Data Processing Addendum
This DPA governs how we process personal data on behalf of customers who use PROM, including security measures, subprocessors, and international transfers.
01 Background and scope
This Data Processing Addendum (the DPA) forms part of the Terms of Service between you, acting on behalf of your organization (Customer, the controller), and PROM (we, us, the processor), and applies whenever we process personal data on Customer's behalf in connection with the Service.
Where there is a conflict between this DPA and the Terms of Service on the subject of personal data processing, this DPA prevails. Capitalized terms not defined here have the meaning given in the Terms of Service.
This DPA is provided for the private beta and is being finalized for the public release. A countersigned copy is available on request for procurement.
02 Definitions
Controller, processor, data subject, personal data, processing, and supervisory authority have the meanings given in applicable data protection law, including the EU General Data Protection Regulation (GDPR) and the UK GDPR.
Applicable Data Protection Law means all laws and regulations applicable to the processing of personal data under this DPA, including the GDPR, the UK GDPR, and applicable United States state privacy laws.
Customer Personal Data means personal data contained within Customer Content or otherwise processed by us on Customer's behalf under the Terms of Service.
Subprocessor means a third party engaged by us to process Customer Personal Data.
03 Roles of the parties
As between the parties, Customer is the controller and we are the processor of Customer Personal Data. Where Customer is itself a processor acting for a third-party controller, Customer warrants that its instructions and authorizations reflect that controller's requirements.
Each party will comply with its obligations under Applicable Data Protection Law. Customer is responsible for the lawfulness of the personal data it provides and the instructions it gives.
04 Processing instructions
We will process Customer Personal Data only on documented instructions from Customer, including as set out in the Terms of Service, this DPA, and Customer's use and configuration of the Service, unless required to act otherwise by law, in which case we will inform Customer unless that law prohibits it.
We will promptly inform Customer if, in our opinion, an instruction infringes Applicable Data Protection Law. We are not obliged to monitor the legality of Customer's instructions generally.
The subject matter, duration, nature, purpose, types of personal data, and categories of data subjects are described in Annex A.
05 Confidentiality of personnel
We ensure that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations and are trained on their data protection responsibilities. Access is limited to personnel who need it to provide, secure, or support the Service.
06 Security measures
We implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art, the costs of implementation, and the nature, scope, and purposes of processing.
A description of these measures is set out in Annex B. We may update the measures provided the level of protection is not materially reduced.
07 Subprocessors
Customer provides general authorization for us to engage Subprocessors to process Customer Personal Data. A current list of Subprocessors is set out in Annex C and is available on request.
We impose data protection obligations on each Subprocessor that are no less protective than those in this DPA, and we remain responsible for each Subprocessor's performance.
We will give Customer reasonable notice of the addition or replacement of a Subprocessor. Customer may object on reasonable data protection grounds, and the parties will work in good faith to resolve the objection; if it cannot be resolved, Customer may terminate the affected part of the Service.
08 Assistance with data subject rights
Taking into account the nature of the processing, we will assist Customer by appropriate technical and organizational measures, insofar as possible, to respond to requests from data subjects to exercise their rights under Applicable Data Protection Law.
If we receive a request from a data subject relating to Customer Personal Data, we will, unless legally prohibited, direct the data subject to Customer and not respond to the request ourselves except on Customer's instructions.
09 Personal data breach notification
We will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and will provide information reasonably available to us to help Customer meet its own notification obligations.
Our notification is not an acknowledgment of fault or liability. We will take reasonable steps to mitigate the effects of and to minimize any damage resulting from the breach.
10 Data protection impact assessments
Taking into account the nature of the processing and the information available to us, we will provide reasonable assistance to Customer with data protection impact assessments and prior consultations with supervisory authorities, where Customer is required to carry these out under Applicable Data Protection Law.
11 International transfers
Where processing of Customer Personal Data involves a transfer to a country that does not provide an adequate level of protection, the parties will rely on an appropriate transfer mechanism, such as the European Commission Standard Contractual Clauses or the UK International Data Transfer Addendum, which are incorporated by reference and completed by reference to Annexes A and B.
If a transfer mechanism is invalidated or changed, the parties will work in good faith to implement an alternative lawful mechanism.
12 Return and deletion of data
On termination or expiry of the Service, and at Customer's choice, we will delete or return Customer Personal Data, and delete existing copies, unless retention is required by law.
Customer may export Customer Content through the Service during the term and for a limited period after termination where reasonably practicable. Residual copies in routine backups are deleted in the ordinary backup cycle.
13 Audits and demonstrating compliance
We will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, which may include third-party audit reports, certifications, or a security overview where available.
Where Customer reasonably requires further information to satisfy an audit obligation under Applicable Data Protection Law, the parties will agree in advance on the scope, timing, and reasonable cost of any audit, conducted so as not to disrupt the Service or compromise the security of other customers.
14 Liability
Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. This DPA does not limit any rights a data subject may have under Applicable Data Protection Law.
15 Term
This DPA takes effect when Customer begins using the Service and continues until we have ceased all processing of Customer Personal Data and completed deletion or return in accordance with this DPA. Provisions that by their nature should survive termination will survive.
16 Annex A: Details of processing
Subject matter: provision of the PROM Service to Customer.
Duration: for the term of the Terms of Service and until deletion or return of Customer Personal Data.
Nature and purpose: hosting, storage, processing, transmission, display, and AI-assisted drafting of Customer Content in order to operate, secure, support, and improve the Service for Customer.
Types of personal data: account identifiers such as name and email, profile details, organization and role information, usage and log data, and any personal data Customer chooses to include within Customer Content.
Categories of data subjects: Customer's authorized users and administrators, and any individuals referenced within Customer Content such as colleagues, research participants, or customers of Customer.
Special category data: not requested or required. Customer should not submit special category data unless expressly agreed in writing.
17 Annex B: Technical and organizational measures
Encryption: personal data is encrypted in transit using current protocols, and encrypted at rest where supported by our infrastructure providers.
Access control: role-based access control, least privilege, unique accounts, and authentication controls for personnel and for the Service.
Auditability: audit logging of access and significant changes, with monitoring and alerting for anomalous activity.
Resilience: backups, recovery procedures, and infrastructure designed for availability and integrity.
Segregation: logical separation of customer data within multi-tenant infrastructure.
Organizational measures: confidentiality obligations for personnel, security training, vendor due diligence, and an incident response process.
Data minimization: we limit personal data processed and retained to what is necessary to provide the Service.
18 Annex C: Subprocessors
We engage Subprocessors in the following categories: cloud hosting and infrastructure, database and storage, transactional email and communications, product analytics and error monitoring, and AI model inference providers used to deliver AI features.
AI model inference providers process content only to return the requested output and are contractually restricted from training on Customer Personal Data, to the extent offered by the provider.
A current, named list of Subprocessors, including entity and processing location, is available on request through the contact page and will be published here before general availability.
19 Contact
To request a countersigned DPA, the current Subprocessor list, or a security overview, reach us through the contact page.