Routly

Data Processing Agreement

Last updated: 22 June 2026

This Data Processing Agreement ("DPA") forms part of, and is incorporated by reference into, the Routly Terms of Service agreed between a pharmacy ("the Pharmacy", "you") and PharmGrowth, trading as Routly ("Routly", "we", "us"). It applies whenever Routly processes Personal Data on the Pharmacy's behalf in the course of providing the Routly platform.

By creating a Routly account, the Pharmacy agrees to be bound by this DPA alongside the Terms of Service. If your pharmacy's own compliance process requires a separately executed copy for your records, email support@pharmgrowth.co and we'll be glad to provide one.

1. Definitions

Terms used in this DPA have the meanings given to them in UK GDPR and the Data Protection Act 2018, unless defined below.

  • "UK GDPR" means the UK General Data Protection Regulation, as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018.
  • "Personal Data", "Processing", "Controller", "Processor", "Data Subject" and "Personal Data Breach" have the meanings given in UK GDPR.
  • "Sub-processor" means any third party engaged by Routly to process Personal Data on the Pharmacy's behalf, as listed in Section 7.
  • "Services" means the Routly staff dashboard and driver mobile application, as described in the Terms of Service.

2. Subject Matter and Duration

This DPA governs the Processing of Personal Data by Routly on behalf of the Pharmacy for the duration of the Pharmacy's subscription, and continues to apply for as long as Routly retains any Personal Data processed under it (including during the data export window described in our Cancellation Policy).

3. Roles of the Parties

The parties agree that, in relation to the Personal Data described in Section 6 below:

  • The Pharmacy is the Controller, and determines the purposes and means of Processing patient and delivery data entered into the Services.
  • Routly is the Processor, and processes that Personal Data only on the Pharmacy's documented instructions, as set out in this DPA and the Terms of Service.

Where Routly collects the Pharmacy's own account, billing and contact information in order to provide and bill for the Services, Routly acts as an independent Controller of that information, as described in our Privacy Policy. This DPA does not apply to that category of data.

4. Processor Obligations

Routly shall:

  • process Personal Data only on the documented instructions of the Pharmacy, including with regard to international transfers, unless required to do otherwise by UK law (in which case Routly shall, where permitted, inform the Pharmacy before processing);
  • ensure that any person authorised to process Personal Data, including Routly's own staff, is subject to an appropriate duty of confidentiality;
  • implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Section 8 below;
  • not engage another processor (a Sub-processor) without the Pharmacy's prior general authorisation, which is given for the Sub-processors listed in Section 7; Routly will give reasonable notice of any intended changes to that list;
  • assist the Pharmacy, insofar as reasonably possible, in responding to requests from Data Subjects exercising their rights under UK GDPR;
  • assist the Pharmacy in ensuring compliance with its obligations relating to the security of Processing, breach notification, and data protection impact assessments;
  • at the Pharmacy's choice, delete or return all Personal Data after the end of the provision of the Services, in line with our Cancellation Policy, unless UK law requires retention;
  • make available to the Pharmacy all information reasonably necessary to demonstrate compliance with this DPA, and allow for reasonable audits, subject to reasonable prior notice and confidentiality.

5. Personal Data Breach Notification

Routly shall notify the Pharmacy without undue delay, and in any event within 72 hours of becoming aware, of a Personal Data Breach affecting the Pharmacy's Personal Data. The notification will, so far as reasonably possible, describe the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address it.

6. Details of Processing

  • Subject matter: provision of the Routly pharmacy delivery management platform
  • Duration: for the term of the Pharmacy's subscription, plus any agreed data retention/export period thereafter
  • Nature of processing: collection, storage, organisation, retrieval, use, disclosure (to delivery drivers and pharmacy staff) and erasure of data within the Routly platform
  • Purpose of processing: to enable the Pharmacy to manage and track patient medication deliveries, including route planning, driver communication, controlled drug compliance, and invoicing
  • Categories of Data Subjects: patients receiving deliveries; delivery drivers engaged by the Pharmacy
  • Categories of Personal Data: patient name, address, postcode, phone number, delivery instructions, controlled drug/fridge-item flags, delivery outcome notes, signatures; driver name, contact details, pay details, and live location data while on an active route
  • Special category data: none is expected to be processed beyond what may be inferred from delivery instructions (e.g. medical necessity); the Pharmacy is responsible for minimising any such data entered into the platform

7. Authorised Sub-processors

  • Supabase — database hosting and storage (UK region)
  • Railway — backend application hosting (UK region)
  • Netlify — frontend hosting for the staff dashboard and driver app (global content delivery network; serves the application interface only, not stored patient data)
  • Stripe — payment processing (PCI-DSS compliant; global service; billing data only, never patient data)
  • Google Maps Platform — geocoding, live tracking and route optimisation (global service; processes addresses transiently, not as part of a stored patient record)

8. Technical and Organisational Security Measures

  • Encrypted connections (HTTPS/TLS) across the staff dashboard, driver app, and all data transmitted between them and Routly's servers
  • Database-level row-level security ensuring each Pharmacy can only access its own data
  • Role-based access control for staff and driver accounts, including optional password protection on restricted sections of the staff dashboard
  • Mandatory witness signature capture for controlled drug deliveries, stored securely against the relevant delivery record
  • Restricted internal access to production systems, limited to personnel who require it to operate and support the Services

9. International Transfers

Patient and delivery data is stored and processed entirely on UK-region infrastructure (Supabase and Railway), and does not leave the UK in the ordinary course of providing the Services. Stripe and Google Maps Platform are global services that may process limited, non-patient data outside the UK as part of their normal operation; where this happens, appropriate safeguards are in place, such as the UK International Data Transfer Addendum or equivalent Standard Contractual Clauses.

10. Assistance with Data Subject Requests

Where a Data Subject submits a request directly to Routly relating to Personal Data for which the Pharmacy is the Controller, Routly shall promptly notify the Pharmacy and shall not respond to the request itself (other than to confirm receipt and redirect the Data Subject to the Pharmacy), unless otherwise instructed by the Pharmacy.

11. Liability

Each party's liability arising out of or related to this DPA is subject to the limitations of liability set out in the Terms of Service. Nothing in this DPA limits either party's liability arising from its own infringement of UK GDPR to the extent such liability cannot be excluded or limited under applicable law.

12. Term and Termination

This DPA takes effect when the Pharmacy creates a Routly account and continues for as long as Routly processes Personal Data on the Pharmacy's behalf. Either party may terminate this DPA by terminating the underlying subscription in accordance with the Terms of Service.

13. Governing Law

This DPA is governed by the laws of England and Wales, consistent with the governing law provisions of the Terms of Service.

14. Requesting a signed copy

This published DPA applies automatically to every Routly account and is incorporated into our Terms of Service. If your pharmacy's own compliance process requires a separately signed copy for your records, email support@pharmgrowth.co and we'll send one over.

© 2026 Routly. A PharmGrowth product. pharmgrowth.co support@pharmgrowth.co