Data Processing Addendum
HEY PRESTO LTD – UK GDPR DATA PROCESSING ADDENDUM (DPA)
Last updated: 2026-05-17
This Data Processing Addendum (“DPA”) forms part of the agreement between HEY PRESTO LTD (“Processor”) and the Customer (“Controller”) relating to use of the Presto platform.
1. PURPOSE
This DPA applies where Presto processes personal data on behalf of a Customer in connection with the Platform.
This DPA applies only to Customer data that the Customer uploads to, stores within, or instructs Presto to process through the Platform.
2. ROLE OF THE PARTIES
The Customer acts as data controller.
Presto acts as data processor where processing Customer personal data solely on behalf of the Customer.
Nothing in this DPA prevents Presto acting as an independent controller for:
billing;
account administration;
fraud prevention;
legal compliance;
analytics;
and operational management.
3. PROCESSING DETAILS
Subject Matter
Provision of the Presto platform and related workflow/payment facilitation services.
Duration
For the duration of the Customer relationship and any applicable retention period.
Nature and Purpose
Hosting, processing, organisation, storage, communication, workflow facilitation, and payment-related administration.
Categories of Data Subjects
May include:
dental professionals;
laboratory personnel;
practice staff;
and patients.
Categories of Personal Data
May include:
names;
contact details;
workflow information;
transaction references;
appliance/workflow details;
and limited patient-related administrative information.
Presto is not intended to store comprehensive medical records or extensive clinical histories.
4. PROCESSING OBLIGATIONS
Presto shall:
process personal data only on documented instructions from the Customer;
ensure persons authorised to process data are subject to confidentiality obligations;
implement reasonable technical and organisational security measures;
and comply with applicable data protection laws relating to processors.
5. CUSTOMER RESPONSIBILITIES
The Customer warrants that it:
has a lawful basis for processing personal data;
has provided required notices;
has obtained required consents where applicable;
and may lawfully submit personal data to the Platform.
The Customer shall not submit unnecessary or excessive personal data.
6. SUBPROCESSORS
The Customer authorises Presto to use subprocessors including:
Stripe
Airtable
Fillout
MiniExtensions
Twilio
hosting providers
analytics providers
Presto may update subprocessors from time to time.
Presto shall maintain appropriate contractual protections with subprocessors where required by law.
7. INTERNATIONAL TRANSFERS
Where personal data is transferred outside the United Kingdom, Presto shall implement appropriate safeguards in accordance with applicable data protection laws.
8. SECURITY
Presto shall implement reasonable technical and organisational measures appropriate to:
the nature of the processing;
the sensitivity of the data;
and the risks involved.
9. DATA SUBJECT RIGHTS
Where reasonably possible and appropriate, Presto shall assist the Customer in responding to requests relating to:
access;
correction;
deletion;
restriction;
portability;
and objections.
10. PERSONAL DATA BREACHES
Presto shall notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer personal data where notification is legally required.
11. RETURN AND DELETION
Upon termination of services, Presto may delete or return Customer personal data in accordance with:
applicable law;
operational requirements;
retention obligations;
and backup/security procedures.
Presto may retain:
securely archived backups;
legal compliance records;
and anonymised or aggregated data where lawful.
12. AUDITS AND INFORMATION
Presto shall provide reasonable information necessary to demonstrate compliance with this DPA, subject to:
confidentiality obligations;
security requirements;
proportionality;
and protection of other customers.
13. GOVERNING LAW
This DPA is governed by the laws of England and Wales.