Data Processing Addendum
Version 1.0 · Effective July 10, 2026
English · Español · Français · Português
This DPA forms part of the
Terms of Service between SmileMaxer LLC (the
"Processor") and the Practice (the "Controller") and applies whenever SmileMaxer processes personal data
on the Practice's behalf that is subject to the GDPR, UK GDPR, Swiss FADP, or similar laws. It is
automatically incorporated into the Terms for such Practices; no signature is required. Need a
countersigned copy? Email legal@readymaxer.com.
1. Scope and roles
For team data the Practice enters or generates (member names, departments,
rooms, devices, signals, activity logs, digital-line entries), the Practice is controller and SmileMaxer
is processor. For admin accounts, billing, and website data, SmileMaxer is an independent controller
under the
Privacy Policy, and this DPA does not apply.
2. Details of processing
Subject matter and duration: providing ReadyMaxer for the
subscription term. Nature and purpose: hosting, storing, transmitting, and displaying
team-signaling data; push notifications; sign-in and pairing; the Practice's activity log.
Data subjects: the Practice's staff and admins; visitors who join its digital line.
Personal data: first names or display names; department and shift status; device names,
models, and push tokens; signal records with timestamps and optional short notes; digital-line names.
No special categories: the service prohibits entering patient or health information, and
the Practice agrees not to submit any.
3. Processor obligations
SmileMaxer will: (1) process only on the Practice's documented
instructions (the Terms, this DPA, and the Practice's use of the service's controls), unless required by
law, informing the Practice unless the law forbids it; (2) bind authorized persons to confidentiality;
(3) implement the technical and organizational measures below; (4) respect the subprocessor conditions in
Section 4; (5) assist the Practice with data subject requests and, considering the information available,
with security, breach-notification, and impact-assessment obligations; (6) notify the Practice without
undue delay after becoming aware of a personal data breach affecting its data; (7) at the end of the
service, delete the Practice's personal data within 60 days except where law requires retention; and (8)
make available information reasonably necessary to demonstrate compliance and, at the Practice's cost and
at most annually, allow audits (satisfiable with documentation and third-party reports).
4. Subprocessors
The Practice generally authorizes the subprocessors listed at
readymaxer.com/subprocessors. We will update that page at least 15 days
before adding or replacing a subprocessor; the Practice may object on reasonable data-protection grounds
at legal@readymaxer.com and, failing resolution, cancel its subscription. We impose consistent data
protection obligations on subprocessors and remain responsible for their performance.
5. International transfers
The service is hosted in the United States. Where a transfer mechanism
is required, the parties incorporate the EU Standard Contractual Clauses (2021/914, Module Two,
controller to processor), Practice as exporter, SmileMaxer as importer, with: Clause 7 included; Clause
9(a) Option 2 with 15 days' notice; Clause 11 optional language omitted; Clause 17 Option 1 (Irish law);
Clause 18 (courts of Ireland). Annex I is Section 2 plus the parties' account details; Annex II is the
measures below; Annex III is the subprocessors page. UK transfers: the UK International Data Transfer
Addendum (B1.0) applies with tables completed by the foregoing; Swiss transfers: the Clauses as adapted
per the FDPIC.
6. Liability and precedence
Each party's liability under this DPA is subject to the limitations in
the Terms except where Data Protection Laws do not permit. This DPA controls over the Terms for data
protection matters; the Clauses control over this DPA.
Annex II: Technical and organizational measures
All transport encrypted (HTTPS/TLS). Passwords
hashed with argon2id; session, device, and QR tokens stored only as SHA-256 hashes; single-use short-expiry
pairing codes. Data minimization by design: no member phone numbers or emails; notes capped at 200
characters and labeled to exclude patient information; no analytics in the signed-in service. Tenant
isolation at the application layer; role-based access. Optional platform attestation on sensitive
endpoints. Hosting on Google Cloud with provider physical and network security; production access limited
to authorized personnel. IPs processed transiently in memory, not persisted. Automated retention
enforcement: finished signals and digital-line entries purged after 90 days, activity log after 12
months, removed members anonymized after 60 days (Privacy Policy §8). Practice-facing controls: device
revocation, member deactivation, data deletion, activity log.
Questions: legal@readymaxer.com · SmileMaxer LLC, 11 S Eutaw St, Apt 915, Baltimore, MD 21201, USA
← Back home