Data Processing Agreement

Last updated: July 8, 2026

1. Scope and Purpose

This Data Processing Agreement (“DPA”) forms part of the Terms of Use between PreThink Labs e.U. (“Processor,” “we,” “us”) and the entity subscribing to the Service (“Controller,” “you,” “your”). This DPA governs the processing of personal data by the Processor on behalf of the Controller in connection with the PreThink service.

This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applies to all personal data processed by the Processor on behalf of the Controller.

2. Definitions

  • “Personal Data” means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller through the Service.
  • “Processing” means any operation performed on Personal Data, including collection, storage, retrieval, use, transmission, erasure, or destruction.
  • “Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

3. Data Processing Details

Subject MatterAI prompt engineering, output review, and coaching services
DurationFor the term of the service agreement plus any legally required retention period
Nature & PurposeProcessing user-submitted prompts, generating AI outputs, scoring, and providing coaching analytics
Categories of DataEmail addresses, user-submitted prompts and context, AI-generated outputs, session metadata, usage scores
Data SubjectsController’s authorized end users of the Service

4. Processor Obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, including transfers to third countries
  • Ensure that persons authorized to process Personal Data have committed to confidentiality obligations
  • Implement appropriate technical and organizational security measures as described in Section 7
  • Not engage another processor without prior specific or general written authorization of the Controller
  • Assist the Controller in responding to data subject rights requests
  • Delete or return all Personal Data upon termination of the service, at the Controller’s choice
  • Make available all information necessary to demonstrate compliance with these obligations

5. Controller Obligations

The Controller shall:

  • Ensure a lawful basis exists for the processing of Personal Data
  • Provide documented processing instructions to the Processor
  • Ensure data subjects are informed about the processing in accordance with GDPR Articles 13 and 14
  • Ensure that the use of the Service complies with applicable data protection laws

6. Sub-processors

The Processor currently engages the following categories of Sub-processors:

Sub-processorPurposeLocation
Cloud Infrastructure ProviderDatabase hosting, authentication, backend functionsUnited States
AI Model Providers (OpenAI, Google, Anthropic)AI prompt processing and output generationUnited States
Stripe Payments Europe, Ltd. (“Stripe”)Payment processingUnited States

The Processor will notify the Controller of any intended changes to Sub-processors, giving the Controller the opportunity to object. If using the Bring Your Own Key (BYOK) feature, AI requests are routed directly to the Controller’s own AI provider account, bypassing PreThink’s AI sub-processors.

7. Security Measures

The Processor implements the following technical and organizational measures:

  • Access Control: Row-Level Security (RLS) ensures data isolation between users at the database level.
  • Encryption: All data is encrypted in transit (TLS/SSL). When an AI model is accessed via the user’s own API key, data is additionally encrypted at rest using zero-knowledge encryption.
  • Authentication: JWT-based authentication with secure token management.
  • Audit Logging: All administrative database access is logged with timestamps, action type, and target identifiers for accountability and compliance verification.
  • API Key Security: User-provided API keys (BYOK) are stored encrypted and accessible only to the key owner via RLS policies.
  • Minimized Admin Access: Administrative access to user data is restricted to service operation, security investigations, and legal compliance. All such access is audit-logged.

8. Data Breach Notification

The Processor shall notify the Controller without undue delay after becoming aware of a Data Breach. Notification shall include:

  • The nature of the breach, including categories and approximate number of data subjects affected
  • The name and contact details of the data protection point of contact
  • A description of the likely consequences of the breach
  • The measures taken or proposed to address the breach and mitigate its effects

9. Data Subject Rights

The Processor provides self-service tools enabling data subjects to exercise their rights directly:

  • Access & Portability: Data export in JSON format via Account Settings.
  • Erasure: Complete account and data deletion via Account Settings.
  • Rectification: Contact the Processor’s support for data corrections.

The Processor shall assist the Controller in fulfilling its obligations to respond to data subject requests within the timeframes required by GDPR.

10. International Transfers

Where Personal Data is transferred outside the European Economic Area, the Processor ensures that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the European Commission, or reliance on the data importer’s participation in an approved certification mechanism.

11. Audits and Inspections

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA. The Controller may conduct audits, including inspections, either directly or through a mandated third-party auditor, subject to reasonable notice and confidentiality obligations. The Processor shall contribute to such audits.

Audit logs of administrative access are retained and can be provided to the Controller upon request to verify that user data access is limited to documented purposes.

12. Term and Termination

This DPA shall remain in effect for the duration of the service agreement. Upon termination, the Processor shall, at the Controller’s choice, delete or return all Personal Data within 30 days and certify the deletion in writing, unless retention is required by applicable law.

13. Liability

Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Use, except that neither party limits its liability for breaches of data protection obligations to the extent prohibited by applicable law.

14. Contact

For questions about this DPA or to request execution of a signed copy, contact: help@prethinkai.app