Data Processing Agreement

Last updated: February 26, 2026

1. Purpose

This Data Processing Agreement ("DPA") forms part of the agreement between you (the "Controller") and PvSentinel (the "Processor") for the provision of pharmacovigilance management services.

2. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person
  • Processing: Any operation performed on personal data, including collection, storage, use, and deletion
  • Controller: The entity that determines the purposes and means of processing personal data
  • Processor: The entity that processes personal data on behalf of the Controller

3. Scope of Processing

PvSentinel will process personal data only:

  • On documented instructions from the Controller
  • For the purpose of providing pharmacovigilance management services
  • In accordance with applicable data protection laws

4. Data Subject Categories

Personal data processed may include information about patients, healthcare professionals, and authorized users of the platform.

5. Security Measures

PvSentinel implements appropriate technical and organizational measures including:

  • Encryption of data at rest and in transit (AES-256, TLS 1.3)
  • Role-based access controls and authentication
  • Regular security audits and penetration testing
  • Comprehensive audit logging and monitoring
  • Business continuity and disaster recovery procedures
  • Employee training and confidentiality agreements

6. Sub-processors

PvSentinel may engage sub-processors to assist in providing services. Current sub-processors include:

  • Cloud infrastructure providers (AWS, Azure, or equivalent)
  • Email service providers
  • Monitoring and analytics services

Changes to sub-processors will be communicated with 30 days' notice.

7. Data Subject Rights

PvSentinel will assist the Controller in fulfilling data subject requests for access, rectification, erasure, restriction, portability, and objection to processing.

8. Data Breach Notification

PvSentinel will notify the Controller of any personal data breach within 24 hours of becoming aware of the breach, providing all relevant information to assist with regulatory notifications.

9. Data Retention & Deletion

Upon termination of services, PvSentinel will delete or return all personal data within 60 days unless required to retain data by law.

10. Audits

The Controller may audit PvSentinel's compliance with this DPA upon reasonable notice, no more than once per year unless required by regulatory authorities.

11. International Transfers

Any transfer of personal data outside Kenya will be subject to appropriate safeguards, including Standard Contractual Clauses approved by relevant data protection authorities.

12. Contact

For questions about this Data Processing Agreement, please contact: dpo@pvsentinel.com