Data Processing Addendum

Last updated: April 15, 2026 · Version 2.0.0 · For B2B customers subject to GDPR Article 28, the UK GDPR, or the Swiss FADP

This Data Processing Addendum ("DPA") forms part of and is incorporated into the Terms of Service between Prompt Assay ("Processor") and the customer entity identified in the applicable order ("Customer," "Controller") governing the processing of Personal Data in the course of providing the Prompt Assay service. Capitalized terms not defined in this DPA have the meanings given in the Terms of Service or, where applicable, in the GDPR.

This DPA is made available to all Customers. Customers who require a countersigned copy on company paper may request one from legal@promptassay.ai.

1. Scope and roles

Customer is the Controller of the Personal Data it submits to the Service. Prompt Assay is the Processor, acting on Customer's documented instructions, which consist of (a) the Terms of Service, (b) this DPA, and (c) Customer's reasonable use of the Service's features and settings. Prompt Assay will immediately inform Customer if, in its opinion, an instruction infringes applicable data protection law.

2. Categories of data subjects and Personal Data

Data subjects: Customer's authorized users of the Service (administrators, members) and individuals whose Personal Data may appear incidentally in Customer Content despite the prohibitions in the Acceptable Use Policy.

Categories of Personal Data: account identifiers (email, display name, authentication identifiers), workspace and membership metadata, Customer Content (prompts, versions, fragments, test cases, annotations), usage metadata (AI call records — tokens, model, timestamps; no prompt or response content), billing identifiers, and support communications.

Sensitive data: The Service is not designed to process special categories of data under Article 9 GDPR or equivalent categories under other laws. Customer is required by the Acceptable Use Policy not to submit such data. No special-category processing is intentionally performed by Prompt Assay.

3. Duration and subject matter of processing

Processing continues for the duration of the Customer's subscription to the Service, plus the retention periods specified in the Privacy Policy and this DPA. The subject matter is the provision of a prompt engineering and evaluation workbench as described in the Terms of Service.

4. Sub-processors

Customer grants Prompt Assay a general authorization to engage sub-processors to deliver the Service. Prompt Assay's current sub-processors are listed in the Privacy Policy. Prompt Assay will impose on each sub-processor data protection obligations substantially the same as those in this DPA, and remains liable for the acts and omissions of its sub-processors to the same extent as if performed by Prompt Assay itself.

Change notice. Prompt Assay will provide at least 30 days' advance notice of any new sub-processor that will process Customer Personal Data, by email to the primary account contact and by updating the sub-processor list in the Privacy Policy. Customer may object in writing on reasonable data-protection grounds within the notice period. Prompt Assay will work in good faith to address the objection; if no reasonable accommodation is feasible, either party may terminate the affected Service without penalty for the unused portion of the prepaid term.

5. Security measures

Prompt Assay implements and maintains the following technical and organizational measures (TOMs) to protect Personal Data:

  • Encryption in transit: TLS 1.2 or higher for all connections between clients and the Service and between the Service and its sub-processors.
  • Encryption at rest: AES-256 at the managed database layer for all Customer data. Customer-supplied Upstream Provider API keys are additionally encrypted using Supabase Vault or AES-256-GCM with additional authenticated data (AAD) binding the ciphertext to the originating workspace, organization, provider, label, and key version, preventing ciphertext transplant or replay into a different tenant context.
  • Tenant isolation: row-level security at the database layer scopes queries to the caller's organization; application code additionally enforces explicit organization-id filters on every query as defense in depth.
  • Access control: role-based access within Customer workspaces (owner, admin, member); principle of least privilege for Prompt Assay personnel; platform administrator access restricted and logged.
  • Authentication: strong password requirements, OAuth via Google or GitHub, and optional multi-factor authentication (planned for an upcoming release).
  • Audit logging: append-only audit log of platform administrator actions; usage logging for AI feature calls (metadata only).
  • Secure software development: code review, typed language, linting, dependency monitoring, and infrastructure-as-code review.
  • Incident response: documented procedures for detection, containment, eradication, recovery, and notification.
  • Backups: automated backups and point-in-time recovery via the managed database provider.
  • Personnel: confidentiality obligations, security training, and need-to-know access controls for all Prompt Assay personnel with access to Customer data.
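The context binding described in the encryption-at-rest measure above, shown as an added Go example. This is not Prompt Assay's code and does not show the Supabase Vault path; it assumes a 32-byte AES-256 master key, a hypothetical KeyContext struct carrying the five attributes the measure names (workspace, organization, provider, label, key version), and a JSON encoding of that struct as the GCM additional authenticated data. The point it demonstrates is that a sealed API key copied into a row belonging to a different organization, or read back under a different key version, fails the GCM tag check and is never returned in the clear.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// KeyContext holds the tenant attributes the ciphertext is bound to.
// The struct and field names are assumptions for this example; the DPA
// only names the five attributes.
type KeyContext struct {
	WorkspaceID    string `json:"workspace_id"`
	OrganizationID string `json:"organization_id"`
	Provider       string `json:"provider"`
	Label          string `json:"label"`
	KeyVersion     int    `json:"key_version"`
}

// aad renders the context as canonical bytes for use as GCM additional
// authenticated data. encoding/json emits struct fields in declaration
// order, so the same context always produces the same bytes.
func (c KeyContext) aad() []byte {
	b, err := json.Marshal(c)
	if err != nil {
		panic(err) // cannot happen for a struct of strings and ints
	}
	return b
}

func newGCM(masterKey []byte) (cipher.AEAD, error) {
	if len(masterKey) != 32 {
		return nil, errors.New("master key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealAPIKey encrypts a provider API key under masterKey and binds it to ctx.
// Output layout: 12-byte random nonce || ciphertext || 16-byte GCM tag.
func SealAPIKey(masterKey, apiKey []byte, ctx KeyContext) ([]byte, error) {
	aead, err := newGCM(masterKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, apiKey, ctx.aad()), nil
}

// OpenAPIKey decrypts sealed only when ctx matches the context used at seal
// time. Any difference in the AAD makes the tag verification fail, so a
// ciphertext transplanted into another tenant's row cannot be opened there.
func OpenAPIKey(masterKey, sealed []byte, ctx KeyContext) ([]byte, error) {
	aead, err := newGCM(masterKey)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed value too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, ctx.aad())
	if err != nil {
		// Do not distinguish wrong key from wrong context to the caller.
		return nil, errors.New("decryption refused: wrong key or tenant context")
	}
	return pt, nil
}

func main() {
	masterKey := make([]byte, 32) // constructed demo key; production keys live in a KMS
	if _, err := io.ReadFull(rand.Reader, masterKey); err != nil {
		panic(err)
	}
	ctx := KeyContext{WorkspaceID: "ws_demo", OrganizationID: "org_a", Provider: "openai", Label: "prod", KeyVersion: 1}
	sealed, _ := SealAPIKey(masterKey, []byte("sk-constructed-example"), ctx)

	pt, err := OpenAPIKey(masterKey, sealed, ctx)
	fmt.Printf("same tenant: %q err=%v\n", pt, err)

	other := ctx
	other.OrganizationID = "org_b" // simulate the row being copied into another organization
	_, err = OpenAPIKey(masterKey, sealed, other)
	fmt.Println("transplanted:", err)
}
```

Because the AAD is covered by the GCM tag but not stored in the ciphertext, the reader of the row must reconstruct it from the row's own tenant columns; that is what makes a copied ciphertext useless outside its original context and what makes the key version part of the binding a cheap check against stale copies surviving a rotation.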

Prompt Assay may update its TOMs from time to time, provided that the updates do not materially diminish the overall level of security.

6. Confidentiality

Prompt Assay will ensure that all personnel authorized to process Personal Data are bound by written confidentiality obligations or are under an appropriate statutory obligation of confidentiality.

7. Data subject requests

The Service provides Customer's authorized users with self-service access, correction, export, and deletion tools in Account settings. Customer is responsible for responding to data subject requests from its end users using those tools and its own administrative workflows. Where a data subject contacts Prompt Assay directly, Prompt Assay will redirect the request to Customer unless Prompt Assay is legally required to respond. Upon reasonable request and at Customer's expense, Prompt Assay will provide reasonable assistance to enable Customer to respond to data subject requests that cannot be fulfilled through the self-service tools.

8. Assistance with Customer's obligations

Taking into account the nature of the processing and the information available to Prompt Assay, Prompt Assay will provide reasonable assistance to Customer in meeting its obligations under Articles 32 to 36 of the GDPR (security, breach notification, data protection impact assessments, prior consultation), at Customer's expense for work beyond what is already provided by the Service's standard features and documentation.

9. International transfers

Prompt Assay processes Personal Data in the United States. To the extent Customer transfers Personal Data of individuals in the European Economic Area, the United Kingdom, or Switzerland to Prompt Assay, the parties agree that the European Commission's Standard Contractual Clauses of 4 June 2021 (Module Two: Controller-to-Processor), the UK International Data Transfer Addendum to the EU SCCs, and, for Switzerland, the Swiss FDPIC-approved SCC adaptation are hereby incorporated by reference and completed as follows:

  • Module: Controller (Customer) to Processor (Prompt Assay).
  • Clause 7 (docking): applied.
  • Clause 9 (sub-processors): option 2 (general written authorization) with 30 days' advance notice, as provided in Section 4.
  • Clause 11 (redress): optional independent dispute resolution not selected.
  • Clause 17 (governing law): law of Ireland.
  • Clause 18 (forum): courts of Ireland.
  • Annex I.A (parties): Customer as Data Exporter, Prompt Assay as Data Importer.
  • Annex I.B (description of transfer): as described in Sections 2 and 3 of this DPA.
  • Annex I.C (supervisory authority): the competent supervisory authority of Customer's EU establishment.
  • Annex II (TOMs): the security measures set out in Section 5 of this DPA.
  • Annex III (sub-processors): the sub-processor list maintained in the Privacy Policy.

Prompt Assay will conduct a transfer impact assessment on reasonable request by Customer where required by applicable law.

10. Breach notification

Prompt Assay will notify Customer without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Customer's Personal Data, by email to the primary administrative contact on record. The notification will describe the nature of the breach, the categories and approximate number of affected data subjects and records (to the extent known), the likely consequences, and the measures taken or proposed to address it.

11. Audit rights

Prompt Assay will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA, including relevant third-party audit reports and certifications held by Prompt Assay or its sub-processors where available. On reasonable prior written notice (no more often than once per year, except in the case of a documented suspicion of non-compliance or a requirement by a supervisory authority), Customer or its mandated auditor may conduct an audit of Prompt Assay's compliance with this DPA, subject to reasonable confidentiality and security safeguards and during business hours. Prompt Assay may, at its discretion, satisfy an audit request by providing a recent independent audit report where one exists.

12. Return or deletion of data

On termination of the Service and at Customer's election, Prompt Assay will, within 30 days, (a) return Customer Personal Data to Customer in the standard export format provided by the Service or (b) delete the Personal Data. In the absence of an instruction within 30 days of termination, Prompt Assay will delete the data in accordance with the retention schedule in the Privacy Policy. Prompt Assay may retain Personal Data to the extent required by applicable law, in which case it will continue to protect it under the security measures in Section 5.

13. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of the Terms of Service.

14. Order of precedence

In the event of conflict between the terms of this DPA, the Standard Contractual Clauses (where applicable), and the Terms of Service, the following order of precedence applies with respect to data protection matters: (1) the Standard Contractual Clauses, (2) this DPA, (3) the Terms of Service.

15. Contact

Questions about this DPA or to request a countersigned copy: legal@promptassay.ai

See also: Privacy Policy · Terms of Service · Acceptable Use Policy · Cookie Policy.