Data Processing Addendum
Version 1.0
Last revised on: January 20, 2026
This Data Processing Addendum ("DPA") forms part of the Terms of Service (the "Agreement") between Prediction Lab, LLC ("Prediction Lab," "we," "us," or "our") and the entity identified in the Agreement ("Customer," "you," or "your") for the provision of the Services.
This DPA reflects the parties' agreement regarding the Processing of Personal Data in accordance with Data Protection Laws.
1. Definitions
Capitalized terms not defined herein have the meanings in the Agreement.
"Data Protection Laws" means all applicable laws relating to Processing of Personal Data, including the GDPR, UK GDPR, UK Data Protection Act 2018, California Consumer Privacy Act (as amended by CPRA), and other applicable data protection laws.
"Data Subject" means an identified or identifiable natural person whose Personal Data is Processed.
"Personal Data" means any information relating to an identified or identifiable natural person that is Processed by us on your behalf in connection with the Services.
"Personal Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
"Processing" means any operation performed on Personal Data, whether automated or not, such as collection, recording, organization, storage, adaptation, retrieval, use, disclosure, combination, erasure, or destruction.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission in Decision 2021/914.
"Subprocessor" means any third party engaged by us to Process Personal Data on your behalf.
2. Scope and Roles
2.1 Scope. This DPA applies to Processing of Personal Data by us on your behalf in connection with the Services.
2.2 Roles. You are the Controller of Customer Data. We are the Processor, Processing Customer Data only on your behalf and in accordance with your documented instructions.
2.3 Customer as Processor. If you are a Processor of Customer Data (processing on behalf of your own customers), we are a Subprocessor. You warrant that you have obtained necessary authorizations to engage us.
2.4 Your Responsibilities. You represent that you have provided all necessary notices and obtained all necessary consents to enable lawful Processing, your instructions comply with Data Protection Laws, and you have assessed that our security measures are appropriate.
2.5 Our Responsibilities. We will Process Personal Data only in accordance with your documented instructions (unless required by law), ensure authorized persons are subject to confidentiality obligations, implement appropriate security measures, assist with Data Subject requests and compliance obligations, and delete or return Personal Data upon termination.
3. Processing Instructions
3.1 Documented Instructions. We will Process Personal Data only per your documented instructions, which include: the Agreement and this DPA, your configuration of the Services, and instructions through standard support channels.
3.2 Additional Instructions. If you provide instructions beyond Section 3.1, we will inform you if, in our opinion, they infringe Data Protection Laws.
3.3 Legal Requirements. If required by law to Process Personal Data beyond your instructions, we will inform you before Processing (unless prohibited by law).
4. Details of Processing
| Element | Description |
|---|---|
| Subject Matter | Provision of predictive modeling and analytics services |
| Duration | Term of the Agreement plus post-termination period in Section 10 |
| Nature and Purpose | Storage, hosting, and processing to provide the Services; Customer Data is not used to train AI/ML models |
| Types of Personal Data | As determined by you; may include contact information, identifiers, professional information |
| Categories of Data Subjects | As determined by you; may include employees, contractors, customers |
You determine the types of Personal Data and categories of Data Subjects. You are responsible for ensuring lawfulness of any Personal Data submitted.
5. Subprocessors
5.1 Authorization. You authorize us to engage the Subprocessors in Annex B and provide general authorization for additional Subprocessors subject to Section 5.2.
5.2 Notification. We will maintain an up-to-date Subprocessor list, notify you of intended additions or replacements at least 30 days before the new Subprocessor begins Processing, and provide notification via email or in-product notice.
5.3 Objection. If you have a legitimate, documented objection on data protection grounds, notify us in writing within 14 days. We will work in good faith to find a resolution. If none is reached within 30 days, you may terminate affected Services without penalty.
5.4 Obligations. We will enter written agreements with Subprocessors imposing obligations materially consistent with this DPA and remain fully liable for their acts and omissions.
6. Security Measures
6.1 Obligations. We will implement appropriate technical and organizational measures to ensure security appropriate to the risk, taking into account the state of the art, costs, nature, scope, context, and purposes of Processing.
6.2 Measures. Our security measures are described in Annex A and include: encryption in transit and at rest, access controls and authentication, measures for confidentiality, integrity, availability, and resilience, measures to restore availability following an incident, and regular testing of security effectiveness.
6.3 Certifications. We maintain SOC 2 certification. Upon written request and subject to confidentiality, we will provide a summary of our most recent report.
6.4 Updates. We may update security measures provided updates do not materially decrease overall security.
6.5 Your Responsibilities. You are responsible for implementing appropriate security for your use, securing account credentials and access controls, and evaluating whether our measures are appropriate for your Processing.
7. Data Subject Rights
7.1 Assistance. We will assist you by appropriate technical and organizational measures to fulfill obligations to respond to Data Subject requests, including rights of access, rectification, erasure, restriction, portability, and objection.
7.2 Notification. If we receive a request directly from a Data Subject, we will promptly notify you and will not respond except to acknowledge receipt or direct them to you, unless legally required.
7.3 Self-Service. Where possible, we provide self-service functionality enabling you to respond to requests directly.
8. Personal Data Breach
8.1 Notification. We will notify you without undue delay, and within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Data.
8.2 Contents. Notification will include, to the extent known: description of the breach including categories and approximate numbers affected, contact details for further information, likely consequences, and measures taken or proposed.
8.3 Assistance. We will cooperate and provide reasonable assistance investigating the breach, preparing notifications, and mitigating effects.
8.4 No Admission. Our notification or response shall not be construed as admission of fault or liability.
9. Audits
9.1 Information. Upon written request, we will provide information reasonably necessary to demonstrate compliance, including: security questionnaires (once per year), summary of SOC 2 report (under NDA), and documentation of security measures.
9.2 Audit Rights. Upon 30 days' advance notice and no more than once per 12 months, you may conduct or commission a third-party audit of our Processing and security measures. Audits shall be conducted during business hours, shall not unreasonably disrupt operations, shall be subject to confidentiality, and shall be at your expense.
9.3 Third-Party Certifications. Our certifications and reports may satisfy audit requests where applicable.
10. Data Retention and Deletion
10.1 Retention. We retain Customer Data for the Agreement duration and post-termination period below.
10.2 Post-Termination. Upon termination: you have 90 days to export Customer Data; we delete Customer Data within 14 days after the export period; backups are purged within 30 days.
10.3 Exceptions. We may retain Personal Data as required by law, in backups until purged in ordinary course, or if de-identified or aggregated such that it no longer constitutes Personal Data.
10.4 Certification. Upon written request, we will certify deletion in accordance with this Section.
11. International Data Transfers
11.1 Locations. Customer Data may be transferred to locations specified in Annex B (Subprocessor locations).
11.2 Transfer Mechanisms. For transfers from the EEA or UK to countries without adequate protection, we rely on Standard Contractual Clauses (Module Two: Controller to Processor) incorporated by reference and the UK International Data Transfer Addendum.
11.3 SCC Application. Where SCCs apply: you are the data exporter, we are the data importer; Annexes are populated per this DPA; Clause 9 Option 2 (general authorization) applies; governing law and jurisdiction is Ireland for EEA transfers.
11.4 UK Transfers. The UK International Data Transfer Addendum is incorporated, governed by England and Wales law.
11.5 Transfer Assessments. We have conducted transfer impact assessments and implemented supplementary measures including encryption.
12. CCPA Provisions
12.1 Service Provider Status. To the extent CCPA applies, we are a "service provider" receiving Personal Data to provide the Services. We shall not sell or share Personal Data (as defined in CCPA), retain, use, or disclose it for purposes other than providing the Services, or use it outside the direct business relationship.
12.2 Certification. We certify understanding of and compliance with CCPA restrictions.
12.3 No Sale. We do not sell Personal Data and have not done so in the preceding 12 months.
13. Liability
Liability under this DPA is subject to the limitations in the Agreement.
14. Term and Precedence
14.1 Term. This DPA takes effect when you accept the Agreement and remains in effect until the Agreement terminates.
14.2 Precedence. In case of conflict between this DPA and the Agreement, this DPA prevails for Processing of Personal Data. In case of conflict between this DPA and the SCCs, the SCCs prevail.
15. Modifications
We may update this DPA to reflect changes in Data Protection Laws, with at least 30 days' notice of material changes.
Annex A: Technical and Organizational Security Measures
Access Control
| Measure | Description |
|---|---|
| User Authentication | MFA available; SSO integration |
| Access Management | Role-based access control; least privilege |
| Password Policy | Complexity requirements; secure storage |
| Session Management | Configurable timeouts; secure tokens |
Encryption
| Measure | Description |
|---|---|
| In Transit | TLS 1.2+ |
| At Rest | AES-256 |
| Key Management | AWS KMS; regular rotation |
Infrastructure Security
| Measure | Description |
|---|---|
| Hosting | AWS |
| Network | VPC isolation; security groups |
| Protection | WAF; DDoS protection |
| Monitoring | 24/7 monitoring; automated alerting |
Application Security
| Measure | Description |
|---|---|
| Development | Secure coding practices; code review |
| Vulnerability Management | Regular scanning; dependency updates |
| Penetration Testing | Annual third-party testing |
Operational Security
| Measure | Description |
|---|---|
| Change Management | Documented process |
| Backup and Recovery | Automated backups; tested recovery |
| Incident Response | Documented plan; regular testing |
Personnel Security
| Measure | Description |
|---|---|
| Background Checks | For personnel with data access |
| Confidentiality | Agreements for all personnel |
| Training | Security awareness training |
| Access Termination | Prompt revocation |
Annex B: Subprocessors
Cloud Deployments (Multi-Tenant and Single-Tenant)
| Subprocessor | Purpose | Location |
|---|---|---|
| Amazon Web Services, Inc. | Cloud infrastructure | US (us-east-1) or customer-selected region |
| WorkOS, Inc. | Authentication, SSO | United States |
| Resend, Inc. | Transactional email | United States |
| Neon, Inc. | Database hosting | United States |
| Plain, Inc. | Customer support | United States |
BYOC Deployments
| Subprocessor | Purpose | Location |
|---|---|---|
| Amazon Web Services, Inc. | Cloud infrastructure (in your account) | Customer-selected region(s) |
| WorkOS, Inc. | Authentication, SSO | United States |
| Resend, Inc. | Transactional email | United States |
| Plain, Inc. | Customer support | United States |
AI Providers (BYOK)
Engaged only when you enable BYOK and configure your API key. Data transmitted to AI providers is governed by your agreement with that provider.
Annex C: Standard Contractual Clauses Details
Annex I.A: List of Parties
Data Exporter: The entity identified as Customer in the Agreement (Controller)
Data Importer: Prediction Lab, LLC, 323 Lovers Ln, Terrell, TX 75160, privacy@predictionlab.ai (Processor)
Annex I.B: Description of Transfer
| Element | Description |
|---|---|
| Data Subjects | As determined by Customer |
| Personal Data Categories | As determined by Customer |
| Transfer Frequency | Continuous during Agreement term |
| Processing Nature | Storage, hosting, analysis for Services |
| Transfer Purpose | Provision of Services |
| Retention | Agreement term plus 90-day export period |
Annex I.C: Competent Supervisory Authority
Per SCC Clause 13: for EEA exporters, the supervisory authority of the exporter's Member State; for UK exporters, the UK ICO.
Annex II: Technical and Organizational Measures
See Annex A.
Annex III: List of Subprocessors
See Annex B.
Contact: privacy@predictionlab.ai