DS Core Technical and Organizational Measures

This document identifies and describes the technical and organizational measures implemented in Dentsply Sirona's DS Core platform to protect personal data.  From a functional perspective, DS Core enables customers and designated users to upload, store, view, send, and receive patient data in the form of dental documentation (e.g., radiographs, optical images, reports).  DS Core can accept dental documentation from a wide range of devices and other sources and can provide output through a similarly broad range of options.  To protect sensitive patient information, the DS Core software platform employs a multi-layered approach to data security.

These Technical and Organizational Measures have been implemented in accordance with Article 32 of the General Data Protection Regulation (“GDPR”) and take into account requirements from the Health Insurance Portability and Accountability Act (HIPAA), the C5 Compliance Catalogue (C5), and other relevant data protection standards. 

In developing these measures, Dentsply Sirona has taken into consideration the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons and on basis of company-wide regulations.  These measures ensure an appropriate level of security, as detailed below.

Personal data in the DS Core platform includes the health data of patients, which is collected and controlled by the dental practices and practitioners who are Dentsply Sirona’s customers.  In addition, the DS Core platform contains personal data of practitioners, employees, and other users.

1.1 Physical Access Control

The purpose of the physical access control in place is to prevent unauthorized access to facilities where personal data is processed.

DS Core uses Google Cloud Platform (“GCP”) for its data centers outside of China. These data centers are fully owned and managed by Google, adhering to security best practices and holding relevant certifications.  Access to Google data centers is fully managed and controlled by Google.  

• Physical security measures in place include:
• Clear establishment of property boundaries with signage and fencing surrounding the facility.
• Guards patrol the perimeter 24/7.
• Guards perform exterior and interior surveillance with closed circuit television (CCTV) and thermal cameras.
• Physical access requires authorization, either through personalized, electronic company ID card or registration at reception/plant security.  Access is further restricted to areas based on roles and responsibilities.
• Multiple security checkpoints are in place, using ID badges and iris scans to validate the identity of visitors.

1.2 Electronic Access Control

The purpose of the electronic access control is to prevent unauthorized access to systems that process personal data.

DS Core uses Google Cloud Platform (“GCP”) for its data centers outside of China. These data centers are fully owned and managed by Google, adhering to security best practices and holding relevant certifications.  Access to Google data centers is fully managed and controlled by Google.  

• DS Core uses a modern identity and access management system that supports modern authentication methods (MFA, OAuth 2.0, OIDC), external IdP integration, and SSO. 
• Users authenticate with email address and password.  No anonymous access is possible.
• Logon data is transmitted over an encrypted channel.  
• DS Core enforces password complexity checks, provides strong/weak password indication, and validates against leaked password databases. 
• Administration of the identity and access management system itself is secured with MFA and automated processes for configuration management.
• Connected equipment from Dentsply Sirona typically uses private CA-signed certificates for asset authentication and public CA-validated server certificates for every connection.

1.3  Internal Access Control

The purpose of internal access control is to ensure that persons who use systems where personal data is stored only have access to the parts of the system they need for the fulfillment of their duties.

The following security measures are in place:

• DS Core uses role-based access controls (“RBAC”).  Permissions are defined by role and cannot be further customized.
• On the Dentsply Sirona side, non-production environments have broader access permissions, while production access is highly restricted. Continuous Integration/ Continuous Delivery (CICD) pipelines adhere to similar access control measures.
• User activity logs include user identification, date and time of access, system components to which access was attempted, type of access right and DS scope and access authorization.  Logging mechanisms cannot be disabled or modified and will detect such modifications or disabling and send alerts with respect to the foregoing to the DS Core security team.

1.4  Isolation Control

The purpose of the isolation control is to ensure that data collected for different purposes can be processed separately.

The following security measures are in place:

• Logical separation of data between customers.
• Personal data is strictly separated between the Google Data Centers.  As an example, data from US customers is stored in US only.
• Production systems are separated from development and test systems.

1.5  Pseudonymisation and anonymization

The purpose of pseudonymisation is to protect the personal data by ensuring that it cannot be associated with a specific data subject without the assistance of additional information. 

Anonymization and pseudonymization options are available at the User’s discretion for shared patient media files.

2.1  Data Transfer Control

The purpose of the data transfer control is to ensure that personal data cannot be read, copied, changed or deleted in an unauthorized way during an electronic transfer, physical transportation or storage on a data storage medium.

The following security measures are in place:     

• Encryption in transit: All data in transit is encrypted with TLS 1.2.
• Encryption at rest: All data at rest is encrypted with the Advanced Encryption Standard AES-256 or greater. 

2.2 Data Entry Control

The purpose of the data entry control is to verify retroactively whether and by whom personal data was entered, changed, or deleted from a data processing system.

The following security measures are in place:

• DS Core logs user activities providing details about user actions on patient files and the equipment. These logs can be provided by our technical support or directly accessed by Enterprise customers.  

3.1 Availability Control

The purpose of the availability control is to ensure that personal data is protected against accidental destruction or loss. 

The following security measures are in place, using functionality available from our cloud hosting provider for DS Core:

• DS Core uses high availability configurations with synchronous replication across zones. 
• Daily backups are retained.
• Deletion protection is active for all databases.
• Scheduled automated backups and platform automation scripts are employed.
• Customer controls retention of their data.
• Our cloud service provider provides state-of-the-art virus protection and firewalls.
• Our cloud service provider provides protection against fire, overheating, water damage, overvoltage and power failure in their data centers.
• A Cloud Operations Team monitors the health status of cloud services.
• Redundancy is deployed for all critical infrastructure.
• Backup power is available 24/7.

3.2 Rapid Recovery 

The purpose of the rapid recovery control is to ensure that in case of disruption, the stored data will be made available again as soon as possible. 

The following security measures are implemented by the DS Core team, some of which use functionality available from Google Cloud Platform, the cloud hosting provider for DS Core:

• DS Core facilitates the recovery of patient data from redundant storage (different Google data centers).
• DS employs redundancy with an SLA of 99.99%.
• Regional storage service includes other data protection techniques such as data encryption and redundancy across multiple data centers.
• Controlled escalation path exists within the DS Core and Dentsply Sirona team, defining responsibilities and actions to be taken.
• Backup/restore processes are documented. 

4.1  Data Protection Management

The purpose of data protection management is to ensure that appropriate technical and organizational measures have been identified and implemented.

The following organizational measures are in place:

• Dentsply Sirona has a centralized data protection organization which defines goals, duties, competencies and responsibilities regarding data privacy.
• Dentsply Sirona has global Data Protection Policies and Guidelines, defining company standards.
• Dentsply Sirona employees working with DS Core undergo regular security training as part of their standard training curriculum.  

The following technical measures are in place at the platform level:

• DS Core infrastructure is managed under a Super Admin account with restricted access for authorized Dentsply Sirona personnel (protected by Multi-Factor Authentication (“MFA”) and requiring Dentsply Sirona hardware).
• DS Core implements system protection measures, including regular deployment of critical patches, anti-virus clients, additional security agents (vulnerability scanner, Incident Response (IR) agent), network vulnerability scans, and segregated network operation. A firewall protects the production system. Separate development, test, and production environments with consistent security controls are maintained.
• Network segmentation is achieved using Virtual Private Clouds (“VPCs”).  Firewalls control traffic flow between network segments.
• Denstply Sirona uses tools to mitigate external attacks, leveraging advanced DDoS protection and a web application firewall (“WAF”) to defend against volumetric and application-layer attacks respectively, and monitor for potential threats.
• Cloud infrastructure projects are created using an application that enforces organizational policies.
• Dentsply Sirona teams manage access to DS Core GCP environments.  Access requests are handled via a ticketing system. Continuous Integration/ Continuous Delivery (“CICD”) pipelines adhere to similar access control measures.
• Connection to the DS Core Platform by DS personnel and vendors via mobile devices is limited in accordance with the levels of security and sensitive of the Customer Personal Data and the risks associated with the connectivity to mobile devices and corresponding requirements for protection such as encryption methods.
• DS Core platform development follows a continuous deployment strategy.  Minor changes including security fixes are implemented daily with no required user interaction.  Major updates are released at least quarterly.  
• Continuous vulnerability scans, risk assessments, and penetration tests are conducted to ensure platform security.  These assessments follow industry best practices and are performed by both internal security teams and external cybersecurity experts.
• Identified vulnerabilities are assessed based on their severity and addressed through a structured remediation process. Security updates and patches are deployed as stated above.

The following technical measures are in place at the customer account level:

• DS Core customers own and control the patient data within their account.  Dentsply Sirona acts as a processor. 
• Google does not have access to this data. 
• Third-party labs access data only when explicitly shared by the customer during an order. 
• Unless otherwise legally required, customer data will be stored as long as the customer keeps the practice account active (including payment of subscription). Customer data can be deleted at any time by the registered users, provided that this does not conflict with legal retention obligations. 

4.2  Incident Response Management

The purpose of incident response management is to ensure that cybersecurity incidents are identified and responded to appropriately.

The following security measures are in place:

• Dedicated Cloud and Security Operations team;
• Automated anomaly detection and alerting;
• Regular reviews of cybersecurity logs and systems and regular testing;
• Formal incident response process which includes investigation, containment, eradication, and restoration, 
• Incident management policy and process

4.3 Data Protection by Design and Default

The purpose of this section is to ensure that the security of personal data is considered and is the default configuration when developing new products and services.

The following security measures are in place:

• DS policy requires a Privacy by Design Assessment of projects and products which process personal data.
• Security is one aspect of the Privacy by Design assessment in which DS ensures that personal data processed by the product or service is protected appropriately.

4.4 Engaging Third Parties

The purpose of this section is to ensure that personal data, which is processed by third parties, will not be processed without clear and unambiguous contractual arrangements.

The following security measures are in place:

• Dentsply Sirona follows established procurement procedures and criteria, including security assessments, when selecting and onboarding new sub-processors. Partner services and systems must meet minimum security requirements if supporting the DS Core Platform. 
• Dentsply Sirona has an appropriate contract with each sub-processor.