1. Parties and Roles
1.1. This Data Processing Agreement (“DPA”) forms an integral part of the PromptEye Service Agreement.
1.2. To the extent that the Client enters personal data into the Service, the parties agree that:
- the Client acts as the controller of personal data within the meaning of the GDPR,
- PromptEye acts as the processor.
1.3. With respect to personal data of Account Users, billing data, contact data, and marketing data, PromptEye acts as controller — on the terms set out in the Privacy Policy.
2. Subject Matter, Nature and Purpose of Processing
2.1. The subject matter of this DPA is to set out the terms on which PromptEye processes personal data on behalf of the Client in connection with the provision of the Service.
2.2. Processing covers in particular:
- Account data: first name, surname (if provided), business email address, company name and details, User role,
- Technical data: IP address, device and browser data, session identifiers, technical logs,
- Business data: prompts, brand names, analytical content, and other data entered into the Service by the Client or Users, to the extent that it contains personal data.
2.3. The nature of processing operations includes, among others: collection, organisation, storage, modification, analysis, use for Report generation, disclosure to the Client, erasure, and anonymisation.
2.4. The purpose of processing is for PromptEye to provide the Service to the Client, including ensuring security, billing, technical support, and Service development, in accordance with the Agreement.
2.5. Personal data will be processed solely on documented instructions from the Client, unless processing is required by European Union law or Member State law — in which case PromptEye will inform the Client of that requirement before processing, unless the law prohibits such information.
3. Duration of Processing
3.1. Personal data is processed by PromptEye for the duration of the Agreement and for any additional period necessary to:
- fulfil obligations relating to the deletion or return of data,
- secure claims,
- fulfil legal obligations (e.g. accounting, tax),
in accordance with the Privacy Policy.
3.2. As a general rule, Client Data is deleted from PromptEye’s production systems within 30 days of the termination of the Agreement, and copies in backup systems may be retained for up to 60 days from the date of deletion from production systems.
4. Categories of Data Subjects, Data and Legal Basis
4.1. The Service is not, as a general rule, intended for the large-scale processing of personal data of third parties (e.g. mass data of end customers), unless the parties expressly agree otherwise in the Agreement and Service configuration.
Categories of data subjects whose data may be processed:
- employees, associates, and other representatives of the Client,
- other individuals whose data the Client enters into the Service.
4.2. Categories of data:
- identification and contact data (e.g. first name, surname, email address, job title, company details),
- data relating to use of the Platform (logs, account identifiers, settings),
- data contained in prompts, reports, and content submitted by the Client (depending on the Client’s use of the Service, this may include personal data).
4.3. The Client declares that it has an appropriate legal basis for processing personal data and entrusting it to PromptEye, in accordance with the GDPR.
5. Obligations of PromptEye as Processor
5.1. PromptEye undertakes to:
- process personal data solely on documented instructions from the Client,
- ensure that persons authorised to process personal data have committed themselves to confidentiality or are subject to an appropriate statutory obligation of confidentiality,
- implement appropriate technical and organisational measures in accordance with Article 32 GDPR,
- assist the Client in fulfilling its obligations towards data subjects, within the scope set out in section 7,
- assist the Client in complying with obligations under Articles 32–36 GDPR (security, breach notification, DPIA, prior consultation), to a reasonable extent and taking into account the nature of processing and information available to PromptEye,
- upon termination of processing services, at the Client’s choice, delete or return all personal data to the Client and delete existing copies, subject to legal obligations,
- make available to the Client all information necessary to demonstrate compliance with the obligations set out in this DPA and in Article 28 GDPR.
6. Security Measures
6.1. PromptEye implements and maintains technical and organisational measures ensuring a level of security appropriate to the risk, including at minimum:
- encryption of personal data in transit (TLS) and at rest,
- role-based access control (RBAC),
- strong password requirements and the ability to enable multi-factor authentication (MFA),
- backups and disaster recovery procedures,
- monitoring and logging of security-relevant events,
- infrastructure access controls (networks, data centres, cloud environments),
- regular software and dependency updates.
6.2. A detailed description of current security measures may be made available to the Client in a separate document or on the PromptEye website.
7. Rights of Data Subjects
7.1. Taking into account the nature of the processing, PromptEye, to the extent technically and organisationally possible, assists the Client in fulfilling its obligations to respond to requests from data subjects, in particular regarding:
- access to data,
- rectification,
- erasure (“right to be forgotten”),
- restriction of processing,
- data portability,
- objection,
- rights related to profiling and automated decision-making.
7.2. If PromptEye receives a request relating to data processed on behalf of the Client, PromptEye, where able to identify the relevant controller, will promptly forward that request to the Client, unless separate legal provisions require PromptEye to respond independently.
7.3. PromptEye’s assistance in fulfilling the rights of data subjects may involve additional costs for the Client if requests are excessive or go beyond the standard scope of support.
8. Sub-processors
8.1. The Client grants PromptEye general authorisation to engage sub-processors for the purpose of providing the Service. The current list of key sub-processors includes in particular providers of artificial intelligence models (LLMs) and cloud infrastructure and tools, such as providers of language models (e.g. OpenAI – GPT models, Perplexity, DeepSeek, providers of AI Overview-type response aggregation layers) and providers of infrastructure and tools supporting the provision of the Service (e.g. cloud providers, database services, communication tools, and marketing automation). The list of sub-processors may change and also includes other AI model and infrastructure providers used within the Service, in accordance with the notification procedure described in this DPA.
8.2. PromptEye ensures that each sub-processor is bound by an agreement imposing obligations no less stringent than those arising from this DPA, in particular with respect to security and confidentiality.
8.3. PromptEye will notify the Client (e.g. via the website or email) of the addition, replacement, or removal of a sub-processor. The Client may raise a reasoned objection to the engagement of a specific sub-processor within a reasonable period of receiving such notice.
8.4. In the event of a valid objection, the parties will negotiate in good faith to find a solution (e.g. disabling a specific functionality, engaging an alternative sub-processor). If this is not possible, the Client may terminate the Agreement with respect to the functionalities dependent on that sub-processor, or, if that is not possible, the entire Agreement with effect at the end of the current billing period.
9. Transfers of Data Outside the EEA
9.1. Personal data may be transferred to third countries (outside the European Economic Area), in particular to the United States, in connection with the use of sub-processors such as LLM model and infrastructure providers (e.g. OpenAI, Perplexity, DeepSeek, AI Overview-type response aggregation layer providers, cloud providers, and marketing automation tools).
9.2. In such cases, PromptEye will ensure that data transfers take place with appropriate legal safeguards in accordance with Chapter V GDPR, in particular by:
- concluding Standard Contractual Clauses (SCCs) adopted by the European Commission, and/or
- using providers participating in the EU–US Data Privacy Framework (DPF), where applicable.
9.3. Upon the Client’s request, PromptEye may provide general information about the transfer safeguards applied (without disclosing content that constitutes a trade secret or is subject to an NDA).
10. Personal Data Breach Notification
10.1. PromptEye will notify the Client without undue delay upon becoming aware of a personal data breach affecting data processed on behalf of the Client.
10.2. The notification will contain — to the extent available — the information required by Article 33(3) GDPR, in particular:
- a description of the nature of the breach,
- the categories and approximate number of data subjects concerned,
- the categories and approximate number of data records concerned,
- a description of the likely consequences of the breach,
- a description of the measures taken or proposed to address the breach.
10.3. PromptEye will cooperate with the Client in fulfilling its obligations towards the supervisory authority and data subjects, to a reasonable extent, taking into account the nature of the breach and the relevant legal obligations of the parties.
11. Audits and Inspections
11.1. Upon the Client’s request, PromptEye will make available information necessary to demonstrate compliance with this DPA and Article 28 GDPR, in particular in the form of:
- responses to security/GDPR questionnaires,
- summaries of external audit reports or certifications (where available),
- descriptions of technical and organisational measures.
11.2. In justified cases, the Client may carry out (or commission an independent auditor to carry out) an on-site audit or inspection, following prior written agreement on the scope, timing, and conditions of the audit and the signing of an NDA.
11.3. On-site audits may take place no more than once every 12 months, unless a material personal data breach has occurred. Audit costs are borne by the Client, unless otherwise required by law.
12. Termination of Processing, Erasure and Return of Data
12.1. Upon termination of data processing services for the Client, PromptEye — in accordance with the Client’s choice communicated before the termination of the Agreement — shall:
- delete personal data from its own systems, or
- provide the Client with a copy of the data in an agreed format (e.g. CSV/JSON export) and then delete the data from its systems,
subject to section 12.2.
12.2. PromptEye may retain personal data to the extent and for the period necessary to:
- fulfil legal obligations (e.g. tax, accounting regulations),
- establish, pursue, or defend against claims.
12.3. After the retention period referred to in section 3.2, personal data is permanently deleted or anonymised from backup systems, to the extent permitted by law and technically feasible.
13. Liability and Relationship to the Agreement
13.1. The liability of the parties in connection with this DPA is governed by the Agreement and the Terms of Service, subject to mandatory provisions of law.
13.2. To the extent that the provisions of this DPA are more specific than the Terms of Service, the DPA takes precedence in matters relating to the processing of personal data by PromptEye as processor.

