Data Processing Addendum

Effective: 3/6/2026

Effective Date: March 6, 2026 | Version 1.0 | Last Reviewed: March 6, 2026

Data Controller: The Customer ("You")
Data Processor: MC Conversions Ltd (Company No. 14019497), Pantycrai, Adfa, Newtown, Powys, SY16 3BX, United Kingdom ("We," "Us")
Contact: Luke@mcconversions.uk

1. Scope & Application

1.1 This Data Processing Addendum ("DPA") supplements the Terms of Service and Privacy Policy. It governs Our processing of Personal Data on Your behalf when You use AI Prompt Architect.

1.2 This DPA applies where We act as a Data Processor and You act as (or on behalf of) a Data Controller under: (a) UK GDPR (Data Protection Act 2018); (b) EU GDPR (Regulation 2016/679); and (c) any other applicable data protection legislation.

1.3 In the event of conflict between this DPA and the Terms of Service, this DPA prevails for data protection matters.

2. Definitions

2.1 "Personal Data," "Data Subject," "Processing," "Controller," "Processor," "Sub-Processor," and "Supervisory Authority" have the meanings given in UK GDPR / EU GDPR.

2.2 "Service Data" means Personal Data that We Process on Your behalf through the Service.

3. Processing Details

Element | Details
Subject Matter | Provision of AI Prompt Architect SaaS platform
Duration | For the term of Your use of the Service
Nature & Purpose | Storage, retrieval, AI inference, and delivery of Content; Account management; Payment processing
Categories of Data Subjects | End users of the Service (Your employees, contractors, representatives)
Types of Personal Data | Account data (name, email), usage data, Content (which may include Personal Data), payment references

4. Processor Obligations (GDPR Art. 28(3))

4.1 We shall:

  • (a) Process Service Data only on Your documented instructions, unless required by law (Art. 28(3)(a));

  • (b) Ensure persons authorised to process Service Data are bound by confidentiality obligations (Art. 28(3)(b));

  • (c) Implement appropriate technical and organisational security measures (Art. 28(3)(c), Art. 32);

  • (d) Comply with the conditions for engaging Sub-Processors set out in Section 6 (Art. 28(3)(d));

  • (e) Assist You, at Your cost, with Data Subject rights requests (Art. 28(3)(e));

  • (f) Assist You, at Your cost, with DPIAs and prior consultation with Supervisory Authorities (Art. 28(3)(f));

  • (g) At Your choice, delete or return all Service Data upon termination (Art. 28(3)(g));

  • (h) Make available information necessary to demonstrate compliance and allow audits (Art. 28(3)(h)).

5. Security Measures (Art. 32)

5.1 We implement and maintain the following measures:

  • Encryption: TLS 1.2+ in transit; AES-256 at rest

  • Access Control: Role-based access control (RBAC); multi-factor authentication (MFA) for administrative access

  • Monitoring: Real-time security monitoring; automated backup systems

  • Infrastructure: Google Cloud Platform with SOC 2 Type II and ISO 27001 certification

  • Incident Management: Documented incident response procedures

  • Employee Training: Data protection awareness training for all personnel

6. Sub-Processors

6.1 You provide general written authorisation for Us to engage Sub-Processors listed on Our Sub-Processors page.

6.2 We will notify You at least fourteen (14) days before engaging a new Sub-Processor.

6.3 You may object to a new Sub-Processor within the notice period. If We cannot reasonably accommodate the objection, either party may terminate the affected Service.

6.4 We impose the same data protection obligations on Sub-Processors as set out in this DPA.

7. International Transfers

7.1 Service Data may be transferred outside the UK/EEA only with appropriate safeguards:

  • Standard Contractual Clauses (SCCs) — EU Commission Decision 2021/914

  • UK International Data Transfer Agreement (IDTA) — ICO approved

  • EU-US Data Privacy Framework (where applicable)

  • Supplementary measures: encryption, pseudonymisation, access controls

7.2 Transfer Impact Assessments (TIAs) are conducted for all transfers to jurisdictions without adequacy decisions.

8. Breach Notification

8.1 We will notify You without undue delay (and in any event within forty-eight (48) hours) of becoming aware of a Personal Data breach affecting Service Data.

8.2 Notification will include: (a) nature of the breach; (b) categories and approximate number of Data Subjects affected; (c) likely consequences; (d) measures taken or proposed.

9. Data Subject Rights

9.1 We will assist You in responding to Data Subject requests (access, rectification, erasure, portability, restriction, objection) at Your documented instruction and cost.

9.2 If We receive a request directly from a Data Subject, We will redirect them to You unless legally required to respond.

10. Audit Rights

10.1 You may audit Our compliance with this DPA up to once per year, with thirty (30) days' written notice, during business hours, at Your cost.

10.2 We may satisfy audit requests by providing: (a) relevant certifications (SOC 2, ISO 27001 of infrastructure providers); (b) completed security questionnaires; or (c) summary audit reports.

11. Deletion & Return

11.1 Upon termination, We will: (a) provide You thirty (30) days to export Service Data; and (b) delete all Service Data within ninety (90) days, except where retention is required by law.

11.2 We will certify deletion upon Your written request.

12. Liability

12.1 Each party's liability under this DPA is subject to the limitations set out in the Terms of Service.

12.2 You shall indemnify Us for any losses arising from processing performed in accordance with Your instructions that results in a breach of applicable data protection law.

13. Term

13.1 This DPA commences when You first use the Service and continues until all Service Data is deleted or returned.

13.2 Sections 8, 10, 11, and 12 survive termination.

14. Contact

Data protection queries: Luke@mcconversions.uk

MC Conversions Ltd | Company No. 14019497 | Registered in England and Wales