Data Processing Agreement
Last updated: 15 May 2026 — Alpha version
This DPA governs the processing of personal data by Prism on behalf of customers, in accordance with GDPR Article 28.
1. Scope and relationship
This agreement applies when a customer uses Prism to process documents that may contain personal data. Prism acts as data processor; the customer acts as data controller for the personal data contained in uploaded documents.
During the alpha phase, this DPA applies to closed alpha users only. The commercial DPA governing paid subscriptions will be published before general availability.
2. Processing instructions
Prism processes personal data only on documented instructions from the controller (i.e., to provide the analysis service as described in the Terms of Service). Prism will not process personal data for any other purpose, including model training.
3. Technical and organizational measures
Prism implements the following measures to protect personal data:
- Data in transit encrypted via TLS 1.2+
- Data at rest encrypted (AES-256) via Supabase / AWS
- Access to production data limited to authorized personnel
- Subprocessors bound by contractual data protection obligations
- Incident response plan; personal data breaches are notified to the controller without undue delay, and in any case within 72 hours of Prism becoming aware of them, so that the controller can meet its own notification deadline under GDPR Article 33
4. Subprocessors
Prism uses the subprocessors listed at prism.moe/subprocessors. Customers will be notified of material changes to the subprocessor list with at least 14 days' notice via email or this page.
5. Data subject rights
Prism will assist the controller in responding to data subject requests (access, erasure, portability, restriction) to the extent technically feasible, within 10 business days of receiving a written request at hi@prism.moe.
6. Data retention and deletion
Upon termination of the service relationship or written request, Prism will delete or return all personal data within 30 days, and certify deletion upon request.
7. Audits
Customers may request audit information by emailing hi@prism.moe. Formal third-party audits (SOC 2) are planned for V2.
8. International transfers
Where data is transferred outside the EEA (e.g., to Anthropic or Stripe in the US), Standard Contractual Clauses (SCCs) approved by the European Commission are in place.
9. Liability
Each party is liable for damages caused by its own non-compliance with GDPR obligations. Prism's liability is limited as set out in the Terms of Service.
10. Contact
Data protection inquiries: hi@prism.moe