Data Processing Agreement
Terms not defined in this Agreement have the meanings given to them in the Terms of Use and, if applicable, in the Terms and Conditions of Sale applicable to the Power Prompt Services.
This Data Processing Agreement (hereinafter the "Agreement" or "DPA") sets out the conditions under which Digital Business Services S.à r.l. acts as a Data Processor on behalf of the Customer, acting as a Data Controller, in connection with the provision of the Power Prompt Services, in accordance with Article 28 of Regulation (EU) 2016/679 ("GDPR").
This Agreement constitutes a separate contractual document that applies, where relevant, between Digital Business Services S.à r.l. and Power Prompt's Business Customer when personal data is processed by the Processor on behalf of the Customer in connection with the Services. The Customer then acts as the Data Controller and Digital Business Services S.à r.l. acts as the Data Processor.
On the other hand, when Digital Business Services S.à r.l. processes personal data for its own purposes, in particular for the purposes of commercial management, contracting, invoicing, legal compliance, security of its systems, prevention of abuse, general administration of the Services or defence of its rights, it acts as a separate Data Controller. Such processing is not covered by this Agreement and is governed, where applicable, by the documentation applicable in that capacity.
This Agreement becomes effective on the date of conclusion of the applicable contract for the Power Prompt Services, including upon acceptance of the Terms of Use, the Terms and Conditions of Sale, the signing of a quote, purchase order, Special Terms or any other equivalent contractual formalization.
"Processor" means Digital Business Services S.à r.l., established at 2, rue Tresch, L-8373 Hobscheid, Luxembourg, when it processes personal data on behalf of the Customer in the context of the Power Prompt Services.
"Controller" means the Business Customer who determines the purposes and means of processing personal data processed through the Power Prompt Services for its own purposes.
"Services" means all features, subscriptions, interfaces, workspaces, APIs, integrations, modules, options, related services, support and maintenance marketed under the Power Prompt brand.
This version is applicable from 02/05/2026. With respect to its subject matter only, this Agreement takes precedence over any other provisions relating to the processing of personal data contained in other applicable contractual documents between the parties.
1. Purpose and scope
The purpose of this Agreement is to define the conditions under which Digital Business Services S.à r.l., when acting as a Data Processor, processes personal data on behalf of the Data Controller in connection with the access, use, administration, support, maintenance of the Power Prompt Services, their hosting, their security and, more generally, their operation.
This Agreement applies exclusively to processing operations for which the Customer acts as a Data Controller and Digital Business Services S.à r.l. acts as a Data Processor within the meaning of the GDPR.
It does not apply to the processing that Digital Business Services S.à r.l. carries out for its own purposes as a separate Data Controller, in particular for the management of the commercial relationship, contractualization, invoicing, accounting, compliance with its legal obligations, cybersecurity, prevention of abuse, administration of its infrastructures, management of technical logs necessary for the security and operation of the Services or defence of its rights.
2. Documented Instructions and Role of the Parties
The Processor shall only process personal data on the documented instructions of the Controller, as resulting from this Agreement, the main contract, the configuration of the Services, the applicable documentation, support requests, or any additional written instructions accepted by the Processor.
The Data Controller guarantees that it has all rights, authorisations, legal bases and information necessary to collect, use, transmit and have processed the personal data concerned via the Services. It remains solely responsible for the lawfulness of the processing, the determination of the purposes pursued, the choice of data submitted to the Services and compliance with its own legal, regulatory and sectoral obligations.
The Processor shall inform the Controller if, in its opinion, an instruction constitutes a violation of the GDPR or other applicable data protection provisions. Unless otherwise required by law, the Processor may suspend the execution of the relevant instruction until clarification.
3. Nature, purpose, duration and categories of processing
The nature, purposes, categories of data subjects, categories of personal data and duration of processing are described in Annex A, which forms an integral part of this Agreement.
The processing may include, in particular, hosting, recording, organization, structuring, consultation, use, transmission, provision, comparison, versioning, testing, execution, analysis, export, deletion and, more generally, any operation strictly necessary for the provision of the Power Prompt Services and the functionalities subscribed to by the Data Controller.
The detailed description of the processing, the categories of data, the data subjects, as well as the processing operations carried out is set out in Annex A, which forms an integral part of this Agreement.
4. Obligations of the Data Controller
The Data Controller undertakes to:
- ensure that the data transmitted to the Processor is adequate, relevant and limited to what is necessary in relation to the purposes pursued;
- not use the Services to process illegal data, prohibited content or data that it is not authorised to process or transmit;
- inform data subjects when required and respond to their requests under the conditions provided for by the GDPR;
- determine whether a data protection impact assessment, prior consultation, or enhanced measures are necessary in light of its own uses of Power Prompt;
- refrain, except where the Processor has given its express consent and appropriate safeguards have been put in place, from submitting via the Services special categories of data within the meaning of Article 9 of the GDPR, data relating to criminal convictions and offences within the meaning of Article 10 of the GDPR, or other highly sensitive data, regulated or covered by a specific secret, when such data is not necessary or when appropriate measures have not been taken.
5. Obligations of the Processor
The Processor undertakes to:
- process personal data only to provide, secure, maintain, support and technically improve the Services, to the extent permitted by this Agreement and applicable law;
- ensure that persons authorised to process data are subject to an appropriate duty of confidentiality;
- implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR;
- take into account the state of the art, the costs of implementation, as well as the nature, scope, context and purposes of the processing;
- assist the Controller under the conditions set out in this Agreement.
6. Confidentiality
The Processor limits access to personal data to only those persons who need it for the performance of the contract, the operation of the Services, support, security, maintenance or compliance with legal obligations. These individuals are bound by an appropriate contractual, legal or statutory obligation of confidentiality.
7. Security of processing
The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. Such measures may include, as appropriate and subject to what is technically and contractually applicable, access control, authentication, logging, environment segmentation, backup, recovery, encryption in transit and/or at rest where relevant, vulnerability management, privilege limitation, and reasonable testing and evaluation procedures.
The Controller acknowledges that the Power Prompt Services may depend on third-party services, infrastructure, hosts, APIs, connectors, models, platforms, or providers. The Processor shall take reasonable care to select service providers that offer appropriate guarantees with regard to data protection and security, without guaranteeing the absolute absence of the risk inherent in digital services.
8. Assistance to the Data Controller
Taking into account the nature of the processing and to the extent reasonably possible, the Processor shall assist the Controller with appropriate technical and organisational measures to enable it to respond to requests to exercise the rights of data subjects.
The Processor shall also assist the Controller, to the extent required by Article 28 of the GDPR, taking into account the nature of the processing and the information available to it, in complying with obligations relating to the security of processing, notification of personal data breaches, impact assessments and, where appropriate, prior consultations with the supervisory authority.
Any assistance that exceeds the legal obligations of the Processor or requires specific, substantial, urgent or repeated work may be subject to additional invoicing based on the applicable commercial conditions.
9. Notification of personal data breaches
The Processor shall notify the Controller, without undue delay after becoming aware of it, of any personal data breach affecting the processing covered by this Agreement.
This notification shall include, to the extent possible and based on the information available, the nature of the breach, the categories of data affected, the likely consequences, and the measures taken or proposed to remedy the breach and mitigate its effects.
10. Sub-processors
The Controller generally authorizes the Processor to use sub-processors to provide all or part of the Services, including hosting, infrastructure, supervision, authentication, certain technical integrations, certain artificial intelligence services, support and maintenance, when such providers are required to process personal data on behalf of the Controller in the context of the Services.
The Data Controller may make a written objection, substantiated and based on serious reasons related to data protection, within fifteen (15) calendar days from the date of notification of a material change of sub-processor.
The list of sub-processors known as of the date of this version is provided in Appendix B. The Processor imposes on its sub-processors, by contract, data protection obligations substantially equivalent to those provided for in this Agreement, to the extent required by Article 28 of the GDPR.
The Processor may modify or supplement this list at any time. In the event of a material change relating to a sub-processor involved in the processing covered by this Agreement, the Controller will be notified by any appropriate means. It may issue a written, reasoned objection based on serious data protection reasons, within a reasonable period of time. The parties will then consult each other in good faith to consider a reasonable solution, which may include, as the case may be, a configuration change, a limitation of service or the termination of the services concerned.
11. Data transfers outside the European Economic Area
Where the performance of the Services involves a transfer of personal data to a country outside the European Economic Area, the Processor shall ensure that an appropriate transfer mechanism is put in place in accordance with Chapter V of the GDPR, such as an adequacy decision, standard contractual clauses, or any other mechanism recognized as valid under applicable law.
Where applicable, the Processor shall implement additional technical, contractual or organisational measures reasonably appropriate in the light of the nature of the transfer, the processing concerned and the applicable requirements.
12. Fate of data at the end of the contract
Upon expiration or termination of the relevant Services, the Processor deletes or returns, at the option of the Controller where technically feasible and provided for by the applicable offer, the personal data processed on its behalf, unless there is a legal obligation to retain it, the need for limited retention for the defense of the Processor's rights, or temporary retention in secure backups according to the applicable retention cycles.
It is the responsibility of the Data Controller to take, before the effective termination of the Services, the necessary measures to export or retrieve the data, content, prompts, histories, configurations and other elements that it wishes to keep, in accordance with the available functionalities.
13. Information, demonstration of compliance and audit
The parties agree to give preference, where reasonably possible, to a desk audit or review of existing compliance reports, prior to any on-site intervention.
The Processor shall make available to the Controller such information as is reasonably necessary to demonstrate compliance with its obligations under this Agreement, to the extent that such information can be disclosed without prejudice to the security, confidentiality, trade secrets, obligations to third parties or the rights of other customers.
Where the information provided is not sufficient and there are objective elements reasonably suggesting a serious non-compliance relating to the processing covered by this Agreement, the Data Controller may request a limited, non-intrusive and proportionate audit, carried out either by itself or by an independent auditor subject to a strict obligation of confidentiality and not in a situation of conflict of interest.
Unless there is a legal emergency or an order from a competent authority, any audit is subject to reasonable written notice, takes place during business hours, without unduly disrupting the Processor's business or compromising the security of the Services, and remains limited to what is strictly necessary. Unless the audit reveals a material non-conformity attributable to the Processor, its costs are borne by the Controller.
14. Liability
The liability of the parties under this Agreement shall be governed by the liability provisions set forth in the General Terms and Conditions of Use, the General Terms and Conditions of Sale and, where applicable, the applicable Special Terms, subject to the mandatory provisions of the GDPR or any other applicable legislation.
Unless otherwise provided by mandatory requirements, any liability incurred under this Agreement is subject to the limits of liability set forth in the applicable Terms of Use and Terms and Conditions of Sale.
15. Duration
This Agreement shall enter into force on the date on which it becomes applicable according to the contractual documents referred to above and shall remain in force for the duration during which the Processor processes personal data on behalf of the Controller in connection with the Services.
16. Amendment
The Processor may modify this Agreement in order to take into account, in particular, legal, regulatory, jurisprudential, technical, organizational or operational developments, or developments relating to the Power Prompt Services. The updated version shall be brought to the attention of the Data Controller by any appropriate means. In the event of a material change affecting the rights or obligations of the parties, the Processor shall endeavour, within a reasonable period of time, to inform the Controller before its entry into force.
17. Applicable law and jurisdiction
This Agreement is governed by Luxembourg law. Subject to any applicable mandatory provision, any dispute relating to its validity, interpretation, execution, termination or consequences falls under the exclusive jurisdiction of the courts of Luxembourg City.
18. Contact
For any questions about this Agreement, the Customer may contact us either in writing at the following address:
Digital Business Services S.à r.l.
2, rue Tresch
L-8373 Hobscheid
Luxembourg
or via our electronic form: https://powerprompt.eu/contactus
Appendix A – Description of Processing
A.1. Purpose, nature and purposes of the processing
The Processor processes personal data to provide the Power Prompt solution to the Data Controller, in particular to allow, depending on the subscribed offer and the configuration set up, the creation, structuring, organization, storage, sharing, versioning, comparison, optimization, testing, execution and operation of prompts, libraries, variables, instruction sets, content, configurations, histories, generated outputs, and related items, including through web interfaces, collaborative workspaces, integrations, and APIs.
Within the scope of this Agreement, the processing carried out by the Processor on behalf of the Controller may also include authentication, administration of customer accounts, management of access rights, logging related to the use of the Services, maintenance, support, backup, restoration, technical supervision and management of integrations selected or activated by the Controller, to the extent that such operations are necessary for the provision of the Services to the Controller.
The processing carried out by Digital Business Services S.à r.l. for its own purposes, such as commercial management, invoicing, accounting, legal compliance, general security of its systems or the prevention of abuse on its own behalf, does not fall within the scope of this Annex A.
A.2. Categories of data subjects
- authorized users, administrators and collaborators of the Data Controller;
- data subjects whose data is included by the Controller in prompts, documents, files, instructions, contexts, logs, configurations or content processed through the Services;
- professional contacts, customers, prospects, suppliers, partners, service providers, external collaborators or other third parties whose data is submitted to the Services by the Data Controller;
- persons communicating with the Controller via systems or content integrated into the Services.
A.3. Categories of personal data
- identification and contact data, such as surname, first name, business email address, business telephone number, job title, company;
- account and authentication data, such as logins, roles, login logs, access metadata, and related technical information;
- content, prompts, instructions, documents, files, variables, configurations, comments, histories, outputs generated and metadata associated with the use of the Services;
- technical data, such as IP addresses, device identifiers, event logs, session information, and diagnostic data;
- any other data that the Controller chooses to submit to the Services under its sole responsibility.
Unless otherwise specifically agreed and appropriate measures are in place, the Data Controller shall refrain from submitting to the Services special categories of data, criminal data, protected secrets or highly sensitive data that are not necessary for the intended use.
A.4. Processing operations
Processing operations may include collection, recording, organization, structuring, storage, adaptation, consultation, use, transmission, provision, combination, analysis, export, temporary storage, deletion and destruction, to the extent necessary for the provision of the Services.
A.5. Duration of processing
The data is processed for the duration of the contractual relationship relating to the relevant Services and then deleted or returned in accordance with this Agreement, subject to the retention periods required by law, reasonable technical constraints, secure backups and legitimate needs for proof, security or the defense of rights.
Appendix B – Subprocessors
The sub-processors below may be involved, depending on the Services, options, integrations, and technical environments enabled, when processing personal data on behalf of the Controller in connection with the Services covered by this Agreement.
| Sub-processor | Role / purpose | Location |
|---|---|---|
| RCarré | Cloud infrastructure, hosting, storage, backups and technical operation of the Services | 38-40, Capellen Business Park |
| Stripe | Management of online payment processes, fraud prevention and invoicing | 354 Osterley Park, Dublin, Ireland (EU Headquarters) / United States |
Appendix C – Technical and Organizational Measures (Summary Description)
The Processor implements, according to an approach proportionate to the risk, technical and organisational measures including, in particular:
- authorisation management and access control;
- authentication and account protection;
- logging and traceability of relevant technical events;
- backup, recovery, and reasonable resiliency of services;
- appropriate network, system and application security measures;
- vulnerability management and security maintenance;
- contractual confidentiality and data protection framework with authorised persons and sub-processors;
- internal procedures for managing incidents and, where applicable, data breaches;
- minimization, access limitation, and logical separation measures where appropriate.
The operational details of certain measures may be communicated separately upon legitimate request, subject to security and confidentiality requirements.