PortalPilot

Data Processing Agreement

Version 1.3 — Effective: March 24, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between NordScope, a Finnish sole trader (toiminimi), Y-tunnus 3148476-5, owner-operator Peter Sterkenburg ("Processor", "we", "us"), and the customer ("Controller", "you") who uses the PortalPilot service.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person as defined in GDPR Article 4(1).
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Data Subject" means the individual to whom Personal Data relates.
  • "Supervisory Authority" means an independent public authority responsible for monitoring GDPR application.

2. Roles and responsibilities

Controller: You (the customer) are the Controller of the Personal Data processed through PortalPilot. You determine the purposes and means of processing your HubSpot portal data.

Processor: NordScope acts as a Processor on your behalf, processing your data only according to your instructions and this DPA.

3. Scope of processing

3.1 Data categories

  • Account information: Email addresses, names, authentication data
  • HubSpot portal metadata: Property names, types, descriptions, usage statistics
  • Record sample data: During analysis, we transiently process a sample of property values (up to 1,000 records per object type — contacts, companies, deals, tickets) to compute fill rates, value distributions, and data quality scores. This data is processed in memory and not stored beyond the analysis session. Only aggregate statistics are retained.
  • Analysis data: Health scores, recommendations, action history (aggregate only)

3.2 Processing purposes

  • Provide the PortalPilot analysis service
  • Generate property health reports and data quality scores
  • Enable property creation, update, and deletion operations
  • Generate AI-powered property suggestions and descriptions
  • Maintain audit trails of write operations
  • Send service-related communications

3.3 Data minimization

  • Record samples are processed transiently in memory and discarded after analysis
  • Only aggregate statistics (fill rates, distributions, scores) are stored
  • AI processing sends only property metadata (names, descriptions, types), not individual record values
  • OAuth scopes are limited to the minimum necessary for service functionality

3.4 Records of processing

NordScope maintains records of processing activities carried out on behalf of the Controller in accordance with GDPR Article 30(2). These records are available to the Controller and supervisory authorities upon request.

4. Sub-processors

4.1 Authorised sub-processors

| Sub-processor | Purpose | Location | Data processed |
|---|---|---|---|
| Hetzner Online GmbH | Infrastructure hosting (self-hosted Supabase) | EU (Finland) | Account data, analysis data, audit logs |
| Mollie B.V. | Payment processing | EU (Netherlands, PCI DSS) | Payment details (not stored by us) |
| Mistral AI | AI-powered suggestions, descriptions, embeddings | EU (Paris, France) | Property metadata — anonymized names/descriptions (not stored) |
| Lettermint B.V. | Transactional email delivery (account notifications, analysis reports, team invitations, authentication emails) | EU (Netherlands) | Email addresses, email template content |

4.2 Sub-processor changes

We will notify you of any intended changes to sub-processors at least 30 days in advance. You may object in writing within 14 days. If we cannot accommodate your objection, you may terminate the service.

4.3 Third-party platforms accessed on your behalf

PortalPilot connects to your HubSpot portal via OAuth 2.0 as your authorised integration. HubSpot is your own platform — not a sub-processor engaged by NordScope. We access it solely on your instruction to provide the analysis service.

  • Data flows: PortalPilot reads property metadata and record samples from your portal for analysis, and writes property changes back to your portal on your instruction.
  • Data residency: Where HubSpot processes API requests depends on your portal's data residency setting. If your portal uses HubSpot's EU data hosting (Frankfurt), API traffic may remain within the EEA. If your portal is hosted in the US, see Section 10 (International transfers).
  • Your responsibility: You are responsible for ensuring your use of HubSpot complies with your own data protection obligations. PortalPilot accesses only the data you authorise through the OAuth consent flow.

4.4 Sub-processor agreements

All sub-processors are bound by data processing agreements that provide protection at least equivalent to this DPA.

5. Security measures

5.1 Technical measures

  • Encryption in transit: All data transmitted via TLS 1.2+
  • Encryption at rest: Database encryption using AES-256
  • Access control: Role-based access, principle of least privilege
  • Authentication: Multi-factor authentication for admin access
  • API security: OAuth 2.0, token encryption, secure storage
  • Network security: Firewall protection, DDoS mitigation
  • Audit logging: Comprehensive logs of all write operations

5.2 Organizational measures

  • Regular security training for personnel
  • Access limited to authorized personnel only
  • Confidentiality agreements with all staff
  • Regular security assessments and penetration testing
  • Incident response procedures documented and tested

5.3 Data center security

Our primary infrastructure is hosted in EU data centers (Hetzner, Finland) with ISO 27001 certification, physical access controls, and 24/7 monitoring. AI processing is handled by Mistral AI (Paris, France) — no data leaves the EU for AI processing.

6. Data subject rights

We will assist you in responding to Data Subject requests for access, rectification, erasure, restriction, portability, and objection. We will respond to your assistance requests within 5 business days.

If a Data Subject contacts us directly, we will promptly redirect them to you unless legally required to respond directly.

7. Data breach notification

In the event of a Personal Data breach, we will notify you without undue delay and in any case within 72 hours of becoming aware. Our notification will include the nature of the breach, affected data categories, likely consequences, and remedial measures.

We will cooperate with you and any Supervisory Authority in investigating and remediating the breach. We maintain records of all breaches, including facts, effects, and remedial actions taken.

8. Audit rights

Upon reasonable request, we will provide information necessary to demonstrate compliance. You may conduct audits with 30 days' notice, during business hours, maximum once per 12-month period (unless a breach has occurred). Our infrastructure providers maintain ISO 27001 certification.

9. Data retention and deletion

| Data type | Retention period |
|---|---|
| Account data | Duration of service + 30 days |
| Analysis data | 12 months from last analysis |
| Record sample data | Not stored — processed transiently only |
| Audit logs | 90 days |
| Payment records | 7 years (tax law) |

Upon termination, we delete all Personal Data within 30 days. Backup copies are deleted within 90 days. You can request a certificate of deletion. Self-service deletion is available via dashboard, portal disconnection, or email to privacy@portalpilot.io.

10. International transfers

10.1 EU-based infrastructure

All core infrastructure and processing occurs within the EEA:

  • Application and database: Hetzner, Finland (EU)
  • AI processing: Mistral AI, Paris, France (EU)
  • Payments: Mollie B.V., Netherlands (EU)

10.2 HubSpot API access

PortalPilot accesses your HubSpot portal via API on your instruction (see Section 4.3). Whether this constitutes an international transfer depends on your portal's data residency:

  • EU-hosted portals: If your HubSpot portal uses EU data residency (Frankfurt), API traffic may remain within the EEA. No international transfer occurs in this case.
  • US-hosted portals: If your portal is hosted in the US, API requests constitute a transfer to HubSpot, Inc. (US). This transfer is covered by the EU-US Data Privacy Framework, under which HubSpot is certified.

We conduct Transfer Impact Assessments for transfers outside the EEA and implement supplementary measures where necessary. NordScope is prepared to execute Standard Contractual Clauses (EU Commission Implementing Decision 2021/914) as a supplementary transfer mechanism should the DPF adequacy decision be invalidated or suspended.

11. Confidentiality

All personnel with access to Personal Data are bound by confidentiality obligations. We will not disclose Personal Data except as instructed by you, to authorized sub-processors, or as required by law (with advance notice where permitted).

12. Termination

Upon termination of this DPA or the underlying service agreement, we will cease all processing and delete data per Section 9. Upon request within 30 days of termination, we will provide a copy of your data in JSON format.

13. Liability

Each party shall indemnify the other for damages arising from breach of this DPA, GDPR, or applicable data protection laws. Our total liability shall not exceed the amounts paid by you for the service in the 12 months preceding the claim.

14. Amendments

We may update this DPA to reflect changes in law or our practices. Material changes will be notified 30 days in advance. Continued use of the service after the effective date constitutes acceptance.

15. Governing law

This DPA is governed by the laws of Finland. Disputes shall be resolved in Finnish courts, without prejudice to Data Subject rights to bring claims in their jurisdiction of residence.

16. Contact

For questions about this DPA or data protection matters:
NordScope Data Protection
Email: privacy@portalpilot.io
Address: Finland

Annex I — Processing details

Categories of data subjects

  • Customer users: Individuals who create a PortalPilot account and connect a HubSpot portal
  • Team members: Individuals invited by a customer user to collaborate on a portal
  • HubSpot portal contacts: Individuals whose metadata (property definitions, aggregate statistics) is processed during analysis. No directly identifying personal data of these contacts is stored.

Categories of personal data

  • Email addresses and names (account holders and team members)
  • Authentication data (encrypted OAuth tokens, session identifiers)
  • HubSpot portal metadata (property definitions, not individual records)
  • Aggregated analysis scores, health metrics, and recommendations
  • Payment transaction records (processed by Mollie; card details not stored by NordScope)
  • Audit log entries (user actions, timestamps, IP addresses)

Purpose and lawful basis

Processing is performed for the purpose of providing the PortalPilot CRM health analysis service under the Terms of Service. The lawful basis is performance of a contract (GDPR Article 6(1)(b)). Duration of processing is as specified in Section 9 (Data retention and deletion).

Annex II — Technical and organisational measures

The following measures are implemented by NordScope in accordance with GDPR Article 32:

Encryption

  • AES-256-GCM encryption for OAuth tokens at rest, with PBKDF2 key derivation (100,000 iterations) and random 16-byte salt per operation
  • TLS 1.2 or higher for all data in transit
  • Filesystem-level encryption on database storage
  • GPG-encrypted (AES-256) database backups stored off-server

Access control

  • Passphrase-protected SSH key authentication for server access
  • Multi-factor authentication for infrastructure access
  • Principle of least privilege — scoped service roles for database access
  • Role-based access control within the application
  • Minimal team — no third-party contractors with production access

Network security

  • Firewall rules restricting inbound traffic
  • Docker network isolation — services communicate via internal network only
  • DDoS protection via Hetzner infrastructure
  • CORS origin validation on all API endpoints

Application security

  • JWT validation on every API request
  • Row-Level Security (RLS) on all database tables
  • Portal ownership verification before processing any request
  • Rate limiting and idempotency controls on sensitive operations
  • AI prompt sanitisation to prevent injection attacks

Data minimisation

  • Record samples processed in memory only — not stored beyond the analysis session
  • AI receives property metadata only — not individual record values
  • OAuth scopes limited to the minimum required for functionality

Logging and monitoring

  • Comprehensive audit logging on write operations and data access
  • 90-day log retention
  • PII masking in log output (email addresses replaced with hashed values)
  • Security event monitoring on authentication and API access

Backup and recovery

  • Daily automated database backups
  • Encrypted off-server storage
  • Tested restoration procedures

Personnel

  • Confidentiality obligations for all personnel with data access
  • Security awareness practices
  • Access limited to authorised personnel only

Incident management

  • Documented incident response procedure (detection, assessment, notification, remediation)
  • 72-hour breach notification to Controller and supervisory authority
  • Breach records maintained per GDPR Article 33(5)

By using PortalPilot services, you acknowledge and agree to this Data Processing Agreement.

Controller (Customer): Accepted upon account creation and service use
Processor (NordScope): NordScope — Effective: March 24, 2026