Data Processing Agreement
Enterprise customers · Last updated: June 19, 2026
This Data Processing Agreement ("DPA") supplements and forms part of the PromptFluent Terms of Service and Privacy Policy. A counter-signed copy for your organization is available on request — contact enterprise@promptfluent.com.
1. Scope & Roles
This DPA governs PromptFluent's processing of Personal Data on behalf of the Customer in connection with the Service. For Personal Data contained in Customer Content (prompts, workspaces, uploaded materials, team activity), the Customer is the Controller and PromptFluent is the Processor. PromptFluent will process such Personal Data only on the Customer's documented instructions, including as set out in the Terms, the Privacy Policy, and this DPA.
2. Definitions
- Personal Data, Controller, Processor, Processing, and Data Subject have the meanings given under applicable data protection law (e.g., GDPR, UK GDPR, CCPA/CPRA).
- Customer Content means the prompts, prompt libraries, workflows, uploaded materials, team workspaces, and outputs that Customer or its users create or store in the Service.
- Sub-processor means a third party engaged by PromptFluent to process Personal Data.
- Aggregated / De-identified Data means platform-usage and AI-execution telemetry that has been aggregated and/or stripped of identifiers so it does not identify any individual or Customer.
3. Nature & Purpose of Processing
PromptFluent processes Personal Data to provide, secure, maintain, and support the Service; to enable the features the Customer uses (including governance, review/approval, collections, analytics, and recommendations); and as otherwise instructed by the Customer. Categories of Data Subjects and Personal Data are determined by the Customer and typically include Customer's authorized users (account and profile data) and any Personal Data the Customer chooses to include in Customer Content.
4. Data Use & Platform Intelligence (Boundaries)
PromptFluent does not use Customer Content — private prompt libraries, proprietary business content, uploaded materials, team workspaces, or customer-specific outputs — to train public AI models, and does not share, publish, or sell customer-identifiable content to or with other customers.
PromptFluent may use Aggregated / De-identified Data to operate and improve the Service — including recommendations, analytics, benchmarks, and research into AI-execution trends — provided such data does not identify any individual or Customer and does not expose Customer Content. Any external research, benchmarks, or publications are released only in aggregated, de-identified, anonymized, or otherwise non-customer-identifiable form. See the Privacy Policy for details on what may be analyzed and what is never shared.
5. PromptFluent Obligations
- Process Personal Data only on the Customer's documented instructions, unless required by law.
- Ensure personnel authorized to process Personal Data are bound by confidentiality.
- Implement and maintain appropriate technical and organizational security measures (Section 7).
- Assist the Customer, taking into account the nature of processing, with data-subject requests and with the Customer's obligations regarding security, breach notification, and impact assessments.
6. Sub-processors
The Customer authorizes PromptFluent to engage Sub-processors to provide the Service. Each Sub-processor is bound by written terms providing a level of data protection consistent with this DPA. Current Sub-processor categories include:
- Application hosting & edge delivery (e.g., Vercel)
- Database & storage infrastructure (e.g., Supabase, on AWS/GCP)
- Payment processing (e.g., Stripe)
- AI model providers used to power in-product execution features (processing limited to delivering the requested feature; not used to train public models on Customer Content)
PromptFluent will give notice of intended changes to Sub-processors and provide a reasonable opportunity to object. A current list is available on request at privacy@promptfluent.com.
7. Security Measures
PromptFluent maintains technical and organizational measures designed to protect Personal Data, including encryption in transit and at rest, role-based and tenant-isolated access controls, least-privilege administrative access, logging and monitoring, and a documented incident-response process. PromptFluent is pursuing SOC 2 Type II certification; see the Security page for current status and details.
8. Data-Subject Requests
Taking into account the nature of the processing, PromptFluent will assist the Customer by appropriate technical and organizational measures, insofar as possible, in responding to requests from Data Subjects to exercise their rights (access, correction, deletion, portability, objection) under applicable law.
9. Personal Data Breach Notification
PromptFluent will notify the Customer without undue delay after becoming aware of a Personal Data breach affecting Customer Personal Data, and will provide information reasonably available to assist the Customer in meeting its own notification obligations.
10. Return & Deletion
Upon termination or expiry of the Service, or upon request, the Customer may export its data during a 30-day window. After that window, PromptFluent will delete or anonymize Customer Personal Data, except where retention is required by law. Written confirmation of deletion is available on request.
11. International Transfers
Where processing involves transferring Personal Data across borders, PromptFluent relies on an appropriate transfer mechanism (such as the Standard Contractual Clauses) where required by applicable law.
12. Audit
Upon reasonable written request, and subject to confidentiality, PromptFluent will make available information necessary to demonstrate compliance with this DPA, which may be satisfied through third-party audit reports (e.g., a SOC 2 report when available) and completed security questionnaires.
13. Executing this DPA
Enterprise customers who require a signed DPA (and, where applicable, Standard Contractual Clauses) can request one from enterprise@promptfluent.com. This page describes PromptFluent's standard data-processing terms and is provided for transparency; the executed agreement between the parties governs.