Legal
Data Processing Agreement
Last updated 15 May 2026
PharmaSafe processes personal data on behalf of pharmacy organisations. As a controller you need a UK GDPR Article 28 DPA in place with us. Ours is short, plain-language, and ready to countersign.
Request the DPA
Email dpa@deephumanstudios.com with your organisation's legal name and registered address. We'll send the countersigned DPA within one working day.
For an instant copy of the template, click below.
What the DPA covers
- Roles — DeepHuman Studios is the processor; your organisation is the controller.
- Subject matter — incidents, SOPs, presence sessions, profile data that your team enters.
- Subprocessors — Supabase Inc. (EU), Microsoft Azure (UK + EU), Vercel Inc. (EU edge), Sentry (anonymised).
- Security — TLS 1.2+ in transit, encryption at rest, RLS-isolated tenancy, audit logging, SOC 2 controls in flight.
- Breach notification — within 48h of becoming aware.
- Data subject requests — we forward + assist within 5 working days.
- International transfers — none outside UK/EU/SCC-compliant regions.
- Sub-processor changes — 30 days' notice; right to object.
Standard Contractual Clauses
Where any subprocessor is established outside the UK/EEA we rely on the UK ICO's International Data Transfer Addendum (Feb 2022) layered over the EU SCCs (Module 2 / Module 3). Copies available on request as part of the DPA pack.
Related documents
- Privacy Policy — what we collect and why.
- Terms of Service — the commercial contract.
- Cookie policy — what we set on your browser.