Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the agreement between PromptJuggler and the customer regarding the processing of personal data.

1. Parties

This DPA is entered into between:

Processor: Szigeti Tamás EV, 2484 Gárdony, Mikszáth Kálmán utca 29 ("PromptJuggler", "we", "us")

and

Controller: the Customer who has entered into an agreement to use the PromptJuggler Service ("Customer", "you").

2. Subject Matter and Duration

Subject matter: We process personal data solely as necessary to operate and provide the PromptJuggler Service.

Duration: This DPA remains in effect for as long as the Customer uses the Service.

3. Nature and Purpose of Processing

The processing of personal data is carried out solely for providing the Service as described in the agreement between the parties.

4. Types of Personal Data and Categories of Data Subjects

Types of personal data: We process the following broad categories of personal data:

  • account data;
  • usage and operational data generated through use of the Service;
  • content submitted or uploaded by the Customer;
  • support communications;
  • billing-related identifiers.

Categories of data subjects:

  • individuals who create or use a Customer account;
  • individuals whose personal data the Customer submits to the Service.

5. Obligations of the Processor (PromptJuggler)

We shall:

  • process personal data only on documented instructions from the Customer;
  • ensure that persons authorised to process personal data are bound by confidentiality obligations;
  • implement security measures appropriate to the risk, as described in this DPA;
  • assist the Customer, to the extent necessary, with fulfilling obligations relating to data subject requests and security incidents;
  • notify the Customer without undue delay after becoming aware of a personal data breach;
  • make available information necessary to demonstrate compliance and allow for reasonable audits.

6. Obligations of the Controller (Customer)

The Customer shall:

  • ensure that it has a valid legal basis for all personal data it submits to the Service;
  • ensure that data subjects are informed about the processing carried out through the Service;
  • ensure that its use of the Service complies with applicable laws and third‑party terms;
  • keep its account credentials and API keys secure and confidential;
  • not submit personal data that it is not permitted to process.

7. Sub-processing

The Customer authorises us to engage sub-processors as necessary to operate the Service. Current sub-processors are listed in our Sub-processor List, which is available on our website. We will notify the Customer of any intended changes to sub-processors and allow the Customer to object where required by law.

We shall ensure that any sub-processor is bound by data protection obligations equivalent to those set out in this DPA.

8. International Transfers

If personal data is transferred outside the European Economic Area by us or our sub‑processors, such transfers will be made in compliance with applicable data protection law, including the use of the European Commission’s Standard Contractual Clauses or other appropriate safeguards.

9. Security Measures

We implement technical and organisational measures appropriate to the risk, including:

  • encryption of data in transit and at rest;
  • access controls restricting production access to authorised personnel only;
  • use of secure authentication mechanisms;
  • hosting on infrastructure with built-in security features and automatic backups;
  • logging and monitoring necessary to maintain service stability and security.

10. Data Subject Requests

We shall assist the Customer, to the extent necessary and reasonably possible, in responding to requests from data subjects to exercise their rights under applicable data protection law.

The Customer is responsible for handling and responding to such requests and for determining whether they are valid.

11. Deletion and Return of Data

During the provision of the Service, personal data is automatically deleted in accordance with the applicable retention periods described in the Privacy Policy.

At the end of the provision of the Service, or upon the Customer’s request, we shall delete personal data stored through the Service, unless retention is required by law.

We are not required to return data to the Customer unless agreed separately. The Customer is responsible for exporting any data before termination of the Service.

12. Audits

The Customer may conduct audits as required by applicable law. Any such audit must be reasonable in scope and timing and must not disrupt the operation of the Service. We may satisfy audit obligations by providing existing attestations, documentation, or reports where appropriate.

13. Miscellaneous

If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions will remain in full force and effect.

This DPA forms part of the agreement between the parties and prevails over conflicting terms related to the processing of personal data. Changes to this DPA must be agreed in writing unless otherwise required by law.

This DPA is governed by the same law and jurisdiction as the underlying agreement between the parties.