Portal AI Platform Data Processing Agreement

Last updated: June 27, 2026

This Data Processing Agreement (“DPA”) describes how Portal AI Inc. (“Portal”, “Processor”, “we”, “us”, or “our”) processes Customer Personal Data on behalf of customers (“Customer”, “Controller”, “you”, or “your”) in connection with Portal AI Platform, including platform.portal.ai, CoreX private access, Portal APIs, modules, dashboards, keys, prepaid credits, documentation, and related services (the “Services”).

This DPA forms part of the Portal AI Platform Terms of Service unless you and Portal sign a separate written DPA or order form. For a counter-signed copy or enterprise procurement review, contact privacy@portal.ai.

This DPA covers the developer and business platform. Processing for Portal One+ consumer assistant services is addressed in the Portal One+ Privacy Policy and Terms unless a separate written agreement says otherwise.

1. Definitions

“Customer Data” means prompts, messages, inputs, files, API payloads, context, instructions, outputs, and, where enabled or stored, account-visible call content such as response content, reasoning traces, tool-call metadata, debugging records, and other content submitted by or returned to Customer through the Services.

“Service Data” means operational and business information generated from use of the Services, such as timestamps, token counts, route or model identifiers, module selection, cost, latency, status, errors, fraud and abuse signals, account status, billing records, and security logs.

“Customer Personal Data” means Customer Data that constitutes personal data, personal information, personally identifiable information, or equivalent terms under Data Protection Laws. “Portal Account Data” and “Service Data” are processed by Portal as described in the Privacy Policy and are processor-scoped under this DPA only to the extent they are included in Customer Data or expressly covered by a signed order form or DPA schedule.

“Data Protection Laws” means all privacy and data protection laws applicable to the processing of Customer Personal Data under this DPA, including the EU GDPR, UK GDPR, Swiss Federal Act on Data Protection, California Consumer Privacy Act as amended by the CPRA, and other applicable U.S. state privacy laws.

“Subprocessor” means any third party engaged by Portal to process Customer Personal Data on behalf of Customer in order to provide the Services.

2. Roles and Scope

Customer is the Controller of Customer Personal Data, and Portal is the Processor. Portal processes Customer Personal Data only on Customer’s documented instructions, including use of the Services as configured by Customer, the Terms of Service, this DPA, the Privacy Policy, the No-Training & Data Use Policy, an applicable order form, and Customer’s API requests or account settings.

Portal may process Portal Account Data and Service Data as an independent controller or business where necessary to operate, secure, bill, support, comply with law, prevent fraud or abuse, and manage the Services, provided Portal does not use Customer Data to train AI models.

Portal will inform Customer if, in Portal’s opinion, an instruction violates Data Protection Laws, unless prohibited by law.

3. Portal Obligations

4. Retention, Return, and Deletion

Portal retains Customer Data only as long as necessary to provide the Services, and no longer than thirty (30) days from submission unless a shorter retention route applies, Customer configures or agrees to a different retention setting, or retention is required or permitted by law, security, fraud prevention, dispute resolution, or abuse investigation.

These retention windows describe transient processing of API inputs and outputs on the Platform. Where a Platform feature is expressly designed to store data on Customer’s behalf, such as customer-visible logs, history, or a stateful module Customer enables, that data is retained for the life of the feature or account per its settings, as described where the feature is offered.

Where available, Portal uses zero-retention or transient processing routes at the provider layer. Portal may retain Service Data, billing records, security logs, fraud/abuse records, tax/accounting records, and aggregated or de-identified metrics for longer periods as needed for legitimate business, compliance, and security purposes.

Upon termination of Services or Customer’s written request, Portal will delete or, at Customer’s election where technically feasible, return Customer Data within thirty (30) days, unless retention is required or permitted as described above. Portal will provide deletion confirmation on request.

5. Subprocessors

Customer gives Portal general authorization to engage Subprocessors to provide the Services. Portal will impose written data-protection obligations on each Subprocessor that are no less protective than the obligations in this DPA for the processing performed by that Subprocessor, including no-training, confidentiality, security, purpose limitation, and limited-retention obligations. Portal remains responsible for Subprocessors’ performance of their data-protection obligations to the extent required by applicable law.

Public materials may list Subprocessors by role and category to protect the confidentiality of Portal’s infrastructure. Where Data Protection Laws or Standard Contractual Clauses require individual Subprocessor identification, Portal will provide a named Subprocessor schedule under NDA, written enterprise procurement process, or counter-signed DPA/SCC schedule. Unless a different period is stated in a signed agreement, Portal will provide at least thirty (30) days’ advance notice of intended additions or replacements to that named schedule, and Customer may object on reasonable data-protection grounds within that notice period. If the parties cannot resolve a reasonable objection, Customer may stop using the affected Services or terminate the affected order as required by the applicable signed agreement or Data Protection Laws.

6. International Transfers

Customer Data is processed in the United States unless otherwise agreed. Where Customer Personal Data originating in the EEA, UK, Switzerland, or another regulated region is transferred to Portal in the United States, the parties incorporate the EU Standard Contractual Clauses, Module Two (Controller to Processor), and, where applicable, the UK International Data Transfer Addendum and Swiss transfer adaptations. The parties will complete the required annexes with the information in this DPA and any applicable order form or counter-signed schedule.

Portal implements supplementary measures such as encryption in transit, access controls, contractual no-training obligations, limited retention, confidentiality commitments, and security monitoring.

7. Customer Obligations

Customer will:

8. Audits and Assurance

On reasonable written request and subject to confidentiality, Portal will make available information reasonably necessary to demonstrate compliance with this DPA, such as this DPA, a Trust and Security summary, infrastructure and access-control summary, incident-response summary, data-retention summary, Subprocessor assurances, named Subprocessor schedule where required, security questionnaire responses, and third-party attestations or certifications when available.

Where the foregoing is insufficient under Data Protection Laws, Customer may request one audit per twelve (12) month period on at least thirty (30) days’ notice, subject to reasonable scope, confidentiality, security, and operational restrictions. Portal may satisfy audit requests with independent third-party reports, written responses, or security documentation where appropriate. Portal does not provide unrestricted access to systems, source code, internal forensic materials, confidential infrastructure details, or other customers’ data.

9. U.S. State Privacy Terms

For personal information subject to the CCPA/CPRA or similar U.S. state privacy laws, Portal acts as a service provider or processor for Customer Personal Data. Portal will not sell or share Customer Personal Data, retain/use/disclose it outside the business purposes of providing, securing, supporting, troubleshooting, monitoring, complying with, and improving the safety, reliability, quality, and functionality of the Services except as permitted by law, or combine it with personal information from other sources except as permitted by applicable law.

10. Liability

Liability under this DPA is subject to the limitations in the Terms of Service or applicable order form, except that nothing limits either party’s liability to the extent such limitation is prohibited by Data Protection Laws or the Standard Contractual Clauses.

11. Term and Precedence

This DPA remains in effect for the duration of Customer’s use of the Services and until all Customer Data is deleted or returned. If this DPA conflicts with the Terms of Service regarding processing of Customer Personal Data, this DPA controls. If this DPA conflicts with the Standard Contractual Clauses regarding international transfers, the Standard Contractual Clauses control.

Annex I — Processing Details

Annex II — Technical and Organizational Measures

Portal maintains measures designed to protect Customer Personal Data, including:

Annex III — Subprocessors

Portal uses Subprocessors by role and category, including payment processing, hosting/infrastructure, AI model/inference infrastructure, security/monitoring, communications, support, and analytics necessary to provide the Services.

Because Portal’s routing and provider composition are confidential, public documents may identify Subprocessors by category. Where individual Subprocessor names are required by applicable Data Protection Laws, SCCs, enterprise procurement, or a counter-signed DPA, Portal will provide a named schedule under NDA or written schedule. That schedule should identify, as applicable, legal entity name, role, processing location, processing activity, transfer mechanism, data categories, retention/no-training commitment, notice period, objection deadline, and unresolved-objection remedy.

Contact

Privacy and data requests, DPA questions, or counter-signed copies: privacy@portal.ai