Data Processing Addendum

Email [email protected] with your company details. We'll send the signable PDF (pre-signed by Promptable) within two business days. No NDA required for the standard DPA; enterprise-specific addenda go through a short review.

Subject matter and duration of processing, types of personal data, categories of data subjects, sub-processors (full list at /security), security measures, sub-processor change notifications, data subject rights assistance, breach notification, return and deletion, audit rights. Based on the EU GDPR Article 28 template with UK-specific adjustments.

Where personal data moves outside the UK — primarily inference calls to Anthropic and OpenAI in the US — we rely on the UK's International Data Transfer Addendum (IDTA) to the EU SCCs. Full copies of the SCCs and IDTA are appended to the DPA.

If your procurement process needs more than the DPA, we have a standard security review pack (architecture diagram, sub-processor list, data flow documentation, pen test summary, SOC 2 roadmap) available under NDA. Email [email protected].