Legal

--- title: Data Processing Agreement lastUpdated: May 24, 2026 version: 1.0 ---

This Data Processing Agreement (DPA) supplements and forms part of the Terms of Service or Master Service Agreement between PromptKing Inc. (Ontario Business Corporation No. 1001622155), incorporated in Ontario, Canada, operating as PromptKing AI FinOps (Processor), and the Customer (Controller). PromptKing Inc. is the legal contracting entity for all data processing agreements.

---

1. Definitions

Personal Information: Has the meaning under PIPEDA.

Controller: The Customer, who determines the purposes and means of processing.

Processor: PromptKing Inc. (operating as PromptKing AI FinOps), a Ontario Business Corporation registered in Ontario, Canada (Corp. No. 1001622155), who processes personal information on behalf of the Controller.

Sub-processor: A third party engaged by PromptKing to process personal information.

Data Breach: A breach of security leading to unauthorized access to or disclosure of personal information.

---

2. Scope and Purpose

PromptKing processes personal information only as necessary to deliver the Service. Categories include employee email addresses, job titles, AI usage records, vendor spend data, and other organizational data provided through the Service.

PromptKing will not process personal information for any purpose other than as instructed by the Customer or required by applicable law.

---

3. Customer Instructions

PromptKing processes personal information only on documented instructions from the Customer as reflected in the Agreement and the Customers use of the Service. If PromptKing believes an instruction violates applicable law, it will notify the Customer promptly.

---

4. Confidentiality

Persons authorized to process personal information are under appropriate obligations of confidentiality. PromptKing does not use Customer data to train machine learning models or for any purpose beyond Service delivery.

---

5. Security

PromptKing implements: encryption at rest (AES-256) and in transit (TLS 1.2+), row-level security via Supabase RLS, regular security reviews, and least-privilege access principles.

---

6. Sub-processors

The Customer authorizes PromptKing to engage sub-processors listed at promptking32.com/legal/sub-processors. PromptKing will provide at least 30 days notice before adding or replacing a material sub-processor. The Customer may object within that period; unresolved objections allow termination of the Agreement.

---

7. Data Subject Rights

PromptKing will assist the Customer in fulfilling data subject rights requests by providing appropriate technical measures. PromptKing will forward to the Customer within 5 business days any rights requests received directly relating to Customer data.

---

8. Data Breach Notification

PromptKing will notify the Customer within 72 hours of becoming aware of a Data Breach affecting Customer personal information, including: the nature and scope, categories and approximate number of affected individuals, likely consequences, and measures taken or proposed.

The Customer is responsible for notifying affected individuals and the OPC as required by PIPEDA.

---

9. Deletion and Return of Data

At the end of the Agreement or on written request, PromptKing will at the Customers choice return or delete all Customer personal information within 30 days, except as required by applicable law.

---

10. Audits

PromptKing will provide information necessary to demonstrate compliance and allow for audits with reasonable notice (at least 30 days), no more than once per year. PromptKings SOC 2 Type II report (target: Q3 2026) will satisfy audit requirements for most customers.

---

11. Cross-Border Data Transfers

PromptKing operates infrastructure in the United States. For Enterprise customers requiring Canadian data residency, PromptKing will discuss dedicated infrastructure options under a separate enterprise agreement.

---

12. Governing Terms

This DPA is governed by the laws of the Province of Ontario, Canada. In the event of conflict with the Agreement, this DPA takes precedence with respect to data protection matters.

---

Execution

This DPA is effective upon the Customers acceptance of the Terms of Service, or upon separate execution for Enterprise agreements.

For a signed DPA: info@promptking32.com

---

PromptKing Inc. (operating as PromptKing AI FinOps) Ontario Business Corporation · Corp. No. 1001622155 · Registered Ontario May 24, 2026 Ontario, Canada, Canada | info@promptking32.com | promptking32.com