Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Subscription Agreement between Port Ledger ("we", "us", "Processor") and the subscribing organization ("Customer", "Controller"). It governs how we process data on Customer's behalf — including confidential lab reports, supplier and production data, and the personal data of Customer's authorized users and contacts (together, "Customer Data").
1. Roles
Customer is the controller (or business) and determines the purposes and means of processing Customer Data. Port Ledger is the processor (or service provider) and processes Customer Data only on Customer's documented instructions, including as set out in the Subscription Agreement and this DPA. Port Ledger will not "sell" or "share" Customer Data as those terms are defined under applicable privacy laws, and will not process it for its own purposes.
2. Scope & purpose of processing
We process Customer Data solely to provide, maintain, secure, and support the Service — for example, to store and organize production data and lab reports, to perform AI-assisted review, and to prepare and transmit filings at Customer's direction. The duration of processing is the term of the Subscription Agreement plus any limited wind-down period described below.
3. Confidentiality
We treat Customer Data as confidential. Personnel authorized to process Customer Data are bound by appropriate confidentiality obligations and access it only as needed to provide the Service.
4. Security measures
We maintain technical and organizational measures designed to protect Customer Data, including:
- encryption of data in transit (TLS) and at rest where applicable;
- strict multi-tenant isolation enforced server-side, so one Customer cannot access another's data;
- least-privilege, role-based access controls and authentication;
- report files stored in private object storage and accessed via short-lived, presigned links; and
- AI review configured for zero data retention — prompts and report files are not retained by the AI gateway and are not used to train models.
5. Sub-processors
Customer authorizes us to engage sub-processors to help provide the Service, including providers of cloud hosting and content delivery, transactional email delivery, and the zero-retention AI gateway used for report review. We impose data-protection obligations on sub-processors no less protective than this DPA and remain responsible for their performance. We will give Customer notice of any new sub-processor and a reasonable opportunity to object on legitimate data-protection grounds.
6. International transfers
We process Customer Data in the United States. Where applicable law requires, the parties will rely on a lawful transfer mechanism (such as Standard Contractual Clauses) for cross-border transfers of personal data.
7. Assistance & data subject requests
Taking into account the nature of the processing, we will provide reasonable assistance to help Customer respond to requests from individuals to exercise their rights, and to meet Customer's security, breach-notification, and data-protection-assessment obligations.
8. Personal data breach
We will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Data, and will provide information reasonably available to help Customer meet its notification obligations.
9. Return & deletion
On termination of the Subscription Agreement, we will, at Customer's choice, make Customer Data available for export and then delete or anonymize it within a commercially reasonable period, except where retention is required by law.
10. Audit
On reasonable prior written request, and subject to confidentiality, we will make available information reasonably necessary to demonstrate compliance with this DPA.
11. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Subscription Agreement.
Contact
Questions about this DPA, or want a countersigned copy? Contact us.
This DPA is a general template provided for convenience and is not legal advice. Have it reviewed by qualified counsel and tailored to your business before relying on it.