01Parties
This Data Processing Agreement ("DPA") is entered into between:
- Processor: Pharmaexpo Ltd, trading as PExpo. Company number 12993595. Registered office: 277–279 Chiswick High Road, London, W4 4PU, United Kingdom.
- Controller: the Clinic or Brand entering into a PExpo services agreement ("Client").
Capitalised terms not defined here have the meaning given in the UK GDPR.
02Subject matter and duration
This DPA governs the processing of Personal Data by the Processor on behalf of the Controller for the duration of the underlying PExpo services agreement, and for any post-termination period required for return or deletion.
03Nature and purpose of processing
The Processor processes Personal Data only to deliver the contracted Services, which may include:
- Operating clinic dispensing workflows and dispatch.
- Operating white-label telehealth flows, including intake, prescribing and pharmacy fulfilment.
- Hosting branded patient portals on the Controller's domain.
- Routing transactional and lifecycle communications.
- Providing dashboards, audit trails and analytics to the Controller.
04Types of data and data subjects
Data subjects: patients, clinic users, brand users.
Categories of personal data:
- Identifiers (name, email, phone, date of birth).
- Account credentials and access logs.
- Order and dispense history.
- Health data and clinical intake responses (special category data under UK GDPR Article 9).
- Payment metadata (no full card data — handled by PCI-DSS providers).
05Controller obligations
The Controller will:
- Ensure it has a valid lawful basis (and, where applicable, Article 9 condition) for the processing instructed.
- Provide accurate and lawful processing instructions.
- Honour data subject requests where data is held by the Processor.
- Maintain its own records of processing under Article 30.
06Processor obligations
The Processor will:
- Process Personal Data only on documented instructions from the Controller.
- Ensure persons authorised to process Personal Data are under a duty of confidentiality.
- Implement appropriate technical and organisational security measures (encryption at rest and in transit, role-based access, MFA, logging, regular review).
- Use subprocessors only with the Controller's consent, and impose equivalent data protection obligations on them by contract.
- Assist the Controller with data subject requests, DPIAs and prior consultation with the ICO.
- Notify the Controller of a personal data breach without undue delay and in any event within 72 hours of becoming aware.
- Make available all information necessary to demonstrate compliance, and allow for audits or inspections at reasonable intervals.
07Approved subprocessors
The Controller authorises the following subprocessors:
| Subprocessor | Purpose | Location |
| JotForm Inc. | Form intake and submissions | USA (SCCs in place) |
| Cal.com, Inc. | Calendar and booking | USA (SCCs in place) |
| Cloudflare, Inc. | DNS, CDN, security, edge compute | Global (UK regions where possible) |
| Customer.io, Inc. | Transactional and lifecycle email | EU/USA |
| Hosting provider | Application hosting | UK / EU |
The Processor will give 30 days' notice before adding or replacing a subprocessor; the Controller may object on reasonable data-protection grounds.
08International transfers
Where Personal Data is transferred outside the UK, the Processor will rely on the UK International Data Transfer Addendum, Standard Contractual Clauses, or an adequacy decision, and apply additional safeguards where the receiving jurisdiction requires them.
09Return or deletion
On termination of the underlying services agreement, the Processor will, at the Controller's choice, return or securely delete all Personal Data within 30 days, save where retention is required by law (for example HMRC retention obligations) or for the establishment, exercise or defence of legal claims.
10Liability and indemnity
Liability under this DPA is limited as set out in the main PExpo Terms of Service. Each party indemnifies the other against losses arising from its own breach of this DPA or applicable data protection law.
11Governing law
This DPA is governed by the laws of England and Wales and is subject to the exclusive jurisdiction of the English courts.
12Signatures
Signed for and on behalf of the parties
Processor — Pharmaexpo Ltd
Name · Title · Date
Controller — Client
Name · Title · Date