Data Processing Agreement
Last Updated: November 29, 2025
1. Introduction and Scope
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer," "Data Controller") and Prysmera.ai ("Processor," "we," "us") and governs the processing of personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR).
This DPA applies when Customer uses Prysmera to process personal data of its website visitors ("Data Subjects") and Customer acts as the Data Controller while Prysmera acts as the Data Processor.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person collected through Customer's website when using Prysmera's SDK.
- "Processing" means any operation performed on Personal Data, including collection, recording, storage, analysis, and deletion.
- "Data Controller" means the Customer who determines the purposes and means of processing Personal Data.
- "Data Processor" means Prysmera.ai, which processes Personal Data on behalf of the Customer.
- "Sub-processor" means any third-party processor engaged by Prysmera to process Personal Data.
- "Data Subject" means an individual whose Personal Data is processed.
3. Data Processing Details
3.1 Nature and Purpose of Processing
Prysmera processes Personal Data to:
- Analyze visitor behavior and engagement patterns on Customer's website
- Detect buying intent and generate AI-powered recommendations
- Deliver personalized interventions ("Moments") to visitors
- Provide analytics and insights via the Customer dashboard
- Improve and optimize the Prysmera Service
3.2 Types of Personal Data
Prysmera may process the following categories of Personal Data:
- Anonymous session identifiers (generated by SDK, not linked to real identity)
- IP addresses (anonymized after 30 days)
- Browser metadata (user agent, viewport size, language preferences)
- Behavioral data (page views, clicks, scroll depth, time on page)
- Interaction data (form field focus, CTA clicks, element hovers)
Note: Prysmera does NOT collect form input values, passwords, credit card numbers, or other sensitive personal data unless Customer explicitly configures custom tracking events.
3.3 Categories of Data Subjects
- Website visitors
- Prospective customers
- Current customers (if accessing Customer's web application)
3.4 Duration of Processing
Prysmera will process Personal Data for the duration of the Customer's subscription and as required by applicable laws. Upon subscription termination, data is retained for 30 days and then permanently deleted.
4. Customer's Obligations as Data Controller
Customer agrees to:
- Comply with all applicable data protection laws (GDPR, CCPA, etc.)
- Provide clear and conspicuous notice to Data Subjects about Prysmera's data processing
- Obtain valid consent from Data Subjects where required by law
- Include Prysmera in their privacy policy and cookie consent banner
- Not process special categories of personal data (sensitive data) without prior written agreement
- Ensure lawful basis exists for all data processing activities
- Respond to Data Subject requests (access, deletion, etc.) in a timely manner
5. Prysmera's Obligations as Data Processor
Prysmera agrees to:
- Process Personal Data only in accordance with Customer's documented instructions
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures (see Section 6)
- Assist Customer in responding to Data Subject requests (access, deletion, portability)
- Assist Customer in ensuring compliance with data protection impact assessments
- Notify Customer without undue delay (within 48 hours) of any personal data breaches
- Delete or return all Personal Data upon subscription termination
- Make available all information necessary to demonstrate compliance with this DPA
6. Security Measures
Prysmera implements the following technical and organizational measures:
6.1 Technical Measures
- Encryption at rest - AES-128 encryption for sensitive database fields
- Encryption in transit - TLS 1.3 for all network communications
- Access controls - Role-based access control (RBAC) and row-level security (RLS)
- Secure authentication - Bcrypt password hashing, HMAC-signed API keys
- Network security - Firewall rules, VPC isolation, DDoS protection
- Secure coding practices - Input validation, parameterized queries, XSS prevention
6.2 Organizational Measures
- Employee training - Regular security and privacy training for all staff
- Confidentiality agreements - All employees sign NDAs
- Access management - Principle of least privilege, regular access reviews
- Incident response plan - Documented procedures for data breach notification
- Vendor management - Due diligence on all sub-processors
- Regular audits - Annual security assessments and penetration testing
7. Sub-processors
Customer authorizes Prysmera to engage the following sub-processors to assist in providing the Service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Cloud Platform | Cloud hosting, database storage, infrastructure | United States |
| Anthropic (Claude API) | AI model processing for content generation | United States |
| Mistral AI | Brand intelligence analysis | France |
| Stripe | Payment processing | United States |
| SendGrid | Transactional email delivery | United States |
Prysmera will notify Customer of any changes to sub-processors at least 30 days in advance via email. Customer may object to a new sub-processor by terminating the subscription within the notice period.
All sub-processors are contractually bound to data protection obligations equivalent to those in this DPA.
8. Data Subject Rights
Prysmera will assist Customer in fulfilling Data Subject requests, including:
- Right of access - Provide data via Customer dashboard or API export
- Right to deletion - Delete data via `DELETE /api/account` or manual request
- Right to portability - Export analytics data in JSON/CSV format
- Right to rectification - Update incorrect data via dashboard or API
- Right to restriction - Temporarily suspend processing (contact support)
- Right to object - Opt out of analytics tracking
Customer is responsible for verifying Data Subject identity before fulfilling requests. Prysmera will provide technical assistance within 5 business days of receiving a request from Customer.
9. Data Breach Notification
In the event of a personal data breach, Prysmera will:
- Notify Customer without undue delay (within 48 hours of becoming aware)
- Provide details of the breach, including affected data and estimated number of Data Subjects
- Describe measures taken to mitigate the breach
- Provide recommendations for Customer's response to Data Subjects
- Cooperate with Customer's investigation and regulatory reporting
10. International Data Transfers
Personal Data may be transferred to and processed in the United States and other countries where Prysmera or its sub-processors operate. To ensure adequate protection for such transfers, Prysmera relies on:
- Standard Contractual Clauses (SCCs) - EU Commission-approved clauses for data transfers outside the EEA
- Adequacy decisions - Transfers to countries recognized by the EU Commission as providing adequate protection
- Sub-processor agreements - All sub-processors sign SCCs or equivalent safeguards
Upon request, Prysmera will provide Customer with a copy of the SCCs governing international transfers.
11. Data Retention and Deletion
Prysmera will:
- Retain Personal Data only as long as necessary to provide the Service
- Anonymize IP addresses after 30 days
- Retain analytics data per Customer's subscription plan limits
- Upon subscription termination or deletion request:
  - Soft-delete data immediately (no longer accessible to Customer)
  - Permanently delete data within 30 days
  - Provide confirmation of deletion upon request
- Retain backups for disaster recovery (30-day retention, encrypted)
12. Audit Rights
Customer has the right to audit Prysmera's compliance with this DPA, subject to:
- Providing 30 days' advance written notice
- Conducting audits no more than once per year
- Signing a confidentiality agreement
- Paying Prysmera's reasonable costs for facilitating the audit
Alternatively, Customer may accept Prysmera's annual SOC 2 Type II report (when available) in lieu of conducting their own audit.
13. Liability and Indemnification
Each party is liable for its own breaches of this DPA. Customer indemnifies Prysmera against claims arising from Customer's failure to comply with data protection laws or obtain proper consent from Data Subjects.
Prysmera's total liability for data protection breaches is limited to the amount specified in the Terms of Service.
14. Term and Termination
This DPA takes effect on the date Customer accepts the Terms of Service and remains in effect until the subscription is terminated. Upon termination, Prysmera will delete or return all Personal Data in accordance with Section 11.
15. Governing Law
This DPA is governed by the same laws as the Terms of Service. In the event of conflict between this DPA and the Terms of Service, this DPA prevails with respect to data processing matters.
16. Contact for Data Protection Inquiries
For questions about this DPA or data processing practices:
Data Protection Officer:
Email: dpo@prysmera.ai
Website: https://prysmera.ai
Address: [Your Company Address]