Data Processing Agreement
Version 1.0 — Effective 6 June 2026
1. Parties
This Data Processing Agreement (“DPA”) is entered into between:
| Party | Details |
|---|---|
| Data Controller | The pharmacy or pharmacist registering for and using QuickCCS, as identified during account creation (“you”, “the Controller”) |
| Data Processor | Alan McIntyre, trading as QuickCCS, Ireland (“QuickCCS”, “we”, “the Processor”) |
| Contact (Processor) | privacy@quickccs.ie |
This DPA forms part of and is incorporated into the QuickCCS Terms of Service. In the event of any conflict between this DPA and the Terms of Service, this DPA shall take precedence in relation to the processing of personal data.
2. Background and Purpose
QuickCCS provides a clinical decision support platform for Irish community pharmacists. As part of delivering this service, QuickCCS processes personal data — including special category health data — on behalf of pharmacies using the paid (Pro or Group/Network) tiers.
The Controller determines the purposes and means of processing patient data. QuickCCS processes that data solely as a processor, on the documented instructions of the Controller, in accordance with this DPA and applicable data protection law, including the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and the Irish Data Protection Act 2018.
3. Details of Processing
3.1 Subject Matter
The provision of clinical decision support software and associated consultation record storage, audit trail, and PDF summary features as described in the QuickCCS Terms of Service.
3.2 Duration
For the duration of the Controller's active subscription, and for such period thereafter as is required to fulfil deletion obligations under this DPA or applicable law.
3.3 Nature and Purpose of Processing
QuickCCS processes personal data for the following purposes on behalf of the Controller:
- Storing patient consultation records created by the pharmacist
- Generating and storing PDF summaries of consultations
- Maintaining an audit trail of consultation activity for regulatory compliance
- Enabling the Controller to retrieve, review, and export their consultation records
3.4 Types of Personal Data
The following categories of personal data may be processed under this DPA:
- Patient identifiers: name, date of birth, sex, address, telephone number
- Patient health scheme information: GMS/PRSI/DPS number
- Patient PPSN (where entered by the pharmacist)
- Clinical data: consultation outcomes, clinical decision support results, pharmacist notes
- Pharmacist identifiers: name, PSI registration number, associated pharmacy
- Timestamps: date and time of each consultation record
Patient consultation data constitutes special category personal data under GDPR Article 9 (health data) and is treated accordingly.
3.5 Categories of Data Subjects
Patients of the Controller's pharmacy who are the subject of Community Pharmacy Consultation Service (CPS) consultations conducted using QuickCCS.
4. Obligations of the Processor
4.1 Instructions
QuickCCS shall process personal data only on the documented instructions of the Controller, as set out in this DPA and the Terms of Service. QuickCCS shall immediately inform the Controller if it believes any instruction infringes applicable data protection law.
4.2 Confidentiality
QuickCCS shall ensure that all personnel authorised to process personal data under this DPA are bound by appropriate confidentiality obligations and have received adequate data protection training.
4.3 Security
QuickCCS shall implement and maintain appropriate technical and organisational security measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:
- Encryption of data in transit (TLS/HTTPS)
- Encryption of data at rest (AES-256 via Supabase)
- Row-level security policies restricting data access by pharmacy account
- Access controls limiting platform access to authorised personnel only
- Regular security patching via managed infrastructure (Vercel, Supabase)
4.4 Sub-processors
The Controller grants QuickCCS general authorisation to engage the sub-processors listed in Schedule 1 of this DPA. QuickCCS shall:
- Impose equivalent data protection obligations on each sub-processor by contract
- Remain fully liable to the Controller for the acts and omissions of sub-processors
- Notify the Controller of any intended addition or replacement of sub-processors with no less than 14 days' notice, giving the Controller the opportunity to object
4.5 Data Subject Rights
QuickCCS shall assist the Controller in fulfilling its obligations to respond to data subject requests (access, rectification, erasure, restriction, portability, objection). Where a data subject contacts QuickCCS directly, QuickCCS will promptly forward the request to the Controller.
4.6 Data Protection Impact Assessments
QuickCCS shall provide reasonable assistance to the Controller in carrying out data protection impact assessments (DPIAs) where required under GDPR Article 35, taking into account the nature of processing and information available to QuickCCS.
4.7 Breach Notification
In the event of a personal data breach affecting data processed under this DPA, QuickCCS shall:
- Notify the Controller without undue delay, and in any event within 48 hours of becoming aware of the breach
- Provide sufficient information to enable the Controller to meet its own 72-hour notification obligation to the Data Protection Commission (DPC)
- Cooperate with the Controller and take such steps as are reasonably directed to investigate, mitigate, and remediate the breach
Notification shall be made to the email address registered with the Controller's QuickCCS account.
4.8 Deletion and Return of Data
Upon termination or expiry of the Controller's subscription, QuickCCS shall, at the choice of the Controller:
- Provide an export of all consultation records in a structured, machine-readable format (JSON or CSV) within 30 days of request; or
- Permanently delete all personal data processed under this DPA within 30 days of subscription end
QuickCCS shall confirm in writing when deletion is complete. Data may be retained beyond this period only where required by Irish law (e.g. tax records), in which case QuickCCS shall notify the Controller of the specific legal basis and the data retained.
4.9 Audit Rights
QuickCCS shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA. The Controller may, on reasonable written notice of no less than 14 days and no more than once per calendar year, request an audit of QuickCCS's data processing activities. Such audits shall be conducted at the Controller's cost and in a manner that minimises disruption to QuickCCS's operations.
5. Obligations of the Controller
The Controller warrants and undertakes that:
- It has a valid legal basis under GDPR for processing patient data through QuickCCS, including for special category health data under Article 9
- It has provided all necessary notices to, and obtained all necessary consents from, patients whose data is entered into QuickCCS, as required by applicable law
- It shall use QuickCCS only in accordance with the Terms of Service and applicable data protection law
- It shall promptly inform QuickCCS of any changes to applicable law or regulatory requirements that may affect the processing carried out under this DPA
- It is responsible for the accuracy, quality, and legality of personal data it enters into QuickCCS
6. International Data Transfers
Personal data processed under this DPA is stored on Supabase servers located within the EU (Ireland region). QuickCCS shall not transfer personal data outside the European Economic Area (EEA) without:
- Ensuring an adequacy decision applies to the destination country; or
- Implementing appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission
Where sub-processors located outside the EEA are engaged (e.g. Vercel, Resend, Stripe for certain processing), QuickCCS has ensured appropriate SCCs or equivalent safeguards are in place. Details are available on request.
7. Liability
Each party's liability under this DPA is subject to the limitations and exclusions set out in the QuickCCS Terms of Service. Nothing in this DPA limits either party's liability for death or personal injury caused by negligence, fraud, or any other liability that cannot be excluded by law.
QuickCCS's total aggregate liability under or in connection with this DPA shall not exceed the total fees paid by the Controller to QuickCCS in the 12 months preceding the event giving rise to the claim.
8. Term and Termination
This DPA is effective from the date of acceptance and continues for as long as QuickCCS processes personal data on behalf of the Controller. It terminates automatically upon the permanent deletion of all personal data processed under this DPA following subscription termination.
Either party may terminate this DPA with immediate effect if the other party commits a material breach of its obligations that is not remedied within 30 days of written notice.
9. Governing Law and Jurisdiction
This DPA is governed by the laws of Ireland. Any disputes arising under or in connection with this DPA shall be subject to the exclusive jurisdiction of the Irish courts.
10. Updates to This DPA
QuickCCS may update this DPA from time to time to reflect changes in applicable law, regulatory guidance, or its sub-processor list. Material changes will be notified to the Controller by email with no less than 14 days' notice. Continued use of QuickCCS after the notice period constitutes acceptance of the updated DPA.
Upon incorporation of QuickCCS as a limited company, the contracting entity named in this DPA will transfer automatically to QuickCCS Limited. Controllers will be notified of this change; no re-acceptance will be required as the substance of the agreement is unchanged.
Schedule 1 — Approved Sub-processors
The following sub-processors are authorised as of the effective date of this DPA:
| Sub-processor | Purpose / Data Shared |
|---|---|
| Supabase (EU — Ireland) | Database hosting and authentication. All personal data stored. EU region only. |
| Vercel | Platform hosting and deployment. May process request metadata. SCCs in place. |
| Resend | Transactional email. Receives: name, email, pharmacy name, subscription status. No patient data. |
| Stripe | Payment processing. Receives: name, email, pharmacy name, user ID. No patient data. |
| PSI OData API | Pharmacist registration verification at signup. Receives PSI number only; no patient data stored. |
QuickCCS will provide 14 days' notice of any addition or replacement of sub-processors, giving the Controller the right to object before the change takes effect.
Schedule 2 — Technical and Organisational Security Measures
QuickCCS implements the following measures in accordance with Article 32 GDPR:
| Measure | Implementation |
|---|---|
| Encryption in transit | TLS 1.2+ enforced on all connections via Vercel |
| Encryption at rest | AES-256 encryption of all stored data via Supabase |
| Access control | Row-level security (RLS) policies in Supabase; each pharmacy can only access its own data |
| Authentication | Supabase Auth with PKCE flow; PSI registration number verified at signup |
| Data minimisation | Only data necessary for the CPS consultation service is collected and stored |
| Availability | Managed infrastructure (Supabase, Vercel) with high availability SLAs |
| Breach detection | Platform logs monitored; breach notification procedure documented internally |
| Retention enforcement | Automated deletion jobs for IP/demo data; consultation data deleted on account closure |