This document is a technical scaffold, not yet reviewed by counsel. It will be finalised by the legal team before commercial launch. In its current form it does not constitute a contractual offer.
Data Processing Agreement
This DPA forms part of our commercial terms, pursuant to GDPR Art. 28, when the Customer uses Skryx to process personal data they own (as controller) or process on behalf of third parties.
1. Roles
The Customer is the controller. Skryx is the processor. We process personal data solely on the Customer's documented instructions (the Terms, the Service configuration).
2. Subject matter, duration, nature
- Subject matter: indexing, search, AI insights over the Customer's catalog.
- Duration: the term of the contract + 30 days (grace period for recovery).
- Data categories: as provided by the Customer in their catalog (e.g. product titles, descriptions, prices, plus any end-customer data if included).
- Data subjects: depend on the Customer's catalog — end customers, employees, partners, etc.
3. Sub-processors
We use the sub-processors below. The Customer authorises this arrangement by accepting these Terms. We will notify the Customer by email at least 30 days before any addition or replacement.
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Anthropic | AI query understanding & catalog analysis | USA | EU Standard Contractual Clauses |
| Voyage AI | Semantic search embeddings | USA | EU Standard Contractual Clauses |
| Contabo | Application + database hosting | Germany | EU/EEA — no transfer |
| Cloudflare | CDN, DDoS protection, DNS | USA | EU Standard Contractual Clauses |
| SendGrid (Twilio) | Transactional email delivery | USA | EU Standard Contractual Clauses |
| Stripe | Payment processing (when billing launches) | USA | EU Standard Contractual Clauses |
4. Technical and organisational measures
- TLS 1.2+ encryption for all transfers.
- At-rest encryption for databases and backups.
- Role-based access control (RBAC).
- Audit logging for access to personal data.
- Daily backups, 30-day retention.
- Business continuity and incident recovery plan.
- Personnel under contractual confidentiality obligation.
5. Skryx obligations
- We process data only on the Customer's instructions.
- We ensure personnel confidentiality.
- We assist you in responding to data-subject requests.
- We notify you without undue delay (within 72 hours) of any security incident.
- At end of contract, we delete or return the data at your choice.
6. Audit
Upon reasonable request, we provide independent certifications / reports (SOC 2, ISO 27001 once obtained). On-site audits only by prior written agreement, with reasonable costs borne by the Customer.
7. Liability
Skryx's liability as processor is subject to the limitation clauses in the Terms.
8. Downloadable version
A PDF version pre-filled with your tenant details is available in Settings → Privacy after sign-in. Enterprise customers can negotiate a tailored DPA — contact legal@skryx.io.