Data Processing Agreement

Last updated March 27, 2026. This agreement governs how Portlo processes personal data on your behalf in compliance with the GDPR and other applicable data protection laws.

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Portlo Terms of Service between Portlo ("Processor," "we," "us") and you ("Controller," "you"), and governs the processing of personal data by Portlo on your behalf when you use the Service. This DPA applies where you, as a freelancer or service business using Portlo, act as a data controller and Portlo acts as a data processor in respect of personal data relating to your clients and portal visitors. By using the Service, you agree to this DPA. If the EU General Data Protection Regulation (GDPR), UK GDPR, or similar data protection laws apply to your processing of personal data through Portlo, this DPA ensures compliance with Article 28 of the GDPR.

2. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person processed through the Service on your behalf.

"Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, erasure, or destruction.

"Data Subject" means the individual to whom the Personal Data relates (e.g., your clients or portal visitors).

"Sub-processor" means a third-party service provider engaged by Portlo to process Personal Data on your behalf.

"Data Protection Laws" means the GDPR (Regulation (EU) 2016/679), the UK GDPR, and any other applicable data protection legislation.

3. Scope and purpose of processing

Portlo processes Personal Data on your behalf solely to provide the Service as described in the Terms of Service. This includes:

Categories of Data Subjects: Your clients, portal visitors, and contract/proposal signatories.

Categories of Personal Data processed:
- Client names and email addresses
- Company names and phone numbers (if provided)
- Files and documents uploaded to portals
- Invoice details (amounts, descriptions, payment status)
- Proposal and contract content
- Electronic signature data (name, signature image, IP address, timestamp)
- Portal access data (email, OTP verification, IP address if logging enabled)
- Messages exchanged through portal messaging

Nature and purpose of processing: Hosting and delivering portal content, processing payments, sending transactional emails, managing authentication and access control, and maintaining activity logs.

Duration of processing: For the duration of your use of the Service, plus any retention period specified in the Privacy Policy.

4. Controller obligations

As the Controller, you are responsible for:
- Ensuring you have a lawful basis for collecting and sharing your clients' Personal Data through Portlo
- Providing appropriate privacy notices to your clients about how their data is processed
- Ensuring you have the right to upload any content containing Personal Data
- Responding to Data Subject requests from your clients (with our assistance as described below)
- Ensuring that your instructions to Portlo comply with Data Protection Laws
- Configuring portal security settings (access mode, PIN, email verification) appropriately for the sensitivity of the data

5. Processor obligations

Portlo shall:
- Process Personal Data only on your documented instructions, unless required by applicable law (in which case, we will inform you unless prohibited by law)
- Ensure that persons authorized to process Personal Data have committed to confidentiality
- Implement appropriate technical and organizational security measures as described in Section 7
- Assist you, taking into account the nature of processing, in responding to Data Subject requests
- Assist you in ensuring compliance with data breach notification obligations
- Make available all information necessary to demonstrate compliance with this DPA and allow for audits as described in Section 9
- Delete or return Personal Data upon termination of the Service, at your choice, unless retention is required by applicable law
- Inform you if, in our opinion, an instruction from you infringes Data Protection Laws

6. Sub-processors

You provide general authorization for Portlo to engage Sub-processors to assist in providing the Service. Our current Sub-processors are:

Firebase (Google Cloud Platform): Authentication, database (Firestore), and file storage (Cloud Storage). Processing location: United States.

Stripe: Payment processing for subscriptions and client invoice payments. Processing location: United States, with global infrastructure.

Resend / SendGrid: Transactional email delivery (OTP verification, payment notifications, invitations). Processing location: United States.

PostHog: Product analytics (configured for identified users only, not anonymous tracking). Processing location: United States / EU (depending on instance).

We will notify you of any intended changes to Sub-processors at least 30 days in advance via email or through the Service. If you object to a new Sub-processor on reasonable data protection grounds, you may notify us within 14 days, and we will work with you to find a resolution. If no resolution can be reached, you may terminate the affected services. We ensure that each Sub-processor is bound by data protection obligations no less protective than those in this DPA.

7. Security measures

Portlo implements appropriate technical and organizational measures to protect Personal Data, including:

Encryption: All data in transit is encrypted using TLS. Data at rest is encrypted by our infrastructure providers (Firebase/Google Cloud).

Access control: Portal data is scoped to authenticated users. Client portal access is controlled through unique links, PIN protection, or email verification with hashed OTP codes (SHA-256).

Authentication: User accounts are secured through Firebase Authentication with support for email/password and OAuth (Google). Sensitive tokens are never stored in plaintext.

Infrastructure security: The Service runs on managed cloud infrastructure (Google Cloud / Firebase) with built-in security controls, automatic patching, and redundancy.

Payment security: All payment card data is handled exclusively by Stripe, which is PCI DSS Level 1 certified. Portlo never stores, processes, or transmits raw card numbers.

Employee access: Access to production systems is limited to authorized personnel on a need-to-know basis.

We regularly review and update our security measures to address evolving threats.

8. Data breach notification

In the event of a Personal Data breach, Portlo will:
- Notify you without undue delay, and in any event within 72 hours of becoming aware of the breach
- Provide sufficient information for you to meet your own breach notification obligations under Data Protection Laws
- Include in the notification: the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach
- Cooperate with you and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach
- Document the breach and maintain records of all facts, effects, and remedial actions taken

Notification of a breach shall be sent to the email address associated with your Portlo account.

9. Audits and compliance

Upon reasonable request and subject to reasonable confidentiality obligations, Portlo will:
- Make available information necessary to demonstrate compliance with this DPA
- Allow for and contribute to audits, including inspections, conducted by you or a third-party auditor mandated by you (at your cost)
- Respond to reasonable written questions about our data processing practices

Audit requests must be made with at least 30 days' written notice and shall be conducted during normal business hours in a manner that minimizes disruption to our operations. Audits shall not exceed one per year unless required by a supervisory authority or triggered by a data breach.

10. International data transfers

Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA) and the United Kingdom, including the United States, where our Sub-processors operate. For transfers from the EEA/UK to countries not covered by an adequacy decision, we rely on:
- Standard Contractual Clauses (SCCs) as approved by the European Commission (Commission Implementing Decision (EU) 2021/914)
- The UK International Data Transfer Addendum where applicable
- Additional safeguards including encryption and access controls

Where the EU-US Data Privacy Framework applies to a Sub-processor, such certification may serve as an additional transfer mechanism. You may request copies of the applicable transfer mechanisms by contacting legal@portlo.io.

11. Data Subject requests

If we receive a request directly from a Data Subject (your client) regarding their Personal Data processed through your portals, we will:
- Promptly notify you of the request (unless prohibited by law)
- Not respond to the request directly unless authorized by you or required by law
- Provide you with reasonable assistance to fulfill the request

You remain responsible for responding to Data Subject requests within the timeframes required by applicable Data Protection Laws (generally 30 days under the GDPR).

12. Data retention and deletion

Upon termination of your account or the Service:
- You may request deletion of all Personal Data processed on your behalf
- We will delete Personal Data within 30 days of your request, unless retention is required by applicable law (e.g., payment records for tax compliance)
- Backup copies will be deleted in accordance with our standard backup rotation schedule (within 90 days)
- We will confirm deletion upon your request

During the term of the Service, you may delete individual portals, files, invoices, and other content through the platform's interface.

13. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service. Nothing in this DPA limits either party's liability to Data Subjects under applicable Data Protection Laws.

14. Term and termination

This DPA takes effect when you start using the Service and remains in effect for as long as Portlo processes Personal Data on your behalf. The obligations in this DPA survive termination to the extent necessary to complete the deletion or return of Personal Data.

15. Changes to this DPA

We may update this DPA to reflect changes in our processing activities, Sub-processors, or applicable law. Material changes will be communicated via email or through the Service at least 30 days before they take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated DPA.

16. Contact

For questions about this DPA or to exercise any rights under it, contact us at:

Email: legal@portlo.io