Data Processing Agreement

1. Definitions

• "Controller" means the entity that determines the purposes and means of processing Personal Data (you, the Customer).
• "Processor" means PromptDuty Ltd, processing Personal Data on behalf of the Controller.
• "Personal Data" means any information relating to an identified or identifiable natural person.
• "Processing" means any operation performed on Personal Data.
• "Sub-processor" means any third party engaged by PromptDuty to process Personal Data.

2. Scope of Processing

Nature and Purpose

PromptDuty processes Personal Data solely to provide the Service, including:

• Real-time analysis of prompts for sensitive data detection
• Generation of compliance reports and audit logs
• Account management and billing

Categories of Data Subjects

• Customer employees using AI tools
• Customer administrators

Types of Personal Data

• Account information (email, name)
• Usage metadata (anonymized)
• Prompt content is NOT stored (zero data retention)

3. Zero Data Retention

PromptDuty implements a strict zero data retention policy for prompt content:

• Prompts are analyzed in real-time within the user's browser
• Sensitive data patterns are detected but never transmitted to our servers
• Only anonymized metadata (counts, categories) is logged
• No prompt content is ever stored, cached, or retained

4. Controller Obligations

The Controller shall:

• Ensure lawful basis for processing Personal Data
• Inform data subjects about processing activities
• Respond to data subject requests
• Ensure data accuracy and completeness

5. Processor Obligations

PromptDuty shall:

• Process Personal Data only on documented instructions from the Controller
• Ensure personnel are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures
• Assist the Controller in responding to data subject requests
• Delete or return Personal Data upon termination
• Make available information necessary to demonstrate compliance

6. Security Measures

PromptDuty implements the following security measures:

• Encryption: TLS 1.3 in transit, AES-256 at rest
• Access Control: Role-based access, MFA required
• Monitoring: 24/7 security monitoring and alerting
• Auditing: Annual SOC 2 Type II audits
• Incident Response: Documented incident response procedures
• Business Continuity: Redundant infrastructure, regular backups

7. Sub-processors

Current sub-processors:

• Amazon Web Services (AWS) — Infrastructure hosting (EU-West-1)
• Stripe — Payment processing
• Plausible Analytics — Privacy-focused analytics (EU)

We will notify you of new sub-processors with 30 days notice. You may object to new sub-processors within 14 days.

8. Data Transfers

Personal Data is processed within the European Economic Area (EEA). For any transfers outside the EEA, we rely on:

• EU Standard Contractual Clauses (SCCs)
• Adequacy decisions where applicable

9. Data Subject Rights

PromptDuty will assist the Controller in responding to requests from data subjects exercising their rights under GDPR:

• Right of access
• Right to rectification
• Right to erasure
• Right to restriction of processing
• Right to data portability
• Right to object

10. Data Breach Notification

In the event of a Personal Data breach, PromptDuty will:

• Notify the Controller within 48 hours of becoming aware
• Provide details of the breach, affected data, and remedial actions
• Cooperate with the Controller's breach response

11. Audit Rights

The Controller may:

• Request and review our SOC 2 Type II audit report
• Request additional compliance documentation
• Conduct or commission an audit with 30 days notice (at Controller's expense)

12. Term and Termination

This DPA remains in effect for the duration of the Service Agreement. Upon termination:

• Account data will be deleted within 30 days
• Compliance reports can be exported before deletion
• Aggregated, anonymized data may be retained for analytics

13. Contact

For DPA-related inquiries:

• Email: legal@promptduty.com