Data Processing Agreement (DPA)
Last updated: June 2026
This Data Processing Agreement (“DPA”) forms Schedule 1 to the Terms of Serviceand is entered into between the dental clinic (“Controller”) and Review Your Doctor, operated by ShiftDeploy (“Processor”). It governs the processing of personal data under UK GDPR Article 28 and is accepted by the clinic on sign-up, before go-live.
1. Parties
The clinic is the data controller; Review Your Doctor / ShiftDeploy is the data processor. The Controller determines the purposes and means of processing; the Processor acts only on the Controller’s documented instructions.
2. Subject matter
Patient feedback collection and operation of the clinic dashboard, including the QR feedback form, ratings, private negative-feedback capture, manager alerts, and analytics display.
3. Duration
The subscription term, plus the agreed retention/deletion period (negative-feedback personal data is retained for up to 12 months, then deleted), subject to backup cycles and legal obligations.
4. Nature and purpose of processing
Collecting, storing, displaying, and notifying clinic staff about patient feedback, so the Controller can monitor service quality and follow up privately with dissatisfied patients.
5. Categories of data subjects
Patients of the clinic, or representatives, who submit feedback.
6. Categories of personal data
Optional name, email, and phone number; free-text feedback (reason); star rating; timestamp; clinic identifier; and technical metadata where necessary for security and service delivery. For 4-5 star submissions, only an anonymous rating is recorded.
7. Special category data
No medical or treatment data is requested. If a patient voluntarily includes health information in free-text feedback, the Controller remains responsible for handling it appropriately, and the Processor will process it only as part of providing the service.
8. Subprocessors and prior authorisation
The Controller authorises the subprocessors listed in our Privacy Policy (currently Supabase, Vercel, the email/SMTP provider, Google Places, and a payment provider). The Processor will give prior notice of any intended addition or replacement of a subprocessor, allowing the Controller a reasonable opportunity to object on reasonable data-protection grounds.
9. Security measures
- Encryption in transit (TLS) and at rest where available.
- Access controls and least-privilege access; row-level security so a clinic only ever sees its own data.
- Managed backups and activity logging.
- Confidentiality obligations on authorised personnel.
- Breach notification: the Processor will notify the Controller without undue delay after becoming aware of a personal data breach and assist with the Controller’s notification obligations.
10. Deletion / return
On cancellation or upon a verified request, the Processor will delete (or return) the Controller’s personal data, subject to backup cycles and any legal retention obligations.
11. Assistance
The Processor will assist the Controller, taking into account the nature of processing, with data-subject requests for access, rectification, erasure, restriction, and portability, and will cooperate with audits and information requests necessary to demonstrate Article 28 compliance.
12. International transfers
Patient data is stored in the UK/EU. Where data is processed outside the UK/EU by a subprocessor, appropriate safeguards apply (UK IDTA/Addendum or Standard Contractual Clauses). See the Privacy Policy for details.
13. Governing law
This DPA is governed by the laws of England and Wales and forms part of the Terms of Service.
Acceptance: by ticking the consent box at sign-up (or by signing the offline version on onboarding), the Controller accepts this DPA. Data queries: contact@shiftdeploy.com.
