DPA

Data Processing Addendum

Effective: May 14, 2026 · Version 1.0

Not legal adviceThis is OraTek's standard Data Processing Addendum. It is offered as a template; an executed signature page (separately delivered) makes it binding between OraTek and a specific Customer. Customers who require their own form of DPA should contact privacy@oratekdx.com.

This Data Processing Addendum ("DPA") forms part of the agreement between OraTek Diagnostics, Inc. ("OraTek") and the customer entity that has executed an order form or otherwise subscribed to the OraTek CRM service ("Customer") (the "Agreement"). It governs OraTek's processing of Personal Data on behalf of Customer to the extent such processing is subject to the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK Data Protection Act 2018, the California Consumer Privacy Act as amended ("CCPA/CPRA"), or other comparable data protection laws.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person processed by OraTek on behalf of Customer in connection with the Service.
"Customer Data" means all data Customer or its end users submit to the Service, including Personal Data.
"Data Subject", "Process / Processing", "Controller", "Processor", and "Supervisory Authority" have the meanings given in the GDPR.
"Sub-processor" means any third party engaged by OraTek to Process Customer Data, listed at /sub-processors.html.

2. Roles of the parties

For Customer Data subject to data protection laws, Customer is the Controller and OraTek is the Processor. OraTek will Process Customer Data only on documented instructions from Customer, including through the Agreement and the Service's configuration.

3. Scope and purpose of processing

Subject matter: provision of the OraTek CRM service.
Duration: for the term of the Agreement plus the deletion grace period described in Section 8.
Nature and purpose: hosting, transmitting, storing, and otherwise Processing Customer Data so that Customer's end users can use the Service.
Categories of Data Subjects: Customer's employees and end users; Customer's business contacts (sales prospects, recruiting candidates, vendors).
Categories of Personal Data: name, work email, business phone, business address, job title, employer, internal notes, communications metadata, IP address, user agent, audit log entries. Customer is responsible for not entering special-category data (health, biometric, etc.) without a separate written agreement.

4. Confidentiality

OraTek personnel with access to Customer Data are bound by written confidentiality obligations and trained on data protection. Access is granted on a need-to-know basis and revoked promptly upon role change or departure.

5. Security

OraTek will implement and maintain appropriate technical and organizational measures designed to protect Customer Data against unauthorized or unlawful Processing and accidental loss, destruction, damage, or disclosure. A description of these measures is in OraTek's Security Overview, incorporated by reference. Measures include encryption in transit (TLS 1.2+), encryption at rest (AES-256), tenant isolation (PostgreSQL Row-Level Security), audit logging, and role-based access control.

6. Sub-processors

Customer authorizes OraTek to engage the Sub-processors listed at /sub-processors.html. OraTek will give Customer at least 30 days' prior notice by email to Customer's admin contact before engaging a new Sub-processor. Customer may object in writing within the notice period; if the parties cannot resolve the objection in good faith, Customer may terminate the affected portion of the Service for cause.

OraTek imposes data-protection obligations on each Sub-processor that are no less protective than those in this DPA and remains liable to Customer for any Sub-processor's failure to fulfill its data-protection obligations.

7. Data subject rights

The Service provides Customer with self-service tools to fulfill Data Subject requests: Customer admins can export their org's data via GET /data-rights/export and request deletion via POST /data-rights/delete-org. OraTek will, taking into account the nature of the Processing, reasonably assist Customer through additional measures where the self-service tools are insufficient.

8. Deletion and return of data

Upon termination of the Agreement or written request from Customer, OraTek will delete or return all Customer Data within 30 days, except where retention is required by applicable law. A request to delete via the Service's delete-org endpoint triggers immediate soft-delete with a 30-day undo window; after 30 days the data is hard-deleted via cascade. Backups containing Customer Data are deleted according to OraTek's standard backup retention schedule (currently 7-day rolling).

9. Personal data breach notification

OraTek will notify Customer without undue delay and in any event within 72 hours after becoming aware of a Personal Data breach affecting Customer Data. Notification will include the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to mitigate.

10. International transfers

Customer Data may be processed in the United States. For transfers of Personal Data from the European Economic Area, United Kingdom, or Switzerland to the United States, the parties incorporate by reference the European Commission's Standard Contractual Clauses ("SCCs") (Commission Implementing Decision (EU) 2021/914), Module Two (Controller to Processor), with OraTek as data importer and Customer as data exporter. The optional clauses are included where applicable. The UK International Data Transfer Addendum is incorporated for UK transfers.

11. Audits

OraTek will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, including its most recent SOC 2 report (once available), penetration test summary, and Sub-processor list. On reasonable prior written notice, and no more than once per twelve-month period, Customer may engage an independent qualified auditor (subject to confidentiality obligations) to verify OraTek's compliance. The parties will agree in advance on scope, timing, and any reasonable fees.

12. Liability

The aggregate liability of each party under this DPA is subject to the limitations of liability set forth in the Agreement.

13. Order of precedence

In the event of conflict, this DPA controls over the Agreement with respect to Processing of Personal Data, and the SCCs (where applicable) control over this DPA.

14. Contact

OraTek's data protection contact: privacy@oratekdx.com.