DATA PROCESSING AGREEMENT (DPA)

(In accordance with Article 28 of the GDPR)

Last Updated: April 7th, 2026

1. Roles & Scope

Legal Text (Binding)

1.1 Definitions: For the purposes of this agreement, the Customer acts as Data Controller and Pharmalytics as Data Processor. The Processor undertakes the processing of personal data exclusively on behalf and at the direction of the Controller.

1.2 Nature of Processing: Processing involves the collection, storage (hosting), pseudonymization (hashing), and analysis of pharmacy sales data via Cloud infrastructure (SaaS).

In Plain Words (Explanation)

TL;DR
What this means:

You are the "Boss" of the data. You decide what data you give us.

We are the "Technicians". We process the data only to give you the charts and analyses you see on your screen, and for no other hidden purpose.

2. Security & Hashing

Legal Text (Binding)

2.1 Technical Measures: Pharmalytics takes all appropriate technical and organizational measures (Article 32 GDPR) for data security. We use Microsoft Azure & Fabric infrastructure with "at rest" and "in transit" encryption.

In Plain Words (Explanation)

TL;DR
What this means:

We use Microsoft's systems (the same ones banks use) for security.

3. Sub-processors

Legal Text (Binding)

3.1 Authorization: The Data Controller provides general permission to the Processor to use third-party service providers (Sub-processors) as listed in Annex A.

3.2 Main Provider: The primary infrastructure provider is Microsoft Corporation (Services: Azure SQL, Fabric, Entra ID). Data is hosted in Data Centers within the European Union (EU Region).

3.3 Changes: Pharmalytics must inform the Customer before any change or addition of a Sub-processor. The Customer has the right to object to new Sub-processors within 30 days.

In Plain Words (Explanation)

TL;DR
What this means:

For the application to work, we rent servers from Microsoft.

Your data stays in Europe and is protected by the strict rules of the EU. If we ever decide to change provider (e.g., go to Amazon or Google), we will inform you first.

4. Commercial Use of Aggregated Data

Legal Text (Binding)

4.1 Creation of Sets: The Processor is entitled to use the Data to create Aggregated Data which does not identify natural persons or specific pharmacies.

4.2 Ownership & Use: Such Anonymized Data is the intellectual property of Pharmalytics and may be used for market research purposes, algorithm improvement, and commercial exploitation, without time limit. This data ceases to be considered "Personal Data" under the GDPR.

In Plain Words (Explanation)

TL;DR
What this means:

We can take the numbers from all pharmacies together (e.g., "How many boxes of aspirin were sold in total in Greece") to produce statistics.

These general statistics are our own products. In no case will it be shown that the numbers came from *your* pharmacy.

5. Subject Rights & Breach Incidents

Legal Text (Binding)

5.1 Assistance: Pharmalytics will assist the Customer (to the extent technically feasible) in case a data subject exercises their rights (e.g., deletion, portability).

5.2 Breach Notification: In case of a data breach, Pharmalytics must inform the Customer without undue delay (within 48 hours of detection) and provide all relevant information for reporting to the Data Protection Authority.

In Plain Words (Explanation)

TL;DR
What this means:

If a customer asks you to delete their data, we will help you do it in our system as well.

If (knock on wood) our servers are hacked, we will tell you immediately (within 2 days) so you know what to do.

6. Duration & Deletion (Termination)

Legal Text (Binding)

6.1 Return/Deletion: Upon termination of the contract, Pharmalytics is obliged, at the Customer's choice, to delete or return all Personal Data. Deletion from backup systems is performed based on the Microsoft Azure retention cycle (usually 30 days).

In Plain Words (Explanation)

TL;DR
What this means:

If we stop working together, your data is deleted. We don't keep it "on the side". You can take it back before you leave.

7. Audit Rights

Legal Text (Binding)

7.1 Audit Right: The Customer has the right to conduct an audit of Pharmalytics' compliance with this Agreement and the GDPR, at most once (1) per calendar year.

7.2 Audit Procedure: The Customer must submit an audit request with at least thirty (30) days' notice. The audit may be conducted either on-site or remotely, as agreed. The Customer may appoint an independent auditor, subject to confidentiality.

7.3 Cost: The Customer covers the cost of the audit. If the audit reveals significant violations, Pharmalytics will cover the audit costs.

7.4 Limitations: The audit must be conducted during business hours and must not unduly disrupt Pharmalytics' operations.

In Plain Words (Explanation)

TL;DR
What this means:

You can "check" us once a year to make sure we keep our promises.

You need to ask us one month in advance. It can be done at our office or remotely. You can even bring your own auditor.

You pay for the audit. But if it turns out we made a mistake, we pay.

The audit happens during office hours and shouldn't stop us from doing our work.

8. Handling Data Subject Requests

Legal Text (Binding)

8.1 Request Submission: The Customer submits requests for the exercise of data subject rights (access, rectification, deletion, portability, restriction) via email to dpo@pharmalytics.gr.

8.2 Response Time: Pharmalytics will respond to the request within five (5) working days, confirming receipt. The completion of the request will take place within thirty (30) days of submission, unless an extension is required due to complexity.

8.3 Technical Feasibility: Pharmalytics will assess the technical feasibility of each request and inform the Customer if a request cannot be fulfilled for technical reasons.

8.4 Portability Format: Data for portability is provided in a structured, commonly used format (JSON or CSV).

In Plain Words (Explanation)

TL;DR
What this means:

When a customer asks you to see or delete their data, you send us an email at dpo@pharmalytics.gr.

We will answer within 5 days to say we got it, and we will finish the job within 30 days.

If something can't be done for technical reasons, we will let you know.

If you want to take your data, we will give it to you in JSON or CSV format (files that open with Excel).

9. Data Protection Impact Assessment (DPIA) Support

Legal Text (Binding)

9.1 Assistance in DPIA: Pharmalytics will provide the Customer with all necessary information to conduct a Data Protection Impact Assessment (DPIA) when required by Article 35 of the GDPR.

9.2 Information Provided: Pharmalytics will provide information regarding: (a) The nature of processing, (b) Technical security measures, (c) Sub-processors, (d) Breach procedures, (e) Subject rights.

In Plain Words (Explanation)

TL;DR
What this means:

If you need to do a "Risk Assessment" for your data (as required by GDPR in some cases), we will give you all the information you need regarding Pharmalytics.

APPENDIX A: Sub-processors

Legal Text (Binding)

Provider                        | Service             | Location          | Purpose
Microsoft Ireland Operations Ltd | Azure SQL Database  | EU (North Europe) | Data storage
Microsoft Ireland Operations Ltd | Microsoft Fabric    | EU (North Europe) | Data analysis
Microsoft Ireland Operations Ltd | Entra ID            | EU (North Europe) | Identity management
Plausible Insights OÜ            | Plausible Analytics | EU (Estonia)      | Usage statistics (anonymous)

Note: Plausible Analytics does not process personal data. It is used exclusively for anonymous traffic statistics.

APPENDIX B: Standard Contractual Clauses (SCCs)

Legal Text (Binding)

European Commission Clauses for the Transfer of Data to Third Countries (Version 2021/914 - June 4, 2021)

-----

MODULE 2: Transfer from Controller to Processor

APPENDIX I.A: List of Parties

PARTIES TO THE AGREEMENT:

Party A - Data Controller (Data Exporter):
  • Name: [Pharmacy/Business Name]
  • Address: [Address]
  • Signatory: [Name]

Party B - Data Processor (Data Importer):
  • Name: ONISIS Consulting IKE
  • Address: 5 Agias Glykerias, 11147 Athens, Greece
  • Signatory: Konstantinos Kormentzas

The data subjects' data transferred concerns pharmacy customers (Customer IDs with hashing) and sales data.

APPENDIX I.B: Description of Transfer

Category             | Description
Nature of processing | Collection, storage, analysis of sales data
Purpose              | Provision of BI and analytics services
Subject categories   | Pharmacy customers
Data types           | CustomerID (hashed), sales data
Sensitive data       | No
Retention period     | Duration of subscription + 180 days

APPENDIX I.C: Technical Security Measures

See Section 2.1 of this DPA and Appendix C: Technical Security Details.

APPENDIX C: Technical Security Details

Legal Text (Binding)

For your technical consultants, Pharmalytics' security is based on the following:

  1. Identity Management: Microsoft Entra ID (formerly Azure AD) with MFA support.
  2. Database Security: Azure SQL with Transparent Data Encryption (TDE) and Firewall rules.
  3. Analytics Engine: Microsoft Fabric with Row-Level Security (RLS) – each user sees only the data rows that correspond to them.
  4. Anonymization: Automatic Hashing (SHA-256) of identification fields during the ETL process.
  5. Encryption in Transit: TLS 1.3 for all communications.
  6. Encryption at Rest: AES-256 for all stored data.
  7. Access Logging: Full logging of all data access.
  8. Backup Encryption: Encrypted backups with a 30-day retention cycle.

-----

Contact for Data Protection Issues:

📧 dpo@pharmalytics.gr

📍 ONISIS Consulting IKE, 5 Agias Glykerias, 11147 Athens, Greece

Legal Disclaimer

The "In Plain Words" sections are provided for convenience only and have no legal effect. In the event of any dispute, the technical and binding legal text in the left column shall prevail. These documents are subject to the laws of the Hellenic Republic.
