Data Processing Agreement
Last updated: 16 February 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between XYGEN Ltd, trading as SecPortal ("Processor", "we", "us") and you, the workspace owner ("Controller", "you", "your").
This DPA applies where and to the extent that we process Personal Data on your behalf in the course of providing the SecPortal platform (the "Service"). Where the terms of this DPA conflict with the Terms of Service, this DPA shall prevail with respect to data-protection matters.
1. Definitions
- "Data Protection Laws" means the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the EU General Data Protection Regulation (EU 2016/679), the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and any successor or equivalent legislation applicable to the processing of Personal Data.
- "Personal Data" has the meaning given in the Data Protection Laws and refers to any personal data processed by the Processor on behalf of the Controller under this DPA.
- "Processing" has the meaning given in the Data Protection Laws.
- "Sub-Processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
- "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
2. Scope and Roles
- You (the workspace owner) are the Controller. You determine the purposes and means of processing Personal Data within your workspace.
- SecPortal is the Processor. We process Personal Data only on your behalf and in accordance with your documented instructions (as set out in this DPA and the Terms of Service).
- Your end clients who access the client portal are Data Subjects. Your team members are also Data Subjects in relation to their account data.
3. Categories of Data and Data Subjects
3.1 Data Subjects
- Workspace team members (consultants, employees)
- Clients and client contacts invited to the client portal
- Individuals referenced in security findings, engagement notes, or uploaded documents
3.2 Categories of Personal Data
- Contact information: names, email addresses
- Authentication data: hashed passwords, MFA recovery codes
- Workspace content: client records, engagement details, security findings, vulnerability descriptions, remediation notes, CVSS scores, comments, messages
- Documents: files uploaded to engagements (may contain personal data depending on content)
- Financial data: invoice amounts, payment references (full card details are held solely by Stripe)
- Usage data: IP addresses, browser type, page views, timestamps
3.3 Sensitive Data
The Service is not designed to process special categories of personal data (e.g. health, biometric, political opinions). If you upload content containing such data, you do so at your own risk and are responsible for ensuring a lawful basis for processing.
4. Processing Instructions
- We will process Personal Data only in accordance with your documented instructions, which are: (a) this DPA, (b) the Terms of Service, and (c) your use of the Service features (e.g. creating clients, uploading documents, generating AI reports).
- We will not process Personal Data for any other purpose unless required by applicable law, in which case we will inform you of that requirement before processing (unless prohibited by law from doing so).
- If we believe an instruction from you infringes Data Protection Laws, we will promptly inform you.
5. Confidentiality
- We ensure that all persons authorised to process Personal Data are bound by appropriate obligations of confidentiality.
- Access to Personal Data is restricted to personnel who require it to operate and maintain the Service.
6. Security Measures
We implement appropriate technical and organisational measures to protect Personal Data, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Row-level security (RLS) for strict tenant isolation between workspaces
- Role-based access control within workspaces (Owner, Admin, Member, Viewer)
- Private storage buckets with short-lived signed URLs for document access
- Password hashing using industry-standard algorithms
- Rate limiting on authentication endpoints
- Regular infrastructure updates and security patching by our hosting providers
Full details of our security measures are described in our Privacy Policy, Section 6.
7. Sub-Processors
You authorise us to engage the following Sub-Processors. We maintain contracts with each Sub-Processor that impose data-protection obligations no less protective than those in this DPA.
| Sub-Processor | Location | Purpose |
|---|---|---|
| Supabase Inc. | US / EU | Database hosting, authentication, file storage |
| Stripe Inc. | US | Payment processing, subscription billing |
| Resend Inc. | US | Transactional email delivery |
| Anthropic PBC | US | AI report generation (Pro/Team plans; data not used for training) |
| Vercel Inc. | US | Application hosting, edge network |
| PostHog Inc. | US | Product analytics (only with user consent) |
We will notify you by email at least 14 days before adding or replacing a Sub-Processor. If you object to a new Sub-Processor on reasonable data-protection grounds, you may terminate the affected Service by cancelling your subscription before the change takes effect.
8. International Transfers
Where Personal Data is transferred outside the United Kingdom or the European Economic Area, we ensure that appropriate safeguards are in place. Our Sub-Processors maintain Standard Contractual Clauses (SCCs), UK International Data Transfer Agreements (IDTAs), or equivalent transfer mechanisms as required by applicable Data Protection Laws.
9. Data Subject Rights
- We will assist you in fulfilling your obligations to respond to Data Subject rights requests (access, rectification, erasure, restriction, portability, objection) by providing reasonable technical and organisational support.
- If we receive a Data Subject request directly, we will promptly redirect the request to you unless legally required to respond directly.
- The Service provides built-in data export features (CSV/JSON) to facilitate data portability requests.
10. Security Incidents
- We will notify you without undue delay (and in any event within 72 hours of becoming aware) of any Security Incident affecting Personal Data processed under this DPA.
- The notification will include: (a) the nature of the incident, (b) the categories and approximate number of Data Subjects affected, (c) the likely consequences, and (d) the measures taken or proposed to mitigate the effects.
- We will cooperate with you and take reasonable steps to assist in the investigation, mitigation, and remediation of the Security Incident.
- Notification of a Security Incident shall not be construed as an acknowledgement of fault or liability.
11. Data Protection Impact Assessments
We will provide reasonable assistance to you with any data protection impact assessments (DPIAs) and prior consultations with supervisory authorities that you are required to carry out under Data Protection Laws, to the extent that such assistance relates to our processing of Personal Data under this DPA.
12. Audits
- We will make available to you, on request, all information reasonably necessary to demonstrate compliance with our obligations under this DPA and applicable Data Protection Laws.
- We will allow and contribute to audits and inspections conducted by you or an independent auditor mandated by you, subject to reasonable notice (at least 30 days), confidentiality obligations, and during normal business hours.
- If an audit reveals material non-compliance, we will promptly remediate the issue at our own expense.
13. Data Retention and Deletion
- We retain Personal Data for the duration of the Terms of Service and as described in our Privacy Policy, Section 10.
- Upon termination of the Service or upon your written request, we will delete all Personal Data within 30 days, except where retention is required by applicable law.
- Infrastructure-level backups may retain data for up to 30 additional days after deletion from the live system, after which it is permanently purged.
14. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of Data Protection Laws to the extent such limitation is not permitted by applicable law.
15. Term and Termination
- This DPA takes effect when you create a SecPortal workspace and remains in force for as long as we process Personal Data on your behalf.
- This DPA automatically terminates when the Terms of Service terminate and all Personal Data has been deleted or returned in accordance with Section 13.
- Obligations that by their nature should survive termination (including Sections 10, 12, 13, and 14) shall survive.
16. Governing Law
This DPA is governed by and construed in accordance with the laws of England and Wales, consistent with the governing law of the Terms of Service. For users in the United States, the applicable provisions of US federal and state privacy laws (including the CCPA/CPRA) shall also apply. For the purposes of the CCPA, the Processor acts as a "Service Provider" and shall not sell, share, or use Personal Data for any purpose other than performing the services specified in this DPA.
17. Contact
For questions about this DPA or to exercise any rights under it:
- Email: legal@secportal.io
- General Support: support@secportal.io