Data Processing Agreement

Effective 28 November 2025

This DPA forms part of your agreement with Portalry and governs our processing of personal data as a processor on your behalf. It is designed to meet the requirements of UK GDPR/GDPR and standard contractual safeguards for processors.

1. Roles and scope

  • You are the Controller for member and attendee data within your portalries; Portalry acts as Processor.
  • Processing includes hosting, storage, transmission, and support activities needed to provide the Portalry service.

2. Processor obligations

  • Process personal data only on documented instructions from the Controller, including with regard to transfers.
  • Ensure confidentiality and restrict access to personnel with a need to know and appropriate safeguards (MFA for privileged access).
  • Implement appropriate technical and organisational measures (see “How Portalry Protects Your Data” and “Security”).
  • Assist the Controller with data subject requests, security, breach notifications, DPIAs, and prior consultations as required.
  • Delete or return personal data at termination, subject to legal retention obligations.

3. Subprocessors

Portalry may engage subprocessors (e.g., hosting, email delivery). We remain responsible for their obligations and will provide notice of changes upon request.

4. Security

Portalry maintains industry-standard security controls, including encryption in transit, encrypted object storage for user-generated assets, hardened access for staff accounts, least privilege, and audit logging for admin actions in premium portalries.

5. Breach notification

We will notify you without undue delay after becoming aware of a personal data breach affecting your data and will provide information to support your assessment and response.

6. Audit and records

On reasonable request, Portalry will provide information necessary to demonstrate compliance with this DPA. Formal audits can be coordinated subject to reasonable notice and scope.

7. International transfers

Where data is transferred outside the UK/EEA, we rely on appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms.

8. Term and termination

This DPA terminates with the underlying agreement or when a portalry owner deletes their portalry. When a portalry is deleted, associated personal data (e.g., member roles in that portalry) is deleted and not returned. Upon overall agreement termination, we delete personal data as instructed, subject to required backups/retention.

Questions? Contact our Data Protection Officer: [email protected]