Last Updated: June 10, 2026
This Data Processing Addendum ("DPA") forms part of the Terms and Conditions between InVitroManager ("Processor," "we") and the customer organization ("Controller," "you") and applies to the extent we process personal data on your behalf.
For personal data contained in your data, you are the Controller and we are the Processor (or sub-processor). Each party will comply with applicable data protection laws, including the EU GDPR, UK GDPR, and applicable US state privacy laws.
We process personal data only on your documented instructions — as set out in the Terms, this DPA, and your configuration and use of the service — unless required by law. We will not sell or share personal data, or use it for any purpose other than providing the service.
Personnel authorized to process personal data are bound by appropriate confidentiality obligations and process it only as instructed.
We implement appropriate technical and organizational measures (see Annex 2), including per-organization data isolation, encryption in transit, hashed credentials, role-based access control, and audit logging. Where you use the optional browser-side encryption for designated content, we cannot access or recover that content or its keys; you are responsible for safeguarding your keys.
You authorize us to engage the sub-processors listed in Annex 3. We will give notice before adding or replacing a sub-processor and allow you to object on reasonable data-protection grounds. We impose data-protection obligations on each sub-processor no less protective than this DPA and remain liable for their performance.
Taking into account the nature of processing, we will assist you (insofar as possible) in responding to individuals exercising their rights. If we receive a request directly, we will refer the individual to you unless legally required to act.
We will notify you without undue delay after becoming aware of a personal data breach affecting your personal data, and provide information reasonably available to help you meet your notification obligations.
Taking into account the nature of processing and information available to us, we will provide reasonable assistance with data protection impact assessments and prior consultations with supervisory authorities where required.
On termination or expiry of the Terms, we will, at your choice, delete or return your personal data and delete existing copies unless retention is required by law, subject to the export window and routine backup cycles.
We will make available information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits, subject to reasonable notice, frequency, confidentiality, and without compromising other customers' security. We may satisfy audit obligations through third-party reports or documentation.
Where we transfer personal data from the EEA, UK, or Switzerland to a country without an adequacy decision, the transfer is governed by the Standard Contractual Clauses (and the UK Addendum for UK transfers), incorporated by reference, with supplementary measures as needed.
Liability under this DPA is subject to the limitations and exclusions in the Terms. In case of conflict, this DPA prevails over the Terms with respect to the processing of personal data; the Standard Contractual Clauses prevail to the extent of any conflict regarding restricted transfers.
For data-protection inquiries, contact brett@invitromanager.com.