Last updated: May 12, 2026
This Data Processing Addendum (this “DPA”) is incorporated into and made a part of the Master Subscription Agreement, online Terms of Service, or other agreement governing the provision of Services (the “Services Agreement”) entered into by Customer and SkaleData, Inc. (“SkaleData” or “Processor”) and applies solely to the extent that SkaleData processes Customer Personal Data in connection with the Services. Customer and SkaleData may be referred to individually as a “Party” or collectively as the “Parties”.
In the event of conflict, the provisions of this DPA shall control over the Services Agreement. All capitalized terms not defined herein shall have the meaning set forth in the Services Agreement. For purposes of this DPA only, except where otherwise indicated, the term “Customer” shall include Customer and its authorized Affiliates.
In the course of providing the Services to Customer pursuant to the Services Agreement, the Parties acknowledge that: (a) Customer acts as a Controller; (b) Customer wishes to subcontract certain services that involve the processing of Personal Data to SkaleData, and SkaleData acts as the Processor; (c) the Parties seek to implement an agreement that complies with applicable Data Protection Laws, including the GDPR; and (d) the Parties wish to document their respective rights and obligations.
In this DPA:
“Agreement” means this DPA and the Services Agreement, and all associated terms of service, schedules, statements of work, and order forms.
“CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020.
“Cloud Environment” means a cloud computing or other storage resource operated by or for SkaleData or Customer, as the case may be, pursuant to this Agreement.
“Control Plane” means the elements of the Services residing within SkaleData's Cloud Environment, including without limitation the user-facing console through which Customer manages its data infrastructure.
“Customer Data” means all data, records, files, information, and content uploaded by or on behalf of Customer to, or processed by Customer's workloads within, the Data Plane.
“Customer Personal Data” means any Personal Data processed by SkaleData through the Control Plane on behalf of Customer pursuant to or in connection with the Agreement. For clarity, Customer Personal Data does not include Personal Data that resides within the Data Plane and is not transmitted to or processed by the Control Plane.
“Data Plane” means the portion of a Cloud Environment, operated by Customer within Customer's own cloud provider account (including, without limitation, a Google Cloud Platform project, Amazon Web Services account, or Microsoft Azure subscription), in which Customer Data is processed as part of the Services.
“Data Protection Laws” means all laws and regulations applicable to the processing of Personal Data under this DPA, including European Data Protection Laws and applicable U.S. federal and state privacy laws, as amended from time to time.
“European Data Protection Laws” means the GDPR, the UK GDPR, the Swiss Federal Act on Data Protection, and all other privacy and data-protection laws of the European Economic Area, the United Kingdom, Switzerland, and their respective Member States, as amended from time to time.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council (the General Data Protection Regulation).
“International Data Transfer Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018, version B1.0.
“Services” means the SkaleData platform and related services provided to Customer under the Agreement.
“Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission under Commission Implementing Decision (EU) 2021/914.
“Subprocessor” means any third party engaged by or on behalf of SkaleData to process Customer Personal Data on behalf of Customer in connection with the Services.
The terms “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing”, and “Supervisory Authority” have the meanings given in the GDPR, and their cognate terms shall be construed accordingly.
3.1 Instructions and Compliance. Customer instructs SkaleData to process Customer Personal Data to provide the Services to Customer as described in the Services Agreement and in accordance with this DPA. SkaleData shall (a) comply with all applicable Data Protection Laws in its processing of Customer Personal Data; (b) not process Customer Personal Data other than on Customer's documented instructions, unless required to do so by applicable law, in which case SkaleData shall inform Customer of that legal requirement before processing, unless applicable law prohibits such information on important grounds of public interest; and (c) promptly inform Customer if, in SkaleData's opinion, an instruction infringes Data Protection Laws.
3.2 Sensitive Personal Data. Customer shall not provide sensitive personal information or special category personal data, as defined under applicable Data Protection Laws, to SkaleData-controlled product interfaces, or store such data in a manner that is persistent or retained within the Control Plane (including in audit logs, configuration values, support communications, or other Control Plane records). This includes, without limitation, government identification numbers (such as Social Security numbers, driver's license numbers, and passport numbers), financial account information, health and medical information, and biometric data. Processing such data as part of Customer workflows within the Data Plane is permitted, provided that such data is not uploaded to or stored within the Control Plane.
SkaleData shall take reasonable steps to ensure the reliability of any employee, agent, or contractor of SkaleData or any Subprocessor who may have access to Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant Customer Personal Data as strictly necessary for the purposes of the Agreement and to comply with applicable laws, and ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
5.1 SkaleData Security Measures. SkaleData shall implement and maintain reasonable administrative, technical, and physical safeguards designed to protect Customer Personal Data. SkaleData shall take into account the risks presented by processing — in particular, from a Personal Data Breach — to ensure a level of security appropriate to that risk, including, as applicable, the measures referred to in Article 32(1) of the GDPR.
5.2 Customer Responsibility for the Data Plane. Customer is solely responsible for what Customer Data, including any Personal Data, is processed within the Data Plane. Customer acknowledges its obligation to implement, maintain, and review relevant and sufficient security and organizational measures to protect Personal Data processed within the Data Plane. Customer acknowledges and agrees that SkaleData does not provide or have access to provide security measures within Customer's Data Plane environment beyond the configuration of the Services as set out in the documentation.
5.3 Security Addendum. The Parties shall comply with the Security Addendum located at https://skaledata.com/security, which is incorporated into this DPA by reference. SkaleData may update the Security Addendum from time to time, provided that such updates do not materially or substantially degrade SkaleData's security commitments. SkaleData will provide Customer with at least thirty (30) days' prior notice of any material changes to the Security Addendum. Until such time as the Security Addendum is published at the foregoing URL, the technical and organizational measures set out in Annex II shall apply.
6.1 General Authorization. Customer authorizes SkaleData to disclose Customer Personal Data to Subprocessors provided that: (i) such disclosure is necessary to enable SkaleData to provide the Services; (ii) SkaleData has conducted appropriate due diligence on the Subprocessor in accordance with Data Protection Laws; (iii) the terms on which SkaleData has appointed the Subprocessor are enforceable and at least equally protective of Customer Personal Data as those set out in this DPA; and (iv) the Subprocessor is either listed at https://skaledata.com/legal/subprocessors (the “Subprocessor List”) or SkaleData has notified Customer of the inclusion of the Subprocessor in accordance with Section 6.2.
6.2 Notice of New Subprocessors. SkaleData shall provide Customer with at least thirty (30) days' prior notice of any addition or replacement of Subprocessors that will process Customer Personal Data, by updating the Subprocessor List and by sending notice to the primary account contact identified by Customer. If Customer reasonably objects to the appointment of a new Subprocessor on grounds related to compliance with Data Protection Laws, and SkaleData is unable to modify the Services to avoid the involvement of the objected-to Subprocessor, Customer may terminate the portion of the Services that depends on that Subprocessor by providing written notice to SkaleData.
6.3 Liability for Subprocessors. SkaleData shall be liable for the acts and omissions of each Subprocessor to the same extent SkaleData would be liable if performing the services of each Subprocessor directly under the terms of this DPA.
Taking into account the nature of the processing, SkaleData shall implement appropriate technical and organizational measures to assist Customer in fulfilling its obligations to respond to requests by Data Subjects to exercise their rights under Data Protection Laws. If SkaleData receives a request from a Data Subject regarding Customer Personal Data, SkaleData shall (a) promptly notify Customer of such request; (b) not respond to such request except on Customer's documented instructions or as required by applicable law; and (c) not sell Customer Personal Data as that term is defined under the CCPA. Data Subjects may direct requests regarding the exercise of their rights to legal@skaledata.com.
SkaleData will notify Customer without undue delay upon SkaleData becoming aware of a Personal Data Breach affecting Customer Personal Data. SkaleData will provide Customer with sufficient information to allow Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under Data Protection Laws, including, to the extent then known: (a) a description of the nature of the Personal Data Breach; (b) the categories and approximate number of Data Subjects and Personal Data records concerned; (c) the likely consequences of the Personal Data Breach; and (d) the measures taken or proposed to address the Personal Data Breach. SkaleData will cooperate with Customer and take reasonable commercial steps as directed by Customer to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.
SkaleData shall provide reasonable assistance to Customer in response to any Data Protection Impact Assessment requests and prior consultations with supervisory authorities or other competent data privacy authorities, which Customer reasonably considers required by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case specific to SkaleData's processing of Customer Personal Data and taking into account the nature of the processing and information available to SkaleData.
Within thirty (30) days of the termination or expiration of the Services Agreement, or upon written request from Customer, SkaleData shall delete, and procure the deletion of, all copies of Customer Personal Data in SkaleData's possession or control, except to the extent that retention is required by applicable law or in archived backup or disaster-recovery systems until such data is deleted in the ordinary course. Upon reasonable written request and within thirty (30) days of termination or expiration of the Services Agreement, SkaleData will make available to Customer the ability to export Customer Personal Data through the Services.
11.1 Information Requests. SkaleData shall make available to Customer, upon Customer's reasonable written request, all information necessary to demonstrate compliance with this DPA, including by providing confidential summary reports prepared by third-party security professionals (each, an “Audit Report”), security certifications, and completed security questionnaires.
11.2 Acceptance of Audit Reports. Customer agrees to accept Audit Reports, subject to confidentiality requirements, in satisfaction of its audit right. However, if Customer can demonstrate that it requires additional information beyond the Audit Reports made available by SkaleData, Customer may request, at Customer's expense, that SkaleData provide for an additional audit, subject to reasonable confidentiality procedures, which shall: (i) not include access to any information that could compromise confidential information relating to other SkaleData customers or Subprocessors, or any SkaleData trade secrets; (ii) be performed upon not less than thirty (30) days' notice, during regular business hours, and in such a manner as not to unreasonably interfere with SkaleData's business activities; and (iii) be conducted not more than once per twelve (12) month period, except in the event of a Personal Data Breach or as required by a Supervisory Authority.
12.1 European Economic Area. In the event of any transfer of Customer Personal Data collected within the European Economic Area to a country outside of the European Economic Area that does not guarantee a level of protection considered adequate by the European Commission, the Parties agree to be bound by the terms of Module 2 (Controller to Processor) of the Standard Contractual Clauses, which shall be deemed to be populated and completed as follows:
Clause 7 (Docking clause) shall not apply; Clause 9 (Use of Subprocessors): Option 2 (general written authorization) shall apply, and the relevant notice period shall be thirty (30) days; Clause 11(a) (Redress): the optional language shall not apply; Clause 17 (Governing Law): Option 2 shall apply, and the laws of Ireland shall govern; Clause 18 (Choice of Forum and Jurisdiction): the courts of Ireland are selected; Annex I.A (List of Parties): Customer is the data exporter, SkaleData is the data importer; Annex I.B (Description of Transfer): as set forth in Annex I to this DPA; Annex I.C (Competent Supervisory Authority): the supervisory authority of Ireland; Annex II (Technical and Organisational Measures): as set forth in the Security Addendum or, in the absence thereof, Annex II to this DPA; Annex III (List of Subprocessors): as set forth in the Subprocessor List.
12.2 United Kingdom. In the event of any transfer of Personal Data collected within the United Kingdom to a country outside of the United Kingdom that does not guarantee a level of protection considered adequate by the British government, the Parties shall be bound by the terms of the International Data Transfer Addendum, which shall be deemed to be populated and completed as described above and as follows: Table 1 shall be deemed populated with Customer as data exporter and SkaleData as data importer; Table 2 shall be deemed populated with the corresponding details and selections described in Section 12.1 in relation to Module 2 of the Standard Contractual Clauses; Table 3 shall be deemed populated with the information set out in Annex I to this DPA; Table 4 is completed by only “Importer” being selected.
12.3 Switzerland. In the event of any transfer of Personal Data subject to Swiss data protection law, the Standard Contractual Clauses shall apply with the following modifications: (a) references to the GDPR shall be interpreted as references to the Swiss Federal Act on Data Protection where applicable; (b) the competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner; and (c) the term “Member State” shall not be interpreted in a way that excludes Data Subjects in Switzerland from exercising their rights in their place of habitual residence.
12.4 Onward Transfers. In the event of any inconsistency between the Standard Contractual Clauses, the International Data Transfer Addendum, and this DPA or the Services Agreement, the Standard Contractual Clauses or the International Data Transfer Addendum, as applicable, shall prevail. Any onward transfer of Personal Data by SkaleData shall be made only in accordance with applicable Data Protection Laws.
13.1 Confidentiality. Each Party shall keep this DPA and information it receives about the other Party and its business in connection with this DPA (“Confidential Information”) confidential and shall not use or disclose that Confidential Information without the prior written consent of the other Party, except to the extent that (a) disclosure is required by law or (b) the relevant information is already in the public domain.
13.2 Notices. All notices and communications given under this DPA shall be in writing and delivered personally, sent by post, or sent by email (with confirmation of receipt) to the addresses set forth in the Agreement or such other addresses as the Parties may designate from time to time. Privacy-related notices to SkaleData may be sent to legal@skaledata.com.
13.3 Modification. SkaleData may propose modifications to this DPA from time to time. SkaleData shall notify Customer of proposed changes through communications via Customer's account, email, or other reasonable means. Modifications that materially affect Customer's rights or obligations under this DPA shall require Customer's consent, which shall not be unreasonably withheld.
Except to the extent otherwise specifically required by Data Protection Laws (including the Standard Contractual Clauses), the provisions of the Services Agreement governing applicable law and resolution of disputes shall apply to this DPA.
Notwithstanding anything to the contrary in this DPA, the liability of each Party under this DPA is subject to the exclusions and limitations of liability set out in the Services Agreement.
The terms and conditions of this DPA and any relevant Services Agreement are intended to complement each other. To the extent they conflict, the terms and conditions of this DPA will control with respect to the subject matter hereof.
| Item | Description |
|---|---|
| List of Parties | Customer is the Controller / data exporter. SkaleData, Inc. is the Processor / data importer. Contact: legal@skaledata.com. |
| Categories of Data Subjects | Customer's authorized end users (employees, contractors, or other personnel granted access to the Services); Customer's billing and administrative contacts. |
| Categories of Personal Data | Identification and contact data (names, email addresses, employer/organization); authentication and credential data (usernames, password hashes managed by Subprocessor, multi-factor authentication codes, session tokens); technical and device data (IP addresses, browser and device identifiers); usage and audit data (interactions with the Control Plane, configuration changes, administrative actions); and, where applicable, billing data (contact information, payment-method tokens — card numbers are not received or stored by SkaleData). |
| Sensitive or Special Category Data | The Services are not intended to process special categories of Personal Data within the Control Plane. Customer is contractually prohibited from providing sensitive or special category Personal Data to SkaleData-controlled product interfaces (see Section 3.2). |
| Frequency of the Processing | Continuous, for the duration of the Services Agreement. |
| Nature of the Processing | Provision of a cloud-based data infrastructure platform via a centralized Control Plane that provisions, configures, monitors, and manages data applications deployed within Customer's Data Plane. |
| Purpose of the Processing | Provision of the Services to Customer under the Services Agreement. |
| Duration of the Processing | For the duration of the Services Agreement, plus any post-termination retention period described in Section 10. |
| Subprocessors | As set out at https://skaledata.com/legal/subprocessors. |
| Competent Supervisory Authority | Where the Standard Contractual Clauses apply, the Irish Data Protection Commission. |
This Annex II applies until such time as the Security Addendum is published at https://skaledata.com/security, at which point the Security Addendum shall govern. SkaleData implements and maintains technical and organizational measures designed to ensure a level of security appropriate to the risk, including the following:
1. Architectural Controls (Bring Your Own Cloud)
The Services follow a Bring Your Own Cloud architecture: Customer Data resides exclusively within the Data Plane under Customer's identity, networking, and encryption controls, and is not transferred to or stored within SkaleData's Control Plane infrastructure. The Control Plane accesses the Data Plane exclusively through Customer-authorized delegated-access mechanisms (such as service account impersonation, IAM role assumption, or managed identity assignment), which Customer may revoke at any time. Customer retains control of cloud-provider identity and access management, networking, encryption keys, backups, and disaster recovery within the Data Plane.
2. Access Controls
Role-based access control with least-privilege principles for SkaleData personnel. Multi-factor authentication required for SkaleData personnel accessing production systems. Authentication and identity management for end users provided through a SOC 2-attested authentication Subprocessor. Periodic access reviews of SkaleData personnel.
3. Network and Infrastructure Security
Encryption of Customer Personal Data in transit using TLS 1.2 or higher. Encryption of Customer Personal Data at rest using AES-256 or equivalent. Network segmentation between production and non-production environments. Hosting in tier-1 cloud infrastructure providers with established security certifications (SOC 2, ISO 27001, or equivalent).
4. Application Security
Code review process for changes to production systems. Dependency scanning and vulnerability management for third-party libraries. Source code repositories protected by access controls and branch-protection mechanisms. Secrets and credentials managed through dedicated secrets-management infrastructure.
5. Logging and Monitoring
Centralized, append-only audit logging of administrative actions and access to Customer Personal Data. Retention of audit logs for a minimum of twelve (12) months. Monitoring for anomalous activity and unauthorized access.
6. Personnel
Confidentiality obligations imposed on all personnel with access to Customer Personal Data. Security awareness training for personnel. Background screening for personnel with access to production systems, where permitted by applicable law.
7. Incident Response
Documented incident response procedures. Notification process for Personal Data Breaches as described in Section 8.
8. Business Continuity
Regular backups of Control Plane data with retention sufficient to support recovery. Disaster recovery procedures designed to restore service in the event of infrastructure failure.
9. Vendor Management
Due-diligence review of Subprocessors prior to engagement. Contractual requirements imposing security and confidentiality obligations on Subprocessors. Periodic review of Subprocessor security posture.