Encryption, isolation, audit history, and the kind of operational discipline that lets you put your client’s work in our hands without a second thought. Here’s exactly how it works.
Last updated: 8 May 2026
Everything that travels between your browser and our servers is encrypted with TLS. Everything written to disk is encrypted on AWS infrastructure. Passwords are never stored in plain text; they’re hashed with PBKDF2 at high iteration counts so even we can’t read them back.
Each organisation lives in its own isolated database space, not just a row in a shared table. Your data is physically separated from every other customer’s. Cross-tenant access isn’t blocked by a permission check; it’s blocked by the structure of the system itself.
Sessions use secure HTTP-only cookies with cross-site request protection. Magic-link sign-in is available for passwordless login (single-use, 15-minute tokens). Repeated failed login attempts trigger temporary account lockout with automatic recovery. Multi-factor authentication is on the near-term roadmap; until then, use a strong unique password and protect the email inbox tied to your account.
Sign-ins, account changes, administrative actions and other significant security events are logged with the IP address and browser they came from. Records are retained for 365 days so when an audit question comes up, the answer is already there.
The Service is hosted on Amazon Web Services with managed PostgreSQL databases, S3 file storage delivered via CloudFront, and automated backups. AWS infrastructure underneath us holds SOC 2, ISO 27001 and other industry compliance certifications. Your data sits inside that perimeter.
Sensitive endpoints are rate-limited to stop brute-force attacks before they start. Failed login attempts are capped with automatic lockout. Account creation is throttled per IP. Outbound email is throttled per workspace.
Portal Worx is operated by SM Worx Group Ltd, a UK company registered with the Information Commissioner’s Office. The Service is built around UK GDPR, EU GDPR for users in the European Economic Area, and POPIA for users in South Africa.
Full support for data subject rights including access, rectification, erasure (right to be forgotten), and data portability. Erasure requests can be submitted directly through the platform.
We process personal information lawfully, minimise what we collect, register an Information Officer with the South African Information Regulator, and stay transparent about how data is used.
Every uploaded file gets a UUID-based filename so the file itself carries no personally identifiable information. Storage paths are workspace-prefixed to keep one organisation’s files structurally separate from the next.
Deleted projects, documents, images and reports stay in a 30-day recovery window before permanent deletion. Account data is preserved during subscription lapses and trial expiry so you can resume without losing anything.
In the event of a data breach, we notify the relevant supervisory authority within 72 hours as GDPR requires, and notify affected users without undue delay. The full process is in our Privacy Policy.
If your organisation needs a formal DPA as part of your own GDPR or POPIA obligations, we have one ready. View our Data Processing Agreement.
The platform handles a lot, but the strongest setup is the one your team commits to as well. Five habits worth building in.
Use at least 8 characters with a mix of letters and numbers, and never reuse a password across other services. A password manager makes this effortless.
Every team member should have their own account. Shared logins make it impossible to know who did what, and they survive long after the original person leaves.
Workspace admins should periodically check who’s on the team and remove access for anyone who no longer needs it. Quarterly is a sensible cadence.
Document categories support per-folder visibility. Use private folders for sensitive contracts, financial records, and anything else that shouldn’t be visible to the whole team.
Spot a sign-in you don’t recognise, an action you didn’t take, or anything that feels off? Email security@portal-worx.com immediately.
We welcome responsible disclosure of security vulnerabilities. When you report one, we ask that you:
For more on how we handle your data, see our Privacy Policy, Cookie Policy, and Data Processing Agreement.