Scope and roles
This Data Processing Addendum (the “DPA”) applies whenever neolife processes personal data on behalf of a customer in connection with the neolife order-fulfillment service. neolife is the rail that carries a clinic’s compounded-prescription orders to that clinic’s pharmacy: orders arrive by chat, upload, or connected data; software drafts the order; a licensed provider approves it; the pharmacy fills it; and tracking flows back. A licensed provider approves every order. Always.
For the purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679, the “GDPR”) and the UK GDPR as defined in the Data Protection Act 2018, the parties acknowledge:
- Customer is the controller. The clinic, provider organisation, or pharmacy that engages neolife determines the purposes and means of processing the personal data submitted through the service and remains the controller (or, where it processes on behalf of another, a processor in its own right).
- neolife is the processor. neolife processes personal data only to deliver the service and only on the customer’s documented instructions, as set out in this DPA.
- Subprocessors engaged by neolife act as further processors under written terms that flow down the obligations in this DPA.
Where the customer is itself a processor for a third-party controller, neolife acts as a subprocessor and the customer warrants it has authority to engage neolife on those terms.
Subject-matter, duration, nature, and purpose
Subject-matter. The processing of personal data necessary to capture, draft, route for provider approval, transmit to the pharmacy, and return status and tracking for compounded-prescription orders.
Duration. Processing continues for the term of the services agreement and for any wind-down, return, or deletion period described in the “Return and deletion” section below.
Nature. Collection, structuring, storage, drafting and normalisation of order data, transmission to the controller’s designated pharmacy, retrieval of fulfillment and shipment status, and deletion or return on termination. neolife sits on top of the controller’s existing pharmacy systems; it does not dispense, manufacture, or substitute clinical judgment.
Purpose. To operate the order-fulfillment rail so the controller can submit orders to its pharmacy, have a licensed provider approve each order, and track fulfillment. neolife does not use customer personal data for its own purposes, for advertising, or to train general-purpose models.
Categories of personal data and data subjects
Categories of data subjects.
- Patients of the controller clinic.
- Prescribing and approving licensed providers.
- Clinic and pharmacy staff who operate the service.
Categories of personal data.
- Identifiers and contact details (name, date of birth, address, email, phone).
- Order and prescription details, including medication, dose, quantity, directions, and order identifiers.
- Health data and other special category data within the meaning of GDPR Article 9 (and protected health information where US law applies), to the extent contained in an order.
- Provider credentials and approval records, including audit timestamps.
- Shipment and tracking data, and operational logs.
neolife processes special category data only as needed to deliver the service and on the controller’s instructions. The controller is responsible for establishing a lawful basis and an Article 9 condition for the processing it directs.
Processing on documented instructions
neolife processes personal data only on the customer’s documented instructions, including with regard to international transfers, unless required to do otherwise by EU, UK, or Member State law to which neolife is subject. Where such a legal requirement applies, neolife will inform the customer before processing, unless the law prohibits this on important grounds of public interest.
The services agreement, this DPA, and the configuration the customer selects within the service constitute the customer’s complete and final documented instructions. If neolife considers an instruction to infringe the GDPR or UK GDPR, it will inform the customer.
Confidentiality
neolife ensures that persons authorised to process personal data are bound by an appropriate obligation of confidentiality, whether contractual or statutory. Access is limited to personnel who need it to deliver or support the service, and that access is logged.
Security of processing (Article 32)
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk to data subjects, neolife implements appropriate technical and organisational measures, including as appropriate:
- Encryption of personal data in transit and at rest.
- Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of systems.
- Role-based access controls, least-privilege provisioning, and authentication for personnel and integrations.
- Tamper-evident audit logging of order access and provider approvals.
- The ability to restore availability and access to personal data in a timely manner after an incident.
- A process for regularly testing, assessing, and evaluating the effectiveness of these measures.
The parties acknowledge that this processing involves health data; security measures are scaled to that sensitivity. Where US law applies, neolife also maintains HIPAA Security Rule safeguards under a separate Business Associate Agreement.
Assistance with data subject rights and breach
Data subject requests. Taking into account the nature of the processing, neolife assists the controller by appropriate technical and organisational measures, insofar as possible, in fulfilling its obligation to respond to requests to exercise data subject rights under Chapter III of the GDPR and UK GDPR, including access, rectification, erasure, restriction, portability, and objection. If a request comes to neolife directly, neolife will not respond except on the controller’s instructions and will promptly forward it.
Personal data breaches. neolife notifies the controller without undue delay after becoming aware of a personal data breach affecting the customer’s data, and provides the information reasonably available to help the controller meet its own notification obligations under Articles 33 and 34.
DPIAs and prior consultation. neolife provides reasonable assistance with data protection impact assessments under Article 35 and prior consultation with a supervisory authority under Article 36, taking into account the nature of processing and the information available to neolife.
Subprocessors
The customer grants neolife general authorisation to engage subprocessors to deliver the service. neolife maintains a current list of subprocessors and the processing each performs at neolife.health/legal/subprocessors.
neolife informs the customer of any intended addition or replacement of a subprocessor, giving the customer a reasonable opportunity to object on legitimate data-protection grounds. neolife imposes on each subprocessor, by written contract, data-protection obligations that are no less protective than those in this DPA (flow-down), and remains fully liable to the customer for the performance of each subprocessor’s obligations.
International transfers
Where neolife transfers personal data originating in the European Economic Area, the United Kingdom, or Switzerland to a country that is not the subject of an adequacy decision, the transfer is made under an appropriate safeguard in Article 46 of the GDPR or UK GDPR:
- EEA transfers are governed by the European Commission’s Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), with the relevant module completed and incorporated into this DPA by reference.
- UK transfers are governed by the UK International Data Transfer Addendum to those Standard Contractual Clauses, issued by the Information Commissioner under section 119A of the Data Protection Act 2018.
neolife carries out a transfer impact assessment where required and applies supplementary measures, such as encryption and access controls, where appropriate to protect transferred data. Where a conflict arises, the Standard Contractual Clauses and the UK Addendum prevail over this DPA in respect of the transfer they govern.
Audits and inspections
neolife makes available to the controller all information necessary to demonstrate compliance with the obligations in Article 28 of the GDPR and UK GDPR, and allows for and contributes to audits, including inspections, conducted by the controller or an auditor it mandates.
Audits are conducted on reasonable prior notice, no more than once per twelve-month period (except where a supervisory authority requires more, or following a material breach), during business hours, subject to confidentiality undertakings, and in a manner that does not unreasonably disrupt neolife’s operations or compromise the security of other customers. neolife may satisfy audit requests in the first instance by providing current third-party certifications and audit reports.
Return and deletion on termination
On termination or expiry of the services, neolife will, at the customer’s choice, delete or return all personal data processed on the customer’s behalf, and delete existing copies, unless EU, UK, or Member State law requires continued storage. Where the customer does not select an option within a reasonable period, neolife will delete the data.
Personal data retained to meet a legal obligation, or held in routine backups, remains subject to the security and confidentiality terms of this DPA until deleted in the ordinary course.
Liability and precedence
Each party’s liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the services agreement. This DPA does not limit any rights a data subject may have under the GDPR or UK GDPR.
A separately executed, countersigned DPA between the customer and neolife takes precedence over this web version. In the event of a conflict between this DPA and the services agreement on matters of data protection, this DPA prevails. In the event of a conflict between this DPA and the Standard Contractual Clauses or the UK Addendum, those instruments prevail in respect of the transfers they govern.
How to execute this DPA
To put a signed DPA in place for your organisation, email [email protected] with your legal entity name, registered address, and the name and title of your authorised signatory. We will return a countersigned copy, incorporating the Standard Contractual Clauses and UK Addendum where international transfers apply, and a Business Associate Agreement where US law applies.
Contact
Questions about this addendum or our processing can be directed to [email protected], or, for execution, to [email protected].
This addendum is provided for transparency and may be updated from time to time. Material changes will be reflected in the “Last updated” date above.