Data Processing Agreement

Article 28 GDPR DPA between you (the controller) and us (the processor). Applies whenever you use our Service to process personal data of your end-users.

Effective date: 3 June 2026

1. Parties and incorporation

This Data Processing Agreement (“DPA”) is entered into between the customer identified in the Drug Catalog account (the “Controller”) and the company operating Drug Catalog at drug-database.com (the “Processor”, “we”, “us”), a company incorporated under Swiss law. This DPA is incorporated into and forms part of the Terms of Service between the parties (the “Principal Agreement”) and is effective on the date the Controller accepts the Terms of Service or, if later, the date the Controller first uses the Service to process personal data of its end-users.

This DPA satisfies Article 28 of Regulation (EU) 2016/679 (“GDPR”) and the equivalent provisions of the Swiss revised Federal Act on Data Protection (“nFADP”). It applies whenever the Processor processes personal data on behalf of the Controller.

2. Subject matter and duration

Subject matter. Processing of personal data by the Processor on behalf of the Controller for the purpose of providing the Service described in the Principal Agreement (a worldwide drug master and interactions API, change feed, MCP server, and associated dashboards and SDKs).

Duration. The term of the Principal Agreement, plus any post-term period required for the return or deletion of personal data under Section 12.

3. Nature and purpose of processing

The Processor processes personal data only to:

  • authenticate API requests and dashboard sessions originating from the Controller’s tenant;
  • meter API usage and enforce quota and rate-limit policies;
  • route bucketed clinical context submitted to /v1/prescriptions/validate to the Processor’s PHI Gateway sibling product and retain counters and elapsed times for audit;
  • generate billing records and operational telemetry;
  • respond to the Controller’s support requests;
  • fulfil any other instruction the Controller documents in the dashboard or in a signed addendum.

4. Categories of data subjects

The processing may relate to the following categories of data subjects:

  • employees, contractors, and authorised personnel of the Controller (dashboard users, API key holders);
  • end-users of the Controller’s application (e.g. clinicians, pharmacists, healthcare professionals using the Controller’s product).

5. Categories of personal data

  • Identification and contact data of the Controller’s administrators: name, owner email, country code.
  • Authentication data: hashed API keys, HMAC-signed session cookies, single-use magic-link tokens.
  • Technical metadata of API calls: key identifier, endpoint, HTTP status, response time, request count. Drug catalogue values (drug names, ATC, NDC, Pharmacode, GTIN, dm+d) are not recorded.
  • Webhook destination URLs and HMAC signing secrets configured by the Controller.
  • Bucketed clinical context (age band, eGFR band, pregnancy flag, condition codes) submitted to the /v1/prescriptions/validate endpoint. This context is, by design, not directly identifying. It is forwarded to the Processor’s PHI Gateway sibling product; only counters and elapsed-time values are retained in Drug Catalog.
  • BYOL credentials the Controller supplies for tenant-scoped passthrough to commercial upstreams (HCI, Vidal, Rote Liste, etc.), stored encrypted with pgsodium AEAD.
  • Billing metadata from Stripe (customer id, subscription state, last-four digits of the payment instrument). No card primary account numbers are ever held by the Processor.

The Service is not designed to process special categories of personal data within the meaning of Article 9 GDPR. The Controller must not submit names, dates of birth, medical record numbers, addresses, or other directly identifying patient data through the Service.

6. Processor obligations (Article 28 GDPR)

The Processor will:

  • process personal data only on documented instructions from the Controller, including transfers to a third country, unless required to do so by Swiss or applicable EU law; in such a case the Processor will inform the Controller before processing, unless that law prohibits notification;
  • ensure that persons authorised to process personal data are bound by confidentiality obligations;
  • implement appropriate technical and organisational measures as described in Section 9 and in the Security Overview;
  • respect the conditions in Section 7 for engaging sub-processors;
  • assist the Controller in responding to requests from data subjects exercising their rights under Articles 15–22 GDPR (Section 8);
  • assist the Controller in ensuring compliance with Articles 32–36 GDPR (security, breach notification, DPIA, prior consultation);
  • at the choice of the Controller, return or delete all personal data after the end of the provision of services (Section 12);
  • make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits as described in Section 10.

7. Sub-processors

The Controller authorises the Processor to engage the sub-processors listed below. Each sub-processor has executed a written agreement with the Processor containing data-protection obligations no less protective than this DPA.

Sub-processor | Purpose | Region
Supabase | Managed Postgres + storage | Switzerland (eu-central-2 Zurich)
Cloudflare | Edge Workers, DNS, WAF, CDN | Global edge; control plane in the United States
Stripe | Subscription billing and payment processing | Ireland (EEA), with US sub-processors
MailChannels / Cloudflare Email | Transactional and notification email | Global edge

The Processor will give the Controller at least thirty (30) days’ advance notice in the dashboard of any intended change concerning the addition or replacement of sub-processors. The Controller may object on reasonable data-protection grounds during the notice period. If the parties cannot agree on a resolution, the Controller may terminate the Principal Agreement for the affected service without penalty.

8. Assistance with data-subject rights

Taking into account the nature of the processing, the Processor will assist the Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling its obligation to respond to requests from data subjects exercising their rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection). Specifically, the dashboard exposes tooling to identify the personal data held under a given tenant and to delete an account’s records.

If a data subject contacts the Processor directly, the Processor will, where identifiable, forward the request to the relevant Controller without undue delay and will not respond to the request itself except on the Controller’s documented instruction.

9. Technical and organisational measures

The Processor implements the security measures described in the Security Overview, including:

  • TLS 1.2 or higher for all client connections, with HSTS preload;
  • API key storage as SHA-256 hashes only; plaintext shown once and never persisted;
  • BYOL credential storage encrypted with pgsodium AEAD using per-provider keys;
  • HMAC-signed session cookies (HttpOnly, Secure, SameSite=Lax), thirty-day expiry, revocable;
  • staging-first ingestion pipeline (“watchtower”) with per-source schema validation, quarantine, and drift alerts to PagerDuty and Slack;
  • audit logging of every API call (key id, endpoint, status, timing) and of administrative actions on tenants and keys;
  • regular dependency scans and a documented CVE response window of seven days for criticals;
  • annual third-party penetration testing.

10. Audit rights

On reasonable prior written request, and subject to confidentiality undertakings, the Processor will make available to the Controller the most recent third-party audit reports, certifications, and the Security Overview, to demonstrate compliance with this DPA. The Controller may, no more than once per year, conduct a questionnaire-based audit or, where strictly necessary, an on-site audit of the Processor’s facilities at the Controller’s expense, during business hours and without unreasonable disruption to the Processor’s operations.

Where a supervisory authority requires an audit, the Processor will cooperate to the extent legally required.

11. Personal data breach notification

The Processor will notify the Controller without undue delay and in any event within seventy-two (72) hours after becoming aware of a personal data breach affecting the Controller’s data, at the owner email on file and at any additional incident contact registered in the dashboard. The notice will include, to the extent then known: the nature of the breach, categories and approximate number of data subjects and records affected, the likely consequences, the measures taken or proposed, and a contact point.

The Processor will provide reasonable cooperation to the Controller’s own notification obligations under Articles 33–34 GDPR and equivalent provisions of the nFADP.

12. Return or deletion of data

On termination or expiry of the Principal Agreement, and at the choice of the Controller, the Processor will return all personal data processed on the Controller’s behalf or delete it and certify deletion, in each case within thirty (30) days, unless retention is required by Swiss or applicable EU law (for example, accounting and tax records under the Swiss Code of Obligations).

13. International transfers and SCCs

The Controller acknowledges that, while the production database is hosted in Switzerland, certain sub-processors operate from or with control-plane access in third countries (notably the United States in the case of Cloudflare and Stripe sub-processors).

For any transfer of personal data outside the European Economic Area or Switzerland that is not covered by an adequacy decision, the parties incorporate by reference the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 on Standard Contractual Clauses (SCCs) for the transfer of personal data to third countries under the GDPR, together with the Swiss Federal Data Protection and Information Commissioner (FDPIC) addendum:

  • Module 2 (controller-to-processor) applies where the Controller is established in the EEA or Switzerland and the Processor exports data to a sub-processor in a third country;
  • Module 3 (processor-to-processor) applies where the Processor onward-transfers to a sub-processor that itself acts as a processor.

Where Module 2 or Module 3 applies: the optional docking clause is incorporated; Option 2 of Clause 9(a) applies with the thirty-day notice period in Section 7; for Clause 17, the parties choose the law of Switzerland (or, where Swiss law cannot lawfully apply under the SCC text, the law of Ireland); for Clause 18(b), the parties choose the courts of Zurich, Switzerland (or, where required, the courts of Ireland). Annex I (parties, description of transfer), Annex II (technical and organisational measures), and Annex III (sub-processors) are populated from the Principal Agreement, this DPA, and the Security Overview.

Where the EU–US Data Privacy Framework is available for a given sub-processor, the parties additionally rely on that framework as an alternative transfer mechanism.

14. Liability and indemnification

Each party’s liability under this DPA is subject to the limitations and exclusions of the Principal Agreement. Nothing in this DPA limits a party’s liability to data subjects under Article 82 GDPR, and the parties’ respective allocation of internal liability follows that Article.

The Controller indemnifies the Processor against claims, fines, and losses arising from the Controller’s submission to the Service of data prohibited under Section 6 of the Terms of Service or Section 5 of this DPA (in particular, direct patient identifiers).

15. Governing law and jurisdiction

This DPA is governed by the substantive laws of Switzerland. The exclusive forum for any dispute arising out of or related to this DPA is the ordinary courts of the City of Zurich, Switzerland, without prejudice to mandatory protective jurisdiction rules for data subjects under the GDPR.

16. Order of precedence

In case of conflict between (i) the SCCs, (ii) this DPA, and (iii) the Principal Agreement, the order of precedence with respect to personal data is the SCCs first, this DPA second, the Principal Agreement third.

17. Contact

For DPA-related matters, including breach notification, data-subject requests passed through to the Controller, and sub-processor objections, contact privacy@drug-database.com and, for incident reports, incidents@drug-database.com.