Data Processing Agreement
Last updated: January 8, 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between The Prompt Fixer™ ("Processor", "we", "us") and the organization or individual using our services ("Controller", "you") for the processing of personal data in connection with The Prompt Fixer™ service.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, and deletion.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data.
- "Data Subject" means the individual to whom Personal Data relates.
- "Zero Data Retention (ZDR)" means processing where data is not stored or retained after the immediate processing operation is complete.
- "Encryption at Rest" means data encrypted when stored on disk or in databases.
3. Scope of Processing
3.1 Categories of Data Subjects
- Users of the Controller's organization who access The Prompt Fixer™
- Individuals whose information may be included in prompts submitted by users
3.2 Types of Personal Data
- Account information (email address)
- Usage data (feature usage, timestamps)
- Content data (prompts and outputs, if stored)
- Technical data (IP address, device information, user agent)
- Authentication data (hashed passwords, encrypted MFA secrets)
- Session data (active sessions, device fingerprints)
- Audit logs (authentication events, security-related actions)
3.3 Purpose of Processing
Personal Data is processed solely for the purpose of providing The Prompt Fixer™ service, including prompt optimization, account management, security monitoring, and service improvement.
4. Processor Obligations
The Processor agrees to:
- Process Personal Data only on documented instructions from the Controller
- Ensure persons authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Not engage Sub-processors without prior authorization (see Section 6)
- Assist the Controller in responding to Data Subject requests
- Delete or return all Personal Data upon termination, at the Controller's choice
- Make available information necessary to demonstrate compliance
- Maintain audit logs of data processing activities for 90 days
- Implement and maintain encryption for sensitive data at rest and in transit
5. Security Measures
The Processor implements the following security measures:
- Encryption of data in transit (TLS 1.3)
- Encryption of data at rest (AES-256)
- Additional AES-256-GCM encryption for sensitive user data with per-user key derivation (PBKDF2)
- Access controls and authentication (Supabase Auth)
- Multi-Factor Authentication (TOTP-based) support
- Row Level Security (RLS) for data isolation on all database tables
- Account lockout after failed login attempts
- Session management with device tracking and remote revocation
- Redis-based rate limiting to prevent abuse
- Input validation and sanitization (XSS, SQL injection prevention)
- Regular security assessments
- Incident response procedures
- Comprehensive audit logging
6. Sub-processors
The Controller authorizes the use of the following Sub-processors:
- Database hosting, authentication, and prompt history storage for logged-in users. SOC 2 Type II certified. Location: United States/EU.
- Application hosting, content delivery, and AI Gateway services. SOC 2 Type II + ISO 27001 certified. Location: Global (edge network).
- Payment processing. PCI DSS Level 1 certified. Location: United States.
- AI processing via Anthropic Claude 4.5 Haiku through Vercel AI Gateway with Zero Data Retention (ZDR) enabled. Anthropic is a verified ZDR provider - data is processed transiently and not retained after response generation. Anthropic does not use ZDR-enabled API data for model training. SOC 2 Type II certified. Location: United States.
- Redis-based rate limiting, session caching, and temporary data storage. SOC 2 Type II certified. Data is ephemeral and automatically expires. Location: Global (serverless edge).
The Processor will notify the Controller of any intended changes to Sub-processors, providing the Controller an opportunity to object.
7. Data Subject Rights
The Processor will assist the Controller in fulfilling Data Subject requests including: access, rectification, erasure, restriction, portability, and objection. Requests should be submitted to privacy@thepromptfixer.com.
Self-Service Options: Users can manage their data directly through account settings, including viewing active sessions, enabling/disabling MFA, and deleting their account.
8. Data Breach Notification
The Processor will notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data breach. Notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken to address the breach.
9. International Transfers
Personal Data may be transferred to countries outside the European Economic Area. Such transfers are protected by Standard Contractual Clauses (SCCs) as approved by the European Commission, or other legally recognized transfer mechanisms.
10. Data Retention
Personal Data is retained only for as long as necessary to provide the service:
- Prompts: Not retained (Zero Data Retention via AI Gateway)
- Account Data: Retained while account is active, deleted within 30 days of account closure
- Audit Logs: 90 days for security and compliance purposes
- Session Data: Active sessions retained while logged in, inactive sessions expire after 30 days
- Rate Limit Data: Temporary, expires within 60 seconds to 1 month depending on type
- Failed Login Attempts: Cleared after 15-minute lockout period
11. Audit Rights
The Processor will make available to the Controller all information necessary to demonstrate compliance with this DPA. The Controller may conduct audits, either directly or through an appointed third-party auditor, with reasonable notice and during normal business hours.
12. Liability
Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of data protection law or for gross negligence or willful misconduct.
13. Term and Termination
This DPA remains in effect for the duration of the Controller's use of The Prompt Fixer™ services. Upon termination, the Processor will delete all Personal Data within 30 days unless instructed otherwise or required by law to retain it.
14. Contact
For questions about this DPA or to request a signed copy, contact: privacy@thepromptfixer.com