Portal AI Platform Data Processing Agreement
Last updated: June 27, 2026
This Data Processing Agreement (“DPA”) describes how Portal AI Inc. (“Portal”, “Processor”, “we”, “us”, or “our”) processes Customer Personal Data on behalf of customers (“Customer”, “Controller”, “you”, or “your”) in connection with Portal AI Platform, including platform.portal.ai, CoreX private access, Portal APIs, modules, dashboards, keys, prepaid credits, documentation, and related services (the “Services”).
This DPA forms part of the Portal AI Platform Terms of Service unless you and Portal sign a separate written DPA or order form. For a counter-signed copy or enterprise procurement review, contact privacy@portal.ai.
This DPA covers the developer and business platform. Processing for Portal One+ consumer assistant services is addressed in the Portal One+ Privacy Policy and Terms unless a separate written agreement says otherwise.
1. Definitions
“Customer Data” means prompts, messages, inputs, files, API payloads, context, instructions, outputs, and, where enabled or stored, account-visible call content such as response content, reasoning traces, tool-call metadata, debugging records, and other content submitted by or returned to Customer through the Services.
“Service Data” means operational and business information generated from use of the Services, such as timestamps, token counts, route or model identifiers, module selection, cost, latency, status, errors, fraud and abuse signals, account status, billing records, and security logs.
“Customer Personal Data” means Customer Data that constitutes personal data, personal information, personally identifiable information, or equivalent terms under Data Protection Laws. “Portal Account Data” and “Service Data” are processed by Portal as described in the Privacy Policy and are processor-scoped under this DPA only to the extent they are included in Customer Data or expressly covered by a signed order form or DPA schedule.
“Data Protection Laws” means all privacy and data protection laws applicable to the processing of Customer Personal Data under this DPA, including the EU GDPR, UK GDPR, Swiss Federal Act on Data Protection, California Consumer Privacy Act as amended by the CPRA, and other applicable U.S. state privacy laws.
“Subprocessor” means any third party engaged by Portal to process Customer Personal Data on behalf of Customer in order to provide the Services.
2. Roles and Scope
Customer is the Controller of Customer Personal Data, and Portal is the Processor. Portal processes Customer Personal Data only on Customer’s documented instructions, including use of the Services as configured by Customer, the Terms of Service, this DPA, the Privacy Policy, the No-Training & Data Use Policy, an applicable order form, and Customer’s API requests or account settings.
Portal may process Portal Account Data and Service Data as an independent controller or business where necessary to operate, secure, bill, support, comply with law, prevent fraud or abuse, and manage the Services, provided Portal does not use Customer Data to train AI models.
Portal will inform Customer if, in Portal’s opinion, an instruction violates Data Protection Laws, unless prohibited by law.
3. Portal Obligations
Purpose limitation. Portal processes Customer Personal Data only to provide, route, secure, support, troubleshoot, monitor, comply with, and improve the safety, reliability, quality, and functionality of the Services as described in this DPA and Customer’s instructions. Portal will not use Customer Personal Data for model training, fine-tuning, or model improvement.
No training. Portal does not train, fine-tune, or improve AI models using Customer Data and does not permit Subprocessors to do so.
No sale. Portal does not sell Customer Data or Customer Personal Data.
No unauthorized disclosure. Portal discloses Customer Data only to Subprocessors and providers necessary to deliver, secure, support, or comply with the Services; to comply with law; to enforce terms; to protect rights, safety, and security; or with Customer’s instruction or consent.
Confidentiality and authorized access. Portal personnel authorized to process Customer Personal Data are bound by confidentiality obligations. Access to Customer Personal Data is limited to authorized purposes such as service delivery, support, debugging, security, abuse prevention, legal compliance, dispute resolution, and reliability or service-quality review.
Security. Portal maintains appropriate technical and organizational measures designed to protect Customer Personal Data, including the measures summarized in Annex II.
Breach notification. Portal will notify Customer without undue delay and, where feasible, within seventy-two (72) hours after becoming aware of a Security Incident affecting Customer Personal Data. “Security Incident” means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data. Security Incident does not include unsuccessful access attempts, pings, scans, denial-of-service attempts, provider outages, scheduled maintenance, or events that do not result in confirmed unauthorized access to Customer Personal Data. Portal’s investigation of a suspected event or precautionary notice is not an admission that a Security Incident occurred.
Assistance. Taking into account the nature of processing and information available to Portal, Portal will reasonably assist Customer with data subject requests, security obligations, data protection impact assessments, and regulator consultation obligations where required by Data Protection Laws.
Deletion or return. Portal will delete or return Customer Data as described in Section 4.
4. Retention, Return, and Deletion
Portal retains Customer Data only as long as necessary to provide the Services, and no longer than thirty (30) days from submission unless a shorter retention route applies, Customer configures or agrees to a different retention setting, or retention is required or permitted by law, security, fraud prevention, dispute resolution, or abuse investigation.
These retention windows describe transient processing of API inputs and outputs on the Platform. Where a Platform feature is expressly designed to store data on Customer’s behalf, such as customer-visible logs, history, or a stateful module Customer enables, that data is retained for the life of the feature or account per its settings, as described where the feature is offered.
Where available, Portal uses zero-retention or transient processing routes at the provider layer. Portal may retain Service Data, billing records, security logs, fraud/abuse records, tax/accounting records, and aggregated or de-identified metrics for longer periods as needed for legitimate business, compliance, and security purposes.
Upon termination of Services or Customer’s written request, Portal will delete or, at Customer’s election where technically feasible, return Customer Data within thirty (30) days, unless retention is required or permitted as described above. Portal will provide deletion confirmation on request.
5. Subprocessors
Customer gives Portal general authorization to engage Subprocessors to provide the Services. Portal will impose written data-protection obligations on each Subprocessor that are no less protective than the obligations in this DPA for the processing performed by that Subprocessor, including no-training, confidentiality, security, purpose limitation, and limited-retention obligations. Portal remains responsible for Subprocessors’ performance of their data-protection obligations to the extent required by applicable law.
Public materials may list Subprocessors by role and category to protect the confidentiality of Portal’s infrastructure. Where Data Protection Laws or Standard Contractual Clauses require individual Subprocessor identification, Portal will provide a named Subprocessor schedule under NDA, written enterprise procurement process, or counter-signed DPA/SCC schedule. Unless a different period is stated in a signed agreement, Portal will provide at least thirty (30) days’ advance notice of intended additions or replacements to that named schedule, and Customer may object on reasonable data-protection grounds within that notice period. If the parties cannot resolve a reasonable objection, Customer may stop using the affected Services or terminate the affected order as required by the applicable signed agreement or Data Protection Laws.
6. International Transfers
Customer Data is processed in the United States unless otherwise agreed. Where Customer Personal Data originating in the EEA, UK, Switzerland, or another regulated region is transferred to Portal in the United States, the parties incorporate the EU Standard Contractual Clauses, Module Two (Controller to Processor), and, where applicable, the UK International Data Transfer Addendum and Swiss transfer adaptations. The parties will complete the required annexes with the information in this DPA and any applicable order form or counter-signed schedule.
Portal implements supplementary measures such as encryption in transit, access controls, contractual no-training obligations, limited retention, confidentiality commitments, and security monitoring.
7. Customer Obligations
Customer will:
- ensure it has a lawful basis to provide Customer Personal Data to Portal and instruct Portal to process it;
- provide data subjects with required notices and obtain required consents;
- ensure Customer’s use of the Services complies with Data Protection Laws and the Acceptable Use Policy;
- not submit special categories of Customer Personal Data, protected health information, payment card data, children’s data, biometric identifiers, export-controlled technical data, classified information, or other regulated data unless Portal has expressly agreed in writing to support that data category;
- configure the Services appropriately and not submit data Customer is not authorized to process; and
- respond to data subject requests, regulator inquiries, and end-user notices for Customer’s own products or applications.
8. Audits and Assurance
On reasonable written request and subject to confidentiality, Portal will make available information reasonably necessary to demonstrate compliance with this DPA, such as this DPA, a Trust and Security summary, infrastructure and access-control summary, incident-response summary, data-retention summary, Subprocessor assurances, named Subprocessor schedule where required, security questionnaire responses, and third-party attestations or certifications when available.
Where the foregoing is insufficient under Data Protection Laws, Customer may request one audit per twelve (12) month period on at least thirty (30) days’ notice, subject to reasonable scope, confidentiality, security, and operational restrictions. Portal may satisfy audit requests with independent third-party reports, written responses, or security documentation where appropriate. Portal does not provide unrestricted access to systems, source code, internal forensic materials, confidential infrastructure details, or other customers’ data.
9. U.S. State Privacy Terms
For personal information subject to the CCPA/CPRA or similar U.S. state privacy laws, Portal acts as a service provider or processor for Customer Personal Data. Portal will not sell or share Customer Personal Data, retain/use/disclose it outside the business purposes of providing, securing, supporting, troubleshooting, monitoring, complying with, and improving the safety, reliability, quality, and functionality of the Services except as permitted by law, or combine it with personal information from other sources except as permitted by applicable law.
10. Liability
Liability under this DPA is subject to the limitations in the Terms of Service or applicable order form, except that nothing limits either party’s liability to the extent such limitation is prohibited by Data Protection Laws or the Standard Contractual Clauses.
11. Term and Precedence
This DPA remains in effect for the duration of Customer’s use of the Services and until all Customer Data is deleted or returned. If this DPA conflicts with the Terms of Service regarding processing of Customer Personal Data, this DPA controls. If this DPA conflicts with the Standard Contractual Clauses regarding international transfers, the Standard Contractual Clauses control.
Annex I — Processing Details
- Subject matter. Portal’s processing of Customer Personal Data to provide Portal AI Platform services, including API access, model routing, platform modules, dashboards, prepaid credits, support, security, compliance, and related services.
- Duration. The term of Customer’s use of the Services, plus the deletion/return period and any legally required or permitted retention.
- Nature and purpose. Hosting, transmitting, routing, processing, generating outputs, metering, securing, troubleshooting, supporting, billing, compliance, abuse prevention, reliability review, and service-quality improvement for the Services.
- Categories of data subjects. Customer’s authorized users, employees, contractors, representatives, end users, and other individuals whose data Customer submits to the Services.
- Categories of Customer Personal Data. Customer-controlled prompts, inputs, files, API payloads, context, instructions, outputs, and other personal data submitted by Customer through the Services. Portal Account Data and Service Data are covered by this DPA only where processor-scoped by a signed order form or schedule.
- Sensitive data. Not permitted unless expressly agreed in writing.
Annex II — Technical and Organizational Measures
Portal maintains measures designed to protect Customer Personal Data, including:
- encryption in transit using HTTPS/TLS;
- encrypted disks or equivalent protections at rest where applicable;
- access controls designed to limit Customer Personal Data access to authorized personnel and authorized service purposes;
- role-based or purpose-based access controls where technically feasible;
- logical tenant isolation designed to separate each customer’s Customer Data, usage, and API keys from other customers;
- credential and API key separation from Customer Data where technically feasible;
- logging and monitoring for security, abuse, and operational health;
- confidentiality obligations for authorized personnel;
- incident response procedures;
- data retention limits and deletion processes;
- vendor and subprocessor contractual controls, including no-training obligations; and
- backup, recovery, and availability measures appropriate to the Service.
Annex III — Subprocessors
Portal uses Subprocessors by role and category, including payment processing, hosting/infrastructure, AI model/inference infrastructure, security/monitoring, communications, support, and analytics necessary to provide the Services.
Because Portal’s routing and provider composition are confidential, public documents may identify Subprocessors by category. Where individual Subprocessor names are required by applicable Data Protection Laws, SCCs, enterprise procurement, or a counter-signed DPA, Portal will provide a named schedule under NDA or written schedule. That schedule should identify, as applicable, legal entity name, role, processing location, processing activity, transfer mechanism, data categories, retention/no-training commitment, notice period, objection deadline, and unresolved-objection remedy.
Contact
Privacy and data requests, DPA questions, or counter-signed copies: privacy@portal.ai