Promptic GmbH
Data Processing Addendum
Effective date: May 15, 2026
1. Scope and incorporation
This Data Processing Addendum ("DPA") forms part of the agreement between Promptic GmbH ("Promptic") and the customer or organization using Promptic ("Customer") to the extent the agreement references this DPA, Customer accepts this DPA, or Customer uses Promptic to process personal data on behalf of Customer. This DPA applies only to personal data that Promptic processes as a processor or sub-processor for Customer ("Customer Personal Data").
If there is a conflict between this DPA and the agreement, this DPA controls for the processing of Customer Personal Data. If Standard Contractual Clauses apply, they control over this DPA for the relevant international transfer.
2. Roles
Customer is the controller or processor of Customer Personal Data. Promptic is a processor or sub-processor, as applicable. Customer is responsible for the lawfulness of Customer Personal Data, the accuracy of Customer's instructions, and the rights and notices needed for Customer's own users, employees, contractors, and end users.
Promptic processes Customer Personal Data only to provide, secure, support, and improve the Promptic service, to comply with Customer's documented instructions, and as required by applicable law. The agreement, product configuration, API calls, support requests, and this DPA are Customer's documented instructions.
3. Processing details
| Item | Details |
|---|---|
| Subject matter | Provision of Promptic's prompt optimization, evaluation, tracing, workspace, collaboration, billing, support, and security services. |
| Duration | For the term of the agreement and any post-termination period needed for deletion, return, backup expiry, legal preservation, or dispute handling. |
| Nature and purpose | Hosting, storing, transmitting, retrieving, analyzing, displaying, evaluating, optimizing, securing, logging, backing up, deleting, and otherwise processing Customer Personal Data to provide Promptic. |
| Data subjects | Customer users and admins; Customer employees, contractors, collaborators, and invitees; and Customer end users or other individuals whose data Customer includes in prompts, datasets, traces, evaluations, outputs, or metadata. |
| Categories of data | Account and contact data, authentication data, organization and workspace data, prompts, chat messages, input variables, datasets, observations, expected outputs, schemas, traces, spans, events, session IDs, user IDs provided by Customer, model inputs and outputs, evaluator results, metadata, usage records, support content, and security logs. |
| Sensitive data | Promptic is not designed for special category data, criminal-offence data, protected health information, payment card numbers, government identifiers, secrets, or other highly sensitive data unless Promptic has agreed to that processing in writing. |
| Frequency | Continuous while Customer uses the service. |
4. Customer obligations
- Customer will provide all notices, obtain all consents, and establish all legal bases required for Customer Personal Data.
- Customer will not submit prohibited or highly sensitive data unless Promptic has agreed to that processing in writing.
- Customer will configure model providers, API keys, workspaces, access permissions, retention, and integrations in a lawful and secure manner.
- Customer remains responsible for optional AI routing and customer-selected AI providers, including OpenRouter routing where Customer enables it, BYOK providers, Google, Azure OpenAI, custom OpenAI-compatible endpoints, and any provider chosen by Customer.
5. Promptic obligations
- Promptic will ensure personnel authorized to process Customer Personal Data are bound by confidentiality obligations.
- Promptic will implement and maintain appropriate technical and organizational measures as described in the Security and TOMs page.
- Promptic will not sell Customer Personal Data or share it for cross-context behavioral advertising.
- Promptic will not use Customer Personal Data to train foundation models or build generalized model datasets.
- Promptic will inform Customer if, in Promptic's reasonable opinion, an instruction infringes applicable data protection law, unless prohibited by law.
6. Subprocessors
Customer grants Promptic general authorization to engage subprocessors necessary to provide the service. Promptic's current subprocessor list is available at /subprocessors. Promptic will impose written data protection obligations on subprocessors that are materially equivalent to the obligations in this DPA.
Promptic may update subprocessors from time to time. Unless the agreement states otherwise, Customer may object to a new subprocessor on reasonable data protection grounds by contacting hello@promptic.eu within 30 calendar days after the update. Promptic will use commercially reasonable efforts to resolve the objection. If the objection cannot be resolved, Customer may stop using the affected service feature or terminate the affected service as permitted by the agreement.
7. AI model providers
Customer instructs Promptic to transmit Customer Personal Data to AI model providers when necessary to perform model calls selected, configured, or requested by Customer. Platform OpenAI processing uses Promptic's OpenAI project configured for Europe and OpenAI API data controls, including no default training on API inputs and outputs and Modified Abuse Monitoring for eligible API processing. Optional OpenRouter routing is disabled unless Customer enables it for a workspace or model call. If Customer enables OpenRouter routing, configures its own provider, or adds an API key, Customer is responsible for that provider selection and the provider's data protection terms, retention settings, transfer safeguards, and lawful basis.
8. Data subject requests and assistance
Taking into account the nature of processing, Promptic will reasonably assist Customer in responding to data subject requests, data protection impact assessments, consultations with authorities, and other Customer obligations under applicable data protection law. Promptic may provide assistance through product functionality, documentation, support, exports, deletion tools, or reasonable written support.
If Promptic receives a data subject request relating to Customer Personal Data, Promptic will either direct the requester to Customer or notify Customer, unless legally prohibited.
9. Personal data breaches
Promptic will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data. Where feasible, Promptic will provide notice within 72 hours after confirmation of the breach. Notice will include information reasonably available to Promptic, taking into account the nature of the incident and the need to preserve security, confidentiality, and any investigation.
10. Return and deletion
Upon Customer's written request or termination of the agreement, Promptic will delete or return Customer Personal Data in accordance with the agreement, product functionality, and applicable law. Active-system deletion is processed promptly. Encrypted backups, disaster-recovery copies, and provider-controlled logs are isolated and targeted for expiry within 90 days unless legal preservation, security investigation, or statutory retention is required.
11. International transfers
Promptic configures core production infrastructure with a strong EU focus where available. Where Customer Personal Data is transferred outside the EEA, Switzerland, or the UK and no adequacy decision applies, Promptic relies on the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, Data Privacy Framework certifications where applicable, and supplementary safeguards such as encryption, access controls, and vendor due diligence.
For controller-to-processor transfers, the EU SCCs Module 2 apply. For processor-to-processor transfers, Module 3 applies. The processing details in this DPA and the technical and organizational measures on the Security and TOMs page complete the relevant SCC annexes unless the parties execute different annexes.
12. Audit information
Promptic will make available information reasonably necessary to demonstrate compliance with this DPA. This may include security documentation, subprocessors, transfer safeguards, written responses, and summaries of technical and organizational measures. On-site audits require prior written agreement, reasonable notice, confidentiality protections, scope limits, and scheduling that does not compromise the security or availability of Promptic or other customers.
13. Contact
DPA requests, privacy requests, and security review questions can be sent to hello@promptic.eu.
Promptic GmbH
Ostbahnhofstraße 11
60314 Frankfurt am Main
Germany