Portchain

GDPR policy

By logging in or otherwise use our Services, you agree to this GDPR Policy and have the legal authority to enter into this agreement.

If a valid and active agreement already exists between Portchain ApS and the company you represent, the existing agreement shall supersede this GDPR Policy.

1. GDPR Policy preamble

  1. ”Data Controller” refers to the entity that agrees to the Terms by accessing and using the Services, including Authorised Users within an entity.

  1. ”Data Processor” refers Portchain ApS, the Danish company, Pilestræde, 52, 1, 1112, København K, CVR 38 40 56 40.

  2. This GDPR Policy (the “GDPR Policy”) sets out the rights and obligations that apply to the Data Processor’s handling of personal data on behalf of the Data Controller.

  3. This Agreement has been designed to ensure the Parties’ compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) as amended, supplemented and/or modified from time to time (the “General Data Protection Regulation”), which among other things sets out specific requirements for the content of GDPR Policys.

  4. The Data Processor’s processing of personal data shall take place for the purposes of providing the Software and Subscription Services provided by the Data Processor as provider to the Data Controller.

  5. This GDPR Policy, the Terms of Service and the Privacy Policy shall be interdependent and cannot be terminated separately. The GDPR Policy may however be replaced by an alternative valid GDPR Policy.

  6. The Data Processor’s liabilities, warranties and indemnity cannot exceed the limitations in the Terms of Service, as set out in Section 12 of this GDPR Policy.

  7. Three appendices are attached to this GDPR Policy. The Appendices form an integral part of this GDPR Policy.

  8. Appendix A of the GDPR Policy contains details about the processing as well as the purpose and nature of the processing, type of personal data, categories of data subject and duration of the processing.

  9. Appendix B of the GDPR Policy contains the Data Controller’s terms and conditions that apply to the Data Processor’s use of Sub-Processors and a list of Sub-Processors approved by the Data Controller.

  10. Appendix C of the GDPR Policy contains instructions on the processing that the Data Processor is to perform on behalf of the Data Controller (the subject of the processing), the minimum security measures that are to be implemented and how inspection with the Data Processor and any Sub-Processors is to be performed.

  11. This GDPR Policy shall not exempt the Data Processor from obligations to which the Data Processor is subject pursuant to the General Data Protection Regulation or other legislation.

2. The rights and obligations of the Data Controller

  1. The Data Controller shall be responsible to the outside world (including the data subject) for ensuring that the processing of personal data takes place within the framework of the General Data Protection Regulation and the German Privacy Act (BDSG).

  2. The Data Controller shall therefore have both the right and obligation to make decisions about the purposes and means of the processing of personal data.

  3. The Data Controller shall be responsible for ensuring that the processing that the Data Processor is instructed to perform is authorised in law.

3. The Data Processor acts according to instructions

  1. The Data Processor shall solely be permitted to process personal data on documented instructions from the Data Controller unless processing is required under European Union rules and regulation or mandatory Member State law to which the Data Processor is subject. In this case, the Data Processor must notify the Data Controller of such legal requirement prior to processing, unless the relevant law prohibits such notification on important grounds of public interest.

  2. The Data Processor shall immediately inform the Data Controller if instructions in the opinion of the Data Processor contravene the General Data Protection Regulation or data protection provisions contained in other European Union rules and regulation or mandatory Member State law.

4. Confidentiality

  1. The Data Processor shall ensure that only those persons who are currently authorised to do so are able to access the personal data being processed on behalf of the Data Controller. Access to the data shall therefore without delay be denied if such authorisation is removed or expires.

  2. Only persons who require access to the personal data in order to fulfil the obligations of the Data Processor to the Data Controller shall be provided with authorisation.

  3. The Data Processor shall ensure that persons authorised to process personal data on behalf of the Data Controller have undertaken to observe confidentiality or are subject to suitable statutory obligation of confidentiality.

  4. The Data Processor shall at the request of the Data Controller be able to demonstrate that the employees concerned are subject to the above confidentiality.

5. Security of processing

  1. The Data Processor shall take all the measures required pursuant to Article 32 of the General Data Protection Regulation which stipulates that with consideration for the current level, implementation costs and the nature, scope, context and purposes of processing and the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Controller and Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

  2. The above obligation means that the Data Processor shall perform a risk assessment and thereafter implement measures to counter the identified risk.

  3. The Data Processor shall in ensuring the above – in all cases – at a minimum implement the level of security and the measures specified in Appendix C to this GDPR Policy.

  4. The Parties’ possible regulation/agreement on remuneration etc. for the Data Controller’s or the Data Processor’s subsequent requirement for establishing additional security measures shall be specified in the Parties’ Terms of Service.

6. Use of Sub-Processors

  1. The Data Processor shall meet the requirements specified in Article 28, sub-section 2 and 4, of the General Data Protection Regulation in order to engage another processor (Sub-Processor).

  2. The Data Processor shall therefore not engage another processor (Sub-Processor) for the fulfilment of this GDPR Policy without the prior specific or general written consent of the Data Controller.

  3. In the event of general written consent, the Data Processor shall inform the Data Controller of any planned changes with regard to additions to or replacement of other data processors and thereby give the Data Controller the opportunity to object to such changes.

  4. The Data Controller’s requirements for the Data Processor’s engagement of other sub-processors shall be specified in Appendix B to this GDPR Policy.

  5. The Data Controller’s consent to the engagement of specific sub-processors, if applicable, shall be specified in Appendix B to this GDPR Policy.

  6. When the Data Processor has the Data Controller’s authorisation to use a sub-processor, the Data Processor shall ensure that the Sub-Processor is subject to the same data protection obligations as those specified in this GDPR Policy on the basis of a contract or other legal document under European Union law and regulation or the national law of the Member States, in particular providing the necessary guarantees that the Sub-Processor will implement the appropriate technical and organisational measures in such a way that the processing meets the requirements of the General Data Protection Regulation.

  7. The Data Processor shall therefore be responsible – on the basis of a sub-processor agreement – for requiring that the sub-processor at least comply with the obligations to which the Data Processor is subject pursuant to the requirements of the General Data Protection Regulation and this GDPR Policy and its associated Appendices.

  8. Data Processor shall ensure that the sub-processing is lawful and that any and all Sub-Processors undertake and are subject to the same terms and obligations as Data Processor as set out herein.

7. Transfer of data to third countries or international organisations

  1. By signing this GDPR Policy, Data Controller accepts that Data Processor may transfer personal data to a third country, i.e. a country outside the EEA. Data Processor will be required to ensure that such transfer is at all times lawful, including i.e. that there is an adequate level of protection of the transfer of the personal data. The list of third countries is set out in Appendix C to this GDPR Policy.

8. Assistance to the Data Controller

  1. The Data Processor, taking into account the nature of the processing, shall, as far as possible, assist the Data Controller with appropriate technical and organisational measures, in the fulfilment of the Data Controller’s obligations to respond to requests for the exercise of the data subjects’ rights pursuant to Chapter 3 of the General Data Protection Regulation.

    This entails that the Data Processor should as far as possible assist the Data Controller in the Data Controller’s compliance with:

    1. notification obligation when collecting personal data from the data subject

    2. notification obligation if personal data have not been obtained from the data subject

    3. right of access by the data subject

    4. the right to rectification

    5. the right to erasure (‘the right to be forgotten’)

    6. the right to restrict processing

    7. notification obligation regarding rectification or erasure of personal data or restriction of processing

    8. the right to data portability

    9. the right to object

    10. the right to object to the result of automated individual decision-making, including profiling

  2. The Data Processor shall assist the Data Controller in ensuring compliance with the Data Controller’s obligations pursuant to Articles 32-36 of the General Data Protection Regulation taking into account the nature of the processing and the data made available to the Data Processor, cf. Article 28, sub-section 3, para f.

    This entails that the Data Processor should, taking into account the nature of the processing, as far as possible assist the Data Controller in the Data Controller’s compliance with:

    1. the obligation to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the processing

    2. the obligation to report personal data breaches to the supervisory authority (Danish Data Protection Agency) without undue delay and, if possible, within 72 hours of the Data Controller discovering such breach unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons

    3. the obligation – without undue delay – to communicate the personal data breach to the data subject when such breach is likely to result in a high risk to the rights and freedoms of natural persons

    4. the obligation to carry out a data protection impact assessment if a type of processing is likely to result in a high risk to the rights and freedoms of natural persons

    5. the obligation to consult with the supervisory authority (Danish Data Protection Agency) prior to processing if a data protection impact assessment shows that the processing will lead to high risk in the lack of measures taken by the Data Controller to limit risk

  3. The Data Processor shall assist the Data Controller without separate compensation.

9. Notification of personal data breach

  1. On discovery of personal data breach at the Data Processor’s facilities or a sub-processor’s facilities, the Data Processor shall without undue delay notify the Data Controller.

  2. Data Processor shall notify Data Controller without undue delay after becoming aware of a personal data breach. Furthermore, Data Processor shall assist Data Controller in ensuring compliance with Data Controller’s obligations (i) to document any personal data breach, (ii) to notify the applicable supervisory authorit(y/ies) of any personal data breach, and (iii) to communicate such personal data breaches to the applicable data subjects in accordance with Articles 33 and 34 of the General Data Protection Regulation.

10. Erasure and return of data

  1. On termination of the processing services, the Data Processor shall be under obligation, at the Data Controller’s discretion, to erase or return all the personal data to the Data Controller and to erase existing copies unless European Union law and regulation or Member State law requires storage of the personal data.

11. Inspection and audit

  1. The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with Article 28 of the General Data Protection Regulation and this GDPR Policy, and allow for and contribute to audits, including inspections performed by the Data Controller or another auditor mandated by the Data Controller.

  2. The procedures applicable to the Data Controller’s inspection of the Data Processor are specified in Appendix C to this GDPR Policy.

  3. The Data Controller’s inspection of sub-processors, if applicable, shall as a rule be performed through the Data Processor. The procedures for such inspection are specified in Appendix C to this GDPR Policy.

  4. The Data Processor shall be required to provide the supervisory authorities, which pursuant to applicable legislation have access to the Data Controller’s and Data Processor’s facilities, or representatives acting on behalf of such supervisory authorities, with access to the Data Processor’s physical facilities on presentation of appropriate identification.

12. The Parties’ agreement on other terms

  1. The Data Processor shall only be liable for the damage caused by processing of personal data where the Data Processor has not complied with obligations of the Data Protection Legislation that are specifically directed to data processors or where the Data Processor has acted outside or contrary to lawful instructions of the Data Controller. The Data Processors’s liabilities, warranties and indemnity cannot exceed the limitations specified in the Terms of Service

  2. The Data Processor shall not be liable for any indirect or consequential damages, including damages for lost profits.

13. Commencement and termination

  1. By logging in or otherwise using our Services, this GDPR Policy shall become effective.

  2. Both Parties shall be entitled to require this GDPR Policy renegotiated if changes to the law or inexpediency of the provisions contained herein should give rise to such renegotiation.

  3. This GDPR Policy may be terminated according to the terms and conditions of termination, incl. notice of termination, specified in the Terms of Service.

  4. This GDPR Policy shall apply as long as the processing is performed. Irrespective of the termination of the Terms of Service, the GDPR Policy shall remain in force until the termination of the processing and the erasure of the data by the Data Processor and any sub-processors.

14. Data Controller and Data Processor contacts/contact points

The Parties may contact each other using the following contacts/contact points:

For the Data Controller

Email provided by user

For the Data Processor

support@portchain.com

The Parties shall be under obligation continuously to inform each other of changes to contacts/contact points.

15. Jurisdiction and choice of law

  1. This GDPR Policy shall be governed by Danish Law. Any disputes arising out of or in connection with the provisions of this GDPR Policy shall be resolved in the manner set out in the Terms of Service.

 

Appendix A: Information about the processing 

A.1 The purpose of the Data Processor’s processing of personal data on behalf of the Data Controller is:

That the Data Controller’s employees and partners use the Data Processor’s Software and Subscription Services in order to improve reliability and reduce costs by limiting the effects of disruption regarding the operation of sea going vessels. This includes, but is not limited to, the ability to view, plan, and optimize the operation and schedules of sea going vessels, as well as enable users of the Software to collaborate internally in the Data Controller’s organization, and collaboration with external 3rd parties. 

A.2 The Data Processor’s processing of personal data on behalf of the Data Controller shall mainly pertain to (the nature of the processing):

  • Make the Software and its features available to the Data Controller

  • Ensure good performance of the Software and Subscription Services, therefore storing the data geographically close to the users of the Software and the Subscription Services

  • Facilitate communication and collaboration among Data Subjects (users)

A.3 The processing includes the following types of personal data about data subjects:

  • Full names

  • Professional email address(es)

  • Professional phone number(s) 

  • Role and geographical location

  • IP address(es)

  • Content of comments and communications made through the Data Processor services

A.4 Processing includes the following categories of data subject:

  • Employees from the Data Controller

  • Sub-contractors from the Data Controller

  • Selected partners and their employees from the Data Controller

A.5 The Data Processor’s processing of personal data on behalf of the Data Controller may be performed when this GDPR Policy commences. Processing has the following duration:

  • Processing shall not be time-limited and shall be performed until this GDPR Policy is terminated or cancelled by one of the Parties.

Appendix B: Terms of the Data Processor’s use of sub-processors and list of approved sub-processors 

B.1 Terms of the Data Processor’s use of sub-processors, if applicable

The Data Processor has the Data Controller’s general consent for the engagement of sub-processors. The Data Processor shall, however, inform the Data Controller of any planned changes with regard to additions to or replacement of other data processors and thereby give the Data Controller the opportunity to object to such changes. Such notification shall be submitted to the Data Controller a minimum of 21 days prior to the engagement of sub-processors or amendments coming into force. If the Data Controller should object to the changes, the Data Controller shall notify the Data Processor of this within 14 days of receipt of the notification. The Data Controller shall only object if the Data Controller has reasonable and specific grounds for such refusal.

B.2 Approved sub-processors

The Data Controller shall on commencement of this GDPR Policy approve the engagement of the following sub-processors:

Name Address Description of processing

Heroku

Salesforce.com, Inc. & affiliates

The Landmark @ One Market,
Suite 300, San Francisco
California, 94105, USA

Hosts Portchain applications that process Controller’s personal and operational data. Processing occurs strictly under documented Controller instructions.

Amazon

Amazon Web Services, Inc.

P.O. Box 81226, Seattle,
Washington, 98108-1226, USA

Provides infrastructure for application hosting, backups, and storage of personal and system data in line with Controller’s documented instructions.

Google Cloud

Google Cloud Platform (Google LLC)

1600 Amphitheatre Parkway,
Mountain View,
California, 94043, USA

Hosts core applications and data workflows under Controller direction; processes data in compliance with GDPR standards.

Data Dog

Datadog, Inc.

620 8th Ave,
9th Floor, New York,
New York, 10018, USA

Provides monitoring, observability, and logging infrastructure for Portchain’s applications. May process log data, telemetry, IP addresses, and traces. All processing is based on Portchain’s configurations and instructions.

Mailgun

Mailgun Technologies, Inc.

112 E Pecan St 1135,
San Antonio,
Texas, 78205, USA

Email delivery service used to send system-generated and transactional emails; processes recipient identifiers, message metadata, and timestamps strictly per Controller instruction.

Auth0

Auth0, Inc.

101 2nd Street,
Unit 203, San Francisco,
California, 94105, USA

Identity and access management service used for authenticating users in Portchain applications.

LaunchDarkly

LaunchDarkly, Inc.

410 Townsend Street,
San Francisco,
California, 94107, USA

Feature flag management system; stores user IDs and metadata to manage feature rollouts.

Amplitude

Amplitude, Inc.

6301 San Mateo Blvd NE,
Suite 110, Albuquerque,
New Mexico, 87109, USA

Product analytics platform; processes behavioral data such as clicks, sessions, and usage flows from authenticated users.

Appcues

Appcues, Inc.

275 Battery Street,
6th Floor, San Francisco,
California, 94111, USA

In-product messaging and onboarding tool; collects user actions and NPS data.

Freshworks

Freshdesk

2950 S. Delaware Street,
San Mateo,
California, 94403, USA

Customer support platform; processes ticket data, requester emails, metadata. 

Hotjar

Hotjar LTD

Dragonara Business Centre, 5th Floor,
Dragonara Road, Paceville,
St. Julian’s, STJ 3141, Malta

User behavior analytics (heatmaps, etc.); collects IP address and country; data retained up to 365 days.
     

The Data Controller shall, on the commencement of this GDPR Policy, specifically approve the use of the above sub-processors for the processing described for that party. The Data Processor shall not be entitled – without the Data Controller’s explicit written consent – to engage a sub-processor for ‘different’ processing than the one that has been agreed or have another sub-processor perform the described processing.

Appendix C: Instruction pertaining to the use of personal data 

C.1 The subject of/instruction for the processing

The Data Processor’s processing of personal data on behalf of the Data Controller shall be carried out by the Data Processor performing the following:

  • To deliver the Software and Subscription Services as defined in the Terms of Service. 

C.2 Security of processing

The level of security shall reflect:

  • That the data processed pertains to the professional activity of employees and partners of the Data Controller

  • That the data processed identifies the current employer of the Data Subjects

The Data Processor shall hereafter be entitled and under obligation to make decisions about the technical and organisational security measures that are to be applied to create the necessary (and agreed) level of data security.    

The Data Processor shall implement the following measures:

  • Ensure that reasonable effort is taken to protect the confidentiality of personal data from non-approved actors. This includes securing access to the data by requiring authentication of users and systems. Additionally, access controls must be in place to prevent authenticated users and systems from gaining access to unauthorized data.

  • Ensure that any access from any Data Subject to web services provided by the Data Processor must be done through encrypted channels. This is typically done by tunneling HyperText Transfer Protocol (HTTP) communications through Transport Layer Security (TLS). 

  • Ensure that personal data at rest must be encrypted.

  • Ensure that system logs are retained for a maximum duration of 2 years and that these logs contain no other personal information than the IP addresses used by Data Subjects to connect to the Data Processor services. Storing IP addresses is key to ensuring the security and auditability of personal information.

  • Ensure that adequate and regular backups are maintained in order to allow a timely restoration of access.

C.3 Storage period/erasure procedures 

Personal data is stored with the Data Processor until the Data Controller requests that the data is erased or returned.

C.4 Processing location

Processing of the personal data under this GDPR Policy cannot be performed at other locations than the following without the Data Controller’s prior written consent:

  • in Europe, through the data processors listed in B.2

  • In the United States, through the data processors listed in B.2

  • In Brazil, through the data processors listed in B.2

  • In Singapore, through the data processors listed in B.2

C.5 Instruction for or approval of the transfer of personal data to third countries

The Data Processor has the Data Controller’s general consent for processing data in locations listed in section C.4. 

The Data Processor shall, however, inform the Data Controller of any planned changes with regard to additions to or replacement of other processing location and thereby give the Data Controller the opportunity to object to such changes. Such notification shall be submitted to the Data Controller a minimum of 21 days prior to the engagement of sub-processors or amendments coming into force. If the Data Controller should object to the changes, the Data Controller shall notify the Data Processor of this within 14 days of receipt of the notification. The Data Controller shall only object if the Data Controller has reasonable and specific grounds for such refusal.

Subscribe
to our Newsletter

mbl-bg