Data Processing Agreement
This Data Processing Agreement (the "DPA") forms part of the Terms of Service between PromptSpotter ("Processor", "we") and the Customer ("Controller", "you") and sets out the terms on which we process Personal Data on your behalf in connection with the Service. It reflects the requirements of Article 28 of the EU General Data Protection Regulation 2016/679 ("EU GDPR"), the UK GDPR, and the Swiss Federal Act on Data Protection.
This DPA is published online and applies automatically to all customers in the EEA, the UK, and Switzerland from the effective date. Customers may request a counter-signed copy by emailing info@promptspotter.com.
1. Definitions
Capitalised terms used but not defined here have the meanings given in the EU GDPR and UK GDPR.
- "Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", and "Supervisory Authority" have the meanings given in Article 4 GDPR.
- "Customer Personal Data" means Personal Data that we process on your behalf in providing the Service.
- "Sub-processor" means a third party engaged by us to process Customer Personal Data.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in Decision (EU) 2021/914.
- "UK Addendum" means the International Data Transfer Addendum to the SCCs issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018.
2. Roles and scope
You are the Controller of Customer Personal Data and we are the Processor. Each party will comply with its respective obligations under applicable data protection law. This DPA applies for as long as we process Customer Personal Data on your behalf.
3. Subject matter, nature, purpose, and duration
- Subject matter: our processing of Customer Personal Data to provide the Service.
- Nature and purpose: hosting, transmitting, storing, securing, and reporting on event metadata generated by the PromptSpotter browser extension; authenticating administrators; processing billing data; sending transactional email.
- Duration: for the term of the Terms of Service, plus any retention period set out in the Privacy Policy, plus any period during which we are legally required to retain the data.
4. Categories of Personal Data and Data Subjects
The following categories of Personal Data are processed under this DPA:
| Category | Description |
|---|---|
| Administrator account data | Email address, last sign-in timestamp, role, audit log entries for admin actions. |
| End-user identifiers | Opaque per-installation IDs; protected_users email addresses are stored encrypted at rest where the Customer chooses to enrol users by email. |
| Event metadata | AI tool name, detection rule IDs, severity, action taken, timestamps. No prompt content is ever transmitted or stored. |
| Billing data | Billing contact, billing address, payment instrument tokens (held by our payment processor Stripe; we do not store card numbers). |
The categories of Data Subjects are:
- The Customer's administrators (people with sign-in access to the admin console).
- The Customer's employees, contractors, and other personnel whose browsers the PromptSpotter extension protects.
- The Customer's billing contact(s).
5. Customer instructions
We will process Customer Personal Data only on documented instructions from you, including with regard to transfers, as set out in the Terms of Service, this DPA, and the configuration choices you make in the admin console. We will inform you if, in our opinion, an instruction infringes data protection law (and may suspend that instruction until resolved).
6. Confidentiality
We ensure that all personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations (whether contractual or statutory) and receive appropriate training.
7. Security measures
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as relevant:
- Encryption in transit — TLS 1.2+ enforced on all endpoints.
- Encryption at rest — AES-256 at our database and hosting providers; protected_users email addresses additionally encrypted at application layer.
- Role-based access control (RBAC) — per-row tenant isolation; principle of least privilege for staff access to production systems.
- Access logging — all access to Customer Personal Data is logged and retained for 12 months.
- Append-only event log — the event log table is structurally append-only; no API or interface can modify or delete events after they are written.
- Authentication — passwordless magic-link sign-in for administrators; per-company bearer tokens for the extension, with revocation as a first-class admin action.
- Vulnerability management — automated dependency scanning; critical CVEs patched within 7 days.
- Backups — encrypted daily backups with point-in-time recovery.
- Personnel — background-screened staff; MFA on all production access.
A more detailed summary is published at /security.
8. Personal Data Breach notification
We will notify you without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent then known, the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures we have taken or propose to take. Notifications will be sent to the primary administrator email on the account; please keep it current.
We will assist you in meeting your own notification obligations to Supervisory Authorities and Data Subjects.
9. Sub-processors
You provide general authorisation for us to engage Sub-processors to process Customer Personal Data, subject to the conditions in this section. The current list of authorised Sub-processors is published at /subprocessors.
We will:
- Impose written contractual obligations on each Sub-processor that are no less protective than those in this DPA.
- Remain liable to you for the acts and omissions of each Sub-processor as if they were our own.
- Give you at least 30 days' notice (by email to administrators and an update to the published list) before adding or replacing a Sub-processor.
You may object on reasonable grounds to a proposed change by writing to info@promptspotter.com within the notice period. If we cannot reasonably accommodate your objection, you may terminate the affected subscription on written notice without penalty.
10. International data transfers
Where we transfer Customer Personal Data out of the EEA, UK, or Switzerland to a country that does not benefit from an adequacy decision, the transfer is governed by the Standard Contractual Clauses (Module 2 — Controller to Processor, or Module 3 — Processor to Processor, as applicable). For UK transfers, the SCCs are read with the UK International Data Transfer Addendum in place. For Swiss transfers, references to the EU GDPR are read as references to the Swiss Federal Act on Data Protection, and references to the EU Supervisory Authority are read as references to the Swiss Federal Data Protection and Information Commissioner.
By accepting this DPA you are deemed to have entered into the relevant SCCs (and UK Addendum, where applicable) with each Sub-processor that requires them.
11. Assistance with Data Subject rights
Taking into account the nature of the processing, we will assist you by appropriate technical and organisational measures, insofar as possible, to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection). Because we store only opaque per-installation identifiers for end users, you may need to use your own records to map a request to a specific identifier.
Requests to us should be sent to info@promptspotter.com.
12. Assistance with DPIAs and consultation
We will provide reasonable assistance to you in carrying out Data Protection Impact Assessments and prior consultations with Supervisory Authorities, taking into account the nature of the processing and the information available to us.
13. Audit rights
We will make available to you all information reasonably necessary to demonstrate compliance with this DPA. On request, we will provide:
- Our most recent third-party security assessments and certifications, once available.
- Written responses to a reasonable security questionnaire, no more than once per year (unless required more frequently by law or following a Personal Data Breach).
You may audit our compliance with this DPA once per year on at least 30 days' written notice, during normal business hours, at your own cost, and subject to reasonable confidentiality obligations. Where a recognised third-party report (e.g. SOC 2 Type II) is available, you agree to accept it in lieu of an on-site audit unless a Supervisory Authority requires otherwise. Following a confirmed Personal Data Breach, an additional audit may be conducted on shorter notice.
14. Deletion or return of Personal Data
At your choice, on termination of the Service we will either delete or return all Customer Personal Data, and delete existing copies, unless retention is required by law. Deletion will be completed within 30 days of termination, except for backups, which will be deleted in line with our backup rotation cycle (no more than 90 days). The retention rules in the Privacy Policy apply during the term of the Service.
15. Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service, except where applicable data protection law does not permit such limitation.
16. Order of precedence
If there is a conflict between this DPA and the Terms of Service, this DPA prevails on data protection matters. If there is a conflict between this DPA and the SCCs (or UK Addendum), the SCCs (or UK Addendum) prevail.
17. Changes
We may update this DPA from time to time. We will give administrators at least 30 days' notice by email of any material change before it takes effect. The current version is always available at this URL.
18. Contact
Privacy queries: info@promptspotter.com
DPA counter-signing and audit requests: info@promptspotter.com
Security incidents: info@promptspotter.com