1. Scope
This Data Processing Addendum ("DPA") forms part of the Terms of Use between Praxara Ltd ("Processor") and the Customer ("Controller") and applies whenever Praxara processes Personal Data on Customer's behalf in providing the Praxara Service.
2. Roles & subject matter
- Controller: Customer (and Customer's end-users where applicable).
- Processor: Praxara Ltd.
- Subject matter: provision of a multi-tenant SaaS platform for AI-assisted regulatory and pharmacovigilance workflows, including document ingestion, AI extraction, e-signed approvals and audit-evidence export.
- Duration: for the term of the underlying Service contract plus any retention period below.
3. Categories of data subjects & data
The Service may process the following Personal Data categories on Customer's instructions:
- Customer's authorised users (name, business email, role, login telemetry, e-signature events).
- Patient identifiers in pharmacovigilance source documents (initials, age range, sex). Note: Customer is responsible for redacting direct identifiers before upload where Customer's policy requires.
- Healthcare-professional identifiers in adverse-event report sources.
- Special category data (Article 9 GDPR) — health data — when present in source documents.
4. Processor obligations (Article 28(3) GDPR)
- Process Personal Data only on Customer's documented instructions, including with regard to international transfers.
- Ensure persons authorised to process the Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organisational measures (see §6).
- Engage sub-processors only with Customer's general written authorisation (see §5) and impose the same data-protection obligations.
- Assist Customer in responding to data-subject rights requests within 5 business days of notification.
- Assist with Articles 32-36 obligations (security, breach notification, DPIAs).
- On termination, delete or return all Personal Data within 30 days at Customer's choice.
- Make available all information necessary to demonstrate compliance and allow for audits (see §9).
5. Sub-processors
Customer authorises Praxara to use the sub-processors listed at /legal/subprocessors. Praxara will give Customer at least 30 days' notice (via email to the tenant administrator and via the Trust portal) before adding or replacing a sub-processor. Customer may object on reasonable data-protection grounds; if the parties cannot agree, Customer may terminate the affected portion of the Service for a pro-rata refund.
6. Technical & organisational measures (Article 32)
- Encryption: TLS 1.3 in transit, AES-256 at rest. Keys managed via Azure Key Vault with role-bound access.
- Access control: 5-role RBAC, MFA enforced for ADMIN role by default, SAML SSO for Enterprise tenants. NIST 800-63B-aligned password policy.
- Audit: SHA-256 chained audit log of every data-affecting action (ALCOA+ aligned). Integrity verifiable on demand.
- Hosting: Microsoft Azure UK South + West Europe regions. EU/UK data residency.
- Backup & recovery: daily automated backups, 30-day retention, RPO 1 hour / RTO 4 hours.
- Vulnerability management: annual external penetration test, continuous bug-bounty programme via Intigriti, monthly dependency scanning.
- Personnel: background checks for all engineers with production access, contractual confidentiality, mandatory annual data-protection training.
7. Personal data breach notification
Praxara will notify Customer without undue delay (and in any event within 24 hours) of becoming aware of a Personal Data breach, providing all information reasonably required to enable Customer to meet its Article 33 obligations.
8. International transfers
Customer Data is hosted in EU/UK regions by default. Where Praxara or a sub-processor processes Customer Data outside the UK/EEA (limited to Anthropic, Google AI, OpenAI, SendGrid for specific bounded purposes), Praxara relies on:
- The UK International Data Transfer Agreement (IDTA) where applicable; or
- The EU Standard Contractual Clauses (Module 2 — Controller to Processor; Module 3 — Processor to Sub-processor) as approved by Commission Implementing Decision (EU) 2021/914; or
- An adequacy decision where one exists.
Transfer impact assessments are available on request.
9. Audits
Customer may, on 30 days' written notice and at its own expense, conduct one audit per twelve-month period of Praxara's compliance with this DPA. Audits will be remote, scoped to Customer's Personal Data, conducted by an independent third party under NDA, and limited to Praxara's standard business hours. Praxara's annual SOC 2 Type II report and ISO 27001 certificate (when available) shall satisfy this audit obligation at Customer's election.
10. Liability
Liability arising under this DPA is governed by the limitation clause in the Terms of Use. The parties acknowledge that GDPR Article 82 imposes joint and several liability between Controller and Processor in the case of a Personal Data breach, but their internal allocation of liability follows the Terms.
11. Order of precedence
In the event of conflict between this DPA and the Terms of Use, this DPA prevails on data-protection matters; the Terms prevail on commercial matters.
12. Contact
Privacy queries: [email protected]. Customer's data-subject rights workflow assistance: [email protected].