Data Processing Addendum
This Data Processing Addendum ("DPA") forms part of the agreement between AI Labs Inc., doing business as Prescene ("Prescene," "Processor," "we," "us"), and the customer entity named on the corresponding order form, Enterprise Agreement, or accepted Terms of Service ("Customer," "Controller," "you") (each a "Party" and together the "Parties") (the "Agreement").
This DPA applies to Prescene's processing of Personal Data on behalf of Customer in connection with the Services. Where this DPA conflicts with the Agreement, this DPA controls with respect to data protection. By executing or accepting the Agreement, Customer enters into this DPA on behalf of itself and its Authorized Affiliates.
1. Definitions
"Applicable Data Protection Law" means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement, including the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), the UK Data Protection Act 2018 and UK GDPR ("UK GDPR"), the Swiss Federal Act on Data Protection ("Swiss FADP"), the California Consumer Privacy Act/California Privacy Rights Act ("CCPA"), the Texas Data Privacy and Security Act ("TDPSA"), and any other applicable U.S. state or non-U.S. data protection law, in each case as amended from time to time.
"Authorized Affiliate" means any entity that controls, is controlled by, or is under common control with Customer, that is permitted to use the Services under the Agreement.
"Customer Data" means any Personal Data that Prescene processes on behalf of Customer in providing the Services, including Inputs and Outputs as defined in the Terms of Service.
"Data Subject," "Personal Data," "Processing," "Controller," and "Processor" have the meanings given in Applicable Data Protection Law.
"Restricted Transfer" means a transfer of Personal Data from a jurisdiction where such transfer requires a safeguard under Applicable Data Protection Law (including, for the EEA, Switzerland, and UK, transfers outside an adequate jurisdiction).
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of Personal Data to third countries adopted by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as updated.
"UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner's Office.
"Subprocessor" means any third-party processor engaged by Prescene to process Customer Data on its behalf.
Capitalized terms not defined in this DPA have the meanings given in the Agreement.
2. Roles of the Parties
2.1 Controller and Processor
For Customer Data processed under the Agreement, Customer is the Controller (or, where Customer is itself a processor for a third-party controller, the third-party controller is the Controller and Customer authorizes Prescene to process accordingly). Prescene is the Processor.
For Personal Data that Prescene processes for its own purposes (e.g., billing data, account administrators' contact data, security logs, aggregate usage analytics), Prescene is the Controller. The processing of such data is governed by the Prescene Privacy Policy, not this DPA.
2.2 Customer Responsibilities
Customer represents and warrants that: (a) it has all rights, lawful bases, consents, notices, and authorizations required to provide Customer Data to Prescene and to instruct Prescene to process it as described herein; (b) its instructions to Prescene comply with Applicable Data Protection Law; (c) for any Customer Data that constitutes special categories of data (GDPR Article 9), sensitive data, or children's data, Customer has obtained any heightened consents or completed any heightened obligations required by Applicable Data Protection Law; (d) Customer Data does not include data that Customer is contractually or legally prohibited from disclosing to a Processor.
3. Processing Details
3.1 Subject Matter and Duration
The subject matter of processing is Prescene's provision of the Services to Customer. Processing continues for the duration of the Agreement and any post-termination period during which Prescene retains Customer Data as permitted herein.
3.2 Nature and Purpose
Prescene processes Customer Data to: host the Services; receive Inputs and generate Outputs (including via large language models); store, organize, retrieve, transmit, and display Customer Data within Customer's workspace; analyze Customer Data for the purpose of producing Outputs requested by Customer; provide support; secure the Services; and perform the obligations described in the Agreement and DPA.
3.3 Categories of Data Subjects
Customer Data may concern: Customer's authorized users (including writers, producers, executives, support staff); individuals whose Personal Data is incidentally included in Customer's uploaded Content (e.g., names of real persons appearing in screenplay drafts).
3.4 Categories of Personal Data
Customer Data may include: identifiers (name, email); professional information; user-generated Content uploaded by Customer's users (which may incidentally include any category of Personal Data depending on Customer's use); communication and support data; usage and audit logs.
Customer determines what Personal Data is included in its Content and is responsible for the legality of including such data.
4. Prescene's Obligations as Processor
4.1 Processing Only on Customer's Instructions
Prescene will process Customer Data only: (a) to provide the Services as described in the Agreement and this DPA; (b) on Customer's documented instructions, including the instructions embedded in Customer's use of the Services; (c) as required by applicable law, in which case Prescene will inform Customer of the requirement before processing, unless prohibited from doing so.
If Prescene believes Customer's instruction violates Applicable Data Protection Law, Prescene will notify Customer.
4.2 No Use for Other Purposes
Prescene will not:
- sell Customer Data;
- share Customer Data for cross-context behavioral advertising;
- use Customer Data to train or fine-tune any AI foundation model;
- combine Customer Data with personal data from any other source for purposes outside this DPA;
- retain or use Customer Data for any commercial purpose outside the direct provision of Services to Customer.
4.3 Confidentiality
Prescene ensures that personnel authorized to process Customer Data are bound by appropriate confidentiality obligations.
4.4 Security
Prescene implements and maintains appropriate technical and organizational measures designed to protect Customer Data against unauthorized or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure, as described in Annex II (Security Measures).
4.5 Data Subject Requests
Prescene will, taking into account the nature of processing, provide reasonable assistance to Customer in responding to Data Subject requests for access, rectification, erasure, restriction, portability, or objection. If Prescene receives a Data Subject request directly relating to Customer Data, Prescene will redirect the Data Subject to Customer and notify Customer.
4.6 Personal Data Breach Notification
Prescene will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach affecting Customer Data. Notice will include, to the extent then known: the nature of the breach, categories and approximate volume of data affected, likely consequences, measures taken or proposed, and a contact for further information.
Prescene will provide reasonable cooperation to assist Customer in fulfilling its own breach-notification obligations under Applicable Data Protection Law.
A "Personal Data breach" does not include unsuccessful access attempts that do not result in unauthorized access (e.g., pings, port scans, denial-of-service attempts that fail).
4.7 DPIA Assistance
Where required by Applicable Data Protection Law, Prescene will provide reasonable assistance to Customer with data protection impact assessments and prior consultations with supervisory authorities.
4.8 Audits
Customer may verify Prescene's compliance with this DPA by: (a) reviewing the most recent SOC 2 Type 2 report or equivalent third-party audit report (when available); and (b) requesting additional information through written questionnaires (no more than once per 12-month period, except in case of a breach or regulator request).
If, after reviewing audit reports and questionnaire responses, Customer reasonably determines that further audit is necessary, Customer may request an on-site audit at Customer's expense, with reasonable advance notice (at least 30 days), at a mutually agreed time, conducted by an independent auditor reasonably acceptable to Prescene, subject to confidentiality obligations and limited to once per 12-month period (except in case of a breach or where required by a supervisory authority).
4.9 Return or Deletion of Customer Data
Upon termination of the Agreement, Prescene will, at Customer's option, return or delete Customer Data within 90 days, except as required to be retained by law. Backup copies will be purged within 90 days after termination. Aggregated and anonymized data may be retained.
5. Subprocessors
5.1 Authorization
Customer provides general written authorization for Prescene to engage Subprocessors, subject to this Section 5.
5.2 List
Prescene maintains a current list of Subprocessors at prescene.com/legal/subprocessors (the "Subprocessor List"). The list includes the name, function, and location of each Subprocessor.
5.3 Notice of Changes
Prescene will provide Customer with at least 30 days' advance notice of any addition or replacement of a Subprocessor that processes Customer Data, by email to Customer's designated contact and/or via posting on the Subprocessor List with notification opt-in.
5.4 Objection
Customer may object to a new Subprocessor on reasonable, data-protection-related grounds by emailing privacy@prescene.ai within 30 days of notice. The Parties will work in good faith to resolve the objection. If the objection remains unresolved, Customer may terminate the Agreement (limited to the affected Services) without penalty, prorated for the unused subscription period.
5.5 Subprocessor Obligations
Prescene will impose, by written contract, data-protection obligations on each Subprocessor that are no less protective than those in this DPA. Prescene remains liable to Customer for the acts and omissions of its Subprocessors with respect to Customer Data.
6. International Transfers
6.1 Mechanism
To the extent processing under this DPA involves a Restricted Transfer of Customer Data:
(a) From the EEA to a third country: the Parties incorporate by reference the Standard Contractual Clauses (Module Two: Controller-to-Processor), with Prescene as the data importer and Customer as the data exporter. The optional clauses are deemed selected as set out in Annex I. The Parties agree:
- Clause 7 (Docking Clause): does not apply;
- Clause 9(a): Option 2 (general written authorization), with the time period set in Section 5.3 of this DPA;
- Clause 11(a) optional language: not included;
- Clause 17: governing law of Ireland;
- Clause 18(b): courts of Ireland.
(b) From the UK: the Parties incorporate by reference the UK International Data Transfer Addendum to the SCCs (template addendum B.1.0).
(c) From Switzerland: the SCCs apply, modified as required by the Swiss FADP (references to GDPR also reference Swiss FADP; references to EU member states' supervisory authorities also include the Swiss Federal Data Protection and Information Commissioner).
The information required for the SCC Annexes is set out in Annex I (Description of Transfer) and Annex II (Security Measures).
6.2 Where Customer is Itself a Processor
Where Customer is itself a Processor for a third-party Controller, the Parties enter the SCCs at Module Three (Processor-to-Processor) by way of the same incorporation as above, with appropriate modifications to reflect roles.
6.3 Data Localization
Currently, Customer Data is processed on AWS infrastructure located in the United States. Customer acknowledges and consents to this transfer.
7. CCPA-Specific Terms
To the extent CCPA applies to processing of Customer Data:
- Prescene acts as a "service provider" or "contractor" as defined in CCPA.
- Prescene will not (a) sell Personal Data; (b) share Personal Data for cross-context behavioral advertising; (c) retain, use, or disclose Personal Data for any purpose other than the business purposes specified in the Agreement and this DPA, including not retaining, using, or disclosing it outside the direct business relationship; (d) combine Personal Data with personal information received from another source, except as permitted by CCPA.
- Prescene will notify Customer if it determines it can no longer meet its CCPA obligations and will permit Customer to take reasonable steps to stop and remediate unauthorized use.
8. Liability
Each Party's liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement. To the extent the SCCs are incorporated, the SCCs' liability provisions apply between the Parties only with respect to claims by Data Subjects or supervisory authorities under the SCCs; as between the Parties, the Agreement governs.
9. General
9.1 Order of Precedence
In case of conflict regarding data protection, this DPA controls over the Agreement. The SCCs (where incorporated) control over conflicting terms in this DPA.
9.2 Term
This DPA is effective from the Effective Date and remains in force for the duration of the Agreement and any post-termination retention period.
9.3 Modifications
Prescene may update this DPA from time to time, including to address regulatory changes. Prescene will provide reasonable notice of material updates. Updates that incorporate new SCC versions or required regulatory mechanisms take effect upon issuance of the relevant regulatory instrument.
9.4 Severability
If any provision is held unenforceable, the remaining provisions remain in effect.
9.5 Governing Law (DPA)
Except for the SCCs (which are governed by their own terms), this DPA is governed by the law specified in the Agreement.
9.6 Notices
All notices under this DPA may be given to: AI Labs Inc., 1614 W 9th 1/2 St, Austin, TX 78703, attn: Legal; with email copy to privacy@prescene.ai.
ANNEX I — Description of Transfer
A. List of Parties
- Data Exporter (Controller): Customer (as identified in the Agreement).
- Data Importer (Processor): AI Labs Inc., 1614 W 9th 1/2 St, Austin, TX 78703, USA. Contact: privacy@prescene.ai.
B. Description of Transfer
- Categories of data subjects: Customer's authorized users; individuals whose data is incidentally included in Customer's Content.
- Categories of personal data: Identifiers, professional info, content data (Inputs and Outputs), communication and support data, usage and audit logs.
- Sensitive data: not intentionally processed; may incidentally appear in Customer Content. Customer is responsible for compliance with heightened obligations.
- Frequency of transfer: continuous for the duration of the Agreement.
- Nature of processing: hosting, generation, transmission, display, support, security, audit.
- Purpose of processing: provision of the Services as described in the Agreement.
- Retention: as set out in Section 4.9 and the Privacy Policy.
- Subprocessors: as listed in the Subprocessor List, for the purposes and durations stated therein.
C. Competent Supervisory Authority
For SCCs purposes: Irish Data Protection Commission, unless Customer is located in another EU member state, in which case its local supervisory authority. For UK transfers: UK Information Commissioner's Office. For Swiss transfers: Swiss Federal Data Protection and Information Commissioner.
ANNEX II — Technical and Organizational Security Measures
Prescene implements the following security measures:
1. Access Control
- Multi-factor authentication for personnel accessing production systems.
- Role-based access control with least-privilege principles.
- Deprovisioning on personnel role change or termination.
- No default access by personnel to Customer Content; access permitted only under defined exception scenarios with audit logging (see Privacy Policy Section 4).
2. Encryption
- TLS 1.2 or higher for data in transit.
- AES-256 (or equivalent) for data at rest.
- Encrypted backups.
3. Network Security
- VPCs and security groups segmenting production environments.
- Web application firewall.
- DDoS protection.
- Intrusion detection and monitoring.
4. Application Security
- Secure software development practices, including code review.
- Vulnerability scanning of dependencies.
5. Logging and Monitoring
- Centralized audit logging of administrative and security-relevant events.
- Log retention as described in the Privacy Policy.
6. Personnel Security
- Confidentiality obligations in employment and contractor agreements.
7. Vendor Management
- Contractual data-protection obligations in agreements with Subprocessors that handle Customer Data.
8. Incident Response
- Documented incident response plan.
- Customer notification within 72 hours of a confirmed Personal Data breach affecting Customer Data.
- Post-incident review and remediation.
9. Business Continuity
- Redundant hosting infrastructure on AWS.
- Automated backups.
10. Data Minimization and Retention
- Production systems retain Content only as long as Customer maintains the relevant data.
- Backups purged within 90 days of deletion.
- Anonymization or aggregation of data used for analytics.
These measures may evolve as our security practices mature. Updated measures will be at least as protective as those described above.
ANNEX III — Subprocessors
The current list of Subprocessors is maintained at prescene.com/legal/subprocessors.