Porter

Data Processing Agreement

Effective Date: 29.4.2026

Last Updated: 29.4.2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service, Order Form, Subscription Agreement, or other agreement governing the use of Porter services (the “Agreement”) between:

Customer, and

Jaagon Oy (“Porter”, “Processor”, “we”, “us”, or “our”).

This DPA applies where Porter processes Personal Data on behalf of Customer in connection with the Services.

By accepting the Agreement or using the Services, Customer enters into this DPA where applicable.

If there is a conflict between this DPA and the Agreement regarding Personal Data processing obligations, this DPA prevails to that extent.

1. Definitions

Terms such as Controller, Processor, Data Subject, Personal Data, Processing, and Supervisory Authority have the meanings given under applicable data protection law, including the GDPR where applicable.

2. Roles of the Parties

To the extent Porter processes Personal Data contained in Customer Data on behalf of Customer:

  • Customer acts as Controller, or processor acting on behalf of a controller; and
  • Porter acts as Processor.

Customer is responsible for ensuring that Personal Data is collected and disclosed lawfully and that Customer has appropriate rights and legal bases for use of the Services.

3. Subject Matter and Duration

The subject matter of processing is the provision of Porter SaaS services, including document remediation, generation, hosting, workflow automation, support, and related services.

Processing continues for the duration of the Agreement and any applicable retention or deletion periods.

4. Nature and Purpose of Processing

Porter may process Personal Data only as necessary to provide the Services, including:

  • receiving uploaded files and data;
  • transforming, remediating, generating, or analysing documents;
  • storing and hosting Customer Data;
  • support and troubleshooting;
  • security, fraud prevention, and reliability operations;
  • backup and recovery;
  • complying with documented Customer instructions.

5. Categories of Data Subjects and Data

Because Porter is a platform service, categories of Personal Data and Data Subjects are determined by Customer use of the Services and may include employees, customers, contractors, website users, and individuals referenced in uploaded documents.

6. Customer Instructions

Porter shall process Personal Data only on documented instructions from Customer, unless otherwise required by law.

The Agreement, Customer settings, API requests, support requests, and written communications may constitute documented instructions.

If Porter believes an instruction violates applicable law, Porter may notify Customer.

7. Confidentiality

Porter shall ensure that persons authorised to process Personal Data are subject to confidentiality obligations and that access is limited to those with a legitimate operational need.

8. Security Measures

Porter shall implement appropriate technical and organisational measures designed to protect Personal Data, taking into account the nature of processing and associated risks.

Measures may include:

  • encryption in transit using TLS/HTTPS;
  • encryption at rest for production databases and stored files where applicable;
  • role-based access controls;
  • restricted staff access;
  • logging and monitoring;
  • backup and disaster recovery measures;
  • vulnerability management and operational safeguards.

No measure can guarantee absolute security.

9. Subprocessors

Customer authorises Porter to engage subprocessors to support delivery of the Services.

A current list of subprocessors may be provided upon request or made available separately by Porter.

Porter shall ensure subprocessors are bound by data protection obligations appropriate to the services they provide.

Porter remains responsible for subprocessors to the extent required by applicable law.

10. International Transfers

Where Personal Data is transferred outside the EU/EEA, Porter shall use lawful safeguards as required by applicable law, including Standard Contractual Clauses, adequacy decisions, or equivalent mechanisms.

11. Assistance

Taking into account the nature of processing, Porter shall provide reasonable assistance to Customer in responding to:

  • Data Subject rights requests;
  • security obligations;
  • data protection impact assessments;
  • regulator enquiries,

where required by law and reasonably feasible.

Porter may charge reasonable costs for substantial non-standard assistance.

12. Personal Data Breach

Porter shall notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data processed under this DPA.

13. Deletion and Return

Upon termination of the Agreement or Customer request, Porter shall delete or return Personal Data unless retention is required by law.

Unless otherwise agreed:

  • cancelled accounts may remain for up to 90 days;
  • uploaded files are retained according to service settings, with a default of 14 days unless Customer chooses longer retention;
  • backup copies may remain until overwritten in normal cycles.

14. Audit and Information Rights

Porter shall make available information reasonably necessary to demonstrate compliance with this DPA.

Where legally required and where reasonable documentation is insufficient, Customer may request an audit no more than once per year, subject to:

  • reasonable notice;
  • confidentiality protections;
  • no disruption to other customers;
  • proportionate scope;
  • reimbursement of reasonable costs where permitted.

Independent certifications or reports may satisfy audit obligations where appropriate.

15. Liability

Liability under this DPA is subject to the limitations of liability set out in the Agreement, to the extent permitted by law.

16. Governing Law

This DPA is governed by the laws governing the Agreement, or if none are specified, the laws of Finland.

Contact

Jaagon Oy

Helsinki, Finland

support@porter.fi