Data Protection Addendum (DPA)

1. Definitions

For the purposes of this Data Protection Addendum, the following terms shall have the meanings set forth below:

• "Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. In the context of this DPA, the Customer is the Controller.
• "Processor" means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller. In the context of this DPA, Prompt Manage LLC is the Processor.
• "Personal Data" means any information relating to an identified or identifiable natural person as defined in the GDPR (EU Regulation 2016/679) and other applicable data protection laws.
• "Processing" means any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
• "Sub-processor" means any third-party service provider engaged by Prompt Manage to process Personal Data on behalf of the Customer.
• "Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA.
• "Services" means the Prompt Manage platform and associated services as described in the Terms of Service.

2. Scope and Applicability

2.1 Application of this DPA

This DPA applies to all Processing of Personal Data by Prompt Manage on behalf of the Customer in the course of providing the Services. This includes:

• User account information (names, email addresses, authentication data)
• Prompt content and metadata that may contain Personal Data
• Usage analytics and activity logs
• Team member information and collaboration data

2.2 Roles and Responsibilities

The parties acknowledge and agree that with respect to the Processing of Personal Data:

• The Customer is the Controller and determines the purposes and means of Processing Personal Data.
• Prompt Manage is the Processor and processes Personal Data only on behalf of and in accordance with the Customer's documented instructions.
• Each party shall comply with its respective obligations under applicable data protection laws, including GDPR, CCPA, and other relevant legislation.

3. Data Processing and Sub-processing

3.1 Processing Instructions

Prompt Manage shall process Personal Data only on documented instructions from the Customer, except where required to do so by applicable law. The Customer's instructions are initially set out in this DPA and the Terms of Service, and may be amended, amplified, or replaced by the Customer from time to time through written notice.

3.2 Lawful Basis for Processing

The Customer warrants that it has established a lawful basis for Processing Personal Data under applicable data protection laws, and that its instructions to Prompt Manage comply with all applicable laws.

3.3 Sub-processors

The Customer grants Prompt Manage general authorization to engage Sub-processors to process Personal Data, subject to the following conditions:

• Prompt Manage shall maintain a current list of all Sub-processors at promptmanage.com/legal-center/subprocessors.
• Prompt Manage shall notify the Customer at least 30 days in advance of any intended changes concerning the addition or replacement of Sub-processors.
• The Customer may object to the engagement of a new Sub-processor on reasonable grounds relating to data protection by notifying Prompt Manage within 30 days of receiving notice.
• Prompt Manage shall ensure that each Sub-processor is bound by data protection obligations no less protective than those set forth in this DPA.

3.4 Current Sub-processors

As of the Effective Date, Prompt Manage engages the following Sub-processors:

• Supabase Inc. (United States) — Database hosting and authentication services
• Vercel Inc. (United States) — Application hosting and content delivery
• OpenAI LLC (United States) — AI model API services (when Customer elects to use AI features)

4. Security Measures

4.1 Technical and Organizational Measures

Prompt Manage shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including but not limited to:

Technical Measures:

• Encryption: AES-256 encryption for data at rest; TLS 1.3 for data in transit
• Access Controls: Role-based access control (RBAC) and authentication via OAuth 2.0
• Network Security: Firewall protection, DDoS mitigation, and intrusion detection systems
• Vulnerability Management: Regular security assessments, penetration testing, and patch management

Organizational Measures:

• Personnel Security: Background checks and confidentiality agreements for employees with access to Personal Data
• Security Awareness Training: Regular training for staff on data protection and security best practices
• Incident Response: Documented procedures for identifying, responding to, and recovering from security incidents
• Data Minimization: Collection and retention of only the minimum Personal Data necessary to provide the Services

4.2 Data Breach Notification

In the event of a Personal Data breach, Prompt Manage shall:

• Notify the Customer without undue delay and, where feasible, within 72 hours of becoming aware of the breach
• Provide the Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the breach under applicable data protection laws
• Take reasonable measures to remediate the breach and prevent future occurrences
• Cooperate with the Customer in investigating and mitigating the breach

5. Data Subject Rights

5.1 Assistance with Data Subject Requests

Prompt Manage shall, to the extent legally permitted and taking into account the nature of the Processing, assist the Customer in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under applicable data protection laws, including:

• Right of access to Personal Data
• Right to rectification of inaccurate Personal Data
• Right to erasure ("right to be forgotten")
• Right to restriction of Processing
• Right to data portability
• Right to object to Processing
• Rights related to automated decision-making and profiling

5.2 Customer Responsibilities

The Customer is responsible for responding to Data Subject requests directly. Prompt Manage will provide reasonable assistance as requested by the Customer, and the Customer shall reimburse Prompt Manage for any costs arising from such assistance if it requires significant additional effort.

6. International Data Transfers

6.1 Data Processing Locations

Prompt Manage processes Personal Data primarily in data centers located in the United States. EU customers may request data processing within the European Economic Area (EEA) subject to availability and additional fees (Enterprise plan only).

6.2 Transfer Mechanisms

Where Personal Data is transferred from the EEA to countries that have not been deemed to provide an adequate level of protection by the European Commission, Prompt Manage relies on the following mechanisms:

• Standard Contractual Clauses (SCCs) approved by the European Commission (available upon request for Enterprise customers)
• Supplementary measures to ensure the security and confidentiality of transferred data, including encryption and access controls

6.3 Data Residency Options

Enterprise customers may elect to store their data exclusively within the EEA by contacting legal@promptmanage.com. Additional fees may apply.

7. Deletion and Return of Data

7.1 Data Deletion Upon Termination

Upon termination or expiration of the Customer's subscription to the Services, Prompt Manage shall:

• Provide the Customer with the option to export all Personal Data within 30 days of termination
• Delete or anonymize all Personal Data in Prompt Manage's possession or control within 90 days of termination, except as required by applicable law
• Certify in writing to the Customer that such deletion has been completed upon request

7.2 Customer-Initiated Deletion

Customers may request deletion of their account and all associated Personal Data at any time by following the process outlined in the Data Erasure Policy. Prompt Manage will complete such deletion within 30 days of receiving a valid request.

7.3 Retention for Legal Compliance

Notwithstanding the above, Prompt Manage may retain Personal Data to the extent required by applicable law, including for tax, accounting, fraud prevention, or legal compliance purposes. Any such retained data will continue to be protected in accordance with this DPA.

8. Contact for Compliance Requests

8.1 Data Protection Officer Contact

For all compliance-related requests, including Data Processing Agreements, Standard Contractual Clauses, data subject access requests, breach notifications, or questions about this DPA, please contact:

8.2 Response Times

Prompt Manage commits to the following response times for compliance requests:

• Data breach notifications: Within 72 hours of discovery
• Data subject access requests: Within 30 days of receipt
• DPA or SCC requests: Within 10 business days of receipt
• General compliance inquiries: Within 5 business days of receipt

9. Amendments and Updates

Prompt Manage reserves the right to update this DPA from time to time to reflect changes in legal requirements, industry standards, or our data processing practices. Material changes will be communicated to Customers at least 30 days in advance via email to the account owner. Continued use of the Services after the effective date of such changes constitutes acceptance of the updated DPA.

10. Governing Law

This DPA shall be governed by and construed in accordance with the laws of the Commonwealth of Massachusetts, United States, without regard to its conflict of law provisions. To the extent this DPA conflicts with the Terms of Service, this DPA shall prevail with respect to data protection matters.