Farmacy OS

Data processing

Data Processing Agreement

A plain-language summary of the DPA we sign with every pharmacy — the Article 28 terms that govern how we process your customers' personal data on your behalf. This page orients; the signed DPA governs.

Last updated 2 July 2026

Summary, not the signed text

This summarises the operative DPA in readable terms. The executed agreement — with the full Article 28 clauses and Standard Contractual Clauses — is what legally binds. Request it any time.

At a glance

  • You're the controller; Farmacy OS is your processor.
  • We process only on your documented instructions.
  • EU (Ireland) hosting, tenant isolation, encryption, audit logs.
  • Sub-processors are authorised with notice + an objection window.
  • Breach notice without undue delay; SCCs for any transfer.
  • Return or deletion of data at the end of the service.

Section 1

Roles of the parties

For your pharmacy’s customer, order and clienteling data, you are the controller and Farmacy OS is the processor. Where we determine purposes for our own account, billing, security or platform-improvement data, we act as an independent controller under our Privacy Policy.

Section 2

Subject matter, duration, nature & purpose

Term | This DPA
Subject matter | Processing customer personal data to provide the Farmacy OS platform
Duration | For the term of the subscription, plus any wind-down period
Nature & purpose | Content, ads, clienteling, storefront and operations run on your behalf
Type of processing | Collection, storage, structuring, retrieval, use, and erasure

Section 3

Categories of data & data subjects

  • Data subjects: your pharmacy's customers, and your staff users.
  • Data categories: contact details, purchase history, consent state, follow-up and routine context, and communications.
  • Special category: health-adjacent data may be implied — minimised, and processed only under an appropriate Article 9 condition.

Section 4

Processing on documented instructions only

  • We process customer personal data only on your documented instructions, including for transfers.
  • We tell you if an instruction appears to infringe data-protection law.
  • People authorised to process the data are bound by confidentiality.

Section 5

Security measures (Article 32)

  • EU (Ireland) hosting on managed Postgres; AES-256 at rest, TLS 1.3 in transit.
  • Per-tenant isolation enforced in application code and backstopped by Postgres Row-Level Security.
  • Envelope encryption with KMS-held keys for the most sensitive fields.
  • Least-privilege access, per-tenant audit logs, and time-boxed, reason-logged support access.
  • Testing, dependency scanning, and a documented incident-response process.

Section 6

Sub-processors

You give general authorisation for us to engage sub-processors. We keep a current list, bind each to data-protection terms no less protective than this DPA, and notify you before adding one — so you can object within the window the DPA sets.

See the list

The named core sub-processors (Supabase, Vercel, OpenAI, Stripe) and their regions are in the Privacy Policy.

Section 7

Assisting with data-subject requests

Taking account of the nature of processing, we assist you — with appropriate technical and organisational measures, including per-tenant export and deletion tooling — to respond to data-subject requests to access, rectify, erase, restrict, port, or object.

Section 8

Personal-data breach notification

We notify you without undue delay after becoming aware of a personal-data breach affecting your data, with the information you need to meet your own notification obligations, and we assist with your DPIAs and prior-consultation duties where relevant.

Section 9

International transfers

EU customer data stays in the EU by default. Any transfer outside the EU relies on EU Standard Contractual Clauses plus a transfer impact assessment and supplementary measures such as encryption and, where offered, zero-data-retention routing for AI inference.

Section 10

Audits & information

We make available the information needed to demonstrate compliance with Article 28 and allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate — on reasonable notice and subject to confidentiality.

Section 11

Return & deletion at the end

On termination, at your choice, we return or delete the customer personal data and delete existing copies, unless law requires storage. You keep export tooling throughout — no hostage-taking.

Section 12

How to sign the DPA

Ask for the executable DPA at farmacie@farmacy-growth.com. It’s signed alongside your order form before we process any customer data.

Founder action · [F]

Finalise the executable DPA (with the current EU SCC modules and your Annexes I–III) with counsel, and decide whether to offer click-through acceptance or countersignature.