Data Processing Addendum
GDPR Article 28 compliant agreement governing our processing of personal data on your behalf
Last Updated: March 18, 2026
This Data Processing Addendum ("DPA") forms part of the Terms of Service between StartupBros LLC d/b/a PR Bot ("PR Bot," "Processor," "we," "us") and the entity or individual accepting these terms ("Customer," "Controller," "you"). This DPA is incorporated by reference into the Terms of Service ("Agreement") and applies to the extent PR Bot processes Personal Data on Customer's behalf.
1. Definitions
Capitalized terms not defined herein have the meanings given in the Agreement. In this DPA:
- "Applicable Data Protection Law" means all data protection and privacy laws applicable to the processing of Personal Data under this DPA, including the GDPR, UK GDPR, the Swiss Federal Act on Data Protection ("FADP"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and any other applicable US state privacy laws.
- "Controller" means the entity that determines the purposes and means of the processing of Personal Data, as defined in Applicable Data Protection Law. For the purposes of this DPA, the Customer is the Controller.
- "Customer Personal Data" means Personal Data that PR Bot processes on behalf of the Customer in the course of providing the Service.
- "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
- "EEA" means the European Economic Area.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation).
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Applicable Data Protection Law.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
- "Processor" means the entity that processes Personal Data on behalf of the Controller, as defined in Applicable Data Protection Law. For the purposes of this DPA, PR Bot is the Processor.
- "Restricted Transfer" means a transfer of Customer Personal Data from the EEA, UK, or Switzerland to a country that does not benefit from an adequacy decision by the relevant authority.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission in Implementing Decision (EU) 2021/914.
- "Sub-processor" means any third party engaged by PR Bot to process Customer Personal Data on behalf of the Customer.
- "UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, as issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018.
- "UK GDPR" means the GDPR as it forms part of UK domestic law by virtue of the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
2. Scope and Applicability
- 2.1 This DPA applies to the processing of Customer Personal Data by PR Bot as described in Annex I (Description of Processing).
- 2.2 This DPA is effective as of the date the Customer accepts the Agreement and remains in effect for the duration of the Agreement, unless terminated earlier in accordance with the terms herein.
- 2.3 By accepting the Agreement, the Customer enters into this DPA on behalf of itself and, to the extent required under Applicable Data Protection Law, on behalf of its affiliates.
- 2.4 The Standard Contractual Clauses and the UK Addendum are deemed executed upon Customer's acceptance of the Agreement.
3. Customer Instructions and Processing
- 3.1 PR Bot shall process Customer Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by European Union or Member State law to which PR Bot is subject. In such a case, PR Bot shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
- 3.2 The Customer's instructions for processing are set out in this DPA, the Agreement, and any applicable order forms. The Customer may issue additional written instructions consistent with the terms of this DPA.
- 3.3 PR Bot shall immediately inform the Customer if, in its opinion, an instruction from the Customer infringes the GDPR or other Applicable Data Protection Law.
- 3.4 PR Bot shall not process Customer Personal Data for any purpose other than as set out in this DPA and the Agreement, unless the Customer provides prior written consent.
4. Confidentiality
- 4.1 PR Bot shall ensure that all persons authorized to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- 4.2 PR Bot shall ensure that access to Customer Personal Data is limited to those personnel who require such access for the performance of the Service.
5. Security
- 5.1 PR Bot shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing, as required by Article 32 of the GDPR. These measures are described in Annex II (Technical and Organizational Measures).
- 5.2 PR Bot shall regularly test, assess, and evaluate the effectiveness of these technical and organizational measures for ensuring the security of processing.
- 5.3 The Customer acknowledges that the security measures are subject to technical progress and development, and that PR Bot may update or modify these measures from time to time, provided that such updates do not materially decrease the overall level of security.
6. Sub-processing
- 6.1 General Written Authorization: The Customer provides general written authorization for PR Bot to engage Sub-processors to process Customer Personal Data. The current list of Sub-processors is set out in Annex III (List of Sub-processors) and is maintained at prbot.ai/data-processing.
- 6.2 Notification of Sub-processor Changes: PR Bot shall notify the Customer at least thirty (30) days before engaging any new Sub-processor or replacing an existing Sub-processor. Such notification shall include the name of the Sub-processor, its location, and a description of the processing activities it will perform.
- 6.3 Objection Right: The Customer may object to the engagement of a new Sub-processor on reasonable data protection grounds by providing written notice to PR Bot within thirty (30) days of receiving notification. If the Customer objects, the parties shall discuss the Customer's concerns in good faith for a period of fifteen (15) business days with a view to achieving a commercially reasonable resolution. If the parties are unable to reach a resolution, the Customer may terminate the affected portion of the Service without penalty by providing written notice to PR Bot.
- 6.4 Sub-processor Obligations: PR Bot shall impose contractual data protection obligations on each Sub-processor that are no less protective than those set out in this DPA, including obligations to implement appropriate technical and organizational measures.
- 6.5 Liability: PR Bot shall remain fully liable to the Customer for the performance of each Sub-processor's obligations in relation to Customer Personal Data.
- 6.6 Third-Party Data Recipients: Certain third-party services receive Customer Personal Data but operate as independent data controllers, not Sub-processors. These parties independently determine the purposes and means of processing the data they receive. Data is shared with such parties only upon the Customer's explicit instruction (e.g., when the Customer directs PR Bot to submit a pitch via a third-party platform). Third-party data recipients are identified separately from Sub-processors in Annex III and are subject to their own privacy policies and data protection obligations.
7. Data Subject Rights
- 7.1 PR Bot shall, taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer's obligation to respond to requests for exercising the Data Subject's rights under Chapter III of the GDPR, including the right of access, rectification, erasure, restriction, data portability, and objection.
- 7.2 If PR Bot receives a request from a Data Subject in relation to Customer Personal Data, PR Bot shall promptly notify the Customer and shall not respond to the request without the Customer's prior written instructions, unless required by Applicable Data Protection Law.
8. Personal Data Breach Notification
- 8.1 PR Bot shall notify the Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data.
- 8.2 Such notification shall include, to the extent available:
- A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and data records concerned
- The name and contact details of the point of contact from whom further information can be obtained
- A description of the likely consequences of the Personal Data Breach
- A description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects
- 8.3 PR Bot shall cooperate with and assist the Customer in the investigation, mitigation, and remediation of any Personal Data Breach and in any notification to Data Subjects or supervisory authorities.
- 8.4 PR Bot shall assist the Customer in ensuring compliance with the Customer's obligations under Articles 33 and 34 of the GDPR (notification to supervisory authority and communication to Data Subjects), taking into account the nature of processing and the information available to PR Bot.
9. Data Protection Impact Assessments and Prior Consultation
- 9.1 PR Bot shall provide reasonable assistance to the Customer with any data protection impact assessments and prior consultations with supervisory authorities or other competent data privacy authorities that the Customer reasonably considers to be required under Articles 35 and 36 of the GDPR or equivalent provisions of other Applicable Data Protection Law, in each case solely in relation to the processing of Customer Personal Data.
10. International Data Transfers
- 10.1 Customer Personal Data may be transferred to and processed in the United States and other countries where PR Bot and its Sub-processors maintain facilities.
- 10.2 Transfers from the EEA, UK, and Switzerland: To the extent that any processing of Customer Personal Data involves a Restricted Transfer, such transfer shall be subject to appropriate safeguards as follows:
- EU Standard Contractual Clauses: The parties agree that the Standard Contractual Clauses (Module 2: Controller to Processor) approved by European Commission Implementing Decision (EU) 2021/914 shall apply to Restricted Transfers from the EEA. The SCCs are hereby incorporated by reference and deemed executed as of the effective date of this DPA, with the details specified in Annex I and Annex II.
- UK International Data Transfer Addendum: For Restricted Transfers from the United Kingdom, the UK Addendum to the EU SCCs as issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018 shall apply, supplementing the SCCs as described above.
- Swiss Data Transfers: For Restricted Transfers from Switzerland, the SCCs shall apply with the modifications required by the Swiss Federal Data Protection and Information Commissioner, including references to the FADP instead of the GDPR where applicable.
- EU-US Data Privacy Framework: To the extent that a Sub-processor is a certified participant of the EU-U.S. Data Privacy Framework, such framework may serve as a transfer mechanism for the relevant processing, with the SCCs serving as a fallback mechanism.
- 10.3 SCC Module 2 Specifications: For the purposes of the Standard Contractual Clauses (Module 2):
- Clause 7 (Docking clause): The optional docking clause shall apply.
- Clause 9(a) (Use of sub-processors): Option 2 (General written authorization) shall apply. PR Bot shall inform the Customer of any intended changes concerning the addition or replacement of Sub-processors at least thirty (30) days in advance, in accordance with Section 6.2 of this DPA.
- Clause 11(a) (Redress): The optional language shall not apply.
- Clause 13(a) (Supervision): Where the data exporter is established in an EU Member State, the supervisory authority of that Member State shall act as the competent supervisory authority. Where the data exporter is not established in an EU Member State, the Irish Data Protection Commission shall act as the competent supervisory authority.
- Clause 17 (Governing law): The SCCs shall be governed by the laws of Ireland.
- Clause 18(b) (Choice of forum and jurisdiction): Disputes shall be resolved before the courts of Ireland.
- 10.4 Supplementary Measures: In accordance with the Schrems II decision (Case C-311/18), PR Bot has implemented the following supplementary measures to protect Customer Personal Data transferred outside the EEA:
- Encryption of data in transit using TLS 1.3 and at rest using AES-256
- Strict role-based access controls with multi-factor authentication for all administrative access
- Data minimization: only the minimum data necessary is transferred to Sub-processors
- Pseudonymization of Personal Data where feasible before transfer to AI Sub-processors
- Contractual commitments from all Sub-processors to protect data and resist government access requests to the extent permitted by law
- AI Sub-processors (OpenAI, Anthropic, Google) are contractually prohibited from using Customer Personal Data for model training
11. Audit Rights
- 11.1 PR Bot shall make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and this DPA.
- 11.2 Third-Party Audit Reports: Upon the Customer's reasonable written request, and no more than once per calendar year, PR Bot shall provide the Customer with copies of:
- PR Bot's most recent SOC 2 Type II audit report (or equivalent industry-standard certification), when available
- A summary of the most recent penetration test results
- Responses to a reasonable security questionnaire provided by the Customer
Such materials shall be treated as PR Bot's confidential information.
- 11.3 On-Site Audit: If the Customer reasonably believes that the information provided under Section 11.2 is insufficient to verify PR Bot's compliance with this DPA, the Customer may conduct or commission a third-party audit, subject to the following conditions:
- The Customer shall provide at least thirty (30) days' prior written notice
- The audit shall be conducted during normal business hours and shall not unreasonably interfere with PR Bot's operations
- The scope of the audit shall be limited to the processing of Customer Personal Data
- The auditor must be bound by confidentiality obligations and must not be a direct competitor of PR Bot
- The Customer shall bear the reasonable costs of the audit
- Audits shall be limited to no more than one (1) per calendar year, unless required by a supervisory authority or as a result of a Personal Data Breach
- 11.4 PR Bot shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer, as required by Article 28(3)(h) of the GDPR.
12. Data Return and Deletion
- 12.1 Upon termination or expiration of the Agreement, the Customer may instruct PR Bot to either return or delete all Customer Personal Data. PR Bot shall comply with such instruction within thirty (30) days and, upon written request, provide written certification that deletion has been completed.
- 12.2 During the term of the Agreement, the Customer may delete Customer Personal Data using the functionality available within the Service (including through account settings and data export features).
- 12.3 PR Bot may retain Customer Personal Data to the extent required by Applicable Data Protection Law or other applicable law, provided that:
- Such data remains subject to the protections of this DPA for as long as it is retained
- PR Bot processes such data only for the purpose(s) specified in the applicable law requiring its retention
- PR Bot deletes such data promptly upon the expiration of the applicable retention period
- 12.4 Backup copies of Customer Personal Data shall be deleted in accordance with PR Bot's standard backup rotation schedule, not to exceed ninety (90) days following deletion of the primary data.
13. PR Bot as Independent Controller
- 13.1 The parties acknowledge that PR Bot acts as an independent controller (and not as a processor) for certain processing activities that are necessary to provide and operate the Service, including:
- Account management and administration (e.g., authentication, billing, support)
- Fraud detection and prevention
- Compliance with legal and regulatory obligations to which PR Bot is subject
- Aggregate analytics and product improvement (using de-identified or anonymized data)
- 13.2 When acting as an independent controller, PR Bot shall process Personal Data in accordance with its Privacy Policy and in compliance with Applicable Data Protection Law.
14. CCPA and US State Privacy Law Provisions
- 14.1 To the extent that PR Bot processes Customer Personal Data that is subject to the CCPA/CPRA or other applicable US state privacy laws, PR Bot acts as a "service provider" (as defined in the CCPA) or equivalent designation under applicable US state privacy law.
- 14.2 PR Bot shall not sell or share Customer Personal Data, as those terms are defined under the CCPA/CPRA.
- 14.3 PR Bot shall not retain, use, or disclose Customer Personal Data for any purpose other than the business purposes specified in the Agreement and this DPA, or as otherwise permitted by the CCPA/CPRA.
- 14.4 PR Bot shall not combine Customer Personal Data with personal information that it receives from or on behalf of another person or collects from its own interactions with the individual, except as expressly permitted by the CCPA/CPRA.
- 14.5 PR Bot certifies that it understands the restrictions set forth in this Section 14 and shall comply with them.
15. Liability
- 15.1 The total aggregate liability of either party arising out of or in connection with this DPA shall be subject to the limitations of liability set out in the Agreement.
- 15.2 Nothing in this DPA shall limit either party's liability for violations of the Standard Contractual Clauses, or either party's obligations under Applicable Data Protection Law that cannot be limited by contract.
- 15.3 Each party shall be responsible for its own compliance with Applicable Data Protection Law and for any administrative fines imposed on it by a supervisory authority.
16. Term and Termination
- 16.1 This DPA shall remain in effect for the duration of the Agreement and shall automatically terminate upon the termination or expiration of the Agreement, subject to Section 12 (Data Return and Deletion).
- 16.2 The obligations of PR Bot under this DPA with respect to any Customer Personal Data that PR Bot continues to process after termination shall survive until PR Bot ceases all processing of Customer Personal Data.
17. Conflict and Precedence
- 17.1 In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Customer Personal Data.
- 17.2 In the event of any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
- 17.3 Nothing in this DPA reduces PR Bot's obligations under the Agreement in relation to the protection of Personal Data.
Annex I: Description of Processing
Part A: List of Parties
| Party | Details |
|---|---|
| Data Exporter (Controller) | The Customer, as identified in the Agreement. The Customer determines the purposes and means of processing of Personal Data submitted to the Service. |
| Data Importer (Processor) | StartupBros LLC d/b/a PR Bot, 100 1st Ave N, #2706, St. Petersburg, FL 33701, USA. Contact: privacy@prbot.ai |
Part B: Description of Transfer
| Element | Description |
|---|---|
| Categories of Data Subjects | Customer's employees, contractors, and authorized users of the Service; individuals whose contact information is uploaded by the Customer (e.g., media contacts, journalists) |
| Categories of Personal Data | Names, email addresses, professional titles, credentials and expertise descriptions, company information, communication preferences, journalist query responses, AI-generated pitch content, usage data, and billing information |
| Sensitive Data | None anticipated. If the Customer submits special category data (as defined in Article 9 of the GDPR), the Customer is solely responsible for ensuring a lawful basis for such processing. |
| Frequency of Transfer | Continuous, for the duration of the Agreement |
| Nature of Processing | Collection, storage, organization, structuring, retrieval, use (including AI-powered content generation and relevance matching), transmission to third-party platforms, and erasure |
| Purpose of Processing | Providing the PR Bot service: AI-powered media outreach, pitch generation, journalist query matching, response management, subscription billing, customer support, and product analytics |
| Retention Period | Duration of the Agreement, plus thirty (30) days for deletion, except as required by applicable law (see Section 12) |
Part C: Competent Supervisory Authority
Where the data exporter is established in an EU Member State, the supervisory authority of that Member State shall be the competent supervisory authority. Where the data exporter is not established in the EU, the Irish Data Protection Commission (www.dataprotection.ie) shall be the competent supervisory authority.
Annex II: Technical and Organizational Measures
PR Bot implements the following technical and organizational measures to ensure a level of security appropriate to the risk of processing, as required by Article 32 of the GDPR:
1. Encryption and Pseudonymization
- Data encrypted in transit using TLS 1.3
- Data encrypted at rest using AES-256 (database-level encryption via cloud infrastructure provider)
- Pseudonymization of Personal Data where feasible before transfer to AI Sub-processors
- Hashing applied to sensitive identifiers where full values are not required for processing
2. Confidentiality
- All personnel with access to Customer Personal Data are bound by contractual confidentiality obligations
- Role-based access controls (RBAC) enforced at the application and database levels
- Principle of least privilege for all system access
- Multi-factor authentication (MFA) required for all administrative access
- Row-level security (RLS) policies enforced at the database level to ensure tenant isolation in the multi-tenant architecture
3. Integrity
- Input validation and output encoding at application level
- Audit logging of data access and modifications
- Version-controlled infrastructure and application code with change management processes
4. Availability and Resilience
- Regular automated backups with point-in-time recovery capabilities
- Geographically distributed infrastructure via cloud service providers
- High-availability architecture with redundancy
- Disaster recovery procedures with defined recovery time and recovery point objectives
5. Data Restoration and Testing
- Tested backup restoration procedures
- Point-in-time recovery capabilities for database systems
- Regular testing, assessment, and evaluation of the effectiveness of security measures
6. Access Control and Authentication
- Unique user identification and authentication
- Automated session timeout policies
- Secure credential storage using industry-standard hashing algorithms
- Third-party authentication via Supabase Auth with MFA support
7. Incident Detection and Response
- Monitoring and alerting systems for security events
- Documented incident response procedures
- Breach notification to Controller within 72 hours of discovery
- Post-incident review process
8. Physical Security
- Physical security is inherited from our cloud infrastructure providers (AWS via Supabase and Vercel), which maintain industry-standard data center security controls and certifications
9. Sub-processor Oversight
- Due diligence assessment before engaging new Sub-processors
- Contractual data protection obligations imposed on all Sub-processors
- Periodic compliance review of Sub-processor practices
- AI Sub-processors (OpenAI, Anthropic, Google) operate under API terms that prohibit use of Customer data for model training
10. Data Minimization and Retention
- Data collection limited to what is necessary for the purposes of processing
- Defined retention periods enforced per data category
- Automated data deletion upon account termination (within 30 days)
- IP addresses pseudonymized after 90 days for analytics data
11. Governance and Training
- Designated personnel responsible for data protection matters
- Written information security policies
- Security awareness practices for all personnel
Annex III: List of Sub-processors
The following Sub-processors are authorized to process Customer Personal Data on behalf of the Customer. An up-to-date list is also maintained at prbot.ai/data-processing.
| Sub-processor | Location | Processing Activity | Data Categories |
|---|---|---|---|
| Supabase Inc. | United States | Database, authentication, file storage | All user data, profile data, account information, files |
| OpenAI, L.L.C. | United States | AI content generation (GPT models) | Profile data, journalist queries, generated responses |
| Anthropic PBC | United States | AI content generation (Claude models) | Profile data, journalist queries, generated responses |
| Google LLC | United States | AI content generation (Gemini models) | Profile data, journalist queries, generated responses |
| Stripe, Inc. | United States | Payment processing, subscription billing, affiliate payouts | Payment information, billing details, transaction history, banking details (affiliates) |
| PostHog Inc. | United States | Product analytics, session replay, feature flags | Usage patterns, feature interactions, anonymized session data, IP addresses |
| Vercel Inc. | United States / Global CDN | Application hosting, content delivery network | Log data, IP addresses, usage data |
| HighLevel Inc. (GoHighLevel) | United States | CRM, live chat widget, marketing automation | Name, email address, chat messages, browsing context |
| Google LLC (Google Analytics) | United States | Website analytics, traffic reporting | IP addresses (anonymized), browsing behavior, page views, device information |
| Resend Inc. | United States | Transactional email delivery | Email addresses, names, email content |
Third-Party Data Recipients (Independent Controllers)
The following third parties receive Customer Personal Data but operate as independent data controllers under their own privacy policies. These are not Sub-processors within the meaning of GDPR Article 28; rather, they independently determine the purposes and means of processing the data they receive. Data is shared with these parties on the basis of the Customer's consent (provided when the Customer instructs PR Bot to submit data to these platforms) and PR Bot's legitimate interest in delivering the Service.
| Recipient | Location | Purpose | Data Categories | Safeguards |
|---|---|---|---|---|
| Featured.com (Terkel Inc.) | United States | Media outreach and expert content placement. When the Customer instructs PR Bot to submit pitches via Featured.com, user profile data and AI-generated pitch content are transmitted to Featured.com's journalist network. Featured.com independently determines how submitted content is matched, displayed, and used within its platform. | Name, professional credentials, expertise descriptions, AI-generated pitch content | Featured.com processes data under its own Privacy Policy. Data is transmitted only upon explicit Customer instruction (pitch submission). Encryption in transit (TLS 1.3). Data minimization applied prior to transfer. |
Note: Featured.com is classified as an independent controller because it independently determines the purposes and means of processing the data it receives (operating a journalist query marketplace and determining how expert content is matched, published, and distributed). This is a controller-to-controller data transfer, not a Sub-processor relationship under GDPR Article 28. The Customer consents to this transfer by instructing PR Bot to submit pitches via Featured.com. PR Bot applies data minimization prior to each transfer, transmitting only the data necessary for the pitch submission.
Contact and Related Documents
For questions about this DPA or to exercise your rights, please contact:
- Email: privacy@prbot.ai
- Postal Address: StartupBros LLC, 100 1st Ave N, #2706, St. Petersburg, FL 33701, USA
EEA/UK/Swiss Data Subjects: If you are located in the European Economic Area, United Kingdom, or Switzerland, you may direct inquiries regarding this DPA or the processing of your data to privacy@prbot.ai. We cooperate with the guidance and decisions of the relevant data protection supervisory authorities.
This DPA should be read together with:
Questions about this document? Contact us at privacy@prbot.ai