Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the Terms of Service between Protoperfect Labs ("Processor," "we," "us") and you ("Controller," "Customer") and governs the processing of personal data in connection with our services.

This DPA applies when we process personal data on your behalf as a data processor. It ensures compliance with GDPR, CCPA, and other applicable data protection laws.

1. Definitions

2. Scope and Applicability

This DPA applies when:

• You use our services to process personal data of individuals
• We act as a data processor on your behalf
• The processing involves personal data subject to applicable data protection laws

You remain the Controller of all personal data you submit to our services. We process such data only as your Processor, following your documented instructions.

3. Data Processing Details

3.1 Subject Matter and Duration

We process personal data for the duration of your subscription to provide our AI-powered services as described in your service agreement.

3.2 Nature and Purpose

Processing includes:

• Receiving, storing, and processing prompts and content you submit
• Generating AI-assisted outputs based on your inputs
• Maintaining account and usage records
• Providing customer support

3.3 Categories of Data Subjects

• Your employees and contractors
• Your customers and end users
• Other individuals whose data you submit to our services

3.4 Types of Personal Data

• Contact information (names, email addresses)
• Account credentials
• Content and prompts submitted to our services
• Usage and interaction data

4. Processor Obligations

We shall:

• Process personal data only on your documented instructions
• Ensure personnel are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures
• Engage sub-processors only with prior authorization and under written contracts
• Assist you in responding to data subject requests
• Delete or return personal data upon termination (at your election)
• Make available information necessary to demonstrate compliance
• Allow for and contribute to audits conducted by you or your auditor

5. Security Measures

We implement the following technical and organizational measures:

5.1 Technical Measures

• Encryption: TLS 1.3 for data in transit; AES-256 for data at rest
• Access Control: Role-based access with multi-factor authentication
• Network Security: Firewalls, intrusion detection, DDoS protection
• Logging: Comprehensive audit logs with integrity protection
• Backup: Encrypted backups with geographic redundancy

5.2 Organizational Measures

• Security policies and procedures documented and regularly reviewed
• Employee security training and background checks
• Incident response procedures
• Regular security assessments and penetration testing
• Vendor security evaluations

6. Sub-processors

6.1 Current Sub-processors

6.2 Sub-processor Changes

We will notify you of any intended changes to sub-processors at least 30 days in advance. You may object to a new sub-processor by notifying us within 14 days. If we cannot accommodate your objection, you may terminate affected services.

7. Data Subject Rights

We will assist you in fulfilling your obligations to respond to data subject requests, including:

• Access requests
• Rectification requests
• Erasure requests ("right to be forgotten")
• Data portability requests
• Objection and restriction requests

We will notify you promptly if we receive a request directly from a data subject.

8. Data Breach Notification

In the event of a personal data breach, we will:

• Notify you without undue delay (within 72 hours where feasible)
• Provide details of the breach, affected data, and remediation steps
• Cooperate with your investigation and notification obligations
• Document all breaches and remediation actions

9. Data Transfers

9.1 Primary Data Residency

Personal data is primarily processed and stored in the United States.

9.2 International Transfer Mechanisms

For transfers outside your jurisdiction, we rely on:

• Standard Contractual Clauses (SCCs): EU Commission-approved clauses for EU-US transfers
• UK International Data Transfer Agreement: For UK data transfers
• Transfer Impact Assessments: Documented assessments of destination country protections

9.3 Additional Safeguards

• Encryption of data in transit and at rest
• Access controls limiting data access to authorized personnel
• Contractual commitments with all sub-processors

10. Audit Rights

You may audit our compliance with this DPA by:

• Requesting our SOC 2 Type II report (available upon request under NDA)
• Submitting written audit questions (we will respond within 30 days)
• Conducting on-site audits with 30 days' notice (at your expense, during business hours)

We may charge reasonable fees for audits exceeding one per year.

11. Term and Termination

This DPA remains in effect for the duration of your service agreement. Upon termination:

• We will delete your personal data within 30 days, unless retention is required by law
• Upon request, we will provide data export in a structured, machine-readable format
• Provisions regarding confidentiality, liability, and audit survive termination

12. Liability

Our liability under this DPA is subject to the limitations in our Terms of Service. We are liable for damages caused by processing that violates this DPA or applicable data protection law.

13. Governing Law

This DPA is governed by the same law as our Terms of Service (Delaware, United States), except that:

• GDPR-specific provisions are governed by EU law
• UK GDPR provisions are governed by UK law

14. Contact

For DPA-related inquiries:

By using our services, you acknowledge this DPA. Enterprise customers may request a countersigned version.