Data Processing Addendum
This Data Processing Addendum (“DPA”) governs Customer Personal Data that you share with Portal AI Inc. (“Portal AI”, “us”, “we”). This DPA supplements and incorporates the Portal AI Terms of Service (“Terms”) and governs in case of any conflict. Terms defined in those Terms have the same meaning here. Regardless of whether the Terms or other applicable agreement has terminated or expired, this DPA will remain in effect until, and automatically expire when, Portal AI deletes all Personal Data as described in this DPA.
Business Personal Data
The Portal AI Privacy Policy provides information on how we process Business Personal Data.
Customer Personal Data
In connection with the Customer Personal Data, you are the person that determines the purposes and means for which data is processed (the “Data Controller”), whereas Portal AI processes Customer Personal Data in accordance with your instructions and on your behalf (as a “Data Processor”). The terms “personal data,” “data subject,” “processing,” “data controller,” and “data processor” as used in this DPA have the meanings given by applicable privacy law or, absent any such meaning or law, by the European Union General Data Protection Regulation. Portal AI will process Customer Personal Data as your data processor only in accordance with your instructions as set out in the Terms and this DPA.
Portal AI’s Obligations
As a data processor, Portal AI agrees to process Customer Personal Data only for (a) the purpose of providing, operating, developing, updating, and improving our Service (including to provide insights, reporting, analytics, customer support, personalization, recommendations, and customization, and to keep the Service safe and secure); (b) in compliance with your written instructions including this DPA; and (c) consistent with a data processor’s privacy obligations under applicable data privacy laws.
Portal AI will (a) promptly inform you if we discover that we cannot comply with the requirements of this DPA; (b) promptly inform you if, in our opinion, your instruction violates applicable data privacy laws; and (c) require our employees and others working on our behalf to agree to a confidentiality agreement with respect to Customer Personal Data and to comply with the data protection obligations that apply to us under the Terms and this DPA.
Portal AI will use only Sub-processors listed at Sub-processors (each a “Sub-processor”), as updated from time to time, to help us satisfy our obligations in accordance with this DPA or to delegate all or part of the processing activities to such Sub-processors. You hereby consent to the use of such Sub-processors. We will notify you of additions to this Sub-processor list at least 15 days before we allow the new Sub-processor to process Customer Personal Data. If you do not wish to consent to the use of the new Sub-processor, you may notify us within 15 days that you object and the reasonable grounds for your objection. If you object, you agree that we may choose one of the following solutions: (a) we will cancel our plans to use the Sub-processor with regard to processing Customer Personal Data or will offer an alternative to provide our Service without such Sub-processor; (b) we will take any corrective steps you request in your objection notice and proceed to use the Sub-processor; or (c) we may cease to provide the particular aspect or feature of our Service that would involve the use of such Sub-processor. If none of the above options are commercially feasible, in our reasonable judgment, and any objection has not been resolved to our mutual satisfaction within 30 days of our receipt of your objection, then either party may terminate any subscriptions, order forms or usage regarding the Service that cannot be provided without the use of the new Sub-processor for cause and in such case, you will be refunded any pre-paid fees for the applicable subscriptions, order forms or usage to the extent they cover periods or terms following the date of such termination. Such termination right is your sole and exclusive remedy if you object to any new Sub-processor. We will enter into contractual arrangements with each Sub-processor binding them to provide a comparable level of data protection and information security to that provided for herein.
Subject to the limitations of liability included in the Terms, we agree to be liable for the acts and omissions of our Sub-processors to the same extent we would be liable under the terms of this DPA if we performed such acts or omissions ourselves.
Upon reasonable request no more than once per year, we will provide you with our privacy and security policies and other such information necessary to demonstrate compliance with the obligations set forth in this DPA and applicable data protection laws.
Where required by law and upon reasonable notice and appropriate confidentiality agreements, Portal AI will cooperate with assessments, audits, or other steps performed by or on your behalf at your sole expense and in a manner that is minimally disruptive to our business, and only as necessary to confirm that we are processing Customer Personal Data in a manner consistent with this DPA. Where permitted by law, we may instead make available to you a summary of the results of a third-party audit or certification reports relevant to our compliance with this DPA. Such results, and/or the results of any such assessments, audits, or other steps shall be the Confidential Information of Portal AI.
Where the Customer Personal Data is subject to the California Consumer Privacy Act (“CCPA”), Portal AI will not retain, use, disclose, or otherwise process Customer Personal Data except as necessary for the business purposes specified in the Terms or this DPA. Nor will Portal AI retain, use, disclose, or otherwise process Customer Personal Data in any manner outside of the direct business relationship between you and us. Nor will we combine any Customer Personal Data with Personal Data that we receive from or on behalf of any other third party, provided that Portal AI may so combine Customer Personal Data for a purpose permitted under the CCPA if you direct us to do so or as otherwise permitted by the CCPA. We do not compensate you in any form in exchange for Customer Personal Data, do not “sell” data as defined by the CCPA, or other privacy laws in the United States, and do not “share” data as defined under the CCPA.
Where required by law, Portal AI grants you the rights to: (a) take reasonable and appropriate steps to ensure that Portal AI uses Customer Personal Data in a manner consistent with applicable data privacy laws by exercising the audit provisions set forth in this DPA; and (b) stop and remediate unauthorized use of Customer Personal Data, for example by requesting that Portal AI provide written confirmation that applicable Customer Personal Data has been deleted.
Portal AI will inform you if we become aware of: (a) any legally binding request for disclosure of Customer Personal Data by a law enforcement authority, unless we are otherwise forbidden by law to inform you, for example to preserve the confidentiality of an investigation by law enforcement authorities; or (b) any notice, inquiry or investigation by an independent public authority established by a member state pursuant to Article 51 of the GDPR (a “Supervisory Authority”) with respect to Customer Personal Data.
Assistance to You
Portal AI will provide reasonable assistance to you regarding: (a) information necessary, taking into account the nature of the processing, to respond to requests received pursuant to applicable data privacy laws from your data subjects in respect of access to or the rectification, erasure, restriction, portability, objection, blocking or deletion of Customer Personal Data that Portal AI processes for you. In the event that a data subject sends a complaint or request directly to us, and we are able to identify you as the data controller, we will promptly send you this request. We will not respond to any such request without your prior written authorization; (b) the investigation of any breach of Portal AI’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to Customer Personal Data processed by Portal AI for you; and (c) where appropriate, the preparation of data protection impact assessments with respect to the processing of Customer Personal Data by Portal AI and, where necessary, carrying out consultations with any supervisory authority with jurisdiction over such processing.
Your Obligations
You represent, warrant, and covenant that you have and shall maintain throughout the term all necessary rights, consents, and authorizations to provide the Customer Personal Data to Portal AI and to authorize Portal AI to use, disclose, retain and otherwise process Customer Personal Data as contemplated by this DPA, the Terms and/or other processing instructions provided to Portal AI.
You shall comply with all applicable data privacy laws.
You shall reasonably cooperate with Portal AI to assist us in performing any of our obligations regarding any requests from your data subjects.
Without prejudice to Portal AI’s security obligations in this DPA, you acknowledge and agree that you, rather than Portal AI, are responsible for certain configurations, integrations, and design decisions for the Service and that you, and not Portal AI, are responsible for implementing those configurations, integrations, and design decisions in a secure manner that complies with applicable data privacy laws.
You shall not provide Customer Personal Data to Portal AI except through agreed mechanisms. For example, you shall not transfer Customer Personal Data to Portal AI by email. Without limitation to the foregoing, you represent, warrant and covenant that you shall only transfer Customer Personal Data to Portal AI using secure, reasonable and appropriate mechanisms, including mechanisms to facilitate the data transfer to us from those platforms of your choice to the extent such mechanisms are within your choice or control.
You shall not take any action that would: (a) render the provision of Customer Personal Data to Portal AI a “sale” under U.S. Privacy Laws or “sharing” under the CCPA (or equivalent concepts under U.S. Privacy Laws), or (b) render Portal AI not a “service provider” under the CCPA or “processor” under U.S. Privacy Laws or applicable laws.
Required Processing
If we are required by applicable data privacy laws to process any Customer Personal Data for a reason other than in connection with the Terms, we will inform you of this requirement in advance of any such processing, unless legally prohibited.
Security
Portal AI takes the security of your Customer Personal Data seriously. We will: (a) maintain reasonable and appropriate organizational and technical security measures, including but not limited to those measures described in Appendix A to this DPA (including with respect to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, incident response, and encryption) to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of Customer Personal Data and to protect the rights of the subjects of that Customer Personal Data; (b) take appropriate steps to confirm that Portal AI personnel are protecting the security, privacy and confidentiality of Customer Personal Data consistent with the requirements of this DPA; and (c) notify you of any Personal Data breach by Portal AI, our Sub-processors, or any other third parties acting on Portal AI’s behalf without undue delay after Portal AI becomes aware of such Personal Data breach.
International Data Transfers
To the extent that you are a data controller and transfer Customer Personal Data originating in the EEA, Switzerland, or the UK to us, we will process Customer Personal Data in accordance with Module Two (Controller to Processor) of the EU Standard Contractual Clauses (“EU SCCs”), as amended by the UK addendum to the EU SCCs where applicable. You must complete Module Two of the EU SCCs and return it to us at [email protected], if applicable.
To the extent that you are a data processor and transfer Customer Personal Data originating in the EEA, Switzerland, or the UK to us, we will process Customer Personal Data in accordance with Module Three (Processor to Processor) of the EU SCCs, as amended by the UK addendum to the EU SCCs where applicable. You must complete Module Three of the EU SCCs and return it to us at [email protected], if applicable.
Supplemental terms for data transfers subject to Swiss privacy law are provided in Annex IV to the EU SCCs, while the UK addendum is provided in Annex V.
Data Return and Deletion
Portal AI will retain Customer Personal Data for a maximum of thirty (30) days after termination of the Terms after which Customer Personal Data will be deleted, except where Portal AI is required to retain copies under applicable laws, in which case Portal AI will isolate and protect that Customer Personal Data from any further processing except to the extent required by applicable laws. On the termination of the Terms, Portal AI will direct each Sub-processor to delete the Customer Personal Data within thirty (30) days of the termination of the Terms, unless prohibited by law.
Third-Party Beneficiaries
Except as required by law, and only to the extent required thereunder, no provision of the Terms or this DPA shall give rise to any third-party right or cause of action, contractual or otherwise, and the Terms and this DPA do not create any intended third-party beneficiaries.
APPENDIX A
As from the date on which you accepted this DPA, Portal AI will implement and maintain the security measures described in this Appendix A.
- Organization of Information Security. Portal AI has personnel responsible for oversight of security of the Service.
- Physical and Environmental Security. Portal AI utilizes best-in-class cloud storage solutions that implement controls designed to provide reasonable assurance that physical access to data centers is limited to authorized persons and that environmental controls are established to detect, prevent, and control destruction due to environmental hazards. The controls include:
  - Logging and auditing of physical access to the data center by employees and contractors;
  - Camera surveillance systems at the data center;
  - Systems that monitor and control the temperature and humidity for the computer equipment at the data center;
  - Power supply and backup generators at the data center; and
  - Procedures for secure deletion and disposal of data, subject to the DPA and Privacy Policy.
- Personnel
  - Training. Portal AI will ensure that all personnel with access to Customer Personal Data undergo security training.
  - Screening. Portal AI will have a process for verifying the identity of the personnel with access to Customer Personal Data.
  - Personnel Security Breach. Portal AI will take disciplinary action in the event of unauthorized access to Customer Personal Data by Portal AI personnel, including, where legally permissible, punishments up to and including termination.
- Security Testing. Portal AI will perform regular security and vulnerability testing to assess whether key controls are implemented properly and are effective.
- Access Control.
  - Password Management. Portal AI has established and will maintain procedures for password management for its personnel, designed to ensure passwords are personal to each individual, and inaccessible to unauthorized persons, including at minimum:
    - Password provisioning, including procedures designed to verify the identity of the user prior to a new, replacement, or temporary password;
    - Cryptographically protecting passwords when stored in computer systems or in transit over the network;
    - Altering default passwords from vendors;
    - Strong passwords relative to their intended use; and
    - Education on good password practices.
  - Access Management. Portal AI will also control and monitor its personnel’s access to its systems using the following:
    - Established procedures for changing and revoking access rights and user IDs, without undue delay;
    - Established procedures for reporting and revoking compromised access credentials (passwords, tokens etc.);
    - Maintaining appropriate security logs including where applicable with userid and timestamp;
    - Synchronizing clocks with NTP; and
    - Logging the following minimum user access management events:
      - Authorization changes;
      - Failed and successful authentication and access attempts; and
      - Read and write operations.
- Communications Security
  - Network Security
    - Portal AI will employ technology that is consistent with industry standards for network segregation.
    - Remote network access to Portal AI systems will require encrypted communication via secured protocols and use of multi-factor authentication.
  - Protection of Customer Personal Data in Transit
    - Portal AI will enforce use of appropriate protocols designed to protect the confidentiality of Customer Personal Data in transit over public networks.
- Vulnerability Management. Portal AI has instituted and will maintain a vulnerability management program covering the Service that includes definitions of roles and responsibilities for vulnerability monitoring, vulnerability risk assessment, and patch deployment.
- Security Incident Management
  - Security Incident Response. Portal AI will maintain a security incident response plan for monitoring, detecting, and handling possible security incidents affecting Customer Personal Data. The security incident response plan at least includes definitions of roles and responsibility, communication, and post-mortem reviews, including root cause analysis and remediation plans.
  - Monitoring. Portal AI will monitor for any security breaches and malicious activity affecting Customer Personal Data.
Portal AI may update these Data Security Terms from time to time to reflect evolving security standards.