Data Processing Addendum
How we process personal data, sub-processor list, GDPR compliance, and data breach notification.
1. Introduction
This Data Processing Addendum ("DPA") is incorporated into and forms part of the Terms of Service between QuantumCampus LLC ("Company," "we," "us," or "our") and the user or customer ("Customer," "you," or "your"). This DPA describes how the Company processes personal data on behalf of users and defines the responsibilities of the Company as a Data Controller and third-party service providers as Data Processors under applicable data protection laws, including the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), General Data Protection Regulation (GDPR), and other applicable privacy regulations.
2. Data Processing Roles and Responsibilities
2.1 Company as Data Controller
QuantumCampus LLC operates as the Data Controller regarding personal data collected through the DentistJourney.com platform. The Company determines the purposes and means of processing personal data in accordance with applicable law.
2.2 Third-Party Processors
The Company engages third-party service providers ("Data Processors" or "Sub-processors") to provide essential services that support platform operations. All Sub-processors are contractually bound to process personal data only in accordance with the Company's instructions and applicable data protection laws.
2.3 Processor Obligations (GDPR Article 28(3))
Each Sub-processor engaged by the Company is contractually required to:
- Process only on documented instructions: Process personal data only on the Company's documented instructions, unless required to do so by applicable law (in which case, the processor shall inform the Company before processing, unless prohibited by law)
- Confidentiality: Ensure that all personnel authorized to process personal data have committed to confidentiality obligations or are under statutory confidentiality obligations
- Security measures: Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (per GDPR Article 32)
- Sub-processor controls: Not engage another sub-processor without prior specific or general written authorization from the Company; where general authorization is given, the processor must inform the Company of any intended changes and provide an opportunity to object
- Data subject rights assistance: Assist the Company in responding to data subject requests under GDPR Chapter III
- Security and breach assistance: Assist the Company in ensuring compliance with GDPR Articles 32-36 (security, breach notification, DPIAs, and prior consultation)
- Deletion or return: At the Company's choice, delete or return all personal data upon termination of the processing relationship, and delete existing copies unless applicable law requires storage
- Audit cooperation: Make available to the Company all information necessary to demonstrate compliance with Article 28 obligations and allow for and contribute to audits and inspections
3. Processing Purposes and Scope
3.1 Permitted Processing Purposes
Personal data is processed solely for the following purposes:
- Delivery of platform services including AI-powered personal statement generation, mock interviews, school directory services, and acceptance chance calculations
- User authentication and account management
- Payment processing and package purchase management
- Customer support and technical support
- Analytics and platform improvement
- Compliance with legal obligations
- Communication regarding service updates and account activity
- Personalization of user experience
3.2 Categories of Data Subjects
Personal data is processed for the following categories of data subjects:
- Students/Users: Pre-dental students, dental students, residency applicants, and other registered Platform users
- Advisors: Credentialed dental professionals providing advisory services through the Platform
- Affiliate Marketers: Individuals or entities participating in the affiliate marketing program
- Website Visitors: Individuals who browse the Platform without creating an account
3.3 Types of Personal Data Processed
The following categories of personal data may be processed:
- Identifiers: Name, email address, phone number, IP address, device identifiers
- Educational Data: GPA, test scores, academic records, institutional affiliations
- Application Materials: Personal statements, essays, interview recordings, resumes
- Financial Data: Transaction records, billing information (no full card numbers stored)
- Professional Data: Licenses, certifications, work history (Advisors)
- Usage Data: Browsing activity, feature usage, session recordings, analytics data
- Communication Data: Support messages, feedback, in-platform communications
3.4 Scope Limitations
Processing is limited to what is necessary to achieve the above purposes. Personal data shall not be processed for any other purpose without obtaining prior explicit consent from the data subject.
4. Sub-Processor List and Data Locations
The Company works with the following Sub-processors to deliver platform services. Each processor has agreed to appropriate data protection safeguards:
4.1 Infrastructure and Storage
| Sub-Processor | Purpose | Data Residence | Agreement Type |
|---|---|---|---|
| AWS (Amazon Web Services) | S3 storage, RDS PostgreSQL database, SES email, SNS notifications, App Runner hosting | United States | Data Processing Addendum |
| Stripe | Payment processing, package purchases, and Stripe Connect payouts to Advisors and Affiliates | United States | Data Processing Addendum |
4.2 Artificial Intelligence and Machine Learning
| Sub-Processor | Purpose | Data Residence | Agreement Type |
|---|---|---|---|
| OpenAI | AI/LLM services for personal statement generation and interview feedback | United States | Data Processing Addendum |
| Anthropic | AI/LLM services for content generation and platform support | United States | Data Processing Addendum |
| Together AI | AI/LLM fallback services for interview feedback and content generation | United States | Data Processing Addendum |
4.3 Speech and Multimedia Processing
| Sub-Processor | Purpose | Data Residence | Agreement Type |
|---|---|---|---|
| Deepgram | Speech-to-text and text-to-speech services | United States | Data Processing Addendum |
| Simli | Lip-synced avatar video generation | United States | Data Processing Addendum |
4.4 Content Detection and Authentication
| Sub-Processor | Purpose | Data Residence | Agreement Type |
|---|---|---|---|
| GPTZero | AI content detection and academic integrity verification | United States | Data Processing Addendum |
| Originality.ai | AI content detection and plagiarism checking | United States / Canada | Data Processing Addendum |
4.5 Analytics and User Behavior
| Sub-Processor | Purpose | Data Residence | Agreement Type |
|---|---|---|---|
| Google Analytics (GA4) | Platform analytics and usage metrics | United States | Data Processing Addendum |
| Google Tag Manager | Event tracking and analytics implementation | United States | Data Processing Addendum |
| Microsoft Clarity | User behavior analytics and heatmapping | United States | Data Processing Addendum |
| Hotjar | User behavior analytics and session recording | European Union | Data Processing Addendum |
4.6 Authentication and API Services
| Sub-Processor | Purpose | Data Residence | Agreement Type |
|---|---|---|---|
| Google OAuth | User authentication and account linking | United States | Data Processing Addendum |
| Meta Platforms | Instagram/Facebook Graph API for social media integration | United States | Data Processing Addendum |
| X Corp | Twitter/X API for social media integration | United States | Data Processing Addendum |
4.7 Data Collection and Web Services
| Sub-Processor | Purpose | Data Residence | Agreement Type |
|---|---|---|---|
| ScrapingBee | Web data collection proxy for school program information | European Union | Data Processing Addendum |
5. International Data Transfers
5.1 Transfer Mechanisms
For users located in the European Union, United Kingdom, or other jurisdictions that restrict personal data transfers to the United States, the Company implements the following transfer mechanisms:
- Standard Contractual Clauses (SCCs): The Company has executed Standard Contractual Clauses approved by the European Commission with all Sub-processors that receive personal data from EU/UK users.
- Adequacy Decisions: Where applicable, data transfers are made to jurisdictions with which the EU/UK has issued adequacy decisions.
- Derogations: Limited transfers may be made under specific derogations to SCCs as permitted under Article 49 of the GDPR.
5.2 Transfer Documentation
Customers and data subjects may request copies of the Standard Contractual Clauses and supplementary transfer instruments by contacting privacy@dentistjourney.com.
6. Data Retention and Deletion
6.1 Retention Periods
Personal data is retained for the duration necessary to provide platform services and fulfill the purposes described in Section 3.1. Retention periods vary by data type:
- Account Data: Retained for the duration of the user's active account and ninety (90) days following account closure, after which it is deleted or anonymized
- Transaction Data: Retained in accordance with legal and financial compliance obligations
- Analytics Data: Retained for up to thirteen (13) months in accordance with analytics provider policies
- Communication Records: Retained for up to two (2) years to support customer service and dispute resolution
6.2 Data Deletion Upon Account Termination
Upon termination of a user's account, personal data is deleted or anonymized within thirty (30) days, subject to the following exceptions:
- Data retained to comply with legal obligations (tax records, financial transaction history)
- Data retained for dispute resolution, fraud prevention, or security purposes
- Anonymized or aggregated data that cannot identify the data subject
- Backup data deleted in accordance with normal backup deletion cycles
Users may request immediate deletion of their personal data by contacting support@dentistjourney.com.
7. Data Security Measures
7.1 Technical Security Controls
The Company implements the following technical security measures to protect personal data:
- Encryption in Transit: All personal data transmitted between users and the platform is encrypted using TLS 1.2 or higher
- Encryption at Rest: Sensitive personal data stored on the platform is encrypted using AES-256 encryption
- Database Security: Production databases are secured with role-based access controls, firewall restrictions, and multi-factor authentication
- Application Security: The platform is developed in accordance with OWASP Top 10 security standards and undergoes regular security testing
7.2 Organizational Security Controls
- Access Controls: Personal data access is restricted to authorized employees and contractors who require such access to perform their job functions
- Confidentiality Agreements: All employees and contractors sign confidentiality agreements binding them to protect personal data
- Security Training: All personnel with access to personal data receive annual security awareness training
- Incident Response: The Company maintains a documented incident response plan to address potential data security incidents
7.3 Sub-Processor Security
The Company requires all Sub-processors to maintain comparable security standards and undergo regular security assessments and audits.
8. Audit Rights and Compliance Verification
8.1 Audit Rights
Customers have the right to audit the Company's personal data processing practices, including:
- Verification of data processing instructions and compliance
- Review of security measures and controls
- Inspection of Sub-processor agreements and data handling procedures
- Confirmation of data retention and deletion compliance
8.2 Audit Procedures
- Standard Audits: Audit requests must be submitted in writing to legal@dentistjourney.com and shall be completed within thirty (30) days
- Independent Audits: The Company conducts periodic independent security audits and provides audit summaries upon request
- Cooperation: The Company shall cooperate in good faith with customer audits, including responding to written questionnaires, providing certifications, and facilitating necessary information access
8.3 Confidentiality
Audit results and sensitive security information shall be subject to appropriate confidentiality restrictions to protect the Company's legitimate business interests.
9. Data Subject Rights
9.1 Individual Rights
The Company facilitates the following rights for individuals (data subjects) in accordance with applicable privacy laws:
- Right of Access: Individuals may request access to their personal data
- Right to Rectification: Individuals may request correction of inaccurate personal data
- Right to Erasure: Individuals may request deletion of their personal data, subject to legal exceptions
- Right to Restrict Processing: Individuals may request restriction of personal data processing
- Right to Data Portability: Individuals may request their personal data in a portable, machine-readable format
- Right to Object: Individuals may object to certain types of processing
9.2 Rights Requests
Individuals and customers may submit data subject rights requests by contacting privacy@dentistjourney.com. The Company will respond to substantive requests within forty-five (45) days, in accordance with applicable law.
10. Data Protection Compliance
10.1 CCPA/CPRA Compliance
The Company complies with the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including:
- Consumer Rights: Respect for consumer rights regarding access, deletion, opt-out, and non-discrimination
- Notice Requirements: Provision of privacy notices at or before data collection
- Opt-Out Mechanisms: Clear mechanisms for consumers to opt out of the sale or sharing of personal information
- Service Provider Restrictions: Limitation of service provider use of personal data to the purposes for which it was disclosed
10.2 GDPR Compliance
For users in the European Union, the Company processes personal data in accordance with the General Data Protection Regulation (GDPR), including:
- Lawful Basis: Processing is based on necessary contract performance, legal compliance, or legitimate interests
- Data Protection Impact Assessment: The Company conducts Data Protection Impact Assessments (DPIA) for high-risk processing activities
- Data Protection Officer: Users may contact privacy@dentistjourney.com for data protection inquiries
10.3 Other Applicable Laws
The Company shall comply with all other applicable data protection laws in jurisdictions where users are located.
11. Data Breach Notification
11.1 Notification Timeline
In the event of a personal data breach, the Company will notify the applicable supervisory authority without undue delay and in no case later than seventy-two (72) hours after becoming aware of the breach, in accordance with GDPR Article 33. The Company will notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34). Sub-processors are contractually required to notify the Company of any personal data breach within twenty-four (24) hours of discovery, to enable the Company to meet its 72-hour regulatory notification obligation.
11.2 Notification Content
Breach notifications will include:
- Description of the breach and the data affected
- Likely consequences of the breach
- Measures taken or proposed to be taken to address the breach and mitigate harm
- Contact information for the Company's data protection contact
11.3 Regulatory Reporting
The Company shall report material breaches to applicable regulatory authorities in accordance with legal requirements.
12. Governing Law and Jurisdiction
This Data Processing Addendum shall be governed by and construed in accordance with the laws of the State of California, without regard to its conflict of law principles. Both parties consent to the exclusive jurisdiction of the courts located in Sacramento County, California.
13. Severability
If any provision of this Data Processing Addendum is held to be invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect. The invalid provision shall be modified to the minimum extent necessary to make it enforceable while maintaining the intent of the parties.
14. Entire Agreement
This Data Processing Addendum, together with the Terms of Service and other documents incorporated by reference, constitutes the entire agreement between the parties regarding the processing of personal data and supersedes all prior negotiations, understandings, and agreements, whether written or oral.
15. Amendments and Updates
The Company may update this Data Processing Addendum from time to time to reflect changes in data protection laws, Sub-processor changes, or improvements in data security practices. Material amendments will be provided to customers with at least thirty (30) days' notice. Continued use of the platform after an amendment's effective date constitutes acceptance of the updated DPA.
16. Contact Information
For questions regarding this Data Processing Addendum or to exercise data protection rights:
Legal Department: QuantumCampus LLC 2108 N St, Suite N Sacramento, CA 95816, USA Email: legal@dentistjourney.com Phone: (650) 240-0799
Privacy Contact: Email: privacy@dentistjourney.com
Customer Support: Email: support@dentistjourney.com
End of Data Processing Addendum
Questions About This Document?
If you have any questions, please contact us: