MDConnect Data Processing Agreement
MDBUDDY UK LTD
Effective date: 1 January 2026
Last reviewed: 4 April 2026
Next review due: 4 April 2027
This Data Processing Agreement ("DPA") forms part of the MDConnect Terms and Conditions (the "Agreement") between MDBUDDY UK LTD and the Customer. It sets out the terms on which personal data is processed through the MDConnect platform, the responsibilities of each party, and the safeguards in place to protect personal data.
This DPA is incorporated into the Agreement by reference. In the event of any conflict between this DPA and the Agreement on matters relating to data protection, this DPA shall prevail.
Between:
(1) MDBUDDY UK LTD, a company registered in England and Wales, with its registered address at 427 Kings Road, Stretford, Manchester, M32 8LN, ICO registration number ZB894415 ("MDBUDDY"); and
(2) The Customer identified in the Subscription Confirmation ("the Customer").
1. Definitions
1.1 In this DPA, the following terms have the meanings set out below. Terms defined in the MDConnect Terms and Conditions have the same meaning when used in this DPA.
Applicable Data Protection Laws: The UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (PECR), and any guidance, codes of practice, or regulatory standards issued by the ICO, as amended or replaced from time to time.
Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed through MDConnect.
Data Controller: A natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data, as defined by Article 4(7) of the UK GDPR.
Data Subject: An identified or identifiable natural person whose personal data is processed through MDConnect, including Admin Users, Setting Users, and individuals identified in free-text fields such as contact logs and incident reports.
ICO: The Information Commissioner's Office, the UK's independent authority for data protection.
Personal Data: Any information relating to an identified or identifiable natural person, as defined by Article 4(1) of the UK GDPR.
Processing: Any operation or set of operations performed on personal data, as defined by Article 4(2) of the UK GDPR, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, and destruction.
Special Category Data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a person's sex life or sexual orientation, as defined by Article 9(1) of the UK GDPR. For the purposes of this DPA, data relating to children's safeguarding that is entered into MDConnect through the incident reporting feature is treated with equivalent protections.
Sub-processor: A third-party service provider engaged by MDBUDDY to process personal data on its behalf in connection with the provision of MDConnect.
2. Data Controller Status and Responsibilities
2.1 MDBUDDY is the Data Controller for all personal data collected, processed, and stored through MDConnect. MDBUDDY determines the purposes and means of processing, including the technical infrastructure, security measures, data retention periods, and the use of anonymised data for the purposes described in section 11 of this DPA.
2.2 The Customer acknowledges and agrees that all data processed through MDConnect is owned by MDBUDDY, as set out in section 10 of the MDConnect Terms and Conditions. The Customer is granted access to data relevant to its programme deployment through the Platform for the duration of the Subscription Term.
2.3 The Customer has independent Data Controller responsibilities under Applicable Data Protection Laws for its own decisions about what data to enter into MDConnect, which Settings to enrol, which staff to register as Authorised Users, and how to use exported data. The Customer processes data within MDConnect under its own public health mandate and must ensure that it has appropriate lawful bases for its processing activities.
2.4 Each party is independently responsible for its own compliance with Applicable Data Protection Laws. This DPA sets out the agreed arrangements between the parties for the processing of personal data through MDConnect, including the safeguards that MDBUDDY has put in place to protect personal data.
2.5 The data compliance lead for MDBUDDY is Dr Ramzan Mohammed, who can be contacted at mdconnect@mydentalbuddy.com. The Customer should direct all data protection queries, data subject requests, and breach notifications relating to MDConnect to this address.
3. Scope of Processing
3.1 This DPA applies to all personal data processed through MDConnect for the duration of the Agreement and for such further period as personal data is retained in accordance with section 9 of this DPA.
3.2 The categories of personal data, categories of data subjects, and purposes of processing are set out in Schedule 1 to this DPA.
4. Customer Obligations
4.1 The Customer shall ensure that it has a valid lawful basis under Article 6 of the UK GDPR (and, where applicable, a condition under Article 9) for all personal data that it enters into MDConnect or instructs its Authorised Users to enter.
4.2 The Customer shall ensure that all Data Subjects whose personal data is entered into MDConnect have been provided with appropriate privacy information in accordance with Articles 13 and 14 of the UK GDPR, including information about MDBUDDY's role as Data Controller and the processing activities described in the MDConnect Privacy Policy.
4.3 The Customer shall not enter any Special Category Data into MDConnect except through the incident reporting feature where a safeguarding concern necessitates it. Where Special Category Data is entered, the Customer must ensure that the processing is permitted under a condition in Article 9(2) of the UK GDPR and Schedule 1 of the Data Protection Act 2018.
4.4 The Customer is responsible for the accuracy, completeness, and appropriateness of all data entered into MDConnect by its Authorised Users. MDBUDDY is not responsible for verifying the accuracy of data entered by the Customer.
4.5 The Customer shall ensure that its Authorised Users receive adequate data protection training relevant to their use of MDConnect and the data they handle through the Platform.
5. MDBUDDY Obligations
5.1 MDBUDDY shall process personal data through MDConnect in accordance with Applicable Data Protection Laws, the MDConnect Privacy Policy, and this DPA.
5.2 MDBUDDY shall implement and maintain appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage, as described in section 6 of this DPA and in the MDConnect Data Security Overview.
5.3 MDBUDDY shall ensure that all personnel who have access to personal data processed through MDConnect are subject to appropriate confidentiality obligations, whether by contract or statutory duty.
5.4 MDBUDDY shall maintain records of processing activities carried out through MDConnect in accordance with Article 30 of the UK GDPR.
5.5 MDBUDDY shall co-operate with the ICO in the performance of its tasks where required by Applicable Data Protection Laws.
6. Technical and Organisational Security Measures
6.1 MDBUDDY has implemented the following technical and organisational measures to protect personal data processed through MDConnect. A detailed description is provided in the MDConnect Data Security Overview, available on request.
6.2 Encryption
All data stored within MDConnect is encrypted at rest using AES-256 encryption. All data transmitted to and from MDConnect is encrypted in transit using TLS 1.3. End-to-end encryption is maintained throughout the platform's systems.
6.3 Access Controls
MDConnect operates role-based access controls following the principle of least privilege. Admin Users can only access data within their own programme. Setting Users can only access data relating to their own Setting. MDBUDDY's internal access is restricted to authorised personnel for technical support and maintenance purposes only. A limited number of engineers hold privileged access, and all access is logged.
6.4 Multi-tenancy and Data Isolation
MDConnect is a multi-tenant platform. Each Customer's data is logically isolated. Admin Users from one Customer cannot access another Customer's data. MDBUDDY Admin (super-admin) can access all tenants for support and maintenance.
6.5 Hosting and Data Residency
MDConnect is hosted on Amazon Web Services (AWS) Europe (Ireland and London regions) and Firebase Google Cloud Europe. All personal data is processed and stored within the United Kingdom and European Economic Area. There is an absolute prohibition on processing personal data outside UK and EU jurisdictions.
6.6 Personnel Security
All MDBUDDY staff with access to data that includes information about children hold enhanced DBS clearances. Professional registration is verified for clinical staff. All staff receive comprehensive data protection training on induction and on an ongoing basis. Staff are subject to contractual confidentiality obligations.
6.7 Monitoring and Testing
MDBUDDY maintains security monitoring on the MDConnect platform and monitors for threats on a continuous basis. Security testing, including penetration testing, is conducted in accordance with the MDConnect Data Security Overview.
6.8 Backup and Disaster Recovery
MDConnect data is backed up regularly. Backup data is stored encrypted within the same UK/EEA jurisdictions as the primary data. Disaster recovery procedures are maintained and tested to ensure service continuity.
7. Sub-processors
7.1 MDBUDDY engages the following Sub-processors in connection with the provision of MDConnect. Each Sub-processor processes personal data under a binding agreement that imposes data protection obligations consistent with this DPA.
Sub-processorPurposeData ProcessedData LocationAmazon Web Services (AWS)Cloud hosting and data storageAll platform dataEurope (Ireland and London regions)Firebase (Google Cloud)Cloud services and infrastructurePlatform operational dataEurope
7.2 MDBUDDY shall not engage any new Sub-processor without updating this list. Where a new Sub-processor is engaged that processes personal data in a materially different way from the existing Sub-processors, MDBUDDY shall notify the Customer in advance and provide the Customer with sufficient information to assess the impact on data protection.
7.3 If the Customer has reasonable grounds to object to a new Sub-processor on data protection grounds, the Customer shall notify MDBUDDY in writing within 14 days of receiving notice of the change. The parties shall discuss the Customer's concerns in good faith. If the objection cannot be resolved, the Customer may terminate the Agreement by giving 30 days' written notice.
7.4 MDBUDDY shall ensure that each Sub-processor is bound by written obligations that provide a level of protection for personal data that is no less protective than the obligations in this DPA. MDBUDDY remains responsible for the acts and omissions of its Sub-processors as if they were its own.
8. Data Breach Notification
8.1 In the event of a Data Breach affecting personal data processed through MDConnect, MDBUDDY shall notify the Customer without undue delay and in any event within 24 hours of becoming aware of the breach.
8.2 The notification shall include, to the extent known at the time of notification: (a) a description of the nature of the breach, including the categories and approximate number of Data Subjects and records affected; (b) the likely consequences of the breach; (c) the measures taken or proposed to be taken to address the breach and mitigate its effects; and (d) the name and contact details of the point of contact at MDBUDDY for further information.
8.3 MDBUDDY shall co-operate with the Customer in investigating and responding to the breach and shall provide the Customer with such further information as becomes available.
8.4 Where the Data Breach is likely to result in a risk to the rights and freedoms of Data Subjects, MDBUDDY shall notify the ICO within 72 hours in accordance with Article 33 of the UK GDPR. Where the breach is likely to result in a high risk to Data Subjects, MDBUDDY shall notify affected individuals directly in accordance with Article 34 of the UK GDPR.
8.5 Enhanced breach procedures apply where the Data Breach involves children's data or safeguarding information. In such cases, MDBUDDY shall treat the breach as high priority and escalate internally to the data compliance lead within 2 hours of becoming aware of the breach.
8.6 The Customer shall notify MDBUDDY promptly if it becomes aware of any Data Breach, suspected breach, or security incident affecting its Authorised User accounts or data within MDConnect.
9. Data Retention and Deletion
9.1 MDBUDDY retains personal data processed through MDConnect in accordance with the retention periods set out in the MDConnect Privacy Policy (section 12). The applicable retention periods are summarised below.
Data CategoryRetention PeriodAdmin and Setting User account dataDuration of Subscription Term plus 12 monthsProgramme operational data (sessions, stock, contact logs)Duration of Subscription Term plus 3 yearsIncident and safeguarding reportsDuration of Subscription Term plus 6 yearsAudit and quality assurance recordsDuration of Subscription Term plus 3 yearsConsent documentation6 yearsTraining and certification recordsDuration of Subscription Term plus 3 yearsAggregated and anonymised dataRetained indefinitely (not personal data)
9.2 On termination or expiry of the Agreement, the Customer may request an export of its data within 30 days of the termination date. MDBUDDY shall provide the data in a structured, commonly used, machine-readable format (such as CSV or Excel). After the 30-day export window, data shall be retained in accordance with the retention periods above and thereafter securely deleted.
9.3 Secure deletion means that personal data is permanently destroyed using methods that prevent recovery, including overwriting, cryptographic erasure, or physical destruction of storage media as appropriate.
9.4 Aggregated, anonymised, and de-identified data derived from the Customer's programme prior to termination shall be retained by MDBUDDY indefinitely in accordance with section 11 of this DPA.
10. Data Subject Requests
10.1 As Data Controller, MDBUDDY is responsible for responding to Data Subject requests exercising rights under the UK GDPR (including access, rectification, erasure, restriction, portability, and objection). Data Subject requests should be directed to mdconnect@mydentalbuddy.com.
10.2 Where a Data Subject contacts the Customer with a request relating to personal data processed through MDConnect, the Customer shall direct the Data Subject to MDBUDDY or forward the request to mdconnect@mydentalbuddy.com. MDBUDDY shall respond to the request within one month in accordance with the UK GDPR.
10.3 MDBUDDY shall co-operate with the Customer and provide reasonable assistance in relation to Data Subject requests that affect the Customer's programme data, including verifying the identity of the Data Subject and assessing the scope of the request.
10.4 Because MDConnect holds only aggregate, non-identifiable data about children (counts, not individual records), it is generally not possible to identify or extract data relating to a specific child. Data Subject requests from parents or guardians relating to their child's data will be handled in accordance with section 14 of the MDConnect Privacy Policy. The exception is safeguarding incident reports that may contain identifiable information, which will be addressed on a case-by-case basis.
11. Anonymised and Aggregated Data
11.1 All data collected, processed, and stored by MDConnect is owned by MDBUDDY UK LTD. The Customer is granted access to data relevant to its programme deployment. The Customer does not own the data.
11.2 MDBUDDY reserves the right to produce and share aggregated, anonymised, and de-identified data derived from MDConnect for the following purposes:
(a) Academic and clinical research into children's oral health outcomes and programme delivery effectiveness.
(b) Public health analysis to support local, regional, and national understanding of oral health programme impact.
(c) Health intervention and targeted intervention programmes, including informing the design and commissioning of future preventive services.
(d) Policy development and service commissioning by government bodies, NHS organisations, and public health agencies.
11.3 Data shared under clause 11.2 is fully anonymised and cannot be linked back to any individual child, staff member, or institution. MDBUDDY applies robust anonymisation techniques, verified against the ICO's anonymisation code of practice, to ensure that re-identification is not reasonably likely by any means.
11.4 Because anonymised data is not personal data under UK GDPR, its production and sharing does not require individual consent and is not subject to data subject rights. This provision is consistent with section 9 of the MDConnect Privacy Policy and section 10 of the MDConnect Terms and Conditions.
12. International Data Transfers
12.1 MDBUDDY does not transfer personal data processed through MDConnect outside the United Kingdom or the European Economic Area. All hosting, storage, and processing takes place within UK and EEA jurisdictions.
12.2 If an international transfer becomes necessary in the future (for example, due to a change in Sub-processor), MDBUDDY shall ensure that appropriate safeguards are in place before the transfer occurs, such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses. MDBUDDY shall notify the Customer before any such transfer takes place and update this DPA accordingly.
13. Audit and Compliance
13.1 MDBUDDY shall make available to the Customer, on reasonable request, such information as is necessary to demonstrate compliance with this DPA and with Applicable Data Protection Laws.
13.2 MDBUDDY shall permit and contribute to audits and inspections conducted by the Customer or a qualified third-party auditor appointed by the Customer, subject to the following conditions: (a) the Customer shall give at least 30 days' written notice of any audit request; (b) audits shall be conducted during normal business hours and shall not unreasonably disrupt MDBUDDY's operations; (c) the auditor shall be bound by appropriate confidentiality obligations; and (d) the Customer shall bear its own costs of the audit.
13.3 Where MDBUDDY holds current certifications relevant to data security and information governance (such as Cyber Essentials, NHS Data Security and Protection Toolkit, or ISO 27001), MDBUDDY may provide copies of these certifications to the Customer in satisfaction of the audit right in clause 13.2, unless the Customer has specific and reasonable grounds requiring an on-site audit.
13.4 MDBUDDY currently holds Cyber Essentials certification. Details of current certifications and compliance status are set out in the MDConnect DPIA and Due Diligence Information Pack.
14. Data Protection Impact Assessments
14.1 MDBUDDY has conducted a Data Protection Impact Assessment in relation to the processing of personal data through MDConnect. A summary is available in the MDConnect DPIA and Due Diligence Information Pack.
14.2 Where the Customer is required to conduct its own DPIA in relation to its use of MDConnect (for example, as part of a local authority information governance review), MDBUDDY shall provide reasonable assistance and information to support the Customer's assessment.
15. Children's Data
15.1 MDConnect processes aggregate, non-identifiable data about children (counts of children at Settings, counts present at brushing sessions, participation rates). No individually identifiable data about children is collected or stored in MDConnect under normal operational use.
15.2 The exception is the incident reporting feature, through which Setting Users may report safeguarding concerns. Free-text descriptions submitted as safeguarding reports may contain individually identifiable information about children, which may constitute Special Category Data. This data is processed under the substantial public interest condition (Article 9(2)(g) UK GDPR, read with Schedule 1 Part 2 paragraph 18 of the Data Protection Act 2018, covering the safeguarding of children and individuals at risk).
15.3 MDBUDDY applies enhanced protections to safeguarding data, including restricted access within the platform, immediate escalation to the data compliance lead, and enhanced breach notification procedures as described in section 8.5.
15.4 MDBUDDY has regard to the ICO's Age Appropriate Design Code in the design and operation of MDConnect, although the platform is not accessed by children directly.
16. Liability
16.1 The liability of each party under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the MDConnect Terms and Conditions (section 13), except that neither party's liability for a breach of Applicable Data Protection Laws shall be limited to the extent that such limitation would be unlawful.
16.2 Each party shall be liable for any damage caused by its processing of personal data in breach of Applicable Data Protection Laws, in accordance with Article 82 of the UK GDPR.
17. Term and Termination
17.1 This DPA shall come into effect on the date of the Agreement and shall continue for the duration of the Agreement. It shall automatically terminate when the Agreement terminates or expires, subject to MDBUDDY's obligations to retain and securely delete data in accordance with section 9 of this DPA.
17.2 Sections 8, 9, 10, 11, 15, and 16 of this DPA shall survive termination of the Agreement.
18. General Provisions
18.1 This DPA shall be governed by and construed in accordance with the laws of England and Wales.
18.2 The parties agree that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute arising out of or in connection with this DPA.
18.3 If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
18.4 This DPA may be amended by MDBUDDY from time to time. Material changes shall be notified to the Customer in accordance with section 18.7 of the MDConnect Terms and Conditions.
SCHEDULE 1: PROCESSING DETAILS
S1.1 Categories of Data Subjects
CategoryDescriptionAdmin UsersStaff employed by or acting on behalf of Customers (Local Authorities and Programme Providers) who manage supervised toothbrushing programmes through MDConnect.Setting UsersStaff at schools, nurseries, early years providers, and care settings who use MDConnect to log brushing sessions, request stock, report incidents, access resources, and complete training.Setting contactsNamed individuals at Settings whose contact details are recorded in Setting profiles or contact log entries.Children (aggregate only)Children aged 3 to 5 (and in some cases older) whose participation is recorded as aggregate counts at the Setting level. No individually identifiable children's data is held except in safeguarding incident reports.Individuals identified in safeguarding reportsChildren, staff, or other individuals whose names or details may appear in free-text safeguarding incident reports submitted through the incident reporting feature.
S1.2 Categories of Personal Data
CategoryData ElementsUser account dataName, email address, role/position, login credentials, login timestamps, audit trail of actions performed.Setting institutional dataSetting name, address, email, phone, contact name, contact role, website, type, category, IMD score, SEND status, ownership, region, pipeline status.Session dataDate, time, duration, children present (count), staff member name, class identifier, Setting identifier.Stock request dataItems, quantities, notes, dates, submitting user, status history, assigned admin, internal comments, delivery dates.Contact log dataContact method, free-text notes, date/time, logging admin user, Setting identifier.Incident and safeguarding dataIssue type, free-text description, date, reporting user, status history, admin notes, resolution notes, assigned admin. May contain Special Category Data.Audit and QA dataDate, type, observations, follow-up notes, evidence files, submitting admin.Training dataName, module completion status, completion dates, certification status, certificate records.
S1.3 Purposes of Processing
PurposeLawful BasisProviding and operating MDConnectPerformance of a contract (Article 6(1)(b))User account management and platform securityPerformance of a contract (Article 6(1)(b)) and legitimate interests (Article 6(1)(f))Programme reporting including OHID quarterly returnsPerformance of a contract (Article 6(1)(b)) and legitimate interests (Article 6(1)(f))Recording and resolving safeguarding incidentsSubstantial public interest (Article 6(1)(e) and Article 9(2)(g), Schedule 1 Part 2 para 18 DPA 2018)Audit trails and quality assuranceLegitimate interests (Article 6(1)(f))Platform improvement and technical supportLegitimate interests (Article 6(1)(f))Anonymised data for research, public health, and policyLegitimate interests (Article 6(1)(f)) for anonymisation process; anonymised output is not personal dataCompliance with legal obligationsLegal obligation (Article 6(1)(c))
S1.4 Data Residency
All personal data is stored and processed within the United Kingdom and the European Economic Area. Hosting is provided by AWS Europe (Ireland and London regions) and Firebase Google Cloud Europe. No personal data is transferred outside these jurisdictions.
© MDBUDDY UK LTD 2026. All rights reserved.