Data processing
Data Processing Agreement
A plain-language summary of the DPA we sign with every pharmacy — the Article 28 terms that govern how we process your customers' personal data on your behalf. This page orients; the signed DPA governs.
Last updated 2 July 2026
Summary, not the signed text
At a glance
- You're the controller; Farmacy OS is your processor.
- We process only on your documented instructions.
- EU (Ireland) hosting, tenant isolation, encryption, audit logs.
- Sub-processors are authorised with notice + an objection window.
- Breach notice without undue delay; SCCs for any transfer.
- Return or deletion of data at the end of the service.
On this page
Section 1
Roles of the parties
For your pharmacy’s customer, order and clienteling data, you are the controller and Farmacy OS is the processor. Where we determine purposes for our own account, billing, security or platform-improvement data, we act as an independent controller under our Privacy Policy.
Section 2
Subject matter, duration, nature & purpose
| Term | This DPA |
|---|---|
| Subject matter | Processing customer personal data to provide the Farmacy OS platform |
| Duration | For the term of the subscription, plus any wind-down period |
| Nature & purpose | Content, ads, clienteling, storefront and operations run on your behalf |
| Type of processing | Collection, storage, structuring, retrieval, use, and erasure |
Section 3
Categories of data & data subjects
- Data subjects: your pharmacy's customers, and your staff users.
- Data categories: contact details, purchase history, consent state, follow-up and routine context, and communications.
- Special category: health-adjacent data may be implied — minimised, and processed only under an appropriate Article 9 condition.
Section 4
Processing on documented instructions only
- We process customer personal data only on your documented instructions, including for transfers.
- We tell you if an instruction appears to infringe data-protection law.
- People authorised to process the data are bound by confidentiality.
Section 5
Security measures (Article 32)
- EU (Ireland) hosting on managed Postgres; AES-256 at rest, TLS 1.3 in transit.
- Per-tenant isolation enforced in application code and backstopped by Postgres Row-Level Security.
- Envelope encryption with KMS-held keys for the most sensitive fields.
- Least-privilege access, per-tenant audit logs, and time-boxed, reason-logged support access.
- Testing, dependency scanning, and a documented incident-response process.
Section 6
Sub-processors
You give general authorisation for us to engage sub-processors. We keep a current list, bind each to data-protection terms no less protective than this DPA, and notify you before adding one — so you can object within the window the DPA sets.
See the list
Section 7
Assisting with data-subject requests
Taking account of the nature of processing, we assist you — with appropriate technical and organisational measures, including per-tenant export and deletion tooling — to respond to data-subject requests to access, rectify, erase, restrict, port, or object.
Section 8
Personal-data breach notification
We notify you without undue delay after becoming aware of a personal-data breach affecting your data, with the information you need to meet your own notification obligations, and we assist with your DPIAs and prior-consultation duties where relevant.
Section 9
International transfers
EU customer data stays in the EU by default. Any transfer outside the EU relies on EU Standard Contractual Clauses plus a transfer impact assessment and supplementary measures such as encryption and, where offered, zero-data-retention routing for AI inference.
Section 10
Audits & information
We make available the information needed to demonstrate compliance with Article 28 and allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate — on reasonable notice and subject to confidentiality.
Section 11
Return & deletion at the end
On termination, at your choice, we return or delete the customer personal data and delete existing copies, unless law requires storage. You keep export tooling throughout — no hostage-taking.
Section 12
How to sign the DPA
Ask for the executable DPA at farmacie@farmacy-growth.com. It’s signed alongside your order form before we process any customer data.
Founder action · [F]
Finalise the executable DPA (with the current EU SCC modules and your Annexes I–III) with counsel, and decide whether to offer click-through acceptance or countersignature.