This Data Processing Agreement ("DPA") supplements the Promptev Master Subscription Agreement ("MSA") between Promptev Inc. ("Processor" or "Company") and the customer identified in the applicable Order Form ("Controller" or "Customer"). Terms not defined herein have the meanings set forth in the MSA.
Customer is the Controller of Personal Data. Promptev acts as Processor, processing Personal Data solely on behalf of and under the documented instructions of Customer to provide the Services described in the MSA. The subject matter, duration, nature, and purpose of processing, as well as the types of Personal Data and categories of data subjects, are described in Annex I of this DPA.
Processor will process Personal Data only in accordance with Controller’s documented instructions, including as set forth in the MSA, applicable Order Forms, and this DPA. If Processor believes an instruction infringes Data Protection Laws, Processor will promptly notify Controller. Processor will not process Personal Data for any purpose other than as necessary to provide the Services unless required by applicable law, in which case Processor will inform Controller of that legal requirement before processing (unless prohibited by law).
Processor will ensure that all personnel authorized to process Personal Data are bound by confidentiality obligations, whether contractual or statutory. Access to Personal Data is restricted to personnel who require such access to perform the Services.
Processor will implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include, at a minimum:
Processor maintains a SOC 2 Type II certification. The most recent audit report is available to Controller upon written request subject to confidentiality obligations.
Controller authorizes Processor to engage Sub-Processors to assist in providing the Services. Processor will:
If Controller reasonably objects to a new Sub-Processor within fifteen (15) days of notice, the parties will work in good faith to resolve the objection. If no resolution is reached within thirty (30) days, Controller may terminate the affected Order Form without penalty.
Processor will assist Controller in responding to requests from data subjects exercising their rights under Data Protection Laws (including access, rectification, erasure, restriction, portability, and objection). Processor will promptly notify Controller if it receives a request directly from a data subject and will not respond to such request without Controller’s prior written authorization, unless required by applicable law.
Processor will notify Controller without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data breach. The notification will include:
Processor will cooperate with Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of any breach.
Personal Data is primarily hosted on Amazon Web Services (AWS) in the United States (region: us-east-1). To the extent Personal Data is transferred from the EEA, UK, or Switzerland to a country that does not provide an adequate level of data protection, such transfers will be governed by:
For Enterprise plan customers, Processor may offer data residency options in specific regions as set forth in the applicable Order Form.
Upon termination of the MSA, Processor will:
Processor may retain Personal Data to the extent required by applicable law, provided such retention is limited to the minimum extent and duration necessary and remains subject to the security obligations of this DPA.
Processor will make available to Controller all information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by Controller or a third-party auditor mandated by Controller, subject to reasonable advance notice (no less than thirty (30) days), scope limitations, and confidentiality obligations. Audits will be conducted no more than once per twelve (12) month period unless required by a supervisory authority or in response to a Personal Data breach.
Processor will provide reasonable assistance to Controller in conducting data protection impact assessments and prior consultations with supervisory authorities, to the extent required under Data Protection Laws and to the extent such assessments relate to the processing of Personal Data by Processor under this DPA.
Where Customer provides its own API keys for third-party AI model providers:
This DPA will remain in effect for the duration of the MSA and will automatically terminate upon termination of the MSA, subject to the data deletion obligations in Section 10.

|  |  |
| --- | --- |
| Subject matter | Processing of Personal Data to provide the Promptev platform Services as described in the MSA |
| Duration | The term of the MSA plus the Retrieval Period |
| Nature and purpose | Storage, retrieval, indexing, and AI-assisted processing of Customer Content to power context-aware AI workflows, tool execution, and agent orchestration |
| Types of Personal Data | As determined by Customer; may include names, contact information, identifiers, and any Personal Data included in documents, prompts, or integration data uploaded or connected by Customer |
| Categories of data subjects | Customer employees, contractors, end users, and any individuals whose data is included in Customer Content |

For transfers of Personal Data from the EEA to the United States, the Parties agree to the Standard Contractual Clauses (Module Two: Controller to Processor) as adopted by the European Commission Implementing Decision (EU) 2021/914. The SCCs are incorporated by reference and form an integral part of this DPA. The completed appendices to the SCCs are as follows:
For transfers from the UK, the UK International Data Transfer Addendum to the EU SCCs (as issued by the UK Information Commissioner) is incorporated by reference.