P
Porter

Data Processing Agreement

Last updated: March 2026

This Data Processing Agreement ("DPA") forms part of the agreement between the customer ("Controller") and Business Automation Ltd, trading as Porter ("Processor"), for the provision of the Porter visitor management platform ("Service"). This DPA sets out the terms under which the Processor shall process Personal Data on behalf of the Controller in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the EU General Data Protection Regulation (EU GDPR) where applicable.

1. Definitions

In this DPA, the following terms shall have the meanings set out below. Terms not defined herein shall have the meanings given to them in the UK GDPR.

  • "Controller" means the customer who determines the purposes and means of the processing of Personal Data through use of the Service.
  • "Processor" means Business Automation Ltd (trading as Porter), company number 15847293, which processes Personal Data on behalf of the Controller.
  • "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject") that is processed by the Processor on behalf of the Controller in connection with the Service.
  • "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
  • "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
  • "Supervisory Authority" means the Information Commissioner's Office (ICO) in the United Kingdom, or any other competent data protection authority with jurisdiction.
  • "UK GDPR" means the General Data Protection Regulation as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of the European Union (Withdrawal) Act 2018.
  • "SCCs" means the Standard Contractual Clauses for the transfer of personal data to third countries, as approved by the European Commission.

2. Scope and Purpose

This DPA applies to the processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the Service. The Controller engages the Processor to provide a cloud-based visitor management platform. In the course of providing the Service, the Processor will process Personal Data as described in Section 3 on behalf of the Controller.

The Controller acts as the Data Controller and determines the purposes and means of processing visitor, contractor, and host data through the Service. The Processor acts as the Data Processor and processes Personal Data solely in accordance with the Controller's documented instructions as set out in this DPA and the Service agreement.

This DPA is supplementary to, and forms an integral part of, the Terms of Service and should be read in conjunction with the Privacy Policy.

3. Details of Processing

The following details describe the processing activities carried out by the Processor pursuant to Article 28(3) of the UK GDPR:

3.1 Subject Matter and Duration

The processing of Personal Data in connection with the provision of the Porter visitor management platform for the duration of the Service agreement between the Controller and the Processor.

3.2 Nature and Purpose of Processing

  • Visitor check-in and check-out management
  • Host notification and communication
  • Contractor compliance verification and document management
  • Security and audit trail maintenance
  • Analytics and reporting on visitor activity
  • Badge generation and visitor identification
  • Regulatory, health and safety, and workplace compliance
  • Transactional email delivery (visitor confirmations, host alerts)

3.3 Types of Personal Data

  • Full name
  • Email address
  • Phone number
  • Company or organisation name
  • Photographs (where enabled by the Controller)
  • Check-in and check-out timestamps
  • Purpose of visit and host details
  • Signed documents (e.g. NDAs, health declarations, waivers)
  • Contractor certifications and compliance documents
  • Vehicle registration numbers (where applicable)
  • IP addresses and browser metadata (for security and audit purposes)

3.4 Categories of Data Subjects

  • Visitors: individuals visiting the Controller's premises
  • Contractors: third-party workers, service providers, and temporary staff
  • Hosts: employees and staff of the Controller who receive and manage visitors
  • Administrators: Controller's staff who configure and manage the Service

4. Obligations of the Processor

The Processor shall:

  • Process on instructions only: process Personal Data only on the documented instructions of the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law, in which case the Processor shall inform the Controller of that legal requirement before processing (unless prohibited by law from doing so).
  • Confidentiality: ensure that all persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Security: implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as detailed in Section 7.
  • Sub-processors: not engage another processor without prior specific or general written authorisation of the Controller, as detailed in Section 6.
  • Data subject rights: taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Controller's obligation to respond to requests for exercising Data Subject rights, as detailed in Section 9.
  • Breach notification: notify the Controller without undue delay after becoming aware of a Data Breach, as detailed in Section 10.
  • Data protection impact assessments: assist the Controller in ensuring compliance with obligations relating to data protection impact assessments and prior consultation with supervisory authorities, taking into account the nature of the processing and the information available to the Processor.
  • Deletion or return: at the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of the Service, and delete existing copies unless applicable law requires storage of the Personal Data.
  • Audit: make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, as detailed in Section 11.
  • Inform on unlawful instructions: immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes the UK GDPR, the Data Protection Act 2018, or other applicable data protection provisions.

5. Obligations of the Controller

The Controller shall:

  • Ensure that there is a lawful basis for the processing of Personal Data through the Service, including obtaining any necessary consents from Data Subjects where required.
  • Provide clear, documented instructions to the Processor regarding the processing of Personal Data.
  • Ensure that Data Subjects are informed about the processing of their Personal Data in accordance with Articles 13 and 14 of the UK GDPR, including the identity of the Controller and the purposes of processing.
  • Be responsible for the accuracy, quality, and legality of the Personal Data provided to the Processor.
  • Comply with its obligations under applicable data protection law, including responding to Data Subject requests within the statutory timeframes.
  • Notify the Processor promptly of any changes to data protection laws that may affect the Processor's performance of this DPA.

6. Sub-processors

The Controller provides general written authorisation for the Processor to engage Sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors by email notification, giving the Controller the opportunity to object to such changes within 30 days of notification. If the Controller raises a reasonable objection on data protection grounds, the parties shall discuss the concern in good faith with a view to achieving a resolution.

The Processor shall ensure that each Sub-processor is bound by a written contract that imposes data protection obligations no less protective than those set out in this DPA. The Processor shall remain fully liable to the Controller for the performance of each Sub-processor's obligations.

The following Sub-processors are authorised as at the date of this DPA:

Sub-processorPurposeData processedLocation
RailwayApplication hosting and infrastructureAll Personal Data processed by the ServiceEU (AWS eu-west-2, London)
NeonPostgreSQL database hosting and storageAll Personal Data stored by the ServiceEU (AWS eu-west-2, London)
ResendTransactional email deliveryEmail addresses, names, notification contentUnited States (SCCs in place)
StripePayment processing and subscription billingBilling contact details, payment method dataUnited States (SCCs in place)

An up-to-date list of Sub-processors is available upon request by contacting [email protected]. The Controller will be notified of any changes to this list at least 30 days before the new Sub-processor begins processing Personal Data.

7. Security Measures

The Processor shall implement and maintain appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, or damage, in accordance with Article 32 of the UK GDPR. These measures include, but are not limited to:

7.1 Encryption

  • In transit: all data transmitted between clients and the Service is encrypted using TLS 1.2 or higher. HTTP Strict Transport Security (HSTS) is enforced on all endpoints.
  • At rest: all Personal Data stored in the database is encrypted at rest using AES-256 encryption provided by the infrastructure layer.
  • Passwords: user passwords are hashed using bcrypt with appropriate cost factors. Plaintext passwords are never stored or logged.

7.2 Access Controls

  • Role-based access controls (RBAC) limiting access to Personal Data based on user roles and organisational membership.
  • Authentication via secure JSON Web Tokens (JWT) with appropriate expiry periods and refresh mechanisms.
  • Multi-tenancy isolation ensuring that each organisation's data is logically separated at the database level.
  • Administrative access to production systems is restricted to authorised personnel only, following the principle of least privilege.

7.3 Infrastructure Security

  • Application hosted on Railway with automated deployments, infrastructure monitoring, and automatic scaling.
  • Database hosted on Neon with automated daily backups, point-in-time recovery, and high availability.
  • Regular security updates and patching of application dependencies and infrastructure components.
  • HTTPS enforced on all endpoints with automatic certificate management.

7.4 Organisational Measures

  • All staff with access to Personal Data are subject to binding confidentiality obligations.
  • Access to production systems and Personal Data follows the principle of least privilege and is reviewed regularly.
  • Incident response procedures are in place for identifying, reporting, and managing Data Breaches.
  • Business continuity and disaster recovery procedures are maintained and tested.

8. International Data Transfers

The primary storage and processing of Personal Data takes place within the United Kingdom and the European Economic Area (EEA), specifically in the AWS eu-west-2 (London) region via our hosting provider Railway and database provider Neon.

Where Personal Data is transferred outside the UK or the EEA (for example, to Sub-processors based in the United States as listed in Section 6), the Processor ensures that appropriate safeguards are in place in accordance with Chapter V of the UK GDPR, including:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission, adopted under the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as applicable.
  • Verification that the Sub-processor maintains compliance with relevant data protection frameworks and certifications.
  • Transfer impact assessments conducted where required to evaluate the level of protection afforded in the recipient country.

The Processor shall not transfer Personal Data to any country outside the UK or the EEA without ensuring adequate safeguards are in place and, where required, without prior notification to the Controller.

9. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under the UK GDPR, including:

  • Right of access (Article 15): the Processor shall provide the Controller with the ability to export and access all Personal Data held within the Service relating to a Data Subject.
  • Right to rectification (Article 16): the Processor shall enable the Controller to correct or update Personal Data through the Service interface or upon documented instruction.
  • Right to erasure (Article 17): the Processor shall enable the Controller to delete Personal Data through the Service. Deleted data shall be removed from all active systems promptly and from backup systems within 30 days.
  • Right to restriction of processing (Article 18): the Processor shall, upon documented instruction from the Controller, restrict processing of specified Personal Data.
  • Right to data portability (Article 20): the Processor shall provide data export functionality in structured, commonly used, and machine-readable formats including CSV and JSON.
  • Right to object (Article 21): the Processor shall cease processing specified Personal Data upon documented instruction from the Controller.

If a Data Subject contacts the Processor directly regarding their rights, the Processor shall promptly redirect the request to the Controller and shall not respond to the Data Subject directly without the Controller's prior written authorisation, unless required by applicable law.

The Processor shall respond to the Controller's reasonable assistance requests in relation to Data Subject rights without undue delay and in any event within a timeframe that enables the Controller to comply with the applicable statutory response period.

10. Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Data Breach affecting Personal Data processed under this DPA. The notification shall include, to the extent available:

  • A description of the nature of the Data Breach, including where possible the categories and approximate number of Data Subjects and Personal Data records concerned.
  • The name and contact details of the Processor's data protection point of contact from whom further information can be obtained.
  • A description of the likely consequences of the Data Breach.
  • A description of the measures taken or proposed to be taken to address the Data Breach, including measures to mitigate its possible adverse effects.

Where it is not possible to provide all information at the same time, the Processor shall provide the information in phases without further undue delay.

The Processor shall co-operate with the Controller and take all reasonable steps to assist in the investigation, mitigation, and remediation of each Data Breach. The Processor shall document all Data Breaches, including the facts relating to the breach, its effects, and the remedial action taken. The Processor shall not inform any third party of a Data Breach without first obtaining the Controller's written consent, unless required by applicable law.

11. Audits and Inspections

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA and in Article 28 of the UK GDPR. The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller, subject to reasonable advance notice of not less than 30 days and during normal business hours.

The Controller shall ensure that any auditor is bound by appropriate confidentiality obligations. Audits shall be conducted no more than once per calendar year unless a Data Breach has occurred or there are reasonable grounds to believe the Processor is not complying with its obligations under this DPA. The Processor may charge reasonable costs for facilitating audits beyond the annual entitlement. The Controller shall bear the cost of any audit unless the audit reveals material non-compliance by the Processor.

12. Term and Termination

This DPA shall come into effect upon the Controller's creation of an account with the Service and shall remain in effect for the duration of the Service agreement between the Controller and the Processor.

Upon termination or expiry of the Service agreement:

  • The Controller shall have 30 days from the date of termination to request the return of Personal Data in a structured, commonly used, and machine-readable format (CSV or JSON).
  • Following the 30-day data retrieval period, the Processor shall permanently delete all Personal Data processed under this DPA, including all copies in backup systems, within a further 30 days, unless applicable law requires continued storage.
  • The Processor shall provide written confirmation of deletion upon request by the Controller.

The obligations of the Processor under Sections 4 (Obligations of the Processor), 7 (Security Measures), 10 (Data Breach Notification), and 13 (Liability) shall survive termination of this DPA insofar as they relate to Personal Data that remains in the Processor's possession or relates to events occurring prior to termination.

13. Liability

Each party's liability under this DPA shall be subject to the exclusions and limitations of liability set out in the Terms of Service, except that neither party's liability for breaches of its obligations under applicable data protection law shall be limited to the extent such limitation is prohibited by applicable law.

The Processor shall be liable for damage caused by processing only where it has not complied with obligations of the UK GDPR specifically directed at processors, or where it has acted outside of or contrary to the lawful documented instructions of the Controller.

The total aggregate liability of either party under this DPA shall not exceed the fees paid by the Controller to the Processor in the 12 months preceding the event giving rise to the claim, except where liability cannot be limited under applicable data protection law.

14. Governing Law

This DPA shall be governed by and construed in accordance with the laws of England and Wales. Any disputes arising from or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.

Where there is any conflict between this DPA and the Terms of Service, this DPA shall take precedence with respect to the processing of Personal Data.

15. Contact

For any questions regarding this Data Processing Agreement, or to exercise any rights under this DPA, please contact:

  • Data Protection Officer: [email protected]
  • General enquiries: [email protected]
  • Entity: Business Automation Ltd (trading as Porter)
  • Company number: 15847293
  • Registered address: Suite 4, Innovation Centre, Leeds, LS1 4AP, United Kingdom
  • Supervisory authority: Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom — ico.org.uk