Last updated: 12 May 2026

Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Inviaro Terms of Service between Inviaro (as identified in the customer's order documentation; "Inviaro", "we", or the "Processor") and the customer identified by the Inviaro workspace billing identity (the "Customer" or the "Controller").

The DPA reflects the parties' obligations under the EU General Data Protection Regulation 2016/679 ("GDPR") and other applicable data-protection laws.

1. Definitions

Capitalised terms have the meaning given in the GDPR unless defined here. "Personal Data" means data relating to identified or identifiable natural persons that the Customer submits to or processes through the Service. "Sub-processor" means a third party engaged by Inviaro to process Personal Data on the Customer's behalf.

2. Scope and purpose of processing

Inviaro processes Personal Data on the Customer's behalf solely to provide the Service: routing, storing, and operating on the messaging conversations, contacts, calendar events, and related records the Customer ingests through connected channels. The processing duration is the term of the Service agreement plus any retention period required by law.

3. Categories of data subjects and Personal Data

The Service typically processes Personal Data concerning:

  • The Customer's authorised users (operators inside the workspace)
  • The Customer's end-users (the people communicating with the Customer through Inviaro-connected channels)

Categories of Personal Data include:

  • Contact identifiers (names, phone numbers, email addresses, channel handles)
  • Message content (text, attachments, links, structured fields)
  • Booking and calendar event details
  • Behavioural metadata generated by use of the Service (timestamps, channel, conversation status)
  • Where the Customer operates in a regulated vertical, the Customer may receive Special Category Data (GDPR Article 9) through their channels — see Section 11

4. Roles

The Customer is the Controller of Personal Data they submit to the Service, including end-user conversations they receive. Inviaro is the Processor of that data. Inviaro is a separate Controller for account, billing, audit, and security data related to the Customer's authorised users (see our Privacy Policy for that processing).

5. Sub-processors

Inviaro engages a small number of sub-processors to operate the Service. The categories are summarised at /subprocessors. The current, named sub-processor list — including each vendor's legal entity, processing region, and applicable safeguard — is provided to the Customer as Exhibit A and updated on the Customer's account dashboard. The Customer authorises Inviaro's use of those sub-processors at acceptance of this DPA.

Inviaro will notify the Customer at least 30 days in advance of any addition or replacement of a sub-processor that materially affects how Personal Data is processed. Notice is delivered by email to the workspace owner and via an in-app banner. The Customer may object within the 30-day window by emailing [email protected]. If the parties cannot agree on a remedy, the Customer may terminate the Service with pro-rata refund of any prepaid fees covering the period after the objection.

6. International transfers

Some sub-processors are located outside the European Economic Area (notably US-based AI providers when AI features are enabled). For these transfers, the parties incorporate the EU Standard Contractual Clauses 2021/914 by reference, in the modules applicable to each transfer chain (Module 2 Controller to Processor, Module 3 Processor to Processor). Inviaro applies supplementary measures including encryption in transit, encryption at rest, and access controls as documented in this DPA and in our sub-processor list.

7. Inviaro's obligations

  • Process Personal Data only on documented instructions from the Customer (using the Service constitutes those instructions)
  • Ensure persons authorised to process Personal Data are bound by confidentiality
  • Implement appropriate technical and organisational measures (Section 9)
  • Assist the Customer with Data Subject Requests through the API endpoints described in Section 10
  • Notify the Customer of any Personal Data Breach without undue delay and in any event within 72 hours of becoming aware (Section 12)
  • Make available all information necessary to demonstrate compliance and allow for audits as described in Section 13
  • At the Customer's choice, delete or return all Personal Data after the end of provision of services (Section 14)

8. Customer's obligations

  • Have a lawful basis under GDPR Article 6 (and Article 9 where applicable) for the Personal Data they submit to the Service
  • Inform their end-users about the processing as required
  • Ensure connected channels are operated in compliance with the channel provider's terms (e.g. Meta Commerce Policies, Google API Services User Data Policy)
  • Configure the Service's retention and erasure features in line with the Customer's own retention obligations
  • Fulfil Data Subject Requests they receive directly, with Inviaro's assistance where requested

9. Security measures

Inviaro implements appropriate technical and organisational measures including:

  • Encryption in transit (TLS 1.2 or higher)
  • Encryption at rest for the application database, object storage, and stored credentials
  • Salted one-way password hashes; passwords never stored in plain text
  • Two-factor authentication required for staff with administrative access; access limited to a small group and audited
  • Signed session cookies and protection against cross-site request forgery
  • Workspace data isolation enforced at the application layer
  • Audit logging of administrative actions, workspace mutations, AI inference, and integration calls
  • Daily automated backups on a rolling 30-day cycle with tested restore procedures
  • Secure-coding practices, automated code review, and dependency scanning in the development pipeline

10. Data Subject Request assistance

Inviaro provides API endpoints in the Customer's workspace that allow the Customer to fulfil Data Subject Requests received from their end-users:

  • Access / portability: per-workspace data export, returning a structured archive of all conversations, contacts, and bookings
  • Erasure: per-contact erasure endpoint that cascades to all messages, attachments, calendar bookings, and widget identity records belonging to the contact, with audit-preserving redaction
  • Rectification: standard contact and conversation edit endpoints in the operator UI
  • Restriction: conversation-level flagging that pauses automated processing

Inviaro will assist with regulator queries and complex requests on a reasonable-effort basis at no additional charge for our standard plans.

11. Special Category Data (GDPR Article 9)

The Customer acknowledges that depending on the Customer's vertical (medical, dental, aesthetics, veterinary, wellness, or any other Article-9 adjacent industry), end-user messages may contain health information, biometric data, or other Special Category Data.

The Customer represents and warrants that they have an appropriate Article 9 lawful basis to process such data (typically Article 9(2)(a) explicit consent from the data subject, or 9(2)(h) provision of health or social care). Inviaro processes Special Category Data strictly as a Processor on the Customer's behalf and does not independently assume Article 9 Controller responsibility.

At workspace setup or upon vertical tagging, the Customer's authorised representative confirms this Article 9 acknowledgement in the operator UI. This acknowledgement is logged in our consent ledger with timestamp, IP, and user agent.

12. Personal Data Breach notification

Inviaro will notify the Customer without undue delay, and in any event within 72 hours of becoming aware, of any Personal Data Breach affecting the Customer's Personal Data. Notice will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to mitigate.

The Customer is responsible for notifying its own data subjects and the competent supervisory authority where required, and Inviaro will assist the Customer with information reasonably needed for that purpose. Inviaro maintains a documented internal breach-response runbook.

13. Audits

Inviaro makes available to the Customer information necessary to demonstrate compliance with this DPA. Upon reasonable written request — no more than once per calendar year, except where a Personal Data Breach has occurred — and on no less than 30 days' notice, Inviaro will respond to a documented audit questionnaire. Where the Customer has a regulatory requirement to perform on-site or third-party audit, the parties will agree on scope, cost, and confidentiality in writing.

Inviaro reserves the right to satisfy audit obligations by providing third-party certification reports (when available) or by participating in industry-standard assessment frameworks.

14. Return or deletion of data

Upon termination of the Service, the Customer can export all data via the per-workspace export endpoint for up to 30 days after the closure date. After 30 days, Inviaro deletes the Customer's Personal Data from active systems, subject to:

  • Encrypted backups continue to exist on the rolling 30-day cycle and are then automatically purged
  • Invoice records and related billing data are retained for the period required by applicable accounting and tax law
  • Audit and security records may be retained for up to 24 months for fraud and abuse defence

15. Customer's instructions

The Customer's use of the Service through its configured features constitutes the Customer's documented instructions to Inviaro. Additional instructions can be communicated to [email protected]. If Inviaro believes an instruction violates GDPR or other applicable law, Inviaro will notify the Customer and may suspend execution pending clarification.

16. Liability and limitations

The liability of each party under this DPA is subject to the limitations of liability set out in the Terms of Service. Each party's liability under this DPA shall be limited to the extent permitted by applicable law.

17. Term and termination

This DPA is effective from the date the Customer accepts it at subscription (or signature) and continues for the duration of the Service. Sections relating to retention, audit cooperation, and breach notification survive termination as required by law.

18. Governing law

This DPA is governed by the laws of the jurisdiction stated in the Inviaro Terms of Service, with mandatory EU GDPR provisions prevailing where applicable. Nothing in this DPA limits any data subject's right to lodge a complaint with their local supervisory authority.

Questions or requests for a counter-signed copy: [email protected].