Data Processing Addendum
This Data Processing Addendum (“DPA”) applies to Team and Enterprise customers whose use of PromptWake Pro involves the processing of personal data. It forms part of, and is governed by, our Terms of Service, and is designed to support your obligations under the GDPR, the EU AI Act, and SOC 2.
01Roles of the parties
For personal data processed through the Pro cloud service on your behalf, you (the “Customer”) act as the data controller and PromptWake acts as the data processor. Where you process personal data on behalf of your own customers, you may be a processor and PromptWake a sub-processor; in that case, this DPA applies accordingly. Each party will comply with its obligations under applicable data protection law.
02Scope & subject matter
The subject matter of the processing is the provision of the PromptWake Pro cloud service — storing and syncing captured AI coding interactions across your team’s devices. Processing continues for the duration of the subscription and this DPA governs it. This DPA complements PromptWake’s audit-trail and compliance features, which help you evidence how AI-generated code enters your codebase.
03Details of processing
- Nature & purpose: hosting, storage, and cross-device synchronization of captured interactions; authentication; and billing support.
- Categories of data subjects: the Customer’s developers and authorized users.
- Types of personal data: account identifiers (name, email), and synced prompts, AI responses, and file diffs — with detected secrets redacted before storage.
- Special categories: not intentionally processed; the Service is not designed for sensitive-category data.
04Processor obligations
PromptWake will:
- process personal data only on your documented instructions, including as set out in the Terms and this DPA;
- ensure personnel authorized to process data are bound by confidentiality;
- implement the technical and organizational measures described below;
- assist you, taking into account the nature of processing, in responding to data subject requests and in meeting your security, breach-notification, and impact-assessment obligations; and
- not sell personal data or use captured content to train machine-learning models.
05Sub-processors
You authorize PromptWake to engage the following sub-processors to deliver the cloud service:
- MongoDB Atlas — cloud storage and hosting of workspace data.
- Dodo Payments — subscription and billing processing.
- Google & GitHub — OAuth authentication, where selected by users.
We will maintain an up-to-date list and give you reasonable prior notice of any new sub-processor, along with the opportunity to object on reasonable data protection grounds. Each sub-processor is bound by terms no less protective than those in this DPA.
06Security measures
PromptWake maintains technical and organizational measures appropriate to the risk, including:
- Secret redaction of API keys, tokens, passwords, and private keys before any data is persisted;
- Encryption in transit for all synced data;
- access controls, least-privilege permissions, and authentication on cloud infrastructure;
- logging and monitoring aligned with our SOC 2 program; and
- a local-first architecture that minimizes the personal data leaving Customer devices.
07Data subject requests
Taking into account the nature of the processing, PromptWake will assist you by appropriate technical and organizational measures — including self-service access, export, and deletion tools within the workspace — to fulfill your obligation to respond to requests from data subjects exercising their rights.
08Personal data breach notification
PromptWake will notify you without undue delay after becoming aware of a personal data breach affecting your data, and will provide information reasonably available to help you meet your own notification obligations to supervisory authorities and data subjects.
09Audit rights
PromptWake will make available information reasonably necessary to demonstrate compliance with this DPA, including our SOC 2 report and security documentation under NDA. Where required by applicable law, and subject to reasonable notice and confidentiality, you may conduct or mandate an audit of the relevant processing activities.
10Return & deletion of data
Upon termination or expiry of the subscription, and at your choice, PromptWake will return or delete the personal data processed on your behalf, unless retention is required by law. Deleting a workspace removes the associated synced data from active systems within a reasonable period, subject to short-lived backups. Local data on Customer devices remains under the Customer’s sole control at all times.
11International transfers
Where processing involves the transfer of personal data outside the EEA, the UK, or Switzerland to a country without an adequacy decision, the parties incorporate the applicable EU Standard Contractual Clauses (and UK Addendum, as relevant), which are deemed executed by entering into this DPA.
12Regulatory alignment
This DPA is structured to support Customer compliance with the GDPR and UK GDPR, to accommodate obligations arising under the EU AI Act (with provisions taking effect from 2 August 2026), and to align with PromptWake’s SOC 2 controls. It should be read together with our Privacy Policy and Terms of Service. In case of conflict on data protection matters, this DPA prevails.
For a countersigned DPA, security documentation, or SCCs, contact our legal team.
