§ UK GDPR · DPA 2018 · MHRA aligned § ISO 27001 A.8.3 session control § RLS enforced on 42 database tables § Penetration tested 14 April 2026 § 7-year audit retention § HMAC-signed prescription PDFs § UK GDPR · DPA 2018 · MHRA aligned § ISO 27001 A.8.3 session control § RLS enforced on 42 database tables § Penetration tested 14 April 2026 § 7-year audit retention § HMAC-signed prescription PDFs
§ 1.0 Software · Dispensing · Compliance

Turn your brand
into a
prescription retailer.

End-to-end pharmacy integration, signed prescriptions, and a patient onboarding flow you can build and test in weeks. Full compliance as standard.

Request a demo See the platform
42tables
RLS enforced
7yr
Audit retention
15min
ISO 27001 A.8.3
Pen-tested
14 · 04 · 2026
Attestation § Compliance
Statement of compliance controls
Ref. SRX/CMP/2026-04 · Issued 28 April 2026
  • UK GDPRIn force
  • Data Protection Act 2018In force
  • MHRA digital health alignmentIn force
  • ISO 27001 A.8.3 session controlIn force
  • Row-Level Security · 42 tablesIn force
  • HMAC-SHA256 prescription signaturesIn force
Sync-RX Ltd UK · Confidential
§ 2.0
The compliance gap

Standard commerce SaaS has no architecture for patient’s data.

2.1 / United Kingdom

The DPA
and UK GDPR

Health data is special-category under UK GDPR Article 9. Lawful processing requires architectural safeguards that bolt-on plugins cannot deliver.

Storing PHI in a system not designed for it is a regulatory exposure, not a configuration choice.
2.2 / United States

Shopify is not
HIPAA compliant

Shopify’s own guidance is unambiguous: only non-HIPAA data. SOC 2 and PCI DSS Level 1 are not PHI cover.

Quoted from the published HIPAA review: "Shopify does not support HIPAA compliance."
2.3 / EU & Canada

EU DPD,
and PIPEDA

GDPR, PIPEDA, and UK DPA impose parallel constraints. Each jurisdiction carries full legal weight.

Compliance is the architecture. Built in from day one.

Operators lose deals, pharmacy partners, and investor conviction when compliance becomes a workaround. Sync-RX builds compliance into the architecture.

§ 3.0
The platform

One operations layer. Built for operators and patients.

For operators

Replaces your spreadsheet, CRM, and manual order log.

Patients, orders, prescriptions, and compliance. All in one place. Everything is audit-ready from day one.

For patients

Entirely white-label. The patient sees your brand throughout.

Treatment tracking, questionnaires, and test results — all white-label. Test and optimise the onboarding flow like any conversion surface.

3.1 / Patients Core

Patient records

Every patient record is PHI-safe, role-isolated, and audit-ready.

  • RLS-enforced on every read and write
  • Role-scoped admin and clinician access
  • Patient-owned uploads via signed URLs
3.2 / Orders Core

Order lifecycle

Full order lifecycle from pending to delivered, synced with the dispensing partner in real time.

  • Pharmacy partner webhook integration
  • Subscription holds until prescription is issued
  • Live status sync via Supabase Realtime
3.3 / Prescriptions Core

Signed prescriptions

Generate, sign, and dispatch prescriptions with HMAC-SHA256 integrity in every PDF.

  • HMAC-SHA256 digital signatures
  • Direct dispensary submission
  • Auditable issuance record per script
3.4 / Forms Engine

Dynamic questionnaires

Build and test onboarding flows with branching logic and AI flagging. No back-end code.

  • Branch on any answer, any condition
  • AI questionnaire audit on submission
  • DOMPurify-sanitised at every render
3.5 / Automation Engine

Visual flow builder

Trigger follow-ups, repeat-prescription gates, and partner events without back-end code.

  • Drag-and-drop workflow canvas
  • Time-based and event-based triggers
  • Repeat-prescription wellness gating
3.6 / Audit Compliance

Audit & incident register

Every auth event, record change, and patient access logged and retained for seven years.

  • 7-year retention aligned to MHRA & GDPR
  • Severity-tagged incident register
  • AI-powered compliance scanning
§ 4.0
Compliance controls

A live ledger, not a marketing page.

Every control in place, published and kept current. Live in production. Pen-tested. Seven-year retention.

Last assessed 14 · 04 · 2026 · 0 critical · 0 high open
Ref Control Standard Status
4.1.01 Row-Level Security on all 42 tables UK GDPR · ISO In force
4.1.02 Role-based access via app_role enum DPA 2018 In force
4.1.03 15-minute inactivity session timeout ISO 27001 A.8.3 In force
4.1.04 Auth event & record-change audit log MHRA · GDPR In force
4.1.05 7-year audit log retention MHRA · GDPR In force
4.1.06 HMAC-SHA256 prescription signatures Internal In force
4.1.07 DOMPurify on all dynamic HTML render OWASP In force
4.1.08 Pen-test programme · quarterly cadence PTES In force
4.1.09 GDPR SAR export tooling UK GDPR Q2 2026
4.1.10 Right to Erasure cascade workflow UK GDPR Q2 2026
§ 5.0
Partner stack

Plugged into the infrastructure you already trust.

Pharmacy fulfilment
Pharmacy partner integration

Live prescription submission, order webhooks, and bidirectional status sync.

Headless commerce
Shopify

Headless storefront and order sync. PHI never crosses the Shopify boundary.

Subscriptions
ReCharge

Recurring billing for repeat prescriptions, with subscription release gated on clinical sign-off rather than payment.

Identity verification
LexisNexis & Verif

Configurable per product line. LexisNexis for standard journeys, Verif for selfie capture on GLP-1 and consultation flows.

GP notification
Docman

NHS surgery notification with in-app GP search at the point of treatment selection. Datagraphic as fallback.

Clinical AI
AI-assisted tooling

Questionnaire auditing, blood test interpretation, and compliance research — all in an audited, role-scoped frame.

§ 6.0
Built for UK digital health

Verticals where compliance and conversion collide.

W

Weight management

GLP-1 supply with mandatory wellness check-ins gating each repeat dispense.

T

Testosterone

Bloods-driven protocols, clinician sign-off, and scheduled review cadences.

E

Erectile dysfunction

Discreet patient journeys with consent capture and identity verification baked in.

M

Men’s wellness

Hair, skin, mental health, and adjacent men’s health categories on the same chassis.

§ 8.0 / Request access

Become a prescription retailer. Let us show you the build.

We take on a small number of UK operators each quarter. If you’re launching a new vertical, replatforming, or scoping a pharmacy integration, we should talk.

Operator enquiry · UK only
Are you currently selling prescription medication?

By submitting you agree to our Privacy Policy.