Porter is built for organisations that take security seriously. This page describes our security practices, data handling procedures, and compliance posture. If you have questions not covered here, contact our security team directly.
1. Security Overview
Porter is a cloud-hosted visitor management platform. We process visitor check-in data, host notifications, contractor compliance documents, and organisational configuration on behalf of our customers. Security is a core requirement, not an afterthought.
- All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access control (RBAC) with seven built-in roles
- Immutable audit logging of all administrative and security events
- Automated data retention and GDPR deletion workflows
- Rate limiting on all authentication and public endpoints
- CSRF protection via origin validation on state-changing requests
2. Infrastructure & Hosting
Porter runs on Railway, a cloud platform built on top of Google Cloud infrastructure. Our production environment is deployed in European data centres to support UK and EU data residency requirements.
- Application hosting: Railway (Google Cloud Platform underlying infrastructure)
- Database: PostgreSQL on Railway with automated daily backups
- Region: EU (primary), with failover capabilities
- Monitoring: Automated health checks and alerting
3. Encryption
All communication between clients and Porter servers is encrypted using TLS 1.2 or higher. We enforce HTTPS on all endpoints with no fallback to unencrypted connections.
- In transit: TLS 1.2+ with modern cipher suites
- At rest: AES-256 encryption on all database volumes
- Passwords: Hashed with bcrypt (cost factor 12), never stored in plain text
- API keys: Stored as SHA-256 hashes; the raw key is only shown once at creation
- Session tokens: HS256-signed JWTs used as short-lived (15 min) access tokens, renewed through refresh tokens that are single-use and rotated on every refresh
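The API-key and session-token handling described in the three bullets above, as an added illustration (this is not Porter's code; the dict stores, the `pk_`/`rt_` prefixes, the claim names and the `JWT_SECRET` variable are assumptions made for the example). The points a practitioner cares about are all visible: only a SHA-256 digest of the API key is persisted, the JWT verifier pins the algorithm to HS256 server-side so an `alg=none` header is refused before any signature work, expiry is enforced, and each refresh token is consumed on use so a replayed copy fails.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumptions for this illustration: plain dicts stand in for database tables and
# JWT_SECRET is the server-side signing secret (in practice loaded from configuration).
API_KEYS = {}        # sha256(raw API key) -> record
REFRESH_TOKENS = {}  # sha256(raw refresh token) -> record
JWT_SECRET = secrets.token_bytes(32)
ACCESS_TOKEN_TTL = 15 * 60  # 15 minutes, as stated above


def create_api_key(org_id):
    """Generate a random key, persist only its SHA-256 digest, return the raw key once."""
    raw = "pk_" + secrets.token_urlsafe(32)
    API_KEYS[hashlib.sha256(raw.encode()).hexdigest()] = {"org_id": org_id}
    return raw  # shown to the user at creation time and never stored


def lookup_api_key(raw):
    """Resolve a presented key by hashing it; unknown keys return None.
    The key is high-entropy and machine-generated, so unsalted SHA-256 is enough
    here (passwords, being human-chosen, need bcrypt instead): a leaked digest
    cannot practically be brute-forced back to the key."""
    return API_KEYS.get(hashlib.sha256(raw.encode()).hexdigest())


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _encode_json(obj):
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def issue_access_token(user_id, org_id, role, now=None):
    """Mint a 15-minute HS256 JWT carrying the user id, organisation and role."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "org": org_id, "role": role,
               "iat": now, "exp": now + ACCESS_TOKEN_TTL}
    signing_input = f"{_encode_json(header)}.{_encode_json(payload)}"
    sig = hmac.new(JWT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_access_token(token, now=None):
    """Return the payload if signature and expiry check out, otherwise None.
    The algorithm is pinned server-side: a token whose header claims alg=none
    (or any other algorithm) is rejected before the signature is even examined."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(JWT_SECRET, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s_b64)):
            return None
        payload = json.loads(b64url_decode(p_b64))
        if not isinstance(payload, dict) or not isinstance(payload.get("exp"), int):
            return None
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    return payload if payload["exp"] > now else None


def issue_refresh_token(user_id, org_id, role):
    """Refresh tokens are opaque random strings; only their digest is stored."""
    raw = "rt_" + secrets.token_urlsafe(32)
    REFRESH_TOKENS[hashlib.sha256(raw.encode()).hexdigest()] = {
        "user_id": user_id, "org_id": org_id, "role": role}
    return raw


def rotate_refresh(raw, now=None):
    """Exchange a refresh token for a new access token plus a NEW refresh token.
    The presented token is consumed (popped) first, so a stolen copy that is
    replayed later is rejected rather than silently minting another session."""
    rec = REFRESH_TOKENS.pop(hashlib.sha256(raw.encode()).hexdigest(), None)
    if rec is None:
        return None
    new_refresh = issue_refresh_token(rec["user_id"], rec["org_id"], rec["role"])
    return new_refresh, issue_access_token(rec["user_id"], rec["org_id"], rec["role"], now)
```

Note that the expiry comparison is strict (`exp > now`), so a token is invalid at the exact second it expires; a production verifier would typically also allow a small clock-skew window and check `iat`/`nbf`, which the example omits for brevity.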
4. Access Controls
Porter implements role-based access control with strict tenant isolation. Every API request is authenticated and authorised against the user's role and organisation membership.
| Role | Permissions |
|---|---|
| Owner | Full access including billing, team management, and security settings |
| Admin | All operational access; cannot transfer ownership |
| Location Admin | Manage assigned locations, kiosks, and local team members |
| Receptionist | Check in/out visitors, manage deliveries, view visitor log |
| Host | View own visitors, approve visits, receive notifications |
| Security | View on-site visitors, evacuation controls, blocklist management |
| Read-Only | View-only access to visitor logs and analytics |
Administrators can further restrict team invitations to specific email domains (e.g. only @company.com addresses), and configure session timeout policies.
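The two checks this section describes, tenant-scoped role authorisation and the email-domain restriction on invitations, as an added example that is not Porter's own code. The permission strings, the `User` record and the `ROLE_PERMISSIONS` map are this example's own transcription of the table above, not Porter's API. The security-relevant details are that organisation membership is checked before any role logic (so an Owner of one organisation has no standing in another) and that the domain check compares the whole domain rather than using a suffix match, which would also admit `notcompany.com`.

```python
from dataclasses import dataclass

# Illustrative transcription of the role table above; permission names are assumptions.
ROLE_PERMISSIONS = {
    "owner": {"billing", "team:manage", "security:manage", "ownership:transfer",
              "visitors:read", "visitors:write", "analytics:read"},
    "admin": {"billing", "team:manage", "security:manage",
              "visitors:read", "visitors:write", "analytics:read"},
    "location_admin": {"locations:manage", "kiosks:manage", "team:manage",
                       "visitors:read", "visitors:write"},
    "receptionist": {"visitors:read", "visitors:write", "deliveries:manage"},
    "host": {"visitors:read:own", "visits:approve"},
    "security": {"visitors:read:onsite", "evacuation:control", "blocklist:manage"},
    "read_only": {"visitors:read", "analytics:read"},
}


@dataclass(frozen=True)
class User:
    id: str
    org_id: str
    role: str


def authorize(user, org_id, permission):
    """True only if the user belongs to org_id AND their role grants the permission.
    Tenant isolation is evaluated first and independently of role, so no role,
    however privileged, reaches across organisations."""
    if user.org_id != org_id:
        return False
    return permission in ROLE_PERMISSIONS.get(user.role, set())


def invitation_allowed(email, allowed_domains):
    """Allow an invitation only if the address's domain exactly matches one of the
    configured domains (compared case-insensitively, with or without a leading '@').
    Addresses with more than one '@' are rejected outright rather than guessing how
    a mail server would parse them, and exact matching means 'notcompany.com' and
    unlisted subdomains such as 'mail.company.com' are refused."""
    email = email.strip()
    if email.count("@") != 1:
        return False
    local, _, domain = email.partition("@")
    if not local or not domain:
        return False
    allowed = {d.strip().lstrip("@").lower() for d in allowed_domains}
    return domain.lower() in allowed


def can_invite(inviter, org_id, invitee_email, allowed_domains):
    """Combine both checks: the inviter must hold team:manage in this organisation
    and the invitee must be in an allowed domain. An empty allowlist means no
    domain restriction is configured."""
    if not authorize(inviter, org_id, "team:manage"):
        return False
    if not allowed_domains:
        return True
    return invitation_allowed(invitee_email, allowed_domains)
```

A common bug this guards against is `email.endswith("company.com")`: it passes `mallory@notcompany.com`, and with a leading dot (`endswith(".company.com")`) it silently admits every subdomain the customer never listed.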
5. Data Handling
Porter acts as a Data Processor on behalf of our customers (Data Controllers). We only process personal data as instructed by the customer through their use of the platform.
- Storage location: EU-based PostgreSQL database
- Data retention: Configurable per organisation (30 days to indefinite). Automated deletion of expired records.
- Data export: Full GDPR data export available via the dashboard (JSON format)
- Data deletion: Organisations can submit deletion requests through the dashboard. Individual visitor records can also be deleted on request.
- Backups: Automated daily database backups with 7-day retention. Backups are encrypted at rest.
6. GDPR Compliance
Porter is designed from the ground up for GDPR compliance.
- Lawful basis: Legitimate interest (workplace security) and explicit consent (visitor sign-in)
- Consent logging: Every consent event (data processing, NDA signing, photo capture) is recorded with timestamp, IP address, and user agent
- Data minimisation: We only collect data necessary for visitor management
- Right to erasure: Supported via dashboard GDPR request workflow
- Right to portability: JSON data export available for organisations and individual visitors
- Data Processing Agreement: Available at /dpa
- Privacy Policy: Available at /privacy
7. Sub-processors
Porter uses the following third-party services to deliver the platform. Each sub-processor has been evaluated for security and GDPR compliance.
| Sub-processor | Purpose | Data Location |
|---|---|---|
| Railway | Application hosting and PostgreSQL database | EU / US |
| Stripe | Payment processing and subscription billing | US (PCI DSS Level 1) |
| Resend | Transactional email delivery (notifications, invites) | US |
| Twilio | SMS notifications for host alerts | US |
| Pexels | Stock imagery for marketing pages (no personal data processed) | US |
| Vercel | CDN and edge network for static assets | Global |
We will notify customers of any changes to our sub-processor list with at least 30 days advance notice.
8. Incident Response
In the event of a security incident or data breach:
- Affected customers will be notified without undue delay, and in any case within 72 hours of discovery. Porter acts as a Data Processor, and GDPR Article 33(2) requires a processor to notify the controller without undue delay; timely notification is what allows customers (as Data Controllers) to meet their own Article 33(1) obligation to notify the supervisory authority within 72 hours of becoming aware of a breach
- A detailed incident report will be provided including scope, root cause, and remediation steps
- Our team will work directly with affected organisations to minimise impact
- Post-incident reviews are conducted and findings are applied to prevent recurrence
9. Compliance & Certifications
Porter is actively pursuing industry-standard security certifications:
- GDPR: Fully compliant. GDPR is a regulatory obligation rather than a certification scheme; our DPA is available on request and at /dpa
- Cyber Essentials: Certification in progress
- SOC 2 Type 1: Planned for 2026
- ISO 27001: On our roadmap
10. Security Contact
If you have security concerns, need to report a vulnerability, or require additional documentation for your procurement process, contact us directly:
- Email: [email protected]
- Response time: We aim to acknowledge all security inquiries within 1 business day
- Responsible disclosure: We welcome responsible disclosure of security vulnerabilities. Please email the address above with details and we will respond promptly.
This trust page is reviewed and updated regularly. For the most current information, contact [email protected].