Data Processing Addendum
Processor obligations, subprocessors, security controls, and data-return commitments for customer data.
Last updated: February 23, 2026
1. Roles
Customer acts as Data Controller and PortaliaFlow acts as Data Processor for personal data processed within customer workspaces.
2. Processing scope
Processing is limited to providing the contracted platform, account support, security operations, and related service administration.
3. Documented instructions
PortaliaFlow processes personal data only on documented customer instructions, unless required otherwise by applicable law.
4. Technical and organizational measures
Measures include encryption in transit, access controls, logging, secure backups, vulnerability management, and least-privilege administration.
5. Subprocessors
PortaliaFlow may engage vetted subprocessors for hosting, payments, and email delivery. Customers may request the active subprocessor list and receive notice of material changes.
6. Incident notification
PortaliaFlow will notify customers without undue delay after becoming aware of a personal-data breach affecting customer data and will provide relevant mitigation information.
7. Assistance obligations
PortaliaFlow assists customers with data-subject requests, DPIAs, security evidence, and supervisory authority inquiries where reasonably required.
8. Data return and deletion
Upon termination and customer instruction, PortaliaFlow returns or deletes customer data, except where retention is legally required.
9. Audit and compliance evidence
PortaliaFlow provides reasonable compliance information and may support proportionate audit requests under confidentiality and security constraints.
10. Signed DPA request
To request a signed DPA document, contact privacy@portaliaflow.com.