Personal Data, providing sufficient information for the Controller to meet its obligations under Articles 33 and 34 GDPR.
9. International transfers
Where Customer Personal Data is transferred outside the EEA, the Processor relies on Standard Contractual Clauses and applicable supplementary measures.
10. Audit rights
The Processor will make available all information reasonably necessary to demonstrate compliance with this DPA and will allow for audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. To minimise disruption, the Controller will give 30 days' notice and bear its own costs.
11. Deletion or return
On termination of the Service, the Processor will, at the Controller's choice, delete or return all Customer Personal Data within 30 days, except where retention is required by law.
12. Liability
The parties' liability under this DPA is subject to the limitations set out in the Terms of Service.
13. Contact
DPO: dpo@hoomina.com.