
Data Processing Addendum (DPA)

Effective Date: March 2, 2026
Last Updated: March 2, 2026
Version: 1.0


1. Introduction

This Data Processing Addendum forms part of the Terms of Service between Arunkumar Chaubey, an individual resident of India, doing business as Porcia (Processor), and the Customer (Controller).

This DPA governs the processing of Personal Data by Porcia on behalf of the Customer in connection with the Service.

This DPA applies when:

  • Customer connects email integrations (Gmail, Outlook)
  • Customer connects SSO integrations (Google Workspace, Azure AD, Okta)
  • Customer uploads contracts or vendor documents
  • Customer uses the browser extension (when available)
  • Any other situation where Porcia processes Personal Data on Customer's behalf

2. Definitions

  • Controller means the Customer, who determines the purposes and means of processing Personal Data
  • Processor means Porcia, who processes Personal Data on behalf of the Controller
  • Personal Data means any information relating to an identified or identifiable natural person
  • Processing means any operation performed on Personal Data
  • Data Subject means an individual whose Personal Data is processed
  • Subprocessor means a third-party service provider engaged by Porcia
  • GDPR means the EU General Data Protection Regulation (2016/679)
  • Supervisory Authority means a data protection authority under GDPR

3. Roles and Scope

3.1 Processor Role

Porcia acts as a Processor when processing:

  • Employee directory data from SSO integrations
  • Email content and metadata from email integrations
  • Browser extension usage data
  • Uploaded contracts and vendor documents
  • Any other Customer Data submitted through the Service

3.2 Controller Responsibilities

As Controller, Customer:

  • Determines what Personal Data is submitted to Porcia
  • Ensures lawful basis for processing
  • Provides necessary notices to Data Subjects (employees, users)
  • Obtains required consents
  • Responds to Data Subject requests
  • Ensures compliance with applicable data protection laws

3.3 Processor Obligations

As Processor, Porcia:

  • Processes Personal Data only on documented instructions from Controller
  • Ensures that personnel authorized to process Personal Data are bound by confidentiality obligations
  • Implements appropriate technical and organizational measures
  • Assists Controller with Data Subject requests
  • Notifies Controller of Personal Data breaches
  • Deletes or returns Personal Data upon termination

4. Processing Instructions

4.1 Documented Instructions

Porcia will process Personal Data only on the Controller's documented instructions, which include:

  • These Terms of Service and this DPA
  • Configuration settings in the Porcia application
  • Email forwarding to Porcia addresses
  • OAuth authorization for email and SSO integrations
  • Browser extension installation and configuration
  • Support requests and communications

4.2 Additional Instructions

Controller may issue additional written instructions. Porcia will:

  • Confirm feasibility within 10 business days
  • Implement if technically feasible
  • Notify Controller if instructions violate applicable law

4.3 Unlawful Instructions

If Porcia believes an instruction violates GDPR or other data protection law, Porcia will immediately inform Controller and may suspend processing until the instruction is confirmed or withdrawn.


5. Data Security

5.1 Technical and Organizational Measures

Porcia implements the following security measures:

Encryption:

  • TLS 1.2+ for data in transit
  • AES-256 encryption for data at rest
  • Encrypted storage of OAuth tokens and credentials

Access Controls:

  • Role-based access control (RBAC)
  • Multi-factor authentication for administrative access
  • Workspace-level data isolation
  • Principle of least privilege

Authentication:

  • bcrypt password hashing
  • Secure session management
  • Automatic session timeout

Network Security:

  • AWS VPC isolation
  • Security groups and firewall rules
  • Private subnets for databases
  • DDoS protection via AWS Shield

Monitoring and Logging:

  • Real-time error tracking (Sentry)
  • Security monitoring (AWS GuardDuty)
  • Audit logs for sensitive operations
  • CloudTrail logging of infrastructure changes

Incident Response:

  • 24/7 monitoring for security incidents
  • Documented incident response procedures
  • Breach notification within 72 hours

Backup and Recovery:

  • Automated daily backups
  • 90-day backup retention
  • Disaster recovery procedures

5.2 Security Updates

Porcia will regularly review and update security measures to address evolving threats and maintain compliance with industry standards.


6. Subprocessors

6.1 Authorization

Controller authorizes Porcia to engage Subprocessors to assist in providing the Service.

6.2 Current Subprocessors

The current list of Subprocessors is available at: /legal/subprocessors

Key Subprocessors:

Subprocessor              | Service            | Location             | Data Processed
--------------------------|--------------------|----------------------|---------------------------
Amazon Web Services (AWS) | Cloud hosting      | United States        | All Customer Data
Microsoft Azure OpenAI    | AI processing      | United States        | Email content, contracts
Pinecone                  | Vector database    | United States        | Vendor data (no PII)
Brevo                     | Email delivery     | EU / United States   | Email addresses, names
Dodo Payments             | Payment processing | Varies               | Billing information
PostHog                   | Analytics          | United States / EU   | Usage data
Sentry                    | Error tracking     | United States        | Error logs, user context

6.3 Subprocessor Obligations

Porcia ensures that each Subprocessor:

  • Is bound by data protection obligations equivalent to this DPA
  • Implements appropriate technical and organizational measures
  • Processes Personal Data only as instructed
  • Maintains confidentiality

6.4 Changes to Subprocessors

Notification: Porcia will notify Controller at least 30 days before adding or replacing a Subprocessor by:

  • Email to the account administrator
  • Update to the Subprocessor list at /legal/subprocessors
  • In-app notification

Objection: Controller may object to a new Subprocessor within 30 days if the Subprocessor does not meet Controller's data protection requirements. If Controller objects:

  • Controller must provide reasonable grounds
  • Porcia will work with Controller to address concerns
  • If no resolution, Controller may terminate the Service without penalty

7. Data Subject Rights

7.1 Assistance with Requests

Porcia will assist Controller in responding to Data Subject requests, including:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object

7.2 Request Handling

For Authorized Users (account holders):

  • Data Subjects may exercise rights directly through Account Settings
  • Porcia will respond within 30 days (GDPR) or 45 days (CCPA)

For Employees (SSO data):

  • Data Subjects must direct requests to Controller (their employer)
  • Controller will instruct Porcia to fulfill the request
  • Porcia will comply within 10 business days of receiving Controller's instruction

7.3 Data Export

Controller may export Customer Data at any time through:

  • In-app export functionality (Account Settings → Data Export)
  • API access (if available)
  • Request to support@porcia.org

Data will be provided in JSON or CSV format.


8. Data Breach Notification

8.1 Notification Obligation

If Porcia becomes aware of a Personal Data breach, Porcia will:

  • Notify Controller without undue delay and within 72 hours of becoming aware
  • Provide available information about the breach
  • Assist Controller in meeting breach notification obligations

8.2 Breach Information

Notification will include (to the extent available):

  • Nature of the breach (type of data, number of Data Subjects affected)
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact point for further information

8.3 Investigation and Remediation

Porcia will:

  • Investigate the breach promptly
  • Take reasonable steps to mitigate harm
  • Preserve evidence for forensic analysis
  • Cooperate with Controller and Supervisory Authorities

9. Data Transfers

9.1 International Transfers

Personal Data may be transferred to and processed in the United States and other countries where Subprocessors operate.

9.2 Transfer Mechanisms

For transfers from the EU/EEA/UK to third countries, Porcia relies on:

Standard Contractual Clauses (SCCs):

  • Porcia incorporates the European Commission's Standard Contractual Clauses (Module 2: Controller-to-Processor)
  • SCCs are available upon request: legal@porcia.org

Supplementary Measures:

  • Encryption in transit and at rest
  • Access controls and authentication
  • Contractual commitments from Subprocessors
  • Regular security audits

9.3 Government Access

Porcia will:

  • Challenge unlawful government data requests where legally permitted
  • Notify Controller of government requests unless legally prohibited
  • Provide only the minimum data required by law

10. Audits and Compliance

10.1 Audit Rights

Controller may audit Porcia's compliance with this DPA by:

  • Reviewing Porcia's security documentation
  • Requesting completion of security questionnaires
  • Reviewing third-party audit reports (when available)

10.2 On-Site Audits

Controller may conduct on-site audits:

  • With 30 days' advance written notice
  • No more than once per year (unless required by Supervisory Authority)
  • During business hours
  • At Controller's expense
  • Subject to confidentiality obligations

10.3 Compliance Certifications

Porcia is working toward:

  • SOC 2 Type II certification (planned)
  • ISO 27001 certification (planned)

Certifications will be shared when available.


11. Data Retention and Deletion

11.1 Retention

Porcia retains Personal Data:

  • While the Service is active
  • As required by law (e.g., billing records for 7 years)
  • As specified in the Privacy Policy

11.2 Deletion Upon Termination

Upon termination of the Service, Porcia will:

  • Retain Customer Data for 30 days to allow export
  • Delete or return all Personal Data within 30 days of termination
  • Delete all backup copies within 90 days

11.3 Deletion Exceptions

Porcia may retain Personal Data longer if:

  • Required by law (e.g., tax records)
  • Necessary for legal claims or disputes
  • Fully anonymized (no longer Personal Data)

12. Confidentiality

12.1 Personnel

Porcia ensures that all personnel with access to Personal Data:

  • Are bound by confidentiality obligations
  • Receive appropriate data protection training
  • Have access only as necessary for their role

12.2 Confidentiality Obligations

Porcia will:

  • Treat all Customer Data as confidential
  • Not disclose Personal Data except as authorized by this DPA
  • Implement access controls to limit internal access

13. Liability and Indemnification

13.1 Liability Allocation

Each party is liable to the other for damages caused by its breach of this DPA, subject to the limitations in the Terms of Service.

13.2 Regulatory Fines

If a Supervisory Authority imposes a fine due to:

  • Porcia's breach: Porcia is responsible
  • Controller's breach: Controller is responsible
  • Joint breach: Liability allocated based on responsibility

14. Term and Termination

14.1 Term

This DPA takes effect on the Effective Date and continues while the Service is active.

14.2 Survival

Sections 5 (Data Security), 8 (Data Breach Notification), 11 (Data Retention and Deletion), and 12 (Confidentiality) survive termination.


15. Governing Law

This DPA is governed by the laws of India, except where GDPR or other data protection laws require otherwise.


16. Contact Information

Data Protection Inquiries:

Arunkumar Chaubey
Doing business as Porcia
C/13 Mangalmurti Society, Ghatkopar West
Mumbai, Maharashtra, India
Phone: +91 8097907763


Appendix A: Standard Contractual Clauses

The European Commission's Standard Contractual Clauses (Module 2: Controller-to-Processor) are incorporated by reference and available upon request.

To request SCCs: Email legal@porcia.org


Appendix B: Data Processing Details

Categories of Data Subjects

  • Authorized Users (employees of Customer)
  • Employees whose data is accessed via SSO
  • Contacts in forwarded emails

Types of Personal Data

  • Names, email addresses, job titles
  • Email content and metadata
  • SSO directory data (users, groups, app assignments)
  • Browser usage data (when extension is active)
  • Contract documents and vendor information

Sensitive Data

Porcia does not intentionally process sensitive Personal Data (health, biometric, racial/ethnic origin, etc.). Controller must not submit sensitive data without prior written agreement.

Processing Operations

  • Collection, storage, analysis, extraction
  • AI-powered classification and analysis
  • Display in dashboards and reports
  • Backup and disaster recovery

Processing Purpose

To provide the Porcia SaaS management platform as described in the Terms of Service.


Version History:

  • v1.0 (March 2, 2026) - Initial release