
Data Processing Addendum

PROMETHIUM DATA PROCESSING ADDENDUM

(EU GDPR + UK GDPR)

This DPA forms part of the Promethium Terms of Service.

 

1. ROLES

Customer = Controller

Promethium = Processor

 

2. SCOPE OF PROCESSING

Promethium processes Personal Data:

  • Within the Control Plane;
  • Within the Data Plane (if Promethium-hosted);
  • Only as authorized for support where Data Plane is Customer-hosted.

Processing includes:

  • Storage
  • Transmission
  • Query execution
  • Logging
  • Monitoring
  • Support access

 

3. PROCESSOR OBLIGATIONS

Promethium will:

  • Process only on documented instructions
  • Maintain confidentiality
  • Implement Article 32 security measures
  • Assist with data subject rights
  • Notify Customer of Security Incidents without undue delay

 

4. SECURITY

Promethium maintains a written security program aligned with recognized industry standards (e.g., SOC 2).

Security measures include:

  • Access controls
  • Encryption in transit
  • Logging and monitoring
  • Tenant isolation
  • Incident response procedures

 

5. SUB-PROCESSORS

Customer authorizes Promethium to use Sub-processors.

Promethium:

  • Imposes equivalent data protection obligations;
  • Remains responsible for Sub-processor performance;
  • Maintains a Sub-processor list.

Customer may object on reasonable data protection grounds within 30 days of notice.

 

6. INTERNATIONAL TRANSFERS

Where required:

  • EU Standard Contractual Clauses (Module 2) are incorporated by reference.
  • The UK Addendum or IDTA applies for UK transfers.
  • Swiss Addendum applies where required.

 

7. DATA SUBJECT REQUESTS

Promethium will:

  • Notify Customer of requests;
  • Provide reasonable assistance;
  • Not respond directly unless legally required.

 

8. SECURITY INCIDENTS

Promethium will notify Customer without undue delay and provide information reasonably required to meet regulatory obligations.

 

9. AUDITS

Promethium may satisfy audit requests via:

  • SOC 2 reports
  • Questionnaires
  • Documentation review

On-site audits are permitted only if required by law and are subject to confidentiality.

 

10. RETURN AND DELETION

Upon termination:

  • Promethium deletes or returns Personal Data in accordance with the Agreement.
  • Legal retention exceptions apply.

 

11. LIABILITY

Liability under this DPA is subject to the limitations in the Agreement, except to the extent prohibited by applicable data protection law.

 

12. UK GDPR ADDENDUM

Where UK GDPR applies:

  • References to GDPR include UK GDPR.
  • ICO is the supervisory authority.
  • UK IDTA or UK Addendum to SCCs governs transfers.
  • Arbitration remains applicable except where prohibited by UK law.

 

Annex 1 – Processing Details

Subject Matter: Provision of Promethium Services

Duration: Subscription Term

Nature: Storage, querying, orchestration

Data Subjects: Customer end users, employees

Categories: Identifiers, logs, metadata, query data

 

Annex 2 – Technical & Organisational Measures

  • Role-based access control
  • Encryption (TLS)
  • Tenant isolation
  • Logging & audit trails
  • Vulnerability management
  • Disaster recovery controls