Data Processing Agreement (DPA)
1. Scope and roles
- Data Fiduciary: the Tenant, who determines the purposes and means of processing of personal data of its retailers, customers, employees, MRs, doctors, and patients.
- Data Processor: PharmIT Services Private Limited, who processes Tenant Data on the Tenant's instructions, as set out in the Terms and this DPA.
- Data Principal: the natural person to whom the personal data relates.
- For personal data of the Tenant's own administrators (the people signing into the Platform on behalf of the Tenant), the Company is itself the Data Fiduciary; processing of that data is governed by the Privacy Policy.
2. Subject-matter, duration, and nature of processing
| Item | Detail |
|---|---|
| Subject-matter | Processing of Tenant Data to provide the PharmIT Platform per the Terms. |
| Duration | The Term of the Tenant's subscription, plus retention period in §8. |
| Nature | Hosting, storage, transmission, indexing, search, computation, communication, AI inference (when enabled by Tenant), backup, restore, deletion. |
| Purpose | Performance of contract; enabling the Tenant's billing, GST, scheme, SFA, sample, and accounting workflows. |
| Categories of Data Principals | Tenant employees, retailers / B2B customers, walk-in customers in retail-pharmacy mode, doctors visited by MRs, suppliers / vendors. |
| Categories of personal data | Names, contact details, GSTIN, drug-licence info, prescription images (where uploaded), MR GPS coordinates (where enabled), invoice metadata, payment references. |
3. Processor obligations
The Company will:
- Process Tenant Data only on the Tenant's documented instructions, including configuration choices in the Platform UI
- Ensure that personnel authorised to process Tenant Data are bound by confidentiality obligations
- Implement and maintain appropriate technical and organisational measures consistent with the IT Rules 2011 and ISO/IEC 27001-aligned controls (see the Security Statement)
- Assist the Tenant in fulfilling Data-Principal rights requests under the DPDP Act 2023, including access, correction, erasure, and portability
- Notify the Tenant of any personal-data breach without undue delay, and in any event within 24 hours of becoming aware
- Make available all information necessary to demonstrate compliance with this DPA, and allow audits per §7
- Delete or return Tenant Data on termination per §9
4. Tenant (Fiduciary) obligations
The Tenant warrants that:
- It has a lawful basis under DPDP §7 for each category of personal data uploaded to the Platform
- It has obtained valid consent (or relies on a valid alternative legal basis) before uploading personal data of Data Principals
- It will not upload personal data of children or persons with disabilities without complying with DPDP §9
- It is responsible for the legal classification of any data it uploads, including any sensitive categories
- It will configure the Platform's controls (retention, access, integration toggles) to match its lawful basis
- It will respond to Data-Principal rights requests in the manner and timeline required by DPDP and applicable law
5. Subprocessors
The Tenant authorises the Company to engage subprocessors for the provision of the Platform. The current list is published at /subprocessors and may be updated from time to time.
- Each subprocessor is bound by written terms imposing data-protection obligations no less protective than this DPA
- The Company will give at least 14 days' notice of any new subprocessor by updating the public list
- The Tenant may object on reasonable data-protection grounds; if the parties cannot agree, the Tenant may terminate the affected service for convenience
- The Company remains liable for the acts and omissions of its subprocessors
6. Technical and organisational measures
The Company implements and maintains technical and organisational measures appropriate to the risks presented by the processing, in line with Rule 8 of the IT (Reasonable Security Practices) Rules, 2011 and recognised information-security standards. Categories of measures include:
- Encryption of personal data in transit and at rest where supported by the underlying platform
- Role-based access control with the principle of least privilege; multi-tenant logical isolation
- One-way cryptographic hashing of authentication credentials
- Audit logging of administrative and business-critical actions, retained in line with applicable law and the CERT-In Direction (Apr 2022)
- Perimeter defences including web-application-layer protections and rate limiting
- Host-level intrusion-detection and file-integrity controls
- Routine vulnerability scanning and patch management
- Encrypted backups with appropriate retention and periodic restore drills
- A documented incident-response procedure
- Periodic personnel security and privacy training
- Background verification of personnel handling personal data, where lawful
For confidentiality reasons, the specific tools, vendors, software versions, and configuration parameters are not disclosed publicly. Customers under NDA may request additional detail.
7. Audit rights
The Tenant may, on at least 30 days' written notice and not more than once per calendar year:
- Request a copy of the Company's most recent independent audit report (e.g., ISO 27001 statement of applicability, SOC 2 Type II, or equivalent), if available
- Submit a reasonable written questionnaire on the Company's data-protection practices, to which the Company will respond within 30 days
- Conduct an on-site audit at the Tenant's expense, subject to the Company's reasonable security and confidentiality requirements, when an independent audit report is not sufficient and the Tenant has a specific evidence-based concern
8. Retention
The Company retains Tenant Data for the periods set out in the Retention Schedule, including statutory minimums under the GST Act (8 years) and Drugs Rules (5 years).
9. Return or deletion of Tenant Data
On termination of the Tenant's subscription, the Company will:
- Provide self-service export tools for 30 days from termination, allowing the Tenant to download a structured copy of Tenant Data
- After 30 days, delete or anonymise Tenant Data, except for portions subject to a statutory retention requirement (see §8) or pending dispute hold
- On Tenant's written request, certify deletion within 60 days
10. Cross-border transfers
Personal data is processed and stored in India. Any cross-border transfer will be limited to jurisdictions notified by the Central Government under DPDP §16, and only with appropriate safeguards (e.g., standard contractual clauses, additional encryption).
11. Liability under this DPA
The aggregate liability of each party under this DPA is subject to the limitation of liability in §7 of the Terms. Nothing in this DPA increases the Company's overall liability beyond that cap.
12. Order of precedence
In case of conflict, the order of precedence is: (1) this DPA, (2) the Terms of Service, (3) the AUP, (4) other policies. Provisions of this DPA prevail over conflicting provisions in the Terms only with respect to data protection matters.
13. Contact
Data-protection enquiries: privacy@pharmit.in
Grievance Officer: grievance@pharmit.in