EndoData SAS (Simplified Joint Stock Company / Société par actions simplifiée) registered at the RCS of Paris under the number 820 212 397 whose registered office is located at 50 rue Richer, 75009, Paris – France (hereinafter « EndoData »)
Version of January 2026

Keys Terms

These general terms and conditions (« GTC ») cover the terms and conditions of use and license of EndoData’s cloud-hosted software solution designed for dental clinical practice, including AI-based features (« OralData »). Access and use of OralData is subject to (i) these GTC, and its Appendixes including the Data Protection Appendix (« Appendix 1« ), and the Health Data Hosting Appendix (« Appendix 2« ), along with (ii) the conditions contained in the order related thereto which are preliminarily provided and discussed with the client, and (ii) to their acceptance by the client, along with the undertaking that its end-users comply with the GTC. In case of conflict or inconsistency between the GTC and the order, the GTC shall prevail. These GTC shall take precedence over all contrary stipulations appearing on the order or on any other document coming from the client.

Subscriptions, Changes and Termination

The client may request a monthly or yearly subscription to OralData (a « Subscription »), by sending an order by email at admin@oraldata.ai. The client must indicate the following elements in the order: (i) the desired number of right to access and use of OralData (i.e. number of end-users), (ii) the desired date for opening access to OralData, and (ii) the invoicing address. Once the order is received, EndoData shall accept or deny the order of the client by email within a reasonable time. Any order accepted may only be changed or modified by a signed, written agreement both by the client and by EndoData indicating the details of the modification to be made as well as the impact, where appropriate, of these modifications on the price and delay in installation. A Subscription may be terminated by the client, without penalty and without having to bring the case before the competent court, by notifying EndoData of the termination by email to admin@oraldata.ai, at least seven (7) calendar days before the end of each month. EndoData will expressly acknowledge receipt of this termination in writing and if applicable, shall inform the client of any outstanding amount owed by the client. In any case, there shall be no reimbursement of sums already paid by the client. Upon termination, all then-existing license(s) to use OralData and its documentation will terminate and the client shall promptly, with or without EndoData’s assistance, uninstall, destroy or return to EndoData all copies of OralData and its documentation, and certify in writing that all copies, including any backup copies, have been uninstalled, destroyed or returned to EndoData.

Claims

OralData is considered to be delivered when the client is provided with the credentials for accessing OralData. Immediately after first access to OralData, the client shall notify EndoData, in writing, of any claim in the case of defaults or defects observed. The client shall indicate in the claim the order number as well as all justifications regarding the reality of the defects or defaults observed. The client’s claim is only deemed received by EndoData if EndoData acknowledges receipt in writing. If the client does not file any claim within a period of five (5) days following first access to OralData, OralData shall be definitively deemed to comply with the order placed and have been irrevocably accepted by the client.

Training

At the beginning of the first Subscription of OralData, EndoData will deliver training on the use of OralData. This training will be delivered for a maximum period of two (2) hours to the client’s personnel who have the necessary technical knowledge to use OralData. Notwithstanding any training that may be provided free of charge by EndoData at its own discretion, any training delivered beyond a duration of two (2) hours may be subject to a separate quotation. The client acknowledges that EndoData does not commit itself to any guarantee of result with respect to the training provided to the client.

Support

As part of the Subscription, EndoData shall provide help desk assistance to client for difficulties met by the client’s personnel in the operation or use of OralData, as well as corrective maintenance of OralData. Requests for assistance must be sent to support@oraldata.ai.

Right to Use OralData

In consideration for the payment as provided in Article « Payment » below, EndoData shall grant the client a limited, personal, revocable, non-exclusive, non-transferable, non-sublicensable license to use OralData solely for dentistry purposes, for the duration of these GTC. Client is fully responsible and liable to EndoData for all use of OralData in breach of these GTC.

Intellectual Property Rights

EndoData owns all rights, title and interest in all intellectual property rights found on, provided by or embodied in OralData, and all intellectual property developed, acquired or otherwise obtained by EndoData, including any documentation or deliverables provided to client and any derivative works thereof. The content of OralData is protected by copyright, trademark, and other intellectual property and related laws. The client shall not distribute, modify, copy, sublicense, assign, transfer or otherwise make available OralData or any features or functionality thereof, to any third party, and shall not copy or use the content of OralData, whether in whole or in part, contrary to EndoData’s interests. EndoData does not guarantee that client’s utilization of OralData does not contravene the intellectual property rights of a third party. Any feedback, bug report or suggestion from the client or its end-users concerning OralData does not entitle the client or the end-users to any intellectual property rights on any new version or modification of any nature of OralData.

Payment

Payment will be made by monthly direct debit, and in any case, shall be made within thirty (30) days from the date of the invoice. The client receives the initial invoice once credentials are provided for first access to OralData, as set out in Article « Claims ». A possible claim does not excuse the client from settling the invoice on the due date. In the event of late payment, the interest rate is equal to the rate of interest applied by the European Central Bank increased by ten (10) percentage points. A fixed collection fee of forty euros (40€) shall equally be automatically due by the client.

Price and Taxes

The prices indicated on the order are in Euros and calculated with taxes. Any tax, duty, or charge to be paid in application of French or foreign law are borne by the client. The prices are those appearing as the rate in effect on the day of the order and reflected on the order confirmation. Prices are subject to change, higher or lower, at any time and without notice at the complete discretion of EndoData until the client has sent its order and it is confirmed by EndoData. In the course of a Subscription, prices may be changed by EndoData, subject to a three month notice to the client.

Breach

In the event of default of the client relating to the payment of the price, or any other breach such as, in particular, the failure to use OralData in accordance with the GTC, EndoData, at its discretion and without prejudice to any other legal remedy may (i) suspend the use rights provided in Article « Intellectual Property Rights » and/or (ii) cancel the order without reimbursement of the sums already paid by the client. The client agrees to pay all of the costs incurred by EndoData, including attorney fees and any other collection costs resulting from a breach of the client of these GTC.

No Guarantees

EndoData makes no warranties or guarantees, whether express or implied. Consequently, EndoData neither accepts nor assumes responsibility regarding the adequacy of OralData for the client’s requirements or the achievement of any intended results. The client acknowledges that because of the risks inherent to generative AI, any outputs generated by OralData AI-based features may be inaccurate, incomplete, or may contain errors or hallucinations. The client remains solely responsible for the review, validation, and use of all outputs, and for any resulting decisions or actions. To the fullest extent permitted by law, EndoData total liability for any and all claims, losses, costs or damages, resulting from or in any way related to these GTC shall not exceed an amount up to twice the fees paid by the client during the 12 previous months. EndoData shall not be liable in any event for indirect damages of any nature (including operating losses, data loss, commercial prejudice, commercial disturbances, lost profits, damage to image, this listing being non-exclusive) resulting from any use of OralData, including from any failure of the client towards a third party due to this use.

Client’s/User’s Use of OralData

OralData is solely intended to be used by health professionals in connection with clinical dentistry practice, specifically for improving data entry, follow-up and visualization within patient medical records as well as conducting studies on patient data. OralData may not be used for any other purpose. The client undertakes to respect these intended uses. The client has the responsibility to control the risks resulting from the use of OralData and to perform all additional research necessary to evaluate the risks induced by the use of OralData. The client agrees to obey the possible instructions given by EndoData relating to the use of OralData and not to misuse OralData in any manner.

Non-Intended Uses and Restrictions of Use

OralData is not a medical device according to EU laws and as such does not provide advice on diagnostic or drug prescription or dosage mentioned in OralData. The advanced research results and statistics generated by OralData are not intended to represent the reality of the practice. Importation of radiographs shall not be used for diagnostics purposes. OralData is not a tool for electronically signing prescriptions. OralData AI-based features do not retain any patient data. OralData does not ensure data backups. OralData shall not be used in any way that would infringe applicable laws and regulations, or any third party’s rights, specifically with regard to health data and medical data confidentiality and security.

Declarations and Guarantees of the Client

The client declares and guarantees that it, as well as its end-users, is a dental surgeon, qualified or student, licensed to practice and more generally has all the skills, experience, qualities and capacities required to use OralData and that no use of OralData shall contravene applicable laws and regulations, specifically with regard to any illegal practice as a dentist within an industrial company. Notwithstanding the foregoing, any member of the dental surgeon’s staff may also be authorized to use OralData, subject to the dental surgeon’s approval. The client declares and guarantees that it, as well as its end-users is aware of and will comply with the rules applicable to data processed through OralData, that can qualify as a medical records, in terms of deontology, data protection, professional secrecy, security and integrity (specifically regarding data access, data encryption and data exchanges with other healthcare professionals, with reference to the PGSSI-S). The client shall indemnify, defend and hold EndoData harmless against all claims, actions, suits and proceedings, and all resulting losses, liabilities demands, debts, costs and expenses (including attorneys’ fees and accounting costs) that EndoData might suffer or incur due to (i) violation of applicable law by client or any of its end users, or (ii) any claim or allegation against EndoData based on fault, breach of guarantee, damage caused, a contract or any other action of contractual or tort liability, as a result of the client or as a result of a third party, originating directly or indirectly from the use of OralData or due to a failure of the client to perform the obligations contained in these GTC.

Confidentiality

The client shall keep strictly confidential the existence, the nature and the contents of these GTC and all information which were and/or will be brought to its knowledge in connection with the negotiations of these GTC or prior thereto (hereinafter the « Confidential Information »). The client shall prevent the disclosure of the Confidential Information, except to members of its personnel who have a need to know for purposes of the GTC and who are bound by confidentiality obligations at least as strict as those stipulated in the GTC. These confidentiality obligations shall remain in effect during the entire term of the GTC and as long as the Confidential Information has not fallen into the public domain otherwise than through fault of the client and notwithstanding the expiration or termination of the GTC. All the Confidential Information received by the client in connection with the GTC shall be returned to EndoData or destroyed immediately on EndoData’s request.

Protection of Client Data

Client’s data entered, processed, stored or generated by OralData pursuant to these GTC, including, for the avoidance of doubt, patient’s data, shall remain client’s data, under all circumstances, and is strictly confidential. The client acknowledges and agrees that EndoData reserves the right to further process client data for the purpose of enhancing its own products and services, under the conditions set forth in Article « Personal Data Protection ».

Personal Data Protection

The client and EndoData acknowledge having full and complete knowledge of the obligations in application of European Regulation No 2016/679 dated 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter the « GDPR »), French Data Privacy Act, No 78-17 dated 6 January, 1978, as amended, and any other relevant applicable legislations (hereinafter collectively referred to as the « Personal Data Regulation ») which apply to them in their respective quality of (a) data controller for both parties, in order to manage their reciprocal commercial relationship (processing of business contacts personal data and OralData use); (b) data controller for the client, for the purpose of managing the patient records, in the course of its own activity (processing of patients’ personal data); (c) data processor for EndoData when it ensures, on behalf of the client and under its instructions, the implementation of the processing of personal data necessary for providing OralData, as well as helpdesk, support and maintenance; (d) data controller for the further processing of client data for the purposes of establishing analytics and statistics, conducting researches and studies, as well as developing or enhancing EndoData’s products, services and algorithms.

To the extent EndoData is required to access, manage or even, more generally, process personal data on behalf of the client as set forth in this Article « Personal Data Protection », (c), and as described in Appendix 1, EndoData undertakes to (i) act only upon documented instructions and not use personal data for purposes other than those provided for in the GTC, (ii) guarantee the security of EndoData’s premises, information systems and any processing automated or not, so as to prevent a breach of personal data which EndoData processes on behalf of the client (iii) make available to the client any information or documents it has expressly requested to enable the latter to demonstrate compliance with its obligations under the Personal Data Regulation, in particular by specifying as soon as possible to EndoData any instruction it has given to EndoData is likely to constitute a violation of the Personal Data Regulation, and by collaborating with the client in carrying out any impact assessment related to the processing of personal data by EndoData and, where appropriate, any prior consultation with the relevant domestic data protection authority; (iv) notify the client of any breach of personal data without undue delay after becoming aware of it and to attach this notification with any useful documentation in accordance with Personal Data Regulation; (v) reasonably assist the client in answering to requests from data subjects concerning their rights of access, rectification, erasure, if any limitation, opposition or portability of their personal data, and to correct or delete them; (vi) ensure that any transfer of personal data to a recipient located in a country outside the European Union has obtained the client’s prior and express approval and that such transfer is subject to a decision of adequacy by the European Commission or, if not, to appropriate safeguards pursuant to the Personal Data Regulation (e.g., standard contractual clauses or binding corporate rules); (vii) at the cancelation of all existing orders, delete or return all the personal data to the client, and delete existing copies or no longer using them for any reason whatsoever unless Union or Member State law requires storage of the personal data; (viii) ensure that all of EndoData’s obligations under this section are respected by any subcontractor, regardless of its rank or method of intervention, by expressly providing for these same obligations in the contract binding EndoData to the said company or the subcontractor to any further subcontractor.

Disclaimer

The client understands that despite EndoData’s utmost care and diligence in the development and maintenance of OralData, typographical errors or technical inaccuracies still may be present. EndoData reserves the right to rectify through new versions of OralData such errors as it becomes aware of them.

Change of Circumstances

Each party intends to assume the risks connected with any unforeseeable change of circumstances at the time of the conclusion of the GTC, which could make their performance unduly burdensome. Consequently, each party irrevocably waives reliance on the provisions of Article 1195 of the French Civil Code under the GTC.

Force Majeure

If the performance of the GTC is delayed or prevented as a result of an unforeseeable, unstoppable event over which EndoData has no control, such as, for example: war, strike, fire, pandemic, the deadline shall be consequently modified, subject to EndoData so notifying the client in order that all necessary measures to minimize the consequences of it can be taken.

Miscellaneous

The failure of EndoData to carry out in a strict manner all the conditions derived from the GTC or to exercise any right created from the GTC does not constitute a waiver by EndoData of its right to strictly apply these conditions or exercise this right thereafter. All rights and remedies pursuant to the GTC and these orders are cumulative and are added to, unless expressly stipulated in these GTC, all other rights and remedies that EndoData may have according to French law. Any waiver by EndoData to invoke a default under the GTC shall be made in writing and shall not constitute a waiver to invoke any other default or the same default under the GTC. If a stipulation of the GTC is considered void, illegal or inapplicable, the validity, legality and applicability of the remaining stipulations shall not be affected or diminished by this fact. The titles of the paragraphs of the GTC only have an indicative value: they are not part of the conditions and do not influence their interpretation.

Governing Law and Jurisdiction

These GTC, and all resulting disputes and claims shall be interpreted and governed by French law excluding the rules of the conflict of laws. All disputes occurring between the parties concerning or resulting from the existence, validity, interpretation, performance and the termination of these GTC (or one particular stipulation thereof) that the parties do not reach an amicable resolution in a period of thirty (30) days from the notification of the dispute by one of the parties shall be submitted to the exclusive jurisdiction of the competent courts of Paris, France or of its president acting in summary proceedings notwithstanding the plurality of defendants or the activation of guarantees.

Appendix 1 – Personal Data Processing

As data processor under Article « Personal Data Protection » (c) of the GTC, EndoData is required to access, manage, store or even, more generally, process personal data on behalf of client, as follows:

The security measures implemented by EndoData are as follows:

Appendix 2 – Health Data Hosting

1. Definitions – For the purposes of this Appendix, (i) « Health data » means the health data as defined by Article L. 1111-8 of the FHPC, i.e. health personal data collected in the course of prevention, diagnostic, care or social or medical/social activities, and; (ii) « Hosting service » means the temporary storage of the client Health data on EndoData’s servers, for the sole purpose of processing of such data by OralData in accordance with the GTC.
2. Health data hosting certification – EndoData is relying on the service of a certified health data hosting service provider certification, required by Article L. 1111-8 of the French Public Health Code (FPHC), for all of the activities listed in Article R. 1111-9 of the FPHC: https://esante.gouv.fr/offres-services/hds/liste-des-herbergeurs-certifies. Client personal data processing by EndoData is covered by Article 17 of the GTC, and completed by this Appendix regarding the Health data Hosting service, in order to provide the client with the required information under Article R. 1111-11 of the FPHC.
3. Scope of the Hosting service and Allocation of responsibilities – OralData is provided to the client and its end-users, in accordance with the GTC. The service levels regarding quality and performance are set out in the SLA. As part of OralData, the Hosting service, as defined in Article 1 of this Appendix, is strictly limited to a temporary storage and does not include any backup or archival service. In this context, EndoData hosts Health data in accordance with the documented instructions of the client and shall not use Health data for purposes other than those provided for in the GTC. To the strict extent of the Hosting service, EndoData shall comply with the requirements of Article L. 1111-8 of the FPHC, as described in this Appendix.
4. Professional secrecy – In the context of the Hosting service and in accordance with Article L. 1111-8, V, of the FPHC, EndoData shall be bound by professional secrecy. Notwithstanding compliance with such secrecy, the client acknowledges that governmental or judicial authorities may request access to data, in accordance with applicable law. EndoData shall inform the client of such request, unless prohibited to do so by applicable law.
5. Duty to advise – EndoData shall make its best efforts to inform the client of its obligations as controller of the Health data stored on the Hosting service, including any change in the Personal Data Regulation that may have an effective impact on the Hosting service by EndoData.
6. Data location – OralData, as well as any Health data that are stored by EndoData, are hosted in the European Union. Any transfer of Health data to a recipient located in a country outside the European Union shall obtain the client’s prior and express approval and such transfer shall be subject to a decision of adequacy by the European Commission or, if not, to appropriate safeguards pursuant to the Personal Data Regulation (e.g., standard contractual clauses or binding corporate rules).
7. Data subjects rights – The client shall be responsible for ensuring compliance with the requirements under Article L.1111-8 of the FHPC regarding data subjects prior information and right to object. Specifically, the client is responsible for answering data subjects requests. EndoData shall assist the client in answering to requests from data subjects concerning their rights under Personal Data Regulation (as applicable, right of access, rectification, erasure, limitation, opposition or portability of their personal data, and to correct or delete them), as well as under Article L. 1111-7 and L. 1111-8 of the FPHC (right of access to health records and related data and right to object to the outsourced health data hosting). Audit procedures are implemented by EndoData in order to ensure the effectiveness of such assistance and management of data subjects requests.
8. Data security – EndoData guarantees the security of EndoData’s premises, information systems and any processing automated or not, so as to prevent a breach of Health data which EndoData processes on behalf of the client. Within its scope of responsibility, the client acknowledges that it has to comply with the security framework referred to in Article L. 1470-5 of the FPHC, and specifically to the General Health Information Systems Security Policy (« PGSSI-S »), published by the French Digital Health Agency (« Agence du Numérique en Santé »). EndoData shall notify the client of any breach of Health data without undue delay after becoming aware of it and to attach this notification with any useful documentation in accordance with Personal Data Regulation. In this context, the client must provide the identity and contact details of the contact person that EndoData must notify in the event of such a data breach.
9. Data access – The client is responsible for authorizing and monitoring end-users access to Health data. Specifically, the client undertakes (i) to formalize, implement and regularly audit an identity and access control procedure; (ii) to comply with the rules applicable to health data confidentiality and professional secrecy, specifically the requirements applicable to health data exchange and sharing, as set forth by Article L. 1110-4 of the FPHC; (iii) to complies with the requirements set out by the security framework referred to in Article L. 1470-5 of the FPHC, specifically regarding identification and authentication requirements.
10. Subcontractors – EndoData shall ensure that all of its obligations under this Appendix are respected by any subcontractor, regardless of its rank or method of intervention, by expressly providing for equivalent obligations in the contract binding EndoData to the said company or the subcontractor to any further subcontractor.
11. Changes – EndoData shall have the right to modify or withdraw and/or to make other changes to the Hosting service, provided that EndoData provides notice to the client of any material change. In the event of material changes to the SLA, to the scope of the services of OralData or to the guarantee under Article 12 of this Appendix, the client will be asked to provide its approval, which shall not be unreasonably withheld. In the event of the client not approving the changes, the client shall be entitled to terminate the Subscription, under the conditions set forth in Article « Subscriptions, Changes and Termination » to the GTC.
12. Insurance – EndoData undertakes to maintain a professional liability insurance, for the entire duration of the order(s).
13. Termination of the Hosting service – At the cancellation of all existing orders, EndoData undertakes to delete or return any Health data stored on the Hosting service, and to delete existing copies or to no longer use them for any reason whatsoever within a timeframe of one (1) month unless Union or Member State law requires storage of the Health data, except where EndoData is a data controller as set forth in the GTC. The data shall be provided as a collection of JSON files for text data and a compressed archive (ZIP) containing the client’s binary files. Upon written request by the client, EndoData shall provide the client with the reasonable assistance in order for the client to complete the transition of Health data stored on the Hosting service, if any, to the client’s information systems.

Appendix 3 – Service Level Agreement (SLA) and Security Measures

Service Provider: OralData
Effective Date: 01/01/2026

1. Service Availability Commitment

1.1. Uptime Guarantee

OralData guarantees that the Service will be available 99.0% of the time during any monthly billing cycle (the « Uptime Commitment »).

1.2. Exclusions

The Uptime Commitment excludes downtime caused by:

• Scheduled maintenance (communicated at least 48 hours in advance).
• Force Majeure events (e.g., natural disasters, acts of government, general internet outages).
• Issues resulting from the Client’s hardware, software, or network connection.

2. Technical Support Services

2.1. Support Hours

Support is available Monday through Friday, 09:00 to 17:00 (Paris time), excluding French public holidays.

2.2. Response Time Objectives

OralData categorizes support requests based on severity and commits to the following initial response times:

3. Disaster Recovery & Continuity

3.1. Architecture & Resilience

• High Availability: The platform utilizes a serverless architecture with automatic scalability and built-in protections against Distributed Denial of Service (DDoS) attacks.
• Deployment Safety: Automated rollback capabilities protect against deployment errors.

3.2. Recovery Time Objective (RTO)

In the event of a catastrophic failure (e.g., region-wide data center loss), OralData guarantees a Recovery Time Objective (RTO) of 48 hours to restore the Service and data availability.

3.3. Backup Policy

4. Security & Data Protection

4.1. Encryption Standards

• At Rest: All databases and file buckets are encrypted using AES-256 via Google Cloud Platform.
• In Transit: Data transmission is secured via TLS 1.2 or higher (HTTPS).
• Endpoints: OralData internal workstations utilize full-disk encryption (FileVault) and auto-lock policies.

4.2. Access Control

• Authentication: Access is secured via Google Firebase Authentication with mandatory Multi-Factor Authentication (MFA).
• Internal Hygiene: OralData enforces a strict separation of duties. « Sysadmin » accounts are isolated from daily operations, and credentials are managed via an enterprise password manager (1Password). Strong security measures to prevent unauthorized data access (including database level RLS, and logical level filtering).

5. Service Credits (Remedies)

If OralData fails to meet the Uptime Commitment (Section 1.1) in a given month, the Client is eligible for a Service Credit calculated as a percentage of that month’s subscription fee:

Note: To receive a credit, the Client must submit a claim within 30 days of the incident.

6. Compliance & Infrastructure

6.1. Health Data Hosting (HDS)

In compliance with Article L.1111-8 of the French Public Health Code, all personal health data is hosted on infrastructure holding HDS (Hébergeur de Données de Santé) certification.

6.2. Authorized Subprocessors

OralData utilizes the following subprocessors:

• Google Cloud Platform (France/Belgium): Hosting, Database, Logs.
• Lettermint (EU): Transactional Email.
• AttachmentAV (EU): Malware scanning for uploaded files.

EndoData SAS
50 rue Richer, 75009 Paris, France
Email: admin@oraldata.ai
Support: support@oraldata.ai