PExpoPharma Platform
For Clinics For Brands Integrations Pricing About Blog Contact
Sign up →
For Clinics For Brands Integrations Pricing About Blog Contact Sign up →
Legal · DPA

Data Processing Agreement

Last updated: 14 May 2026

Contents

  1. Parties
  2. Subject matter and duration
  3. Nature and purpose of processing
  4. Types of data and data subjects
  5. Controller obligations
  6. Processor obligations
  7. Approved subprocessors
  8. International transfers
  9. Return or deletion
  10. Liability and indemnity
  11. Governing law
  12. Signatures

01Parties

This Data Processing Agreement ("DPA") is entered into between:

  • Processor: Pharmaexpo Ltd, trading as PExpo. Company number 12993595. Registered office: 277–279 Chiswick High Road, London, W4 4PU, United Kingdom.
  • Controller: the Clinic or Brand entering into a PExpo services agreement ("Client").

Capitalised terms not defined here have the meaning given in the UK GDPR.

02Subject matter and duration

This DPA governs the processing of Personal Data by the Processor on behalf of the Controller for the duration of the underlying PExpo services agreement, and for any post-termination period required for return or deletion.

03Nature and purpose of processing

The Processor processes Personal Data only to deliver the contracted Services, which may include:

  • Operating clinic dispensing workflows and dispatch.
  • Operating white-label telehealth flows, including intake, prescribing and pharmacy fulfilment.
  • Hosting branded patient portals on the Controller's domain.
  • Routing transactional and lifecycle communications.
  • Providing dashboards, audit trails and analytics to the Controller.

04Types of data and data subjects

Data subjects: patients, clinic users, brand users.

Categories of personal data:

  • Identifiers (name, email, phone, date of birth).
  • Account credentials and access logs.
  • Order and dispense history.
  • Health data and clinical intake responses (special category data under UK GDPR Article 9).
  • Payment metadata (no full card data — handled by PCI-DSS providers).

05Controller obligations

The Controller will:

  • Ensure it has a valid lawful basis (and, where applicable, Article 9 condition) for the processing instructed.
  • Provide accurate and lawful processing instructions.
  • Honour data subject requests where data is held by the Processor.
  • Maintain its own records of processing under Article 30.

06Processor obligations

The Processor will:

  • Process Personal Data only on documented instructions from the Controller.
  • Ensure persons authorised to process Personal Data are under a duty of confidentiality.
  • Implement appropriate technical and organisational security measures (encryption at rest and in transit, role-based access, MFA, logging, regular review).
  • Use subprocessors only with the Controller's consent, and impose equivalent data protection obligations on them by contract.
  • Assist the Controller with data subject requests, DPIAs and prior consultation with the ICO.
  • Notify the Controller of a personal data breach without undue delay and in any event within 72 hours of becoming aware.
  • Make available all information necessary to demonstrate compliance, and allow for audits or inspections at reasonable intervals.

07Approved subprocessors

The Controller authorises the following subprocessors:

SubprocessorPurposeLocation
JotForm Inc.Form intake and submissionsUSA (SCCs in place)
Cal.com, Inc.Calendar and bookingUSA (SCCs in place)
Cloudflare, Inc.DNS, CDN, security, edge computeGlobal (UK regions where possible)
Customer.io, Inc.Transactional and lifecycle emailEU/USA
Hosting providerApplication hostingUK / EU

The Processor will give 30 days' notice before adding or replacing a subprocessor; the Controller may object on reasonable data-protection grounds.

08International transfers

Where Personal Data is transferred outside the UK, the Processor will rely on the UK International Data Transfer Addendum, Standard Contractual Clauses, or an adequacy decision, and apply additional safeguards where the receiving jurisdiction requires them.

09Return or deletion

On termination of the underlying services agreement, the Processor will, at the Controller's choice, return or securely delete all Personal Data within 30 days, save where retention is required by law (for example HMRC retention obligations) or for the establishment, exercise or defence of legal claims.

10Liability and indemnity

Liability under this DPA is limited as set out in the main PExpo Terms of Service. Each party indemnifies the other against losses arising from its own breach of this DPA or applicable data protection law.

11Governing law

This DPA is governed by the laws of England and Wales and is subject to the exclusive jurisdiction of the English courts.

12Signatures

Signed for and on behalf of the parties

Processor — Pharmaexpo Ltd
Name · Title · Date
Controller — Client
Name · Title · Date
PExpoPharma Platform

The UK platform behind clinic dispensing and white-label telehealth — built by operators, for operators.

Solutions
  • For Clinics
  • For Brands
  • Integrations
  • Pricing
Company
  • About
  • Blog
  • Contact
Legal
  • Privacy
  • Terms
  • Cookies
  • DPA
PExpo is a trading name of Pharmaexpo Ltd, registered in England & Wales · Company No. 12993595 · Registered office: 277–279 Chiswick High Road, London, W4 4PU · ICO registered · UK GDPR compliant.
© 2026 PExpo. All rights reserved. · hello@pexpo.co.uk
GPhC alignedMHRAUK GDPRISO 27001Cyber EssentialsUK · US · EU
Operating across UK, US and EU.