Data Processing Addendum

Last updated: April 15, 2026 · Version 2.0.0 · For B2B customers subject to GDPR Article 28, the UK GDPR, or the Swiss FADP

This Data Processing Addendum ("DPA") forms part of and is incorporated into the Terms of Service between PromptAssay ([PLACEHOLDER: legal entity name], "Processor") and the customer entity identified in the applicable order ("Customer," "Controller") governing the processing of Personal Data in the course of providing the PromptAssay service. Capitalized terms not defined in this DPA have the meanings given in the Terms of Service or, where applicable, in the GDPR.

This DPA is made available to all Customers. Customers who require a countersigned copy on company paper may request one from legal@promptassay.ai [PLACEHOLDER: confirm legal alias].

1. Scope and roles

Customer is the Controller of the Personal Data it submits to the Service. PromptAssay is the Processor, acting on Customer's documented instructions, which consist of (a) the Terms of Service, (b) this DPA, and (c) Customer's reasonable use of the Service's features and settings. PromptAssay will immediately inform Customer if, in its opinion, an instruction infringes applicable data protection law.

2. Categories of data subjects and Personal Data

Data subjects: Customer's authorized users of the Service (administrators, members) and individuals whose Personal Data may appear incidentally in Customer Content despite the prohibitions in the Acceptable Use Policy.

Categories of Personal Data: account identifiers (email, display name, authentication identifiers), workspace and membership metadata, Customer Content (prompts, versions, fragments, test cases, annotations), usage metadata (AI call records — tokens, model, timestamps; no prompt or response content), billing identifiers, and support communications.

Sensitive data: The Service is not designed to process special categories of data under Article 9 GDPR or equivalent categories under other laws. Customer is required by the Acceptable Use Policy not to submit such data. No special-category processing is intentionally performed by PromptAssay.

3. Duration and subject matter of processing

Processing continues for the duration of the Customer's subscription to the Service, plus the retention periods specified in the Privacy Policy and this DPA. The subject matter is the provision of a prompt engineering and evaluation workbench as described in the Terms of Service.

4. Sub-processors

Customer grants PromptAssay a general authorization to engage sub-processors to deliver the Service. PromptAssay's current sub-processors are listed in the Privacy Policy. PromptAssay will impose on each sub-processor data protection obligations substantially the same as those in this DPA, and remains liable for the acts and omissions of its sub-processors to the same extent as if performed by PromptAssay itself.

Change notice. PromptAssay will provide at least 30 days' advance notice of any new sub-processor that will process Customer Personal Data, by email to the primary account contact and by updating the sub-processor list in the Privacy Policy. Customer may object in writing on reasonable data-protection grounds within the notice period. PromptAssay will work in good faith to address the objection; if no reasonable accommodation is feasible, either party may terminate the affected Service without penalty for the unused portion of the prepaid term.

5. Security measures

PromptAssay implements and maintains the following technical and organizational measures (TOMs) to protect Personal Data:

  • Encryption in transit: TLS 1.2 or higher for all connections between clients and the Service and between the Service and its sub-processors.
  • Encryption at rest: AES-256 at the managed database layer for all Customer data. Customer-supplied Upstream Provider API keys are additionally encrypted using Supabase Vault or AES-256-GCM with additional authenticated data (AAD) binding the ciphertext to the originating workspace, organization, provider, label, and key version, preventing ciphertext transplant or replay into a different tenant context.
  • Tenant isolation: row-level security at the database layer scopes queries to the caller's organization; application code additionally enforces explicit organization-id filters on every query as defense in depth.
  • Access control: role-based access within Customer workspaces (owner, admin, member); principle of least privilege for PromptAssay personnel; platform administrator access restricted and logged.
  • Authentication: strong password requirements, OAuth via Google or GitHub, and optional multi-factor authentication (planned for an upcoming release).
  • Audit logging: append-only audit log of platform administrator actions; usage logging for AI feature calls (metadata only).
  • Secure software development: code review, typed language, linting, dependency monitoring, and infrastructure-as-code review.
  • Incident response: documented procedures for detection, containment, eradication, recovery, and notification.
  • Backups: automated backups and point-in-time recovery via the managed database provider.
  • Personnel: confidentiality obligations, security training, and need-to-know access controls for all PromptAssay personnel with access to Customer data.

PromptAssay may update its TOMs from time to time, provided that the updates do not materially diminish the overall level of security.

6. Confidentiality

PromptAssay will ensure that all personnel authorized to process Personal Data are bound by written confidentiality obligations or are under an appropriate statutory obligation of confidentiality.

7. Data subject requests

The Service provides Customer's authorized users with self-service access, correction, export, and deletion tools in Account settings. Customer is responsible for responding to data subject requests from its end users using those tools and its own administrative workflows. Where a data subject contacts PromptAssay directly, PromptAssay will redirect the request to Customer unless PromptAssay is legally required to respond. Upon reasonable request and at Customer's expense, PromptAssay will provide reasonable assistance to enable Customer to respond to data subject requests that cannot be fulfilled through the self-service tools.

8. Assistance with Customer's obligations

Taking into account the nature of the processing and the information available to PromptAssay, PromptAssay will provide reasonable assistance to Customer in meeting its obligations under Articles 32 to 36 of the GDPR (security, breach notification, data protection impact assessments, prior consultation), at Customer's expense for work beyond what is already provided by the Service's standard features and documentation.

9. International transfers

PromptAssay processes Personal Data in the United States. To the extent Customer transfers Personal Data of individuals in the European Economic Area, the United Kingdom, or Switzerland to PromptAssay, the parties agree that the European Commission's Standard Contractual Clauses of 4 June 2021 (Module Two: Controller-to-Processor), the UK International Data Transfer Addendum to the EU SCCs, and, for Switzerland, the Swiss FDPIC-approved SCC adaptation are hereby incorporated by reference and completed as follows:

  • Module: Controller (Customer) to Processor (PromptAssay).
  • Clause 7 (docking): applied.
  • Clause 9 (sub-processors): option 2 (general written authorization) with 30 days' advance notice, as provided in Section 4.
  • Clause 11 (redress): optional independent dispute resolution not selected.
  • Clause 17 (governing law): law of Ireland.
  • Clause 18 (forum): courts of Ireland.
  • Annex I.A (parties): Customer as Data Exporter, PromptAssay as Data Importer.
  • Annex I.B (description of transfer): as described in Sections 2 and 3 of this DPA.
  • Annex I.C (supervisory authority): the competent supervisory authority of Customer's EU establishment.
  • Annex II (TOMs): the security measures set out in Section 5 of this DPA.
  • Annex III (sub-processors): the sub-processor list maintained in the Privacy Policy.

PromptAssay will conduct a transfer impact assessment on reasonable request by Customer where required by applicable law.

10. Breach notification

PromptAssay will notify Customer without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Customer's Personal Data, by email to the primary administrative contact on record. The notification will describe the nature of the breach, the categories and approximate number of affected data subjects and records (to the extent known), the likely consequences, and the measures taken or proposed to address it.

11. Audit rights

PromptAssay will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA, including relevant third-party audit reports and certifications held by PromptAssay or its sub-processors where available. On reasonable prior written notice (no more often than once per year, except in the case of a documented suspicion of non-compliance or a requirement by a supervisory authority), Customer or its mandated auditor may conduct an audit of PromptAssay's compliance with this DPA, subject to reasonable confidentiality and security safeguards and during business hours. PromptAssay may, at its discretion, satisfy an audit request by providing a recent independent audit report where one exists.

12. Return or deletion of data

On termination of the Service and at Customer's election, PromptAssay will, within 30 days, (a) return Customer Personal Data to Customer in the standard export format provided by the Service or (b) delete the Personal Data. In the absence of an instruction within 30 days of termination, PromptAssay will delete the data in accordance with the retention schedule in the Privacy Policy. PromptAssay may retain Personal Data to the extent required by applicable law, in which case it will continue to protect it under the security measures in Section 5.

13. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of the Terms of Service.

14. Order of precedence

In the event of conflict between the terms of this DPA, the Standard Contractual Clauses (where applicable), and the Terms of Service, the following order of precedence applies with respect to data protection matters: (1) the Standard Contractual Clauses, (2) this DPA, (3) the Terms of Service.

15. Contact

For questions about this DPA, or to request a countersigned copy, contact legal@promptassay.ai [PLACEHOLDER: confirm legal alias].

See also: Privacy Policy · Terms of Service · Acceptable Use Policy · Cookie Policy.