Dental Software
PRACTICE MANAGEMENT SOFTWARE
Features
Explore the features that can simplify your work and life.
FAQs
Find helpful answers & useful info about our software & service.
Onboarding
Start here to learn the process and find helpful resources.
Support
Learn more about our award-winning customer support.
PRACTICE GROWTH SOLUTIONS
AI Phone System
Increase new patient conversion with the power of AI.
AI Dental CRM
Learn more about Dental CRM.
Who We Serve
Sectors we serve
Single Site Dental Practices
Improve patient satisfaction and staff productivity at your office.
Multi-Site Dental Practices
Efficiently grow and scale your multi-location dental group.
Squat Dental Practices
The complete software kit to quickly start and scale your new practice.
Why CareStack
Learn how CareStack® takes dental practices to the next level!
Why CareStack
Innovative software to meet the diverse needs of dental specialists.
Get Help
Contact us
Onboarding
Company
Company overview
Leadership Team
Meet the talented innovators changing the dental industry.
Press
Browse our recent media coverage & download our press kit.
Contact
Contact CareStack®, View our office locations, phone & email.
Investors
See the companies and firms who believe in the CareStack® vision.
Partners
Trusted partners from across the dental & healthcare industries.
Events
View our schedule of upcoming events and register to attend.
Get Help
Contact us
Inner Circle 2025
Attend the most high octane event in dentistry to future proof your dental enterprise.

Inner Circle 2025 Login

+44 113 512 6098

Data Processing Agreement – United Kingdom

EFFECTIVE DATE: 01ST JANUARY, 2024

This Data Processing Agreement (the “DPA”) apply to the use of Services (as defined below) offered by Good Methods Global Inc, USA a company established under the laws of Delaware, USA; and Good Methods UK Limited, a company established in England and Wales.

Good Methods Global Inc together with Good Methods UK Limited shall each be referred to by their individual names, and together shall be referred to as “CareStack” and the “Data Processor”.

Customer is identified on the applicable Order Form between CareStack and Customer that references this DPA. Customer shall be referred to as “Data Controller”.

This DPA forms a contract between Data Processor and Data Controller both of whom hereby agree as follows:

1. Subject matter of this Data Processing Agreement

1.1 This Data Processing Agreement applies to the processing of personal data subject to Applicable Data Protection Law as defined in the Order Form (“Services”) (hereinafter to be referred to as: the “Service Agreement”).

1.2 The term Applicable Data Protection Law shall mean the United Kingdom’s Data Protection Act 2018 and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

1.3 Any capitalised terms not otherwise defined in this Data Processing Agreement shall have the meaning given to them in the Service Agreement. Except as modified below, the terms of the Service Agreement shall remain in full force and effect. Other terms used in this Data Processing Agreement that have meanings ascribed to them in the Applicable Data Protection Law, including but not limited to “Processing,” “Personal Data,” “Data Controller” and “Processor,” shall carry the meanings set forth under Applicable Data Protection Law. “Sub-processor” shall mean any third-party data processor engaged by Data Processor who has or will have access to or process Personal Data.

1.4 Insofar as the Data Processor will be processing Personal Data subject to Applicable Data Protection Law on behalf of the Data Controller in the course of the performance of the Service Agreement with the Data Controller, the terms of this Data Processing Agreement shall apply. In the event of a conflict between any provisions of the Service Agreement and the provisions of this Data Processing Agreement, the provisions of this Data Processing Agreement shall govern and control. An overview of the categories of Personal Data, the categories of Data Subjects, and the nature and purposes for which the Personal Data are being processed is provided in Annex 2.

2. The Data Controller and the Data Processor

2.1 Data Processor shall process the Personal Data solely as necessary to perform its obligations to the Data Controller or in accordance with Data Controller’s documented instructions for the following purposes: (i) Processing in accordance with the Service Agreement, this DPA, Applicable Data Protection Laws, the Privacy Policy (to the extent applicable), any other agreement or addendum executed by the Parties; (ii) Processing as required for compliance with applicable law; (iii) Processing initiated by or on behalf of the Data Controller in their use of the Services; and (iv) Processing to comply with other documented reasonable instructions provided by Data Controller where such instructions are consistent with the terms of the Service Agreement. Data Processor shall notify Data Controller in writing if, in Data Processor’s opinion, an instruction infringes Applicable Data Protection Laws. Data Processor shall not be liable for any liabilities, losses, fines, costs, penalties and/or damages, arising from or in connection with any processing in accordance with Data Controller’s instructions following the notification by Data Processor in accordance with the foregoing sentence. Such a notification will not constitute a general obligation on the part of the Data Processor to monitor or interpret the laws applicable to the Data Controller, and such notification will not constitute legal advice to the Data Controller.

2.2 The Parties have entered into a Service Agreement in order to benefit from the capabilities of the Data Processor in securing and processing the Personal Data for the purposes set out in Annex 2. The Data Processor shall be allowed to exercise its own discretion in the selection and use of such means as it considers necessary to pursue those purposes, provided that all such discretion is compatible with the requirements of this Data Processing Agreement, in particular the Data Controller’s written instructions.

2.3 The Data Controller warrants that it has all necessary rights to provide the Personal Data to the Data Processor for the Processing to be performed in relation to the Services, and that one or more lawful bases set forth in Applicable Data Protection Law support the lawfulness of the Processing. To the extent required by Applicable Data Protection Law, the Data Controller is responsible for ensuring that all necessary privacy notices are provided to data subjects, and unless another legal basis set forth in Applicable Data Protection Law supports the lawfulness of the processing, that any necessary data subject consents to the Processing are obtained, and for ensuring that a record of such consents is maintained. Should such a consent be revoked by a data subject, the Data Controller is responsible for communicating the fact of such revocation to the Data Processor, and the Data Processor remains responsible for implementing Data Controller’s instruction with respect to the processing of that Personal Data.

3. Confidentiality

3.1 Without prejudice to any existing contractual arrangements between the Parties, the Data Processor shall treat all Personal Data as confidential and it shall inform all its employees, agents and/ or Sub Processors engaged in processing the Personal Data of the confidential nature of the Personal Data. The Data Processor shall ensure that all such persons or parties have signed an appropriate confidentiality agreement, are otherwise bound to a duty of confidentiality, or are under an appropriate statutory obligation of confidentiality.

4. Security

4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Controller and Data Processor shall implement appropriate technical and organisational measures to ensure a level of security of the processing of Personal Data appropriate to the risk. These measures shall include, at a minimum, the security measures agreed upon by the Parties in Annex 3.

4.2 Both the Data Controller and the Data Processor shall maintain written security policies that are fully implemented and applicable to the processing of Personal Data. At a minimum, such policies should include assignment of internal responsibility for information security management, devoting adequate personnel resources to information security, carrying out verification checks on permanent staff who will have access to the Personal Data, conducting appropriate background checks, requiring employees, vendors and others with access to Personal Data to enter into written confidentiality agreements, and conducting training to make employees and others with access to the Personal Data aware of information security risks presented by the Processing. At the request of the Data Controller, the Data Processor shall demonstrate the measures it has taken pursuant to this Article 4 and shall allow the Data Controller to audit and test such measures. Unless otherwise required by a Supervisory Authority of competent jurisdiction, the Data Controller shall be entitled on giving at least 30 days’ notice to the Data Processor to carry out or have carried out by a third party who has entered into a confidentiality agreement with the Data Processor, audits of the Data Processor´s premises and operations as these relate to the Personal Data.

4.3 The Data Processor shall provide the Data Controller with access to any personal data processed on its behalf with access and access will be limited to customer’s personal data only.

4.4 The Data Processor’s adherence to an approved certification mechanism recognised under Applicable Data Protection Law may be used as an element by which the Data Processor may demonstrate compliance with the requirements set out in Article 4.1, provided that the requirements contained in Annex 3 are also addressed by such code of conduct or certification mechanism.

5. Improvements to Security

5.1 The Parties acknowledge that security requirements are constantly changing and that effective security requires frequent evaluation and regular improvements of outdated security measures. The Data Processor will therefore evaluate the measures as implemented in accordance with Article 4 on an on-going basis in order to maintain compliance with the requirements set out in Article 4. The Parties will negotiate in good faith the cost, if any, to implement material changes required by specific updated security requirements set forth in Applicable Data Protection Law or by data protection authorities of competent jurisdiction.

5.2 Where an amendment to the Service Agreement is necessary in order to execute a Data Controller instruction to the Data Processor to improve security measures as may be required by changes in Applicable Data Protection Law from time to time, the Parties shall negotiate an amendment to the Service Agreement in good faith.

6. Data Transfers

6.1 The Data Processor shall promptly notify the Data Controller of any planned permanent or temporary transfers of Personal Data to a third country, including a country outside of the European Economic Area without an adequate level of protection, and shall only perform such a transfer after obtaining authorisation from the Data Controller, which may be refused at its own discretion. Annex 4 provides a list of transfers for which the Data Controller grants its authorisation upon the conclusion of this Data Processing Agreement. Data Processor represents and warrants that it has entered into a written agreement with each Sub-Processor’s mentioned in Annex 4. These agreements impose data protection obligations on the Sub-Processor that are no less protective than those established by the Data Protection Laws in the United Kingdom.

6.2 To the extent that the Data Controller or the Data Processor are relying on a specific statutory mechanism to normalise international data transfers and that mechanism is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, the Data Controller and the Data Processor agree to cooperate in good faith to promptly suspend the transfer or to pursue a suitable alternate mechanism that can lawfully support the transfer.

7. Information Obligations and Incident Management

7.1 When the Data Processor becomes aware of an incident that has a material impact on the Processing of the Personal Data that is the subject of the Services Agreement and if required by the Applicable Data Protection Law, Data Processor shall promptly notify the Data Controller about the incident, shall at all times cooperate with the Data Controller, and shall follow the Data Controller’s instructions with regard to such incidents in order to enable the Data Controller to perform a thorough investigation into the incident, to formulate a correct response, and to take suitable further steps in respect of the incident.

7.2 The term “incident” used in Article 7.1 shall be understood to mean in any case:

(a.) a complaint or a request with respect to the exercise of a data subject’s rights under Applicable Data Protection Law.
(b.) an investigation into or seizure of the Personal Data by government officials, or a specific indication that such an investigation or seizure is imminent.
(c.) any unauthorised or accidental access, processing, deletion, loss or any form of unlawful processing of the Personal Data.
(d.) any breach of the security and/or confidentiality as set out in Articles 3 and 4 of this Data Processing Agreement leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the Personal Data, or any indication of such breach having taken place or being about to take place.
(e.) where, in the opinion of the Data Processor, implementing an instruction received from the Data Controller would violate applicable laws to which the Data Controller or the Data Processor are subject.

7.3 The Data Processor shall at all times have in place written procedures which enable it to promptly respond to the Data Controller about an incident. Where the incident is reasonably likely to require a data breach notification by the Data Controller under Applicable Data Protection Law, the Data Processor shall implement its written procedures in such a way that it is in a position to notify the Data Controller without undue delay after the Data Processor becomes aware of such an incident.

7.4 Any notifications made to the Data Controller pursuant to this Article 7 shall be addressed to the employee of the Data Controller whose contact details are provided in Annex 1, as updated periodically, of this Data Processing Agreement and, in order to assist the Data Controller in fulfilling its obligations under Applicable Data Protection Law, should contain:

(a.) a description of the nature of the incident, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned.
(b.) the name and contact details of the Data Processor’s data protection officer or another contact point where more information can be obtained.
(c.) a description of the likely consequences of the incident.
(d.) a description of the measures taken or proposed to be taken by the Data Processor to address the incident including, where appropriate, measures to mitigate its possible adverse effects.

8. Contracting with Sub processors

8.1 The Data Controller hereby grant a general authorization to Data Processor to (a) appoint other the affiliates of Data Processor (“Group Companies”) as Sub-Processors, and (b) appoint any other third party as Sub-Processors to support the performance of the Services.

8.2 The list of all Sub-Processors including the Group Companies are listed in Annex 4 as updated periodically. The Data Controller authorises the Data Processor to engage the Sub Processors listed in Annex 4 as updated periodically. Data Processor shall provide notice to the Data Controller of any addition or replacement of such Sub-Processor giving the Data Controller an opportunity to object to such changes. If Data Controller has a reasonable objection to any new or replacement Sub-Processor, Data Controller shall notify Data Processor of such objections in writing within ten (10) days from change in the list and the Parties will seek to resolve the matter in good faith. If Data Controller does not provide a timely objection to any new or replacement Sub-Processor in accordance with this section, the Data Controller will be deemed to have consented to the Sub-Processor and waived its right to object. Data Processor shall take all commercially reasonable steps to ensure that it has in place a written contract with that Sub-Processor applying essentially the same data protection terms as are set out in this DPA.

9. Assistance to Data Controller

9.1 The Data Processor shall assist the Data Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights under the Applicable Data Protection Law.

9.2 Taking into account the nature of processing and the information available to the Data Processor, the Data Processor shall assist the Data Controller in ensuring compliance with obligations pursuant to Section 4 (Security), as well as other Data Controller obligations under Applicable Data Protection Law that are relevant to the Data Processing described in Annex 2, including notifications to a supervisory authority or to Data Subjects, the process of undertaking a Data Protection Impact Assessment, and with prior consultations with supervisory authorities.

9.3 The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the Data Processor’s obligations and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.

10. Liability and Indemnity

10.1 The Data Processor indemnifies the Data Controller and holds the Data Controller harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the Data Controller arising out of a breach of this Data Processing Agreement and/or the Applicable Data Protection Law by the Data Processor. The Data Controller indemnifies the Data Processor and holds the Data Processor harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the Data Processor arising out of a breach of this Data Processing Agreement and/or the EU Data Law by the Data Controller.

11. Duration and Termination

11.1 This Data Processing Agreement shall come into effect on the effective date of the Service Agreement.

11.2 Termination or expiration of this Data Processing Agreement shall not discharge the Data Processor from its confidentiality obligations pursuant to Article 3.

11.3 The Data Processor shall process Personal Data until the date of expiration or termination of the Service Agreement, unless instructed otherwise by the Data Controller, or until such data is returned or destroyed on instruction of the Data Controller.

11.4 Following termination of the Agreement between Data Controller and Data Processor, Data Processor will retain the Personal Data forming part of the Services for one hundred twenty (120) days from such date of termination (“Data Retention Period”). Upon the expiration of the Data Retention Period, Data Processor will no longer have an obligation to maintain or provide any access to the Personal Data provided by the Data Controller. Thereafter, unless required for compliance with applicable laws and regulations, or as necessary by the Data Processor to protect, defend or establish Data Processor’s rights, or defend against potential claims, Data Processor reserves the right to destroy all Personal Data in Data Processor’s possession. Notwithstanding the Data Retention Period, upon the written request following the termination of the Agreement and the DPA, Data Processor will take all commercially and technically reasonable steps to destroy all Personal Data.

12. Miscellaneous

12.1 In the event of any inconsistency between the provisions of this Data Processing Agreement and the provisions of the Service Agreement, the provisions of this Data Processing Agreement shall prevail.

12.2 This Data Processing Agreement is governed by the laws of the United Kingdom. Any disputes arising from or in connection with this Data Processing Agreement shall be brought exclusively before the competent court of England.

Annex 1: CONTACT INFORMATION OF THE DATA PROTECTION OFFICER

Contact information of the data protection office for the data processor. Email: dpo@carestack.com

Annex 2: TYPES OF PERSONAL DATA THAT WILL BE PROCESSED

Types of Personal Data that will be processed in the scope of the Services Agreement shall include but not be limited to:

NHS number,
First name,
Surname,
Gender,
Date of birth Address,
Telephone number landline and mobile,
Date referral received,
Referring GP or service inc. GP Code
Treating clinician (if treatment started),
Clinic location name (if treatment started).

Annex 3: SECURITY MEASURES

Data Processor shall:

1. Ensure that the Personal Data can be accessed only by authorised personnel for the purposes set forth in Annex 2 of this Data Processing Agreement.
2. Take all reasonable measures to prevent unauthorised access to the Personal Data through the use of appropriate physical and logical (passwords) entry controls, securing areas for data processing, and implementing procedures for monitoring the use of data processing facilities;
3. Build in system and audit trails.
4. Use secure passwords, network intrusion detection technology, encryption and authentication technology, secure logon procedures and virus protection;
5.Account for all the risks that are presented by processing, for example from accidental or unlawful destruction, loss, or alteration, unauthorised or unlawful storage, processing, access or disclosure of Personal Data;
6. Ensure pseudonymisation and/or encryption of Personal Data, where appropriate;
7. Maintain the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
8. Maintain the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
9. Implement a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing of Personal Data;
10. Monitor compliance on an ongoing basis;
11. Implement measures to identify vulnerabilities with regard to the processing of Personal Data in systems used to provide services to the Data Controller;
12. Provide employee and contractor training to ensure ongoing capabilities to carry out the security measures established in policy.

Annex 4: SUB-PROCESSORS INCLUDING THE GROUP COMPANIES

Transfers to countries outside the European Economic Area without a suitable level of protection for which the Data Controller has granted its authorisation.

SUB-PROCESSOR DETAILS

I. Group Companies:

The following are Group Companies as defined in the DPA.
These entities function as sub-processors as well with one or more entities providing support and maintenance.

SL NO	GROUP COMPANY	LOCATION
1.	Good Methods UK Limited	United Kingdom
2.	Good Methods Software Solutions Private Limited	India

II. Good Methods Global Inc, along with its Group Companies, employs the use of sub-processors to aid in the provision of Services, as outlined in the Terms of Service. These sub-processors are third-party entities and include, but not be limited to:

SUB-PROCESSOR	SUBJECT MATTER	PURPOSE/NATURE OF PROCESSING	DATA CENTER
1. ADYEN	Payment Platform	Adyen is a payment company with the status of an acquiring bank that allows businesses to accept e-commerce, mobile, and point-of-sale payments.	EU, the US, India, Singapore and Australia.
2. ATLASSIAN	JIRA ticketing tool.	JIRA is a software development tool used by CareStack team.	US & INDIA
3. AWS	Cloud hosting service.	CareStack web applications and database are hosted on AWS.	US & UK
4. CHARGEBEE	Subscription management platform	Chargebee empowers subscription businesses to streamline billing, drive growth, and deliver a seamless customer experience.	US
5. GOOGLE CLOUD	Cloud hosting	For CS Conversations IQ	UK
6. INSPECTOR.DEV	Code Execution Monitoring	For CS Conversations IQ	EUROPE (FRANKFURT)
7. MICROSOFT AZURE	Cloud hosting service.	CareStack web applications and database are hosted on Microsoft Azure.	US & UK
8. SENDGRID	Email service provider.	SendGrid provides cloud-based services	US
9. SENTRY.IO	Application performance monitoring	For CS Conversations IQ	US
10. STRIPE	Payment Gateway.	Stripe provides CareStack with a payment gateway and API’s for payment processing.	US
11. TWILLIO	Web call service provider.	Twillio provides CareStack with communication services such as making and receiving phone calls, sending and receiving text messages, and performing other communication functions using web service API’s	US
12. WHATFIX	Product analytics and Product information.	Whatfix is a software that helps customer learn new applications easily, right within the application itself.	US
13. ZENDUTY	Incident management platform.	Proactively alerts and swiftly mobilizes teams during critical situations, guaranteeing rapid incident resolution and minimizing potential downtime.	US
14. ZENDESK	Ticketing tool for support team.	Streams customer support for smooth interactions, organizes tickets, and empowers agents to resolve issues quickly.	US