Data Processing Addendum

Last Updated: June 10, 2026

This Data Processing Addendum ("DPA") forms part of the Terms and Conditions between InVitroManager ("Processor," "we") and the customer organization ("Controller," "you") and applies to the extent we process personal data on your behalf.

1. Roles

For personal data contained in your data, you are the Controller and we are the Processor (or sub-processor). Each party will comply with applicable data protection laws, including the EU GDPR, UK GDPR, and applicable US state privacy laws.

2. Processing Instructions

We process personal data only on your documented instructions — as set out in the Terms, this DPA, and your configuration and use of the service — unless required by law. We will not sell or share personal data, or use it for any purpose other than providing the service.

3. Confidentiality

Personnel authorized to process personal data are bound by appropriate confidentiality obligations and process it only as instructed.

4. Security

We implement appropriate technical and organizational measures (see Annex 2), including per-organization data isolation, encryption in transit, hashed credentials, role-based access control, and audit logging. Where you use the optional browser-side encryption for designated content, we cannot access or recover that content or its keys; you are responsible for safeguarding your keys.

5. Sub-processors

You authorize us to engage the sub-processors listed in Annex 3. We will give notice before adding or replacing a sub-processor and allow you to object on reasonable data-protection grounds. We impose data-protection obligations on each sub-processor no less protective than this DPA and remain liable for their performance.

6. Data Subject Requests

Taking into account the nature of processing, we will assist you (insofar as possible) in responding to individuals exercising their rights. If we receive a request directly, we will refer the individual to you unless legally required to act.

7. Personal Data Breach

We will notify you without undue delay after becoming aware of a personal data breach affecting your personal data, and provide information reasonably available to help you meet your notification obligations.

8. Assistance

Taking into account the nature of processing and information available to us, we will provide reasonable assistance with data protection impact assessments and prior consultations with supervisory authorities where required.

9. Deletion or Return

On termination or expiry of the Terms, we will, at your choice, delete or return your personal data and delete existing copies unless retention is required by law, subject to the export window and routine backup cycles.

10. Audits

We will make available information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits, subject to reasonable notice, frequency, confidentiality, and without compromising other customers' security. We may satisfy audit obligations through third-party reports or documentation.

11. International Transfers

Where we transfer personal data from the EEA, UK, or Switzerland to a country without an adequacy decision, the transfer is governed by the Standard Contractual Clauses (and the UK Addendum for UK transfers), incorporated by reference, with supplementary measures as needed.

12. Liability and Precedence

Liability under this DPA is subject to the limitations and exclusions in the Terms. In case of conflict, this DPA prevails over the Terms with respect to the processing of personal data; the Standard Contractual Clauses prevail to the extent of any conflict regarding restricted transfers.


Annex 1 — Details of Processing

  • Subject matter: provision of the InVitroManager platform.
  • Duration: the term of the Terms (plus a limited post-termination export/deletion period).
  • Nature and purpose: hosting, storage, transmission, display, backup, and processing of your data to provide the service.
  • Types of personal data: names, email addresses, usernames, user roles, profile images, authentication metadata, IP addresses and usage/audit logs, in-app messages, and limited billing-contact information.
  • Categories of data subjects: your authorized users (employees, contractors, agents) and any individuals whose data you enter.

Annex 2 — Security Measures

  • Per-organization data isolation (a separate database schema per organization)
  • Encryption in transit (HTTPS/TLS) with HSTS
  • Optional browser-side encryption for designated content (keys held by you)
  • Salted password hashing (Argon2) and optional multi-factor authentication
  • Role-based access control and least-privilege administration
  • Audit logging of sensitive actions; error monitoring with personal-data sending disabled
  • Routine backups to object storage with restore procedures

Annex 3 — Approved Sub-processors

  • DigitalOcean — cloud hosting, infrastructure, and backup storage
  • Stripe — payment processing
  • Google (Gemini API) — AI-assisted features (e.g. scanned-card lot-number recognition)
  • Error-monitoring and transactional-email providers

Contact

For data-protection inquiries, contact brett@invitromanager.com.