Data Processing Agreement
Last updated: February 7, 2026
Contact: dpa@promptster.ai
This Data Processing Agreement ("DPA") forms part of the Master Subscription Agreement or other written or electronic agreement between VKRA Inc, doing business as Promptster ("Processor", "Promptster", "we", or "us"), and the entity identified as the customer ("Controller", "Customer", or "you") for the provision of the Promptster platform services (the "Services") as described in the principal agreement (the "Agreement").
This DPA reflects the parties' commitment to abide by applicable data protection legislation, including Regulation (EU) 2016/679 (the "GDPR"), the UK General Data Protection Regulation, the California Consumer Privacy Act as amended by the CPRA, and other applicable privacy laws. Where the terms of this DPA conflict with the terms of the Agreement, the terms of this DPA shall prevail with respect to the processing of Personal Data.
1. Definitions
For the purposes of this DPA, the following terms shall have the meanings set out below. Capitalized terms not defined herein shall have the meaning given to them in the Agreement.
- "Controller" means the entity that determines the purposes and means of the Processing of Personal Data. Under this DPA, the Customer is the Controller.
- "Processor" means the entity that processes Personal Data on behalf of the Controller. Under this DPA, VKRA Inc (Promptster) is the Processor.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA, including candidates undergoing technical assessments and hiring team members using the Services.
- "Personal Data" means any information relating to a Data Subject that is processed by Promptster in connection with the provision of the Services, as further described in Annex I.
- "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
- "Sub-processor" means any third-party processor engaged by Promptster to process Personal Data on behalf of the Controller in connection with the Services.
- "SCCs" means the Standard Contractual Clauses for the transfer of personal data to third countries as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as may be amended or replaced from time to time.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
2. Scope & Application
This DPA applies to all Processing of Personal Data by Promptster on behalf of the Customer in connection with the Services. The Services include the Promptster technical hiring assessment platform, which captures process telemetry data, code interaction patterns, and tool usage analytics during candidate assessments conducted through MCP-integrated development environments (such as Claude Code and Cursor).
This DPA shall apply to the extent that Promptster processes Personal Data that is subject to the protection of applicable data protection laws, on behalf of the Customer in the course of providing the Services. This DPA does not apply to data that Promptster processes as a Controller in its own right (for example, account registration data for billing purposes), which is governed by the Promptster Privacy Policy.
3. Roles of the Parties
The parties acknowledge and agree that with regard to the Processing of Personal Data in connection with the Services:
- The Customer is the Controller. The Customer determines the purposes and means of Processing Personal Data and is responsible for ensuring that a valid legal basis exists for the collection and transfer of Personal Data to Promptster for Processing under this DPA.
- VKRA Inc (Promptster) is the Processor. Promptster shall process Personal Data only on documented instructions from the Customer, except where required by applicable law. Promptster shall inform the Customer if it becomes aware that such instructions infringe applicable data protection law.
Nothing in this DPA shall prevent Promptster from processing Personal Data as an independent Controller where it has a separate legal basis and purpose for such Processing (for example, compliance with legal obligations, billing, or service improvement in aggregate and anonymized form).
4. Data Processing Details
4.1 Categories of Data Subjects
- Candidates — individuals undertaking technical hiring assessments through the Promptster platform at the direction of the Customer.
- Hiring Team Members — employees, contractors, or agents of the Customer who administer, review, or evaluate assessments using the Services.
4.2 Types of Personal Data
- Assessment telemetry — process signals captured via MCP integration, including timing data, tool invocations, iteration patterns, and workflow sequencing during candidate assessments.
- Code samples — source code, configurations, and related artifacts produced by candidates during assessments.
- Tool usage patterns — interaction data reflecting how candidates use AI-assisted development tools, including prompt engineering approaches, editing flows, and debugging strategies.
- Account information — names, email addresses, organizational affiliations, and role designations of hiring team members; names and email addresses of candidates to the extent provided by the Customer.
4.3 Purposes of Processing
Personal Data is processed solely for the following purposes:
- Providing, operating, and maintaining the Promptster technical hiring assessment platform.
- Capturing and analyzing process telemetry to generate assessment insights, attribution metrics, and orchestration scores for the Customer.
- Enabling session replay, comparison analytics, and reporting functionality within the Customer's account.
- Supporting the Customer in making informed hiring decisions through signal-to-noise analysis of candidate performance.
- Technical support, security monitoring, and service improvement as directed by the Customer.
4.4 Duration of Processing
Processing shall continue for the duration of the Agreement. Upon termination, data shall be handled in accordance with Section 12 (Return & Deletion of Data) of this DPA.
5. Obligations of the Processor
Promptster shall:
- Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by Union or Member State law to which the Processor is subject. In such case, the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
- Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organizational measures as required by Article 32 of the GDPR, as further described in Annex II of this DPA.
- Respect the conditions for engaging Sub-processors as set forth in Section 6 of this DPA.
- Taking into account the nature of the Processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights as laid down in Chapter III of the GDPR.
- Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of Processing and the information available to the Processor.
- At the choice of the Controller, delete or return all the Personal Data to the Controller after the end of the provision of Services, and delete existing copies unless Union or Member State law requires storage of the Personal Data.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, as described in Section 11.
6. Sub-processing
The Customer provides general written authorization for Promptster to engage Sub-processors to assist in providing the Services, subject to the conditions set forth in this Section.
6.1 Current Sub-processors
As of the date of this DPA, Promptster engages the following Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure hosting, data storage, and compute services for the Promptster platform. | United States / EU (Frankfurt) |
| Langfuse | LLM observability, prompt tracing, and model performance analytics for assessment processing pipelines. | EU (Germany) |
| Stripe | Payment processing, subscription billing, and invoice management. | United States |
6.2 Notification of Changes
Promptster shall notify the Customer in writing (including via email) at least thirty (30) days prior to engaging any new Sub-processor or replacing an existing Sub-processor. The notification shall include the identity, location, and nature of Processing to be performed by the proposed Sub-processor.
The Customer may reasonably object to the appointment of a new Sub-processor by notifying Promptster in writing within fifteen (15) days of receipt of Promptster's notice. In such case, Promptster shall use commercially reasonable efforts to make available to the Customer a change in the Services to avoid the use of the objected-to Sub-processor. If Promptster is unable to accommodate the Customer's objection within thirty (30) days, either party may terminate the affected portion of the Services upon written notice.
6.3 Sub-processor Obligations
Promptster shall impose contractual obligations on each Sub-processor that are no less protective than those imposed on Promptster under this DPA, including obligations regarding confidentiality, data security, and cooperation with audits. Promptster shall remain fully liable to the Customer for the performance of each Sub-processor's obligations.
7. Data Subject Rights
Promptster shall, taking into account the nature of the Processing, assist the Customer by implementing appropriate technical and organizational measures, insofar as possible, for the fulfilment of the Customer's obligations to respond to Data Subject requests under Chapter III of the GDPR, including requests for:
- Access to Personal Data (Article 15 GDPR)
- Rectification of Personal Data (Article 16 GDPR)
- Erasure of Personal Data (Article 17 GDPR)
- Restriction of Processing (Article 18 GDPR)
- Data portability (Article 20 GDPR)
- Objection to Processing (Article 21 GDPR)
If Promptster receives a request directly from a Data Subject regarding the Customer's data, Promptster shall promptly notify the Customer and shall not respond to the request without the Customer's prior authorization, unless legally required to do so. Promptster shall provide the Customer with commercially reasonable cooperation and assistance in relation to the handling of such requests, at the Customer's expense.
8. Security Measures
Promptster shall implement and maintain appropriate technical and organizational measures designed to protect Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, theft, alteration, or disclosure. These measures shall include, without limitation:
8.1 Encryption
- Encryption at rest: All Personal Data stored in databases, file systems, and backups is encrypted using AES-256 or equivalent encryption standards.
- Encryption in transit: All data transmitted between Data Subjects, the Customer, and Promptster systems is protected using TLS 1.2 or higher.
8.2 Access Controls
- Role-based access control (RBAC) is enforced across all systems that process Personal Data, ensuring that personnel access only the data necessary for their specific role.
- Multi-factor authentication (MFA) is required for all personnel accessing production systems or Customer data.
- Administrative access to production infrastructure is restricted to a limited set of authorized personnel and subject to just-in-time access provisioning.
8.3 Audit Logging
- Comprehensive audit logs are maintained for access to, modification of, and deletion of Personal Data, including identity of the accessor, timestamp, and nature of the action.
- Logs are retained for a minimum of twelve (12) months and are protected against tampering and unauthorized access.
8.4 Incident Response
- Promptster maintains a documented incident response plan that includes procedures for identification, containment, eradication, recovery, and post-incident review.
- Incident response exercises are conducted at least annually to test the effectiveness of response procedures.
- All security incidents are classified by severity and escalated according to defined protocols.
9. Data Breach Notification
Promptster shall notify the Customer without undue delay, and in any event within seventy-two (72) hours of becoming aware of a Data Breach affecting Personal Data processed under this DPA. The notification shall include:
- A description of the nature of the Data Breach, including where possible the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned.
- The name and contact details of the data protection officer or other contact point where more information can be obtained.
- A description of the likely consequences of the Data Breach.
- A description of the measures taken or proposed to be taken to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
Promptster shall cooperate with the Customer and take such commercially reasonable steps as are directed by the Customer to assist in the investigation, mitigation, and remediation of each Data Breach. Promptster shall not inform any third party of a Data Breach without first obtaining the Customer's prior written consent, unless notification is required by applicable law, in which case Promptster shall, to the extent permitted by law, inform the Customer of that requirement and provide the Customer with a copy of the proposed notification.
10. Data Transfers
Promptster shall not transfer Personal Data to a country or territory outside the European Economic Area ("EEA") or the United Kingdom ("UK") unless appropriate safeguards are in place as required by applicable data protection law.
10.1 Standard Contractual Clauses
To the extent that the Processing of Personal Data involves a transfer from the EEA to a third country that has not been deemed to provide an adequate level of protection by the European Commission, the parties agree to enter into the SCCs as follows:
- Module 2 (Controller to Processor): shall apply where the Customer (as Controller established in the EEA) transfers Personal Data to Promptster (as Processor established outside the EEA) for Processing in accordance with this DPA.
- Module 3 (Processor to Sub-processor): shall apply where Promptster (as Processor) transfers Personal Data to a Sub-processor established outside the EEA for further Processing on behalf of the Customer.
The SCCs are hereby incorporated by reference into this DPA. In the event of any conflict between this DPA and the SCCs, the SCCs shall prevail with respect to cross-border data transfers.
10.2 UK International Data Transfer Addendum
For transfers of Personal Data subject to the UK GDPR, the parties agree to be bound by the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the "UK Addendum") as issued by the UK Information Commissioner's Office under Section 119A of the UK Data Protection Act 2018.
10.3 Transfer Impact Assessment
Promptster shall, upon request, provide the Customer with information necessary to conduct a transfer impact assessment (TIA) relating to transfers of Personal Data to third countries, including information about the legal framework in the recipient country, any government access requests received, and supplementary measures implemented.
11. Audits
Promptster shall make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA and shall allow for and contribute to audits, including inspections, conducted by the Customer or an independent auditor mandated by the Customer, subject to the following conditions:
- The Customer shall provide Promptster with at least thirty (30) days' prior written notice of any audit request, which shall include the proposed scope, duration, and start date.
- Audits shall be conducted during normal business hours and shall not unreasonably interfere with Promptster's business operations.
- Any third-party auditor engaged by the Customer must execute a confidentiality agreement acceptable to Promptster prior to commencing the audit.
- The Customer shall bear the costs of any audit it initiates, including Promptster's reasonable costs of personnel time and resources dedicated to supporting the audit.
- Where Promptster has obtained relevant third-party certifications (such as SOC 2 Type II or ISO 27001), Promptster may satisfy audit requests by providing the Customer with copies of such certification reports or audit summaries, provided they are no more than twelve (12) months old.
12. Return & Deletion of Data
Upon termination or expiration of the Agreement, Promptster shall, at the Customer's election:
- Return all Personal Data to the Customer in a structured, commonly used, and machine-readable format (such as JSON or CSV); or
- Delete all Personal Data, including all copies thereof, and certify in writing that such deletion has been completed.
The Customer shall make its election within thirty (30) days following termination or expiration of the Agreement. If no election is made, Promptster shall delete all Personal Data within sixty (60) days of termination. Promptster may retain Personal Data to the extent and for the duration required by applicable law, provided that Promptster shall ensure the confidentiality of such retained data and shall process it only for the purposes required by law.
Deletion of Personal Data from backup systems shall occur in accordance with Promptster's standard backup rotation schedule, which shall not exceed ninety (90) days from the date of deletion from primary systems.
13. Term & Termination
This DPA shall become effective on the date the Customer executes the Agreement (or, if later, on the date on which Promptster first processes Personal Data on behalf of the Customer) and shall remain in effect for the duration of the Agreement.
Termination or expiration of the Agreement shall automatically terminate this DPA, subject to the survival of provisions that by their nature should survive termination, including but not limited to Section 5 (Obligations of the Processor), Section 8 (Security Measures), Section 9 (Data Breach Notification), Section 12 (Return & Deletion of Data), and Section 14 (Liability).
Either party may terminate this DPA immediately upon written notice if the other party is in material breach of this DPA and fails to remedy such breach within thirty (30) days of receiving written notice thereof.
14. Liability
Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement, provided that nothing in the Agreement or this DPA shall limit either party's liability with respect to:
- Any penalties, fines, or corrective measures imposed by a supervisory authority directly attributable to a party's breach of its obligations under applicable data protection law.
- Claims brought by Data Subjects arising from either party's breach of its obligations under applicable data protection law.
- Either party's indemnification obligations, if any, as set out in the Agreement with respect to data protection matters.
Where Promptster engages a Sub-processor, and that Sub-processor fails to fulfil its data protection obligations, Promptster shall remain fully liable to the Customer for the performance of the Sub-processor's obligations under this DPA.
15. Annex I: Details of Processing
The following details describe the Processing activities carried out under this DPA.
A. List of Parties
- Data Exporter (Controller): The Customer, as identified in the Agreement. The Customer is the organization using the Promptster platform to conduct technical hiring assessments.
- Data Importer (Processor): VKRA Inc, doing business as Promptster. Address: as set forth in the Agreement. Contact: dpa@promptster.ai.
B. Description of Processing
| Item | Description |
|---|---|
| Categories of Data Subjects | Candidates participating in technical assessments; hiring team members (recruiters, engineering managers, interviewers) of the Customer. |
| Categories of Personal Data | Name, email address, organizational affiliation; assessment telemetry (tool invocations, timing data, iteration patterns, workflow sequences); code samples and artifacts produced during assessments; tool usage patterns including AI interaction data; browser/device metadata associated with assessment sessions. |
| Sensitive Data | None intentionally processed. The Customer is responsible for instructing candidates not to include sensitive personal data in assessment submissions. |
| Frequency of Transfer | Continuous, real-time during assessment sessions; periodic for account management and billing data. |
| Nature of Processing | Collection, recording, organization, structuring, storage, retrieval, analysis, use, disclosure to Controller via the platform interface, and erasure. |
| Purpose of Processing | Provision of the Promptster technical hiring assessment platform; capture and analysis of process telemetry; generation of attribution metrics, orchestration scores, and session replays; enabling the Customer to evaluate candidates' technical abilities and agentic workflow skills. |
| Retention Period | For the duration of the Agreement plus the post-termination retention period described in Section 12. Assessment data is available to the Customer for export during the Agreement term and for thirty (30) days thereafter. |
C. Competent Supervisory Authority
Where the Customer is established in the EEA, the competent supervisory authority shall be determined in accordance with Clause 13 of the SCCs. Where the Customer is established in the UK, the competent supervisory authority shall be the UK Information Commissioner's Office (ICO).
16. Annex II: Technical and Organizational Measures
Promptster implements the following technical and organizational measures to ensure an appropriate level of security for the Processing of Personal Data under this DPA:
Measures of Pseudonymization and Encryption
- All Personal Data at rest is encrypted using AES-256 encryption via AWS Key Management Service (KMS) with Customer-managed or Promptster-managed encryption keys.
- All data in transit is encrypted using TLS 1.2 or higher with strong cipher suites.
- Assessment telemetry data is pseudonymized where technically feasible, with candidate identifiers separated from telemetry payloads in storage.
- Database fields containing direct identifiers are encrypted at the application layer in addition to storage-level encryption.
Measures for Ensuring Ongoing Confidentiality, Integrity, Availability, and Resilience
- Infrastructure is deployed across multiple availability zones to ensure high availability and fault tolerance.
- Automated backups of all databases are performed at least daily and stored in a geographically separate region.
- All personnel with access to Personal Data are bound by confidentiality agreements and receive annual data protection training.
- Network segmentation isolates production systems from development and staging environments.
- Web application firewalls (WAF) and DDoS protection are deployed at the network perimeter.
Measures for Ensuring the Ability to Restore Availability and Access to Personal Data in a Timely Manner
- A documented disaster recovery plan is maintained and tested at least annually, with a recovery time objective (RTO) of four (4) hours and a recovery point objective (RPO) of one (1) hour.
- Automated failover mechanisms are in place for critical system components.
- Backup restoration procedures are tested quarterly to verify data integrity and recoverability.
Processes for Regularly Testing, Assessing, and Evaluating Effectiveness
- Vulnerability scanning is performed on a continuous basis against production systems, with critical findings remediated within twenty-four (24) hours.
- Third-party penetration testing is conducted at least annually by a qualified independent security firm.
- Security incident response procedures are reviewed and updated at least annually.
- Internal security audits are conducted on a quarterly basis, covering access controls, logging, and configuration management.
Measures for User Identification and Authorization
- Role-based access control (RBAC) is enforced across all systems, with the principle of least privilege applied to all user accounts.
- Multi-factor authentication (MFA) is required for all access to production systems, administrative consoles, and Customer data.
- Unique user accounts are assigned to all personnel; shared accounts are prohibited.
- Access reviews are conducted quarterly to verify that access rights remain appropriate and that former personnel have been promptly de-provisioned.
Measures for the Protection of Data During Transmission
- TLS 1.2 or higher is enforced for all external API endpoints and internal service-to-service communication.
- Certificate pinning is implemented where technically feasible.
- HSTS (HTTP Strict Transport Security) headers are deployed on all public-facing services.
Measures for the Protection of Data During Storage
- All data stores (databases, object storage, caches) employ encryption at rest using AES-256 with keys managed through AWS KMS.
- Logical data separation ensures that each Customer's data is isolated and accessible only within the context of their account.
- Data retention policies are enforced automatically, with aged data purged according to schedule.
Measures for Ensuring Physical Security of Locations at Which Personal Data Are Processed
- All Personal Data is hosted in AWS data centers, which maintain industry-leading physical security controls including 24/7 security staffing, biometric access controls, CCTV monitoring, and environmental controls. AWS data center compliance documentation is available at aws.amazon.com/compliance/data-center/controls.
- Promptster does not process Personal Data in physical office locations; all Processing occurs in cloud infrastructure.
Measures for Ensuring Events Logging
- Comprehensive logging is enabled for all access to Personal Data, including API calls, database queries, and administrative actions.
- Log data is centralized in a tamper-evident logging system with immutable storage for a minimum retention period of twelve (12) months.
- Automated alerting is configured for anomalous access patterns, unauthorized access attempts, and security-relevant events.
Measures for Ensuring System Configuration and Default Settings
- Infrastructure is managed using infrastructure-as-code (IaC) with version-controlled configurations, ensuring reproducibility and auditability of all system changes.
- Security hardening baselines are applied to all systems, with deviations tracked and justified.
- Default passwords and unnecessary services are removed from all production systems prior to deployment.
For questions, requests, or concerns regarding this Data Processing Agreement, please contact us at dpa@promptster.ai.
VKRA Inc · Doing business as Promptster