Data Processing Agreement
This is byosportal’s standard Data Processing Agreement. It governs the limited personal data we process on your behalf as your processor — never the contents of your files, which travel directly from your own cloud bucket to your client and are never stored on our servers. It forms part of our Terms of Service.
Version 1.0, effective 1 June 2026. If you require a countersigned or negotiated copy, write to us at privacy@byosportal.dev.
1. Parties and definitions
This Data Processing Agreement (the DPA) records how byosportal processes personal data on behalf of the customer in connection with the byosportal bring-your-own-storage file-sharing service. It forms part of, and is subject to, the main byosportal Terms of Service; where this DPA and the Terms of Service conflict on the subject of data protection, this DPA prevails for that subject.
The two parties to this DPA are:
- The Customer — the organisation or individual that has entered into the Terms of Service. The Customer acts as the controller (under UK GDPR and the EU GDPR) and as the business (under the CCPA/CPRA). The Customer determines the purposes and means of the processing and controls the cloud storage bucket from which files are served.
- byosportal — the operator of the service. byosportal acts as the processor (under UK GDPR and the EU GDPR) and as a service provider or contractor (under the CCPA/CPRA). byosportal processes personal data only on the documented instructions of the Customer, as set out in this DPA and the Terms of Service.
byosportal is a bring-your-own-storage service: the contents of the Customer’s files never traverse or persist on byosportal servers, and bytes travel directly from the Customer’s own cloud bucket to the recipient. The only personal data byosportal processes is operational metadata — file names, sizes and object paths; per-access timestamps and success or failure; an approximate region (country) derived from the accessor IP; a salted, non-reversible SHA-256 hash of the accessor IP; the browser User-Agent; for identity-required upload links, the uploader-provided name and email; and the Customer’s encrypted cloud credentials.
The following terms carry the meanings given to them in the UK GDPR, the EU GDPR (Regulation 2016/679) and the Data Protection Act 2018, with their nearest CCPA/CPRA equivalents noted for reference:
- Controller — the party that determines the purposes and means of processing. The CCPA/CPRA equivalent is the business.
- Processor — the party that processes personal data on behalf of the controller. The CCPA/CPRA equivalents are the service provider and the contractor.
- Personal data — any information relating to an identified or identifiable natural person. The CCPA/CPRA equivalent is personal information.
- Processing — any operation performed on personal data, whether or not by automated means, including collection, storage, use, disclosure and erasure.
- Data subject — the identified or identifiable natural person to whom personal data relates. The CCPA/CPRA equivalent is the consumer.
- Sub-processor — a third party engaged by the processor to carry out specific processing activities on behalf of the controller.
- Personal data breach — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
- Supervisory authority — the competent independent public authority responsible for monitoring the application of data protection law. For processing subject to UK law, this is the Information Commissioner’s Office (the ICO).
Terms used in this DPA that are not defined here take the meaning given to them in the UK GDPR, the EU GDPR, the Data Protection Act 2018 or the CCPA/CPRA, as the context requires. The obligations and definitions in this DPA apply in addition to, and do not limit, the rights and obligations of the parties under the Terms of Service.
2. Roles of the parties
For the purposes of this Agreement, and of the UK GDPR, the Data Protection Act 2018, and (where applicable) the EU GDPR, the Customer is the controller and byosportal is the processor. The Customer determines the purposes and means of the processing carried out under the service; byosportal acts solely as a processor on behalf of the Customer and only in respect of the limited operational metadata described in this Agreement.
byosportal is a bring-your-own-storage service. The contents of the Customer’s files never traverse or persist on byosportal systems; the bytes travel directly from the Customer’s own cloud bucket to the recipient. byosportal is therefore never the controller, nor a processor, of those file contents, because the contents never reach byosportal systems. The only personal data byosportal processes as a processor is the operational metadata defined in this Agreement: file names, sizes, and object paths; per-access timestamps and success or failure; an approximate region (country) derived from the accessor IP; a salted, non-reversible SHA-256 hash of the accessor IP; the browser User-Agent; for identity-required upload links, the uploader-provided name and email; and the Customer’s encrypted cloud credentials.
As processor, byosportal undertakes that it will:
- (a) process the operational metadata only on the documented instructions of the Customer, including those set out in this Agreement and in the contract, save where required to do otherwise by applicable law;
- (b) ensure that the persons authorised to process the personal data are bound by an appropriate obligation of confidentiality;
- (c) implement appropriate technical and organisational measures to secure the personal data, including the measures set out elsewhere in this Agreement;
- (d) engage sub-processors only on terms consistent with this Agreement, binding each sub-processor to data-protection obligations equivalent to those imposed on byosportal before any personal data is disclosed to it;
- (e) assist the Customer, so far as the nature of the processing allows, in responding to requests from data subjects exercising their rights;
- (f) assist the Customer with its obligations relating to security, breach notification, data protection impact assessments, and prior consultation;
- (g) delete the personal data at the end of the service in accordance with the retention terms of this Agreement, and delete existing copies save where applicable law requires storage; and
- (h) make available to the Customer the information necessary to demonstrate compliance with these obligations, and allow for and contribute to audits and inspections conducted by the Customer or its mandated auditor.
byosportal will not sell or share the personal data, and will not retain, use, or disclose it, for any purpose other than performing the service or as otherwise permitted by applicable law. byosportal will not combine the personal data it receives with data from any other source or context outside the business relationship, and will promptly notify the Customer if it determines that it can no longer meet its obligations under applicable data-protection law.
Each party complies with the data-protection law applicable to its role. Where the Information Commissioner’s Office is the competent supervisory authority, the parties recognise it as such, and any restricted transfer is made under the UK adequacy regulations or, failing that, the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, in each case relying on the transfer gateway in Articles 44 to 49 of the UK GDPR.
3. Scope and details of processing
The subject-matter, duration, nature and purpose of the processing, the categories of personal data, and the categories of data subjects are set out in Annex I. byosportal processes personal data only on the documented instructions of the Customer, including the instructions recorded in this Agreement and in Annex I, and solely for the purposes described there.
The duration of the processing is the term of the Customer’s account. The nature and purpose of the processing is operating the portal on behalf of the Customer: minting time-limited access links, recording the access audit, sending notifications, and administering billing.
The Customer is the data controller and byosportal is the processor. byosportal does not sell or share personal data, does not retain, use, or disclose it outside the business relationship described in this Agreement, and does not combine it with data obtained from any other source or context.
The only personal data byosportal processes is operational metadata. Because byosportal is a bring-your-own-storage service, the contents of the Customer’s files never traverse or persist on byosportal systems; bytes travel directly from the Customer’s own cloud bucket to the recipient. File contents are therefore excluded from the scope of this processing. The operational metadata comprises:
- File metadata — file names, sizes, and object paths.
- Access records — per-access timestamps and success or failure outcomes.
- Approximate region — a country derived from the accessor IP and stored on the audit record.
- Hashed IP — a salted, non-reversible SHA-256 hash of the accessor IP; the raw IP is never stored.
- Browser User-Agent — recorded on the access.
- Uploader identity — for identity-required upload links only, the uploader-provided name and email.
- Cloud credentials — the Customer’s encrypted cloud storage credentials.
Further detail on the technical and organisational security measures, the engagement of sub-processors, assistance with data subject rights and the Customer’s security, breach-notification and data-protection-impact-assessment obligations, and the deletion of personal data at the end of the service is set out in the clauses that follow and in Annex I.
4. Processing on documented instructions
byosportal processes personal data only on the documented instructions of the Customer, who acts as the data controller while byosportal acts as the processor. This obligation extends to any transfer of personal data to a third country or international organisation: byosportal makes no such transfer except on the documented instructions of the Customer, unless required to do so by applicable law.
The documented instructions of the Customer comprise this DPA, the Terms, and the configuration and use of the service by the Customer — including the cloud buckets the Customer connects, the share and upload links the Customer creates, the expiry and password settings the Customer applies, and the plan the Customer selects. byosportal does not process personal data for any purpose outside that scope, does not retain, use, or disclose it beyond the business relationship, does not combine it with data from other sources, and does not sell or share it with any third party.
The processing covers only operational metadata, never file content. The bytes of the Customer’s files never traverse or persist on byosportal systems; they travel directly from the cloud bucket of the Customer to the recipient over a signed URL that expires within five minutes. The only personal data byosportal processes is metadata about those transfers — file names, sizes, and object paths; per-access timestamps and success or failure outcomes; an approximate region (country) derived transiently from the accessor IP; a salted, non-reversible SHA-256 hash of that IP (never the raw IP); the browser User-Agent; for identity-required upload links, the uploader-provided name and email; and the encrypted cloud credentials of the Customer.
- Infringing instructions. byosportal informs the Customer if, in the opinion of byosportal, an instruction infringes applicable data-protection law.
- Processing required by law. Where applicable law requires byosportal to process personal data otherwise than on the documented instructions of the Customer, byosportal informs the Customer of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.
Because file content never reaches byosportal systems, the documented instructions of the Customer govern only this narrow set of operational metadata and the encrypted credentials needed to mint signed URLs against the Customer’s own bucket — nothing more.
5. Confidentiality
byosportal ensures that any person it authorises to process personal data on behalf of the Customer is bound by an appropriate duty of confidentiality, whether under a contractual obligation or a statutory one. That duty covers all of the operational metadata processed under this Agreement — including file names, sizes and object paths, per-access timestamps and outcomes, the approximate accessor region, the salted SHA-256 accessor IP hash, the browser User-Agent, any uploader-provided name and email for identity-required upload links, and the Customer’s encrypted cloud credentials — and survives the end of the individual engagement of the relevant person.
Access to personal data is limited to those personnel who genuinely need it to provide, operate or support the service, and is granted on a least-privilege basis. byosportal does not sell or share personal data with third parties, does not use or disclose personal data outside the scope of providing the service, and does not combine the personal data it processes for the Customer with data drawn from any other source or context.
- Binding obligation: authorised persons commit to confidentiality before they are given access to personal data.
- Need-to-know access: access is restricted to personnel supporting the service and is removed when no longer required.
- Credential protection: the Customer’s cloud credentials are encrypted with AES-256-GCM, decrypted only in memory, and are never logged.
- Sub-processors: the sub-processors engaged by byosportal and identified in Annex III are bound by confidentiality and data-protection obligations no less protective than those set out here before any personal data is made available to them.
These confidentiality commitments operate alongside the technical and organisational security measures described elsewhere in this Agreement, and apply equally under the UK General Data Protection Regulation and the Data Protection Act 2018.
6. Security of processing
byosportal implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32. These measures are described in further detail in Annex II and are kept under review to reflect the state of the art, the limited nature of the processing, and the limited risk that follows from the fact that the contents of the Customer’s files are never held on byosportal systems.
The measures include, in particular:
- Encryption of stored credentials. Cloud storage credentials are encrypted at rest using AES-256-GCM, decrypted in memory only at the point of use, and never written to logs.
- Encryption in transit. All connections are protected using TLS version 1.2 or higher.
- Password protection. Share-link passwords are hashed using bcrypt with a cost factor of 12 or higher, and are never stored or processed in plaintext.
- Pseudonymisation of accessor identifiers. Accessor IP addresses are recorded only as a salted, non-reversible SHA-256 hash; the raw IP address is never stored.
- Signed, short-lived access URLs. Download URLs are cryptographically signed and expire within five minutes of issue; upload URLs are likewise signed and expire within fifteen minutes.
Taking into account the nature of the processing and the information available to it, byosportal also assists the Customer in ensuring compliance with the Customer’s obligations under Articles 32 to 36 of the UK GDPR — security of processing, notification of a personal data breach, data protection impact assessments, and prior consultation with the supervisory authority.
Because file contents travel directly from the Customer’s own cloud bucket to the recipient and are never received, stored, or processed by byosportal, the residual risk to the rights and freedoms of data subjects is correspondingly limited, and the measures set out above are appropriate to that risk.
7. Sub-processors
The Customer authorises byosportal to engage the sub-processors listed below to process personal data on the Customer’s behalf. Each is bound by data-protection terms no less protective than this Agreement, and file contents never reach any of them.
- Vercel — Application hosting (metadata only — never file bytes).
- Managed PostgreSQL — Metadata database — file names, sizes, access audit; never file contents.
- Hanko — Managed authentication (sign-in, account identity).
- Resend — Transactional email (download notifications, account email).
- Stripe — Subscription billing.
byosportal gives the Customer advance notice of any intended addition or replacement of a sub-processor and a reasonable opportunity to object on data-protection grounds. If byosportal cannot accommodate a reasonable objection, the Customer may terminate the affected service.
8. Assisting with data subject rights
Taking into account the nature of the processing, byosportal assists the Customer by appropriate technical and organisational measures, insofar as this is possible, to fulfil the Customer’s obligation to respond to requests from data subjects exercising their rights of access, rectification, erasure, restriction of processing, data portability, and objection. Because the Customer is the controller and byosportal acts only on documented instructions, byosportal will not respond to a data subject directly but will route any such request it receives to the Customer.
byosportal processes only a limited set of operational metadata on the Customer’s behalf — file names, sizes, and object paths; per-access timestamps and success or failure outcomes; an approximate region (country) derived transiently from the accessor IP; a salted, non-reversible SHA-256 hash of the accessor IP; the browser User-Agent; and, for identity-required upload links, the uploader-provided name and email. The contents of the Customer’s files never traverse or persist on byosportal servers, so requests concerning file contents are addressed by the Customer within its own cloud storage. For the metadata described above, the following practical levers are available to the Customer:
- Revoke or delete individual links — the Customer can revoke or delete any individual share link or upload link at any time. A terminated link (revoked, expired, or cap-exhausted) is permanently purged 30 days after termination.
- Delete the account — deleting the account permanently purges every row associated with the Customer, removing all of the operational metadata processed on the Customer’s behalf.
Where the salted SHA-256 hash of the accessor IP is concerned, it is non-reversible and the raw IP is never written to durable storage or logs, which constrains what can be linked back to an individual data subject. byosportal will provide the Customer with the information reasonably necessary to identify and act upon the metadata it holds so that the Customer can meet the applicable response deadline.
9. Personal data breach
On confirming a personal data breach affecting personal data byosportal processes on the Customer’s behalf, byosportal notifies the Customer without undue delay and in any event within 72 hours of confirmation. The notice describes, to the extent known, the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it.
byosportal provides reasonable assistance to help the Customer meet its own obligations to notify supervisory authorities and data subjects under Articles 33 and 34 of the UK GDPR (and the EU GDPR equivalents). Because file contents never reach byosportal systems, the personal data exposed by any breach on the byosportal side is limited to the operational metadata described in Annex I.
10. Return and deletion of data
At the choice of the Customer, byosportal deletes or returns all personal data processed on behalf of the Customer after the end of the provision of the services, and deletes existing copies, unless storage of the personal data is required by Union or Member State law. Because byosportal operates a bring-your-own-storage model, the contents of the Customer’s files never traverse or persist on byosportal servers; this clause concerns only the operational metadata that byosportal processes as processor.
Deletion and return operate through the following product mechanics:
- Account deletion. When the Customer deletes the account, byosportal permanently purges every database row associated with the Customer, including the access-audit history and the encrypted cloud credentials. This is irreversible and leaves no residual copy on byosportal systems.
- Terminated share and upload links. Links that have reached a terminal state — revoked, expired, or download-cap exhausted — are purged 30 days after termination.
- Access-audit records. Access-audit rows are retained according to the plan of the Customer: 7 days on Free, 30 days on Pro, and 365 days on Business. Records older than the applicable window are removed automatically.
Return of the metadata, where the Customer elects return rather than deletion, is provided in a structured, machine-readable export before the corresponding rows are purged. The raw accessor IP is never written to durable storage or logs in the first place; the audit record retains only a salted, non-reversible SHA-256 hash and an approximate region, so deletion of an audit row removes the only personal data held for that access event.
Where Union or Member State law requires byosportal to retain particular personal data beyond the periods above, byosportal retains only the data so required, for the period so required, and continues to protect it under the technical and organisational measures described in this Agreement until it may lawfully be deleted.
11. Audits and demonstrating compliance
byosportal makes available to the Customer all information reasonably necessary to demonstrate compliance with the obligations of a processor under Article 28 of the UK GDPR, and allows for and contributes to audits, including inspections, conducted by the Customer or by an independent auditor it mandates, in accordance with this clause.
byosportal may discharge these obligations primarily by providing relevant documentation and by responding to reasonable security questionnaires. The documentation byosportal can make available describes, among other things, the technical and organisational measures summarised in this Agreement, including AES-256-GCM encryption of the Customer’s cloud credentials (decrypted in memory only and never logged), TLS 1.2 or higher in transit, bcrypt at a cost factor of 12 or greater for share-link passwords, salted SHA-256 hashing of accessor IP addresses, and signed download URLs that expire within five minutes and signed upload URLs that expire within fifteen minutes.
Where documentation and questionnaire responses do not reasonably satisfy the Customer’s audit rights, the Customer or its mandated auditor may carry out an inspection, subject to the following conditions:
- Notice. The Customer gives byosportal reasonable advance written notice of any requested audit or inspection.
- Frequency. Audits and inspections are limited to once per twelve-month period, save where an inspection is required by a competent supervisory authority, such as the Information Commissioner’s Office, or where the Customer reasonably believes a personal data breach affecting its data has occurred.
- Confidentiality. The Customer and any mandated auditor are bound by obligations of confidentiality at least as protective as those in this Agreement, and any auditor must not be a competitor of byosportal.
- Scope and conduct. Audits and inspections are limited to information and systems relevant to the processing of the Customer’s personal data, are conducted during normal business hours, and are carried out so as to cause minimal disruption to byosportal operations and not to compromise the confidentiality, security, or integrity of data belonging to other customers.
Because the contents of the Customer’s files never traverse or persist on byosportal servers and travel directly from the Customer’s cloud bucket to the recipient, an audit covers only the operational metadata that byosportal processes as described in this Agreement, together with the related security measures, sub-processor arrangements, retention behaviour, and breach-handling procedures.
byosportal informs the Customer without undue delay if, in its opinion, an instruction relating to an audit or inspection infringes the UK GDPR, the Data Protection Act 2018, or other applicable data protection law, and contributes to such audits and inspections on the basis set out above.
12. International transfers
Where the processing involves transferring personal data outside the EEA or the UK, byosportal relies on an adequacy decision or, in the absence of one, on appropriate safeguards. For EEA-origin transfers this means the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914). For UK-origin transfers this means the UK International Data Transfer Agreement (in force 21 March 2022) or the UK Addendum to the EU Standard Contractual Clauses issued by the Information Commissioner under section 119A of the Data Protection Act 2018.
These mechanisms operate under the transfer gateway in Articles 44 to 49 of the EU GDPR and the parallel provisions of the UK GDPR. Where an adequacy decision or UK adequacy regulations made under Article 45 of the UK GDPR cover the destination, byosportal may rely on that decision in place of the contractual safeguards. Where a transfer is UK-origin only, no conflicting EU Standard Contractual Clauses obligation overrides the applicable UK instrument.
The location of hosting and of the sub-processors engaged by byosportal is set out in Annex III. The personal data potentially in scope of a transfer is limited to the operational metadata described in this Agreement; the contents of the Customer’s files never traverse or persist on byosportal servers, since bytes travel directly from the Customer’s cloud bucket to the recipient.
The Customer authorises such transfers to the extent they are necessary to provide the service. byosportal does not sell or share personal data, does not combine the personal data received with data from other sources, and binds each sub-processor to the same transfer restrictions before any personal data is shared. byosportal will notify the Customer promptly if it can no longer give effect to an applicable transfer mechanism.
13. United Kingdom addendum
This section applies to the extent that personal data processed by byosportal under this Agreement is subject to the law of the United Kingdom. Where it applies, it supplements and, where necessary, modifies the other sections of this Agreement for UK-origin personal data.
- Applicable law. References in this Agreement to the GDPR are read as references to the UK GDPR and the Data Protection Act 2018, as retained, amended, or replaced in UK law. References to the EEA are read as references to the United Kingdom, or are taken to include the United Kingdom where a transfer covers both.
- Supervisory authority. The Information Commissioner (the Information Commissioner’s Office, or ICO) is the competent supervisory authority for UK personal data, in place of the EU lead supervisory authority.
- Restricted transfers. Any transfer of UK personal data to a country outside the United Kingdom that is not the subject of UK adequacy regulations made under Article 45 of the UK GDPR is made under the UK International Data Transfer Agreement (the IDTA, in force 21 March 2022) or under the UK Addendum to the EU Standard Contractual Clauses issued by the ICO under section 119A of the Data Protection Act 2018, in each case as the restricted-transfer gateway under Articles 44 to 49 of the UK GDPR in place of the EU Standard Contractual Clauses.
- Mandatory Clauses. Where the parties rely on the UK Addendum, the ICO Table 1 to Table 4 format applies and the Mandatory Clauses are incorporated without modification; only the Optional Clauses may be agreed between the parties.
- Governing law and jurisdiction. For UK-origin transfers under this section, the governing law is the law of England and Wales and the courts of England and Wales have jurisdiction over disputes, in place of any EU member-state law or EU court.
Where a transfer is UK-origin only, the UK instrument identified above governs and no conflicting obligation under the EU Standard Contractual Clauses overrides it. The obligations byosportal undertakes elsewhere in this Agreement as processor — processing only on the documented instructions of the Customer, binding authorised personnel to confidentiality, maintaining the technical and organisational measures described in this Agreement, engaging the named sub-processors under equivalent terms, assisting the Customer with data subject requests and with breach, assessment, and consultation obligations, notifying the Customer within 72 hours of confirming an incident, purging data on the retention schedule and on account deletion, and providing the information needed to demonstrate compliance — apply equally to UK personal data under the UK GDPR and the Data Protection Act 2018.
14. United States state privacy laws
This section applies where personal information processed under this Agreement is subject to the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, the CCPA/CPRA) or to comparable United States state privacy laws. With respect to such personal information, the Customer is the business and byosportal acts as a service provider (or contractor) processing the personal information on behalf of the Customer.
byosportal makes the following commitments in respect of the personal information disclosed to it by, or collected by it for, the Customer:
- No sale or sharing. byosportal does not sell the personal information and does not share it for cross-context behavioural advertising or for any other purpose, in each case as those terms are defined under the CCPA/CPRA.
- Limited business purpose. byosportal processes the personal information solely to provide the byosportal service to the Customer under this Agreement, which is the specified business purpose, and for no other purpose. The personal information byosportal processes is limited to operational metadata (file names, sizes and object paths; per-access timestamps and success or failure; an approximate region derived from the accessor IP and stored on the audit record; a salted, non-reversible SHA-256 hash of the accessor IP; the browser User-Agent; for identity-required upload links, the uploader-provided name and email; and the Customer’s encrypted cloud credentials). The contents of the Customer’s files never traverse or persist on byosportal servers.
- No use outside the relationship. byosportal does not retain, use or disclose the personal information for any purpose other than the business purpose described above, nor outside the direct business relationship between the parties, except where retention, use or disclosure is permitted by applicable law.
- No combining. byosportal does not combine the personal information it receives under this Agreement with personal information that it receives from, or on behalf of, any other person, or that it collects from its own interaction with any individual, except as permitted by the CCPA/CPRA.
- Sub-processors bound. byosportal engages only the sub-processors identified in Annex III to this Agreement and binds each of them by written contract to the same restrictions that apply to byosportal under this section before any personal information is made available to them.
- Certification. byosportal certifies that it understands the restrictions set out in this section and will comply with them.
byosportal will notify the Customer without undue delay if it determines that it can no longer meet its obligations under the CCPA/CPRA or comparable United States state privacy laws. The Customer may take reasonable and appropriate steps to stop and remediate any unauthorised use of the personal information. byosportal grants the Customer the right to take such steps as are reasonably necessary to ensure that byosportal uses the personal information in a manner consistent with the Customer’s obligations under those laws.
15. Liability and order of precedence
In the event of a conflict or inconsistency between this Data Processing Agreement and the Terms, this Data Processing Agreement prevails with respect to data-protection matters. For all other matters, the Terms prevail.
The liability of each party under this Data Processing Agreement is subject to the limitations and exclusions of liability set out in the Terms. Nothing in this Data Processing Agreement increases or extends the liability of either party beyond what the Terms provide.
- Order of precedence. For data-protection matters, this Data Processing Agreement takes priority over the Terms; for all other matters, the Terms take priority.
- Liability. Each party’s liability under this Data Processing Agreement remains subject to the limitations and exclusions of liability agreed in the Terms.
- Annexes. The Annexes to this Data Processing Agreement form an integral part of it and are to be read together with it.
Save as expressly amended or supplemented by this Data Processing Agreement, the Terms remain in full force and effect.
16. Changes, term, and contact
This Data Processing Agreement takes effect on the date the Customer accepts the Terms and remains in force for as long as byosportal processes personal data on the Customer’s behalf. When that processing ends — on account deletion or termination of the service relationship — byosportal deletes the relevant personal data in line with the retention rules set out above.
byosportal may update this standard-form DPA from time to time. The version and effective date shown at the top of this page reflect the current text. byosportal notifies Customers of material changes to this DPA through the service or by email.
If you have questions about this DPA, or if you require a countersigned or separately negotiated copy, you can reach byosportal at the privacy contact linked in the introduction to this page.
Annex I — Details of processing
The following details describe the processing carried out by byosportal as processor on behalf of the Customer as controller. The contents of the Customer’s files never traverse or persist on byosportal servers; bytes travel directly from the Customer’s cloud bucket to the recipient, so byosportal processes only the operational metadata listed below.
- Subject matter: the provision of the byosportal portal to the Customer.
- Duration: for the term of the Customer’s account or of the agreement, whichever ends later.
- Nature and purpose: minting time-limited download and upload links, recording the access audit, sending notification email, and billing the Customer for the service.
- Categories of data subjects: the Customer’s clients and recipients who access download links; uploaders who use file-request links; and the Customer’s own account users.
- Categories of personal data: file names, sizes, and object paths; per-access timestamps and success or failure; the approximate region (country) derived from the accessor IP and stored on the audit record; a salted, non-reversible SHA-256 hash of the accessor IP, never the raw IP; the browser User-Agent; for identity-required upload links, the uploader-provided name and email; and the Customer’s encrypted cloud credentials.
The raw accessor IP is processed transiently only to derive the approximate region and is never written to durable storage or logs. Cloud credentials are encrypted with AES-256-GCM, decrypted in memory only, and never logged.
Annex II — Technical and organisational measures
byosportal implements the following technical and organisational measures to protect personal data, in accordance with Article 32. Because byosportal operates a bring-your-own-storage model, the contents of the Customer’s files never traverse or persist on byosportal systems, which materially reduces the surface to which these measures apply.
- Encryption of stored credentials. The Customer’s cloud credentials are encrypted at rest using AES-256-GCM, decrypted in memory only at the point of use, and never written to logs.
- Encryption in transit. All connections to byosportal are protected with TLS version 1.2 or higher.
- Password hashing. Share-link passwords are hashed with bcrypt at a cost factor of 12 or higher; the raw password is never stored.
- IP pseudonymisation. Accessor IP addresses are pseudonymised through salted, non-reversible SHA-256 hashing; the raw IP address is never stored.
- Signed, short-lived URLs. Download URLs are cryptographically signed and short-lived, expiring within five minutes of issue; upload URLs are likewise signed and expire within fifteen minutes.
- Access control. Access to systems and data is restricted to authorised personnel on a need-to-know basis.
- Direct-transfer architecture. Under the bring-your-own-storage architecture, file contents travel directly between the Customer’s bucket and the recipient and never reach byosportal systems.
- Audit logging. Access events are logged to support auditing and accountability.
These measures are reviewed and applied to the operational metadata that byosportal processes as part of providing the service.
Annex III — Sub-processors
byosportal engages the following sub-processors to process operational metadata in providing the service. File contents never reach any of them, and each is bound by data-protection terms no less protective than this Agreement.
- Vercel — Application hosting (metadata only — never file bytes). Processing location: [location — to be completed before launch]
- Managed PostgreSQL — Metadata database (file names, sizes, access audit; never file contents). Processing location: [location — to be completed before launch]
- Hanko — Managed authentication (sign-in, account identity). Processing location: Frankfurt, Germany (EU)
- Resend — Transactional email (download notifications, account email). Processing location: [location — to be completed before launch]
- Stripe — Subscription billing. Processing location: [location — to be completed before launch]