Skip to main content
Stellar Dental Notes Logo STELLAR DENTAL NOTES

Data Processing Agreement

Stellar AI Ltd – Data Processing Agreement

Last Updated: 3 March 2026

Data Processing Agreement between Stellar AI Ltd and the Customer, governing the processing of personal data pursuant to Article 28 UK GDPR.

This Data Processing Agreement ("DPA") is entered into between Stellar AI Ltd, a company incorporated in England and Wales with registered number 16052397 ("Processor"); and the Customer as defined in the Subscription Agreement ("Controller"). This DPA is entered into pursuant to Article 28 of the UK General Data Protection Regulation and supplements the Subscription Agreement. In the event of conflict, this DPA shall prevail in matters relating to data protection.

1. Definitions

Capitalised terms not defined in this DPA have the meanings given in the Subscription Agreement. In this DPA: "Controller" means the Customer; "Processor" means Stellar AI Ltd; "Personal Data" means any information relating to an identified or identifiable natural person processed under the Subscription Agreement; "UK GDPR" means the retained EU law version of Regulation (EU) 2016/679 as it forms part of domestic law of the United Kingdom; "DPA 2018" means the Data Protection Act 2018; "Processing" has the meaning given in the UK GDPR; "Sub-processor" means any third party engaged by the Processor to process Personal Data.

2. Subject Matter, Duration, Nature and Purpose of Processing

2.1 Subject Matter

The Processor processes Personal Data on behalf of the Controller in connection with the provision of the Stellar Dental Notes Service as described in the Subscription Agreement.

2.2 Duration

Processing shall continue for the duration of the Subscription Term and, thereafter, for such period as is necessary to fulfil the Processor's post-termination obligations under this DPA or applicable law.

2.3 Nature and Purpose

The Processor processes Personal Data for the following purposes:

  • provision and operation of the Service;
  • AI-assisted transcription and clinical note generation;
  • secure storage and retrieval of clinical notes and transcripts;
  • user account management and authentication;
  • maintenance, troubleshooting and security of the Service;
  • compliance with legal obligations.

2.4 Types of Personal Data

The Personal Data processed may include:

  • clinician and practice staff identifiers (names, email addresses, user account information);
  • patient identifiers as included by the clinician in spoken or typed input (name, date of birth, NHS number or equivalent as applicable);
  • clinical information included in speech or input data (treatment history, clinical findings, diagnoses, treatment plans);
  • generated AI transcripts and clinical note drafts.

The data includes Special Categories of Personal Data, namely health data concerning patients. The Controller is responsible for ensuring that the processing of Special Categories of Personal Data is supported by an appropriate lawful basis and condition under Schedule 1 of the DPA 2018 or Article 9 UK GDPR.

2.5 Categories of Data Subjects

Data subjects whose personal data may be processed include:

  • dental patients of the Controller;
  • Authorised Users (clinicians and practice staff).

3. Controller's Obligations

The Controller shall, in accordance with UK GDPR, ensure that: (a) it has a valid legal basis for all Processing instructed under this DPA; (b) appropriate privacy notices are provided to data subjects; (c) where required, valid patient consent or other lawful grounds are in place for the use of AI-assisted documentation; (d) Authorised Users are made aware of applicable data protection obligations; (e) it does not instruct the Processor to process Personal Data in a manner that would cause the Processor to breach applicable data protection law.

4. Processor's Obligations

4.1 Processing in Accordance with Instructions

The Processor shall process Personal Data only in accordance with the Controller's documented instructions, which shall be comprised of: (a) this DPA; (b) the Subscription Agreement; (c) such additional written instructions as the Controller may provide from time to time. If the Processor is required by applicable law to process Personal Data other than in accordance with such instructions, it shall inform the Controller as soon as practicable unless prohibited by law.

4.2 Confidentiality

The Processor shall ensure that all persons authorised to process Personal Data are subject to appropriate obligations of confidentiality.

4.3 Security Measures

The Processor shall implement and maintain appropriate technical and organisational measures to protect Personal Data, including:

  • encryption of data in transit and at rest;
  • role-based access controls;
  • secure authentication mechanisms;
  • regular security testing and vulnerability management;
  • audit logging for access to Personal Data.

Security measures will be reviewed and updated in line with evolving threats and good industry practice.

4.4 Sub-processors

The Controller grants the Processor general authorisation to engage Sub-processors. The Processor shall: (a) maintain and make available to the Controller a list of Sub-processors; (b) provide not less than fourteen (14) days' prior notice of proposed changes to Sub-processor arrangements; (c) impose data protection obligations on Sub-processors substantially equivalent to those in this DPA; (d) remain liable for the acts and omissions of its Sub-processors.

4.5 Data Subject Rights

The Processor shall, taking into account the nature of the processing, provide reasonable assistance to the Controller in responding to requests from data subjects exercising their rights under the UK GDPR. The Controller remains responsible for determining the lawful response to data subject requests. The Processor shall promptly notify the Controller of any data subject request received directly by the Processor.

4.6 Data Protection Impact Assessments

The Processor shall provide such reasonable information and assistance as the Controller may require to carry out data protection impact assessments or consult with the Information Commissioner's Office as required by the UK GDPR, including in relation to high-risk processing.

4.7 Deletion and Return of Data

Upon termination or expiry of the Subscription Agreement: (a) the Controller may within thirty (30) days request a copy of Customer Data in a commonly used machine-readable format; (b) following expiry of that period, the Processor shall securely delete Personal Data from active systems; (c) backup copies shall be overwritten within seven (7) days following expiry of the thirty (30) day period; (d) the Processor shall, upon request, certify deletion in writing. The Processor may retain Personal Data where required to do so by applicable law, subject to continued application of the obligations in this DPA.

5. Personal Data Breach Notification

The Processor shall, without undue delay and in any event within seventy-two (72) hours of becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Controller, notify the Controller. The notification shall include, to the extent then known: (a) a description of the nature of the breach; (b) the likely categories and approximate number of data subjects affected; (c) the likely categories and approximate number of personal data records affected; (d) the name and contact details of the data protection officer or other point of contact; (e) the likely consequences of the breach; (f) the measures taken or proposed to address the breach.

If all required information cannot be provided within seventy-two (72) hours, the Processor shall provide available information promptly and supplement the notification as additional information becomes available. The Controller is responsible for determining whether notification to the Information Commissioner's Office or affected data subjects is required.

6. International Transfers

The Processor shall not transfer Personal Data outside the United Kingdom except where an appropriate transfer mechanism is in place in accordance with UK GDPR Chapter V and/or the International Data Transfer Agreement (IDTA) or approved addendum. Where cloud infrastructure or Sub-processor services involve processing in non-adequate countries, the Processor shall implement and document appropriate safeguards and make relevant transfer documentation available to the Controller upon request.

7. Audit and Compliance

The Processor shall, upon reasonable written notice of no less than fourteen (14) days, provide to the Controller (or a third party auditor bound by confidentiality obligations): (a) information reasonably necessary to demonstrate compliance with this DPA; (b) assistance with compliance audits as required by the UK GDPR and DPA 2018, subject to protections for proprietary information and the security of other customers. The Processor may satisfy its obligations in this clause through the provision of relevant certifications, third-party audit reports and/or written attestations.

8. Data Retention

The Processor shall retain Personal Data only for the period set out in the Retention Schedule below and for no longer than is necessary for the purposes for which it is processed:

  • Clinical notes and transcripts: duration of active subscription, plus 30 days post-termination
  • Account and authentication data: duration of subscription, plus 30 days post-termination
  • Audit logs: 12 months from date of creation
  • Security event logs: 12 months from date of creation
  • Backup data: overwritten within 7 days following expiry of the 30-day post-termination period

Retention periods may be extended where required by applicable law or regulatory obligation, in which case the Processor shall inform the Controller.

9. Healthcare-Specific Obligations

The Parties acknowledge that the processing of Special Categories of Personal Data (health data) requires heightened standards of care. The Processor shall maintain processing records pursuant to Article 30 UK GDPR. The Controller is responsible for satisfying itself that the Processor's technical and organisational measures are sufficient for its NHS or private practice regulatory obligations.

Raw audio input processed by the Service is not retained following transcription. Transcripts are stored as Customer Data and may contain patient health information. The Controller remains solely responsible for ensuring the accuracy of generated clinical notes before they are relied upon for patient care.

10. Liability and Indemnity

Each Party shall be liable for its own breach of this DPA and the applicable data protection legislation. The Controller shall indemnify the Processor against losses attributable to unlawful processing instructions given by the Controller or the Controller's own breach of applicable data protection law. The Processor shall indemnify the Controller against losses attributable to processing performed by the Processor in breach of this DPA or applicable data protection law. Total liability of the Processor under this DPA shall be subject to the liability cap set out in the Subscription Agreement.

11. Termination and Survival

This DPA shall terminate upon expiry or termination of the Subscription Agreement. The obligations in Sections 4.7 (deletion), 5 (breach notification as applicable post-termination), 7 (audit), and 10 (liability) shall survive termination of this DPA to the extent required by applicable data protection law.

12. Governing Law

This DPA shall be governed by the laws of England and Wales. Any dispute arising from or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.

13. Entire Agreement

This DPA, together with the Subscription Agreement (including all Schedules), constitutes the entire agreement between the Parties with respect to data processing. This DPA supersedes all prior written or oral representations, agreements or understandings between the Parties relating to data processing. Any amendment to this DPA must be in writing and signed by authorised representatives of both Parties.

Contact

For data protection queries, contact Stellar AI Ltd at: info@stellarai.co.uk