Data Processing Agreement

Our standard DPA covers HIPAA Business Associate terms, GDPR processor obligations, and CPRA service-provider obligations in one document.

Every Wilma customer who processes PHI signs a Business Associate Agreement (BAA) before going live. This page summarizes the DPA. The signed copy lives in your account dashboard.

1. Purpose

This DPA governs Wilma's processing of personal data — including PHI — on behalf of Customer in connection with the Wilma platform. It incorporates the Standard Contractual Clauses where required and the HIPAA Business Associate terms required by 45 CFR § 164.504(e).

2. Roles

Customer is the Controller of personal data and the Covered Entity under HIPAA. Wilma is the Processor and Business Associate.

3. Scope of processing

  • Subject matter: answering patient phone calls and text messages, scheduling, insurance verification, recall outreach, intake.
  • Duration: the term of the underlying subscription, plus any limited period required for export and deletion.
  • Nature & purpose: operating the front desk of the dental practice on its behalf.
  • Data subjects: patients of the practice, practice staff, authorized callers.
  • Categories of data: contact information, appointment history, insurance and benefits, clinical notes shared by the practice, call audio, transcripts.

4. Wilma's obligations

  • Process personal data only on documented instructions from Customer.
  • Ensure that personnel are bound by confidentiality.
  • Implement the security measures described in our Security page.
  • Assist Customer in responding to data subject requests.
  • Notify Customer without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach.
  • Make available all information necessary to demonstrate compliance.

5. Subprocessors

Customer authorizes Wilma to engage subprocessors as listed on our Subprocessors page. Wilma imposes terms on each subprocessor that are no less protective than this DPA. We'll give Customer at least 30 days' notice of any change to subprocessors handling PHI.

6. International transfers

We process personal data in U.S. regions. Where Customer is located in the EEA, UK, or Switzerland, the Standard Contractual Clauses (SCCs) apply by reference.

7. Audits

Customer may, no more than once per calendar year and with reasonable notice, audit Wilma's compliance. We'll generally satisfy this requirement by providing our SOC 2 Type II report, penetration test summary, and HIPAA security rule assessment.

8. Return or deletion

At the end of the term, Wilma will (at Customer's choice) return or delete all personal data within 60 days, subject to legal-hold obligations.

9. Get the signed DPA

If you're evaluating Wilma and need the executable DPA for legal review, email our legal team or ask your sales contact. Existing customers can find their signed copy in the dashboard under Settings → Legal.