Data Processing

Every record stored in the Service is scoped to the Customer organisation that created it. Data isolation is enforced at the database layer using row-level security.

In most scenarios the Customer organisation acts as the data controller for personal data it uploads, and Purchase Order Centre acts as the data processor handling that data on the Customer's behalf in order to operate the Service.

Customers retain full ownership of all organisational data they upload. We do not sell Customer Data and we do not use Customer Data to train third-party systems.

Customer Data is stored on managed cloud infrastructure with encryption in transit and at-rest protections provided by the underlying platform.

We collect only the data required to deliver the Service: authentication, identity, organisational structure, and the operational records Customers choose to create.

Operational data is retained for as long as the Customer organisation maintains an active workspace. After termination, data may be exported within a reasonable period before deletion in accordance with our retention principles.

Customers may request deletion of personal data at any time, subject to legal retention obligations. Requests can be submitted to support@purchaseorderhub.com.

Customers can request a structured export of their organisational data through the support team. We aim to fulfil reasonable export requests promptly.

Managed database backups are performed by our cloud infrastructure provider to support disaster recovery. Backup data is subject to the same access controls and retention policies as production data.

In the event of a confirmed security incident affecting personal data, we will investigate, take reasonable steps to contain and remediate, and notify affected Customers and supervisory authorities where required by applicable law.

For data processing enquiries, contact support@purchaseorderhub.com.