Data Processing Agreement (DPA)

1. Introduction

This Data Processing Agreement ("DPA") forms part of the agreement between PromptAssist ("Data Processor") and the customer ("Data Controller" or "you") for the provision of PromptAssist services. This DPA governs the processing of personal data by PromptAssist on behalf of its customers in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR).

2. Definitions

For purposes of this DPA:

• "Data Controller" means the customer who determines the purposes and means of processing personal data
• "Data Processor" means PromptAssist, which processes personal data on behalf of the Data Controller
• "Personal Data" means any information relating to an identified or identifiable natural person
• "Processing" means any operation performed on personal data
• "Sub-processor" means any third party appointed by PromptAssist to process personal data
• "GDPR" means the General Data Protection Regulation (EU) 2016/679
• "Supervisory Authority" means the relevant data protection authority

3. Scope and Applicability

This DPA applies to the processing of personal data by PromptAssist as Data Processor for the Data Controller in connection with the provision of PromptAssist services. This DPA is legally binding and forms an integral part of the service agreement.

4. Data Processing Details

4.1 Subject Matter

The subject matter of the data processing is the optimization and management of AI prompts and related analytics.

4.2 Duration

This DPA will remain in effect for the duration of the service agreement between PromptAssist and the Data Controller.

4.3 Nature and Purpose

PromptAssist processes personal data to provide the following services:

• AI prompt optimization and enhancement
• Quality analysis and scoring
• Workflow generation and management
• Enterprise analytics and reporting
• Account management and customer support

4.4 Categories of Personal Data

Depending on customer usage, PromptAssist may process:

• Account Data: Name, email, company information, job title
• User-Generated Content: Prompts, text inputs, uploaded documents
• Usage Data: Feature usage, log data, analytics
• Communication Data: Support tickets, chat logs, email correspondence
• Payment Data: Billing information (processed by Paddle)

4.5 Categories of Data Subjects

• Customer employees and users
• Customer contacts and collaborators
• Other individuals whose data is included in prompts or content

5. Processor Obligations

5.1 Processing Instructions

PromptAssist will process personal data only on documented instructions from the Data Controller, including with regard to international data transfers, unless required to do so by applicable law.

5.2 Confidentiality

PromptAssist ensures that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5.3 Security Measures

PromptAssist implements appropriate technical and organizational measures, including:

• Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
• Access Controls: Role-based access, multi-factor authentication, least privilege principle
• Network Security: Firewalls, intrusion detection, network segmentation
• Data Minimization: Collecting only necessary data
• Regular Audits: Security assessments and penetration testing
• Employee Training: Data protection and security awareness programs
• Incident Response: Documented procedures for security incidents

5.4 Data Subject Rights

PromptAssist assists the Data Controller by appropriate technical and organizational measures, insofar as possible, for the fulfilment of the Data Controller's obligation to respond to requests for exercising the data subject's rights.

5.5 Assistance

PromptAssist assists the Data Controller in:

• Ensuring compliance with data protection obligations
• Implementing appropriate security measures
• Conducting data protection impact assessments
• Responding to data subject rights requests

5.6 Deletion and Return

At the choice of the Data Controller, PromptAssist will delete or return all personal data to the Data Controller after the end of the provision of services relating to processing, and delete existing copies unless EU or Member State law requires storage.

6. Sub-processors

6.1 General

PromptAssist may engage sub-processors for specific processing activities. A current list of sub-processors is available below and may be updated from time to time.

6.2 Authorized Sub-processors

PromptAssist uses the following categories of sub-processors:

6.3 Sub-processor Obligations

PromptAssist ensures that sub-processors are bound by data protection obligations no less protective than those in this DPA.

6.4 Liability

PromptAssist remains fully liable to the Data Controller for the acts and omissions of its sub-processors.

7. International Data Transfers

7.1 Transfer Mechanisms

When transferring personal data outside the EEA or UK, PromptAssist ensures adequate protection through:

• EU-U.S. Data Privacy Framework (for certified companies)
• Standard Contractual Clauses (SCCs)
• Adequacy decisions by the European Commission
• Binding Corporate Rules (BCRs)

7.2 Adequate Safeguards

All international transfers are conducted in accordance with applicable data protection laws and with appropriate safeguards in place.

8. Data Protection Impact Assessment and Prior Consultation

PromptAssist provides reasonable assistance to the Data Controller with data protection impact assessments and prior consultations with supervisory authorities where required by GDPR Articles 35 and 36.

9. Notification of Data Breaches

PromptAssist will notify the Data Controller without undue delay after becoming aware of a personal data breach affecting the Data Controller's data. Such notification will include:

• Nature of the breach
• Categories and approximate number of affected data subjects
• Name and contact details of the DPO
• Likely consequences of the breach
• Measures taken or proposed to address the breach

10. Audits and Inspections

PromptAssist makes available to the Data Controller all information necessary to demonstrate compliance with this DPA and allows for and contributes to audits and inspections.

11. Limitation of Liability

PromptAssist's total liability arising out of or related to this DPA shall be limited as set forth in the main service agreement. Nothing in this DPA reduces PromptAssist's liability for non-compliance with its obligations under GDPR or the Data Controller's obligations under GDPR.

12. Governing Law

This DPA is governed by the same law as the main service agreement, unless otherwise required by applicable data protection law.

13. Order of Precedence

In the event of a conflict between this DPA and the main service agreement, this DPA shall prevail with respect to the subject matter herein.

14. Termination

Upon termination of the service agreement, PromptAssist will delete or return personal data in accordance with Section 5.6 of this DPA.

15. Contact Information

For questions about this DPA or data processing:

• Data Protection Officer: dpo@promptassist.com
• Privacy Team: privacy@promptassist.com
• Legal: legal@promptassist.com

16. Appendix - Security Measures

The following security measures are implemented by PromptAssist:

Technical Measures

• Encryption at rest using AES-256
• Encryption in transit using TLS 1.2+
• Regular security updates and patches
• Vulnerability scanning and remediation
• Secure API authentication
• Database encryption
• Backup and disaster recovery procedures

Organizational Measures

• Access control policies and procedures
• Employee background checks
• Confidentiality agreements
• Data protection training
• Incident response procedures
• Vendor management program
• Regular security audits