Trust Centre

Here are all the things we do to help keep our
process open, fair and good.

Trust Centre Overview


Our mission is to enable and incentivise, through the development of innovative software tools, efficient access to and ethical sharing of genomic assets to advance biomedical research for the benefit of patients. Our business is based on the concept of a social enterprise. Read more about our mission to make a difference in the world here.

By standardising, indexing and curating the metadata of preclinical cancer models from contract research organisations, we’re enabling biopharma researchers to quickly and easily access the best available cancer model for their research. Driven by our mission, we have now established the world’s largest directory of preclinical cancer models by partnering with the leading contract research organisations around the world.


We are passionate about our mission, and our values are at the heart of everything that we do. Here are the ideals that we adhere to:

People first: we work to enable and incentivise efficient access and sharing of genomic data for the benefit of patients.

Ethical data sharing: we treat research data with the highest standard of care. We respect the importance of keeping model requests and model data confidential and manage your data with respect. We tell you exactly how your data will be used and who it will be shared with and will not use it for any other purpose than what we have agreed.

Open science: we support the Open Science movement and work where we can to:

  • make genomic data more accessible at all levels;
  • make genomics data and results easily citable; and
  • enable more reproducible results from genomics research.

Integrity and transparency: we value integrity of ideals and actions, and transparency in communicating our mission and goals.

Respect to privacy: we respect the individual right to privacy and advocate full adherence to patient consent and data privacy laws at all times.

Responsible data custodianship: we develop software technology and tools that enable, facilitate, and incentivise responsible data access, sharing, and collaboration.

Open source: Repositive endorses the release of software as Open Source for the research community and will strive to do this whenever practically and technically possible.

Triple Bottom Line (3 Ps): Repositive considers the impact of its decisions, not only on shareholders, but also on its employees, customers, suppliers, the community, and the environment. This approach reflects the value of a benefit corporation by considering people, planet, and profit (the 3 Ps).

We established this Trust Centre to provide you, our customers, with all of the information you need to ensure that we deliver technology and services that you can trust, and to feel confident in working with us. We are continually reviewing the position in respect of genomic data and global data processing legislation to ensure we deliver best practice.

To deliver our services, we operate the following interconnected policies:

Privacy Policy

Here’s how we protect your data and respect your privacy.

1. Our role in your privacy

Your privacy is important to us, and so is being transparent about how we collect, use, and share information about you. If you are a Repositive customer or subscriber, or are just visiting our website, this policy applies to you. Any data we collect is solely for the purposes of delivering our services to you. We do not sell your data to third parties under any circumstances.

This Privacy Policy covers the information we collect about you, how and why we use it, the storage and security of your data, and your choices and rights.

2. Types of data we collect

From the moment you interact with Repositive, we are collecting data. We collect data from anyone that browses our website, customers of Repositive, and those who sign contracts with us. Sometimes you provide us with data, other times data about you is collected automatically.

Here’s the information about you that we collect:

  • Personal data, such as: your name, email address, contact details, and password.

  • Commercial data, such as: your project-related data, including data on the commercial transactions you enter into with researchers as a result of an introduction by Repositive. All commercial data is protected by our Confidentiality Undertaking. This also includes our communications with you, such as our general emails, meeting notes, and other correspondence.

    • If you are a contract research organisation (‘CRO’), we collect: essential metadata and raw genomic data. We define essential metadata as any information that describes the model, such as the model ID, primary site, cancer subtype, tumour origin, metastasis recurrence, and model type. We define raw genomic data as any data that comes from an assay performed on the original tissue that has not been processed. This includes sequencing and/or microarray data from DNA or RNA.

    • If you are a biopharma (‘researcher’), we collect: your Cancer Model Scout (‘CMS’) enquiries.

    • Our Confidentiality Undertaking covers more about how we collect and use this data, as it is commercially sensitive and not in the public domain.
  • Technical data, such as: information collected from our cookies, including your IP address, login information, browser type, time zone, plug-ins, operating system, and how you use our website, such as your URL clickstreams, pages you’ve viewed, page response times, download errors, how long you stay on our pages, what you do on those pages, and how often you visit our website.

  • Information from other sources, such as: third-party login sites, like Twitter and LinkedIn, general aggregated anonymous data, like our third-party analytics provider, Google Analytics, and press releases.

We collect this information when you:

  • browse our website;
  • contact us with an enquiry;
  • create an account or become a member;
  • sign up to marketing communications, including emails and newsletters;
  • give consent to third-party login sites, such as Twitter and LinkedIn; and
  • consent to cookie use.

We do not collect any ‘special categories of personal data’ which reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or process any genetic or biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Any such personal data will be removed from our Platform.

We DO NOT sell your data to third parties under any circumstances.

You can choose to not provide us with personal data

At any time, you can choose to not provide us with personal data. If you choose to do this, you can still continue to browse our website and its pages.

3. How and why we use your data

We collect and process information about you only where we have a legal basis for doing so and where it is necessary.

The applicable EU data protection laws are set out in Article 6 of the GDPR. This means that we collect and use your information only where:

  • you have given us clear consent to process your personal data for a specific purpose;

  • the processing is necessary for the performance of a contract that we have entered into;

  • it is necessary for us to comply with a legal obligation, compliance or regulatory function, or disclosure in connection with any potential sale of our business; or

  • where we have a legitimate interest in processing your personal data, except where such interests are overridden by your interests, rights, and freedoms.

  • Our legitimate interests include:
    • providing our service We use information about you to provide our services to you, including to confirm your requests, process transactions with you, provide customer support, and to operate and maintain the security of our website.

    • providing listings in our inventory If you are a CRO, we may add your derived data to our Cancer Models Platform. We define ‘derived data’ as information that has been derived from analysing and processing raw genomic data.

    • improving our website We are always looking for ways to improve our services and make them more useful to you. We use your information to test features, interact with feedback platforms, and analyse how people use our website.

    • marketing and promoting our services We use your contact information and website behaviour to send promotional communications that may be of specific interest to you. We do this through email, by displaying Repositive ads on other companies’ websites and platforms like Twitter, LinkedIn, and Google. These communications are aimed at driving engagement and maximising what you get out of our services. You can opt out of receiving our emails at any time.

If you have consented to our use of your information for a specific purpose, you have the right to change your mind at any time.

4. Storage and security of your data

Repositive operates on Google Cloud servers, which use industry leading services to safeguard and secure the information we store. Some of the data centres that store our cloud-based information are located in the United States.

Under the GDPR, personal data can only be transferred outside of the EEA where there is adequate protection, meaning that the country provides an equivalent level of protection with EU law. Where your data is stored in the U.S., it is protected by the EU-US Privacy Shield, and the European Commission has determined that this framework adequately protects personal data.

Google Cloud complies with the EU-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use and retention of personal information from European Union member countries.

All data that is collected is securely transmitted to our servers in the Cloud. For more information on our efforts to ensure that your data is held in a secure manner, please see our Data Security and Compliance policy.

While we implement safeguards designed to protect your information, no security system is impenetrable and due to the inherent nature of the Internet, we cannot guarantee that data, during transmission through the Internet or while stored on our systems or otherwise in our care, is absolutely safe from intrusion by others. If you believe your privacy has been breached, please contact us immediately at

5. Cookies

We use cookies in accordance with Information Commissioner’s Office guidelines to analyse how you use our website, test new features and make improvements, and provide functionality. Some cookies delete themselves immediately, while others do not delete themselves so that we can recognise you when you return to our website. For more information, please see our Cookie Policy.

You can choose to turn off our collection of cookies

If you’ve opted in to our use of optional cookies, you can opt out at any time. Please note that any cookies that have been already saved by your browser would have to be removed in accordance with the instructions provided by the provider of your web browser. Alternatively, some browsers may offer functionality that allows you to block cookies altogether. Please refer to the help section of your browser for more information.

6. Your privacy rights

Right to access information we hold about you You have the right to ask us for supplementary information about:

  • the categories of data we’re processing,
  • the purposes of data processing,
  • the categories of third parties to whom the data may be disclosed,
  • how long your data will be stored, and
  • your other rights regarding our use of your data

We will provide you with the information within one month of your request, unless doing so would adversely affect the rights and freedoms of others (e.g. another person’s confidentiality or intellectual property rights). We’ll tell you if we can’t meet your request for that reason.

Right to have personal data rectified

You have the right to have us rectify any personal data held by us that is inaccurate or incomplete.

Right to be ‘forgotten’ by us

You have the right to ask us to erase any personal data we hold about you if it is no longer necessary for us to hold that data. However, we may have a legal obligation to track the processing of personal data on our platform and to maintain a record of this use to establish or defend legal claims.

Right to lodge a complaint regarding our use of your data

You have the right to complain, but please tell us first so that we have a chance to address your concerns. If we fail in this, you can address any complaint to the UK Information Commissioner’s Office, either by calling their helpline or as directed on their website at

You can exercise your rights as described by sending us an email at

7. Confidentiality

Please see our Confidentiality Undertaking for more information on how we treat your information.

If you have any concerns about your privacy at Repositive, please email us at or write to us at Repositive Limited, Betjeman House, 104 Hills Road, Cambridge CB2 1LQ, UK.

Confidentiality Undertaking

Repositive recognise the fundamental importance of keeping your research and commercial interests confidential. From our first commercial interaction, we will treat any and all information provided by you as confidential in accordance with the undertakings laid out below. We expect that you will want us to enter into a confidentiality disclosure agreement (‘CDA’) on your own specific terms before we work together and we are happy to do so; our contracts are designed to allow this CDA to govern the confidentiality requirements between us going forward.

Here’s what we define as confidential, and how we treat such information, in the absence of or until we have a specific CDA in place with you.

What is ‘confidential information’

‘Confidential information’ is any information which has been disclosed by either of us, regardless of form. Our definition includes, but is not limited to:

  • non-public information provided from one party to the other;
  • information relating to one another’s business, technology, products, operations, systems, and processes;
  • research and development activities;
  • methods, know-how, inventions, trade secrets, or other intellectual property;
  • business plans, strategies, or financial information; and
  • vendors, buyers, or customer lists, whether current, former, or prospective.

Specifically, if you are a:

  • Contract research organisation (‘CRO’): this includes all data provided on your models and all commercial information including marketing materials, pricing and contracts.
  • Biopharma researcher: this includes your search criteria or model requirements, and any information or data on the research project you are undertaking.

Your search terms will only be shared on a need to know basis and to the minimum extent necessary. If there are any model requirements that you do not want us to share with our CRO partners or other CROs during this search, you will have the opportunity to specify this on the Cancer Model Scout Order Form

Confidential information does not include information which:

  • is available to the public;
  • is already known to either of us;
  • has been independently obtained; or
  • we’ve agreed is not confidential and may be disclosed.

How we treat your confidential information

We agree to keep your confidential information just that – confidential. We will not disclose your information to any third party, use it in competition with you, or use it for our own business advantage.

We agree to treat your confidential information with exactly the same level of care that we use to protect our own. Unless we have your written consent, we will not use your information for any other purpose than what we have agreed in a contract with you.

Sometimes, we may need to disclose your confidential information to our “representatives” – our directors, officers, employees, suppliers, legal advisers, auditors, and contractors. If we do so, your information will be disclosed only on a need to know basis and to the minimum extent necessary. All such representatives are subject to a duty of confidentiality, and we train our people in how to handle confidential information and design our business processes appropriately.

In case our business is sold, your personal data will transfer to the new owner. Any successor will have an obligation to continue to use your personal data in accordance with this Confidentiality Undertaking and with our Privacy Policy

Ownership of confidential information

You will always remain the owner of your confidential information. Nothing in our commercial relationship is intended to grant us any rights to or license of your confidential information.

Unauthorized use

If we become aware of any unauthorised use or disclosure of your confidential information, we will notify you immediately and take all reasonable steps to protect the information from further unauthorised use or disclosure.

Return or destruction of confidential information

  • If you so choose, we will, to the extent that it is commercially reasonable: return your confidential information and any copies supplied to us;
  • destroy or permanently erase all copies made by us, and ensure that anyone who has received your information destroys or permanently erases such copies; and
  • confirm in writing that we have complied with this commitment.

Legal proceedings

If we are required by law to disclose your confidential information to a third party, we will notify you immediately. We will disclose your information only to the extent that it is legally required, and we will not prevent any protective order or other remedy.


This Undertaking is effective from our first commercial interaction with you and shall continue until being replaced by a CDA between us or if not so replaced, it shall expire 5 years from date of our last interaction.

Equitable relief

We recognise that if there is a breach of this Confidentiality Undertaking, monetary damages may not be adequate to remedy such a breach. As a result, you may seek injunctive relief or other equitable relief as a remedy of any breach of this undertaking. Such remedy may be in addition to all other remedies, including money damages, available to you under English law.

Data Storage & Compliance

Data Security and Compliance

Last updated: 31 July 2019

We believe that it is our responsibility to provide end-to-end security over all the data we hold. From our first commercial interaction, all of your information is treated as confidential and stored safely. Please see our Confidentiality Undertaking for more information.

1. Storage of your data

We have partnered with a number of third parties to help us run our Platform and provide our services. We partner with third parties who we believe are the best in their field at what they do. Sometimes it is necessary for us to share your data with these third parties in order to get these services to work well. Your data is shared only when strictly necessary and according to the safeguards and best practices detailed in our Privacy Policy.

Here's an overview of the three inter-connected systems that we use to help deliver our services to you:

  1. Our website

Our website is hosted on Google Cloud. Any personal data that you submit to us is encrypted and transmitted securely across the server. Please see the information under the 'Security' heading below or Google Cloud's security policy for more information.

  1. Our Cancer Models Platform ('CMP')

The CMP is our proprietary technology that enables researchers to find the best cancer models from an inventory provided by contract research organisations ("CROs") across the globe. The CMP comprises public facing views for researchers, private access for CROs and back office functionality for internal use. The CMP is also hosted on Google Cloud and covered by its security policy. All processing and storing of your data is conducted on the same secured network.

If you are a CRO, your:

  • metadata is stored in SQL in our database on Google Cloud; and

  • raw genomic data is received through SFTP, and automatically moved to Google Cloud.

For more information, please follow the links to Google Cloud's privacy policy, data processing terms and compliance page.

  1. Our office administrative systems

Repositive uses industry leading third-party services within its business and to provide its services. A key criteria in selecting these systems is ensuring that they meet best practice security requirements. Below is an outline of the key systems that we use, with hyperlinks to their privacy policies.

  • Microsoft Office 365: including Microsoft Outlook and Microsoft Sharepoint to manage our general business administration

  • Freshworks: to manage our sales pipeline, store customer contact information and raise invoices

  • GetAccept: to manage all of our contract workflows efficiently

  • GitHub: to develop our software, store our code, and collaborate with other developers

  • Atlassian: we use Jira to plan, track, and release our software, and Confluence to organise our work, plan projects, and discuss business with vendors

  • LastPass: password management and security
  • Xero: Financial accounting and reporting

We understand the importance of being conscious of the way we conduct our internal day-to-day operations. Our office is access-controlled, and all computers are password-protected and require user authentication to access the systems. Access to customer data stored within applications is restricted on a 'need to know' basis. Awareness training is provided to our representatives during the on-boarding process, which covers the importance of and best practices for handling customer data.

2. Security

Repositive's core systems, its website and CMP, operates on Google Cloud servers. By running our platform on industry-leading cloud infrastructure, we benefit from the broad spectrum of the robust security measures which provide a high degree of protection, and built-in compliance with strict international standards.

The Google Cloud Platform undergoes SOC1, SOC2, and SOC3 audits by the American Institute of Certified Public Accountants (AICPA) and certification for ISO/IEC 27001, 27017, and 27018. This means that an independent auditor has examined the controls protecting the data in the Google Cloud Platform (including logical security, privacy, and data centre security), and assured that these controls are in place and operating effectively.

Data transferred to and stored in Google Cloud is encrypted at several levels.Google forces HTTPS (Hypertext Transfer Protocol Secure) for all transmissions between users and 'G Suite' services, and uses Perfect Forward Secrecy (PFS) for all its services. This protects it from unauthorised disclosure or modification.

Google encrypts data both while in transmission and while at rest. It uses 256-bit Transport Layer Security (TLS) and utilizes 2048 RSA encryption keys for the validation and key exchange phases. This protects message communications when client users send and receive emails with external parties also using TLS. Data encryption at rest helps guard against unauthorised access and ensures that data can only be accessed by authorised roles and services with audited access to the encryption keys.

Google Cloud runs around the clock to ensure operations by protecting against power outage, physical intrusion and network outage. These data centres conform to recognised industry standards of physical security and reliability.

3. How long we store information

We store personal data for no longer than is necessary. We may retain your personal information as long as you continue to use our services, have an account with us, or for as long as is necessary to fulfil the purposes outlined in our Privacy Policy. When we no longer need your personal data, we will either delete it, or anonymise it by removing all identifying information and keep it for statistical purposes only.

Even after our commercial relationship has ended, some personal data may be stored for longer periods as permitted under the GDPR, or as required under applicable laws for legal, tax or regulatory reasons, or for legitimate and lawful business purposes. This enables us to deal with any issues or concerns you may have about the services or your account, and also to allow us to bring and defend legal proceedings if necessary.

By law, we cannot hold your personal data for more than 6 years after the closure of your account with us.

As outlined in our Privacy Policy, you have the right to ask us to erase or delete your personal data where there is no reason for us to continue to process your personal data. This right would apply if we no longer need to use your personal data to provide services to you, where you withdraw your consent for us to process your personal data, or where you object to the way we process your personal data.

4. Compliance with data protection laws

The EU data protection regime

The European Union has taken a comprehensive approach to the protection of personal data. Repositive stands ready to ensure our clients can use our platform in full compliance with data protection laws.

The foundation of the EU data protection regime is the General Data Protection Regulation (GDPR), which lays out a detailed set of obligations intended to unify the data protection laws of European countries and reinforce commitments to European data privacy. It has modernised the protection of personal data in response to an evolving technology landscape, increased globalisation, and complex international data flows. It strengthens the rights of citizens with increased control over their personal information, while holding the companies they interact with accountable for transparency, fairness, and accuracy in how they collect, store, use, and protect personal data.

Key roles under the GDPR

Under the GDPR, Repositive operates both as a Data Processor and a Data Controller dependent on the specific service:

As Data Processor :

  • Repositive only processes the data as per the Controller's instructions –this means that we only process genomic data at the direction of our clients

As Data Controller :

  • Repositive decides what personal data is collected, as well as the purposes and means of processing such data. Our Privacy Policy outlines the information we collect, what we do with it, and the legal bases for processing it
  • We employ the same security and organisational measures that we employ in the services of our clients

Detailed provisions on our responsibilities as a Data Processor and Data Controller are incorporated in the appropriate contracts you will enter into with us.

For more information on our views of the status of the genomic data we hold under GDPR, please see our White Paper.

Website Terms of Use


These Terms of Use ("terms") describe our commitments to you, and your rights and responsibilities when using our website, These terms apply whether you are a registered customer or a guest using our website.

By using our website, you agree with these terms and agree to comply with them. If you do not agree, please do not use our website.

Information about us

In these terms, "we" and "us" refer to Repositive Limited. We are a limited company, registered in England and Wales under company number 08820538 and our VAT number is 184453100.

Our registered address is Betjeman House, 104 Hills Road, Cambridge, CB2 1LQ, United Kingdom.

You can contact us by email at or telephoning us at +44 (0) 1223 781 455.

Privacy policy

Your privacy is very important to us and we will always act to protect your information. Please see our Privacy Policy for more information on how we protect your data. By agreeing to these terms, you will be deemed to have read, understood, and agreed to our Privacy Policy in its whole.

Your account and password

If you create an account with us, it is your responsibility to maintain the confidentiality of your password and account and all activities that take place under your password or account.

If you believe that there has been a security breach or misuse of your password or account, please let us know immediately.

Repositive is not responsible for any unauthorised use of your account, unless it is our fault.

Your use of our website

Our website is made available free of charge.

You may only use our website for lawful purposes and must not use it in a way that violates the rights of any third party.

Intellectual property rights

The intellectual property rights contained within our website are owned by or licensed to us and unless authorised, the use or misuse of them is forbidden.

In return for your acceptance of these terms, we grant you a non-exclusive, on-going license to use our website on any device(s) that you control.

Linking to our website

You may link to our home page, provided you do so in a way that is fair and legal and does not damage our reputation or take advantage of it.

Changes to these terms of use

We may revise these terms at any time to reflect changes in/to:

  • relevant laws or regulatory requirements;
  • security, technical or operational issues; and/or
  • the website's functionality or features.

Please check back periodically to take notice of any changes that we have made. If you have any questions, please contact us at

Disclaimer/limitation of liability

Your use of this website is at your own discretion. Repositive (i) makes no warranties or representations about this website or any of the content; (ii) accepts no responsibility for any loss suffered by you or anyone else in connection with the use of this website or content and; (iii) does not guarantee that this website will not cause damage or is free from viruses or any other defects or errors.

We will not be held responsible or liable for any direct or indirect loss or damages caused or alleged to have been caused by your use of or reliance on any content or services available on an external website.

Contact us

If you have any questions, comments, or concerns, you can contact us at any time at We will get back to you as soon as possible.

More information about our website can be found in our Privacy Policy, Confidentiality Undertaking, Data Security and Compliance, and Cookie Policy.

Service Support Policy


In order to provide optimal first level support service to all, queries must be received by email to


The Repositive Support Desk will provide the following support, based on a first level problem determination where:

  1. All issues will be recorded;
  2. User will be notified of issue receipt;
  3. Issues will be resolved or assigned to the appropriate specialist;
  4. Issues will be monitored;
  5. Users will be notified of commitment times and any problems that occur in meeting the established commitment;
  6. Problem resolution will be documented and available in report status.


Services will be provided between the hours of 9:00 a.m. and 5:00 p.m. (UK time), Monday through Friday, except holidays. During this period the Support Desk will be staffed.

Response Time

First level problem determination will be assigned using the following criteria:

  1. Number of customers affected
  2. Effect on business mission
  3. Context of problem
  4. Deadlines
  5. Estimated solution time
  6. Application involved
  7. Frequency of problem
  8. Customer's sense of priority
  9. Customer's commitment level
  10. Availability of workaround
  11. Threat to data integrity or computer security

The following system will be used internally to prioritize calls and to give a response time commitment:

  • Critical - Immediate response: System Down

  • Urgent - Response within 2 hours: Business outage or significant customer impact that threatens future productivity.

  • Essential - Response within 4 hours: High-impact problem where production is proceeding, but in a significantly impaired fashion; there is a time-sensitive issue important to long term productivity that is not causing an immediate work stoppage; or there is significant customer concern.

  • Important - Response within 2 days: Important issue that does not have significant current productivity impact.

  • Monitor - Response within 5 days: Issue requiring no further action beyond monitoring for follow-up, if needed.

  • Informational - Response within 10 days: Request for information only.


The Customer will assign an internal liaison who is the technical point of contact between the Customer and Repositive. The liaison will also assist Repositive in the maintaining of correct data base information. To facilitate this, the liaison will inform the Repositive of any changes of staff (i.e. replacements).

Cookies on our website

We use cookie to improve your user experience. If you’d like to know more, please refer to our cookies policy page.

Cookies on our website

We use cookie to improve your user experience. If you’d like to know more, please refer to our cookies policy page.