Data Protection Policy (DPP)
Exela Pharma Sciences, LLC (“Exela”) is committed to protecting the personal information entrusted to us during our operations. This Data Protection Policy (DPP) establishes how Exela collects, processes, shares, and safeguards personal data, while ensuring compliance with applicable laws, including the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other relevant privacy and data protection frameworks.
This Policy is limited in scope to Personally Identifiable Information (PII), Protected Health Information (PHI), and a defined category of Sensitive Information. Information provided pursuant to contract is governed exclusively by those agreements.
1. Purpose & Scope
This Policy governs the collection, use, storage, and sharing of PII, PHI, and Sensitive Information by Exela Pharma Sciences. It applies to all employees, contractors, partners, and third parties who interact with such data through Exela’s operations or websites.
2. Definitions
– PII (Personally Identifiable Information): Data that identifies or can reasonably identify an individual (e.g., name, address, email, financial identifiers).
– PHI (Protected Health Information): Health-related information subject to HIPAA.
– Sensitive Information: Data not legally classified as PII/PHI but requiring additional safeguards, such as biometric data, lab access logs, or R&D usage analytics.
– Confidential Information: As defined in executed CDAs, MSAs, or other agreements; not covered by this Policy.
3. Legal Basis
Exela processes personal data under the following legal bases:
– Consent (e.g., when individuals provide data via forms).
– Contract performance (e.g., client data processing under CDMO work).
– Legal obligations (e.g., FDA, HIPAA, or state record-keeping requirements).
– Legitimate interests, balanced against data subject rights.
4. Collection & Processing of Data
We collect and process data for purposes including:
– Responding to inquiries and managing customer relationships.
– Conducting pharmaceutical manufacturing and CDMO services.
– Compliance with regulatory requirements (FDA, HIPAA, GDPR).
– Website analytics, security monitoring, and user preference management.
5. Data Sharing & Retention
Exela does not sell personal data.
– Data may be shared with trusted service providers under confidentiality and data protection agreements.
– Data may be disclosed when legally required (e.g., regulatory requests).
– Retention:
• PHI: As required by HIPAA and applicable state law.
• Employee records: 7 years post-employment.
• Website inquiries: 2 years.
– Unless additional legal or regulatory obligations require longer retention, data is securely deleted or anonymized once the above retention periods expire.
6. Security Measures
We employ technical and organizational safeguards including:
– Encryption (AES-256 for data at rest, TLS 1.3 for data in transit).
– Role-based access controls (RBAC) and multi-factor authentication.
– Vendor due diligence and contractual security obligations.
– Continuous monitoring, intrusion detection, and annual penetration testing.
7. Data Subject Rights
Individuals have rights under GDPR, HIPAA, and CCPA, including:
– Access to their data.
– Correction of inaccuracies.
– Deletion (where applicable).
– Restriction or objection to processing.
– Data portability.
– Right to lodge a complaint with a supervisory authority.
Requests will be responded to within applicable regulatory timelines (30–45 days).
8. Relationship to Other Agreements
This DPP does not supersede confidentiality obligations under CDAs, MSAs, or other negotiated agreements. Confidential Information governed by those agreements remains subject exclusively to their terms.
9. California Privacy Rights (CCPA Addendum)
Under the California Consumer Privacy Act (CCPA), California residents have the right to:
– Know what categories of personal data we collect and the purposes of use.
– Request access to or deletion of their personal data.
– Opt out of any sale of personal data (note: Exela does not sell personal data).
– Be free from discrimination when exercising privacy rights.
Exela provides mechanisms on its website for California residents to exercise these rights.
10. Breach Notification & Incident Response
Exela will notify affected individuals and regulators of any data breach involving PII or PHI within legally mandated timelines (e.g., 72 hours under GDPR; as required under HIPAA breach notification rules).
11. Policy Updates
This Policy is reviewed annually or as laws or operations change. Updates will be published on Exela’s website with a revised ‘Last Updated’ date.
12. Contact Information
For any questions or to exercise data rights, contact:
Data Protection Officer
Exela Pharma Sciences
1245 Blowing Rock Blvd, Lenoir, NC 28645
Email: dpo@exela.us
