How Portalry Protects Your Data

Effective 28 November 2025

Hosting and infrastructure

  • Portalry runs on DigitalOcean managed cloud infrastructure with network and host-level hardening.
  • Email delivery is handled via AWS SES.
  • Backups are taken nightly and monitored (see retention below).

Encryption

  • In transit: All web traffic is served over TLS.
  • At rest: Application data and user-generated images/attachments are stored on encrypted storage provided by our cloud and object storage providers.

Access controls

  • Staff access follows least-privilege; administrative access requires strong authentication (MFA).
  • Premium portalries provide an admin audit log for changes to settings, portals, integrations, invites, and RSVPs.

Authentication and passwords

  • Passwords are hashed; strong password rules enforced for changes.
  • Multi-factor authentication (MFA) is available and recommended for admins; we provide guidance but do not mandate it platform-wide.
  • Social login: If you connect Google, we receive your account ID, email, name, and avatar to create/link your Portalry account; we do not receive your Google password.

Logging and monitoring

  • Login audits retained for 36 months.
  • Portal creation failures, reminder email logs, portal integration sync logs, and audit logs retained for 12 months.
  • Inactive accounts: after 24 months of inactivity we notify, remind, and delete after 2 months unless the user returns.

Backups

  • Nightly database backups are stored in encrypted object storage; integrity is monitored via backup health checks.
  • Retention: all backups kept 1 day; daily backups kept 7 days; weekly kept 4 weeks; monthly kept 12 months; yearly kept 7 years (per backup cleanup policy). Restored data remains subject to applicable deletions after restoration.

Incident response

  • We monitor for security events and triage incidents promptly.
  • In case of a personal data breach, affected customers will be notified without undue delay with relevant details to support regulatory assessment.

Data location and transfers

  • Primary processing occurs on DigitalOcean (London region). Email is sent via AWS SES (eu-west-2).
  • Where data is transferred outside the UK/EEA, we rely on appropriate safeguards (e.g., Standard Contractual Clauses).

Contact

Data Protection Officer: Toby Beresford — [email protected]