NEW: Now monitoring 9 AI platforms including ChatGPT, Claude, Gemini, and Perplexity
PromptEden Logo

Data Processing Agreement

Last updated: April 1, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Yulan Ventures, LLC, doing business as PromptEden ("Processor," "we," or "us"), and the entity agreeing to this DPA ("Controller," "Customer," or "you") for the use of PromptEden's AI search monitoring services (the "Services").

This DPA applies where and to the extent that PromptEden processes Personal Data on behalf of the Customer in the course of providing the Services under the Terms of Service or any applicable order form or enterprise agreement (the "Agreement").

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person that PromptEden processes on behalf of the Customer in connection with the Services.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
  • "Data Protection Laws" means all applicable data protection and privacy legislation, including the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and any implementing or supplementary legislation.
  • "Subprocessor" means any third party engaged by PromptEden to process Personal Data on behalf of the Customer.
  • "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

2. Scope and Roles

The Customer is the Controller of Personal Data. PromptEden is the Processor. PromptEden processes Personal Data only as necessary to provide the Services and as instructed by the Customer, except where otherwise required by applicable law.

2.1 Categories of Data Subjects

End users of the Customer's PromptEden account and individuals whose data may appear in AI-generated search responses monitored through the Services.

2.2 Types of Personal Data

  • Account information (name, email address)
  • Workspace configuration (monitored domains, brand terms, custom prompts)
  • AI monitoring results (search responses, citations, brand mentions)
  • Usage and analytics data
  • Billing metadata (plan, transaction timestamps)

2.3 Processing Activities

Hosting and storage of Customer Data; executing AI search monitoring queries on behalf of the Customer; generating analytics and reports; processing billing and subscription management; sending transactional communications.

3. Customer Obligations

The Customer represents, warrants, and covenants that:

  • It has a lawful basis for processing Personal Data and for instructing PromptEden to process it.
  • It has provided all necessary notices and obtained all required consents from data subjects before submitting Personal Data to the Services.
  • Its processing instructions comply with all applicable Data Protection Laws, and it will not instruct PromptEden to process Personal Data in a manner that would violate applicable law.
  • It is solely responsible for the accuracy, quality, and legality of Personal Data submitted to the Services and the means by which it was obtained.

The Customer shall indemnify and hold harmless PromptEden from any claims, losses, or damages arising from the Customer's breach of its obligations under this Section 3, including any regulatory fines or penalties imposed on PromptEden as a result of the Customer's failure to comply with Data Protection Laws.

4. Processor Obligations

PromptEden shall:

  • Process Personal Data only on documented instructions from the Customer, unless required by applicable law.
  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational security measures as described in Section 6.
  • Assist the Customer in responding to data subject rights requests, to the extent PromptEden is able and as required by Data Protection Laws.
  • Assist the Customer in ensuring compliance with its obligations regarding security, breach notification, data protection impact assessments, and prior consultation, taking into account the nature of processing and the information available to PromptEden.
  • At the Customer's choice, delete or return all Personal Data upon termination of the Services, unless retention is required by applicable law.
  • Make available to the Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or a third-party auditor mandated by the Customer, subject to reasonable confidentiality obligations and advance notice.

5. Subprocessors

5.1 Authorization

The Customer provides general written authorization for PromptEden to engage Subprocessors to process Personal Data. A current list of Subprocessors is maintained at /legal/subprocessors.

5.2 Notification of Changes

PromptEden will notify the Customer at least 14 days before adding or replacing a Subprocessor by updating the Subprocessors page and, where feasible, notifying the Customer by email. If the Customer objects to a new Subprocessor on reasonable data protection grounds, the Customer may notify PromptEden in writing within 14 days of receiving notice. The parties will work in good faith to resolve the objection. If no resolution is reached, the Customer may terminate the affected Services without penalty.

5.3 Subprocessor Obligations

PromptEden imposes data protection obligations on each Subprocessor that are no less protective than those in this DPA. PromptEden remains responsible for the acts and omissions of its Subprocessors.

6. Security Measures

PromptEden implements and maintains appropriate technical and organizational measures to protect Personal Data, including:

  • Encryption of data in transit (TLS 1.2+)
  • Encryption of data at rest
  • Access controls and authentication (role-based access, multi-factor authentication for internal systems)
  • Regular security testing and vulnerability management
  • Logging and monitoring of access to Personal Data
  • Employee confidentiality obligations and security training
  • Incident response procedures

7. Security Incidents

PromptEden will notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of a Security Incident affecting Personal Data. The notification will include:

  • The nature of the incident, including categories and approximate number of data subjects affected
  • The likely consequences of the incident
  • The measures taken or proposed to address and mitigate the incident
  • A contact point for further information

8. International Data Transfers

PromptEden processes Personal Data primarily in the United States. Where Personal Data originating from the EEA, UK, or Switzerland is transferred to a country that does not provide an adequate level of data protection, PromptEden relies on the EU Standard Contractual Clauses (SCCs) as adopted by the European Commission (Commission Implementing Decision (EU) 2021/914), which are incorporated into this DPA by reference.

For transfers from the UK, the International Data Transfer Addendum to the EU SCCs (as issued by the UK Information Commissioner's Office) applies. For transfers from Switzerland, the SCCs apply with the modifications required by the Swiss Federal Data Protection Act.

9. Data Retention and Deletion

PromptEden retains Personal Data for as long as necessary to provide the Services and as described in our Privacy Policy. Upon termination of the Agreement, PromptEden will delete or anonymize Personal Data within 90 days, unless retention is required by applicable law or the Customer requests return of data in a portable format.

10. Audits

Upon reasonable written request (no more than once per calendar year and with at least 30 days' advance written notice), PromptEden will make available information reasonably necessary to demonstrate compliance with this DPA. PromptEden may satisfy audit requests by providing a summary report, SOC 2 report, or equivalent third-party certification in lieu of direct inspection, at PromptEden's sole discretion.

If the Customer requires an on-site audit beyond what can be satisfied by documentation, it shall be conducted during normal business hours, at the Customer's sole expense (including reimbursement of PromptEden's reasonable costs for staff time), subject to reasonable confidentiality obligations, and limited in scope to the processing activities covered by this DPA. PromptEden may require the Customer's auditor to execute a separate non-disclosure agreement before any inspection. Audit findings are confidential and may not be disclosed to third parties without PromptEden's prior written consent.

11. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement (including the Terms of Service). In no event shall PromptEden's aggregate liability under this DPA exceed the amounts actually paid by the Customer to PromptEden under the Agreement during the three (3) months preceding the event giving rise to the claim. This DPA does not create any independent right of action beyond those in the Agreement. To the extent permitted by applicable law, the Customer waives any claim for indirect, incidental, special, consequential, or punitive damages under this DPA.

12. Term and Termination

This DPA takes effect when the Customer begins using the Services and remains in effect for the duration of PromptEden's processing of Personal Data on behalf of the Customer. Either party may terminate this DPA by terminating the Agreement in accordance with its terms. PromptEden may suspend processing if the Customer fails to comply with its obligations under this DPA. Provisions that by their nature should survive termination (including confidentiality, data deletion, liability, and audit) will survive.

13. Governing Law

This DPA is governed by the laws of the State of Delaware, consistent with the governing law of the Agreement. Where Data Protection Laws require application of the laws of another jurisdiction for specific provisions (such as the SCCs), those provisions are governed by the applicable law.

14. Contact

For questions or requests related to this DPA, contact:

  • Email: [email protected]
  • Mailing address: Yulan Ventures, LLC, 1211 W 6th St, Ste #600-188, Austin, TX 78703