Data Processing Agreement
Last Updated: May 2026
1. Introduction
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between SAR Portal (powered by Sekhon IT Consultants Ltd.) (“Processor”, “we”, “us”) and the customer (“Controller”, “you”) using our Service.
Processor Details:
- Legal Name: Sekhon IT Consultants Ltd. (trading as SAR Portal)
- Company Registration: Ireland
- Registered Address: 1 Beaufield Crescent, Maynooth, Co. Kildare, Republic of Ireland
- Data Protection Officer: dpo@sarportal.com
This DPA governs the processing of personal data by SAR Portal on behalf of the Controller in accordance with GDPR (Regulation (EU) 2016/679).
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person
- Processing: Any operation performed on personal data
- Data Subject: The individual whose personal data is processed
- Sub-processor: Third parties engaged by SAR Portal to process personal data
- Data Breach: Security incident leading to unauthorized access, loss, or disclosure of personal data
3. Scope and Purpose
3.1 Subject Matter
SAR Portal processes personal data on behalf of the Controller for the purpose of providing DSAR management services.
3.2 Categories of Data Subjects
- Data subjects submitting DSARs
- Employees and staff of the Controller
- Third parties mentioned in documents
3.3 Categories of Personal Data
- Contact information (names, email addresses, phone numbers)
- Documents uploaded by the Controller
- Case notes and communications
- Identity verification data
3.4 Duration
Processing continues for the duration of the subscription agreement plus data retention periods specified in our Terms.
4. Processor Obligations
SAR Portal agrees to:
- Process personal data only on documented instructions from the Controller
- Ensure staff are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist the Controller in responding to data subject rights requests
- Support the Controller in meeting GDPR obligations (security, breach notification, DPIAs)
- Delete or return all personal data at the end of the service relationship
- Make available information necessary to demonstrate compliance
4.1 Scope of Instructions
The Controller’s documented instructions are limited to:
- Configuration of the Service via the user interface
- Requests submitted via our support channels
- Instructions documented in this DPA
SAR Portal is not obligated to follow instructions that would violate GDPR or other applicable laws. We will promptly notify the Controller if we believe an instruction infringes data protection law.
5. Sub-processors
5.1 Authorized Sub-processors
The Controller authorizes the use of the following sub-processors:
| Sub-processor | Purpose | Location | DPA in Place |
|---|---|---|---|
| Microsoft Azure (Cosmos DB, Blob Storage) | Data storage | EEA — West Europe (Netherlands) | Yes |
| Microsoft Azure Entra External ID | Authentication | EEA — West Europe | Yes |
| Azure OpenAI Service | AI features (not used for training) | EEA — Sweden Central | Yes |
| Azure AI Document Intelligence | PDF text extraction | EEA — Sweden Central | Yes |
| Azure AI Language Service | PII entity detection (no data retained) | EEA — Sweden Central | Yes |
| Microsoft Graph API | User provisioning (email + display name for invitations) | Global (covered by Microsoft SCCs) | Yes |
| Stripe (Stripe Payments Europe) | Billing and payments (no card data held by us) | EEA — Ireland / Netherlands | Yes |
| Twilio SendGrid | Email delivery (EU SMTP endpoint) | EEA | Yes |
| Google reCAPTCHA Enterprise | Bot protection (browser signals only, no case data) | Global (Enterprise DPA) | Yes |
5.1.1 Development Tooling Sub-Processors
The following sub-processors are engaged for internal development tooling only. They do not process customer personal data in the delivery of the SAR Portal SaaS service. Production credential access from the development tooling path is blocked at the technical level by deny rules and a PreToolUse hook.
| Sub-processor | Purpose | Location | Transfer Basis | DPA in Place |
|---|---|---|---|---|
| Anthropic, Inc. (via Microsoft Azure AI Foundry) | LLM inference (Claude models) for development sessions that may involve production data context | EEA — Sweden Central | Azure DPA Article 28; EU data residency (no international transfer) | Yes |
| Anthropic, Inc. (direct — Max plan) | LLM inference for development, documentation and non-production work | United States | EU–US Data Privacy Framework (Commission Decision 2023/1795); Anthropic is DPF-certified | Yes |
5.2 Changes to Sub-processors
We will notify the Controller 30 days before adding new sub-processors. The Controller may object within 14 days.
6. Security Measures
SAR Portal implements the following technical and organisational measures:
- Encryption at rest (AES-256) and in transit (TLS 1.2+, HTTPS enforced with HSTS)
- Authentication via Azure Entra External ID (OAuth 2.0 / OpenID Connect) with MFA support
- Role-based access control (RBAC) with four defined roles (Admin, Case Manager, Reviewer, Read Only)
- Secrets management via Azure Key Vault (HSM-backed)
- Multi-tenant data isolation at the database level
- Automated dependency scanning and mandatory code review
- Rate limiting on all public-facing endpoints
- PII sanitisation in application logs (personal data is masked, not stored in plaintext)
- Geo-redundant database backups and disaster recovery
- Security headers (CSP, HSTS, and others)
7. Data Breach Notification
In the event of a data breach, SAR Portal will:
- Notify the Controller within 24 hours of becoming aware (Processor → Controller notification window, faster than the 72-hour Controller → DPC obligation under GDPR Article 33, to give Controllers time to fulfil their onward obligations)
- Provide details of the breach, affected data, and remediation steps
- Cooperate with the Controller’s investigation and notification obligations
- Document all breaches and actions taken
8. Data Subject Rights
SAR Portal will assist the Controller in responding to data subject requests for:
- Access to personal data
- Rectification of inaccurate data
- Erasure of personal data
- Restriction of processing
- Data portability
- Objection to processing
9. International Transfers
All customer data is stored in EU data centers. Any transfers outside the EU are protected by:
- Standard Contractual Clauses (SCCs): We use the European Commission’s 2021 SCCs (Decision 2021/914) for any transfers to third countries
- Microsoft’s EU Data Boundary: Microsoft Azure services operate under their EU Data Boundary commitment
- Adequacy Decisions: Where applicable, transfers may rely on adequacy decisions (e.g., UK, Switzerland)
9.1 Sub-Processor Transfers
All our sub-processors either:
- Process data exclusively within the EU/EEA, or
- Have signed SCCs with us and implement supplementary measures where required
You may request copies of relevant SCCs by contacting dpo@sarportal.com.
10. Data Retention and Deletion
Upon termination:
- Customer data available for export for 90 days
- All tenant data permanently deleted after 90 days
- Audit logs retained for 7 years (legal requirement)
- Billing records retained for 7 years (tax requirement)
11. Audits
The Controller may audit SAR Portal’s compliance with this DPA. We will provide:
- Access to relevant documentation
- Responses to compliance questionnaires
- Third-party audit reports upon request
12. Liability
Liability for data protection breaches is governed by the Terms of Service and applicable law, including GDPR Article 82.
13. Contact
For DPA-related inquiries:
- Data Protection Officer: dpo@sarportal.com
- Legal: legal@sarportal.com