This Data Processing Addendum (“DPA“) forms part of the Skynet Terms of Service (the “Agreement“) entered into between:
- Skynet LLC. (“Skynet” or “Processor“); and
- The Merchant (“Controller“) who has executed the Agreement with Skynet.
This DPA governs the processing of Personal Data by the Processor on behalf of the Controller.
1. Definitions and Interpretation
1.1 Definitions
- “Applicable Data Protection Law” means any data protection and privacy laws applicable to the processing of Personal Data under the Agreement, including, where applicable, the European Union’s General Data Protection Regulation 2016/679 (GDPR) and the California Consumer Privacy Act, as amended (CCPA).
- “Controller” has the meaning defined in Applicable Data Protection Law and refers to the Merchant.
- “Controller Personal Data” means any Personal Data processed by the Processor on behalf of the Controller pursuant to the Agreement.
- “Personal Data,” “Processing,” “Processor,” “Data Subject,” and “Supervisory Authority” have the meanings given in the Applicable Data Protection Law.
- “Sub-processor” means any third party appointed by the Processor to process Personal Data on behalf of the Controller.
1.2 Interpretation
In the event of any conflict or inconsistency between the provisions of the Agreement and this DPA, the provisions of this DPA shall prevail with respect to the processing of Personal Data.
2. Details of Processing
2.1 Scope and Purpose
The Processor shall process Controller Personal Data only in accordance with the documented instructions from the Controller, as set forth in the Agreement, this DPA, and as necessary to provide the Services.
- Subject Matter of Processing: The provision of the Skynet e-commerce and platform hosting services to the Controller.
- Duration: For the term of the Agreement, unless otherwise required by law.
- Categories of Data Subjects: Customers, employees, and users of the Controller’s Skynet Site.
- Categories of Personal Data: Identifiers (name, address, email, phone), commercial information (purchase history, payment details), and internet activity (IP address, device data).
- Nature of Processing: Collection, storage, retrieval, use, disclosure, and deletion of data as required to facilitate e-commerce and platform functions.
2.2 Controller Instructions
The Controller instructs the Processor to process Controller Personal Data to the extent necessary to provide the Services under the Agreement. The Controller warrants that its instructions comply with Applicable Data Protection Law and that the Processing of Personal Data by the Processor in accordance with the Controller’s instructions will not cause the Processor to violate any Applicable Data Protection Law.
3. Obligations of the Processor
3.1 Confidentiality
The Processor shall ensure that all persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.2 Security Measures
The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including measures to protect Controller Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, or damage.
3.3 Sub-processing
The Controller grants the Processor general authorization to engage Sub-processors. The Processor shall:
- Inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Controller the opportunity to object to such changes.
- Impose data protection obligations on the Sub-processors that are materially the same as those imposed on the Processor under this DPA.
3.4 Data Subject Rights
The Processor shall, considering the nature of the Processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller’s obligation to respond to requests for exercising the Data Subject rights under Applicable Data Protection Law.
3.5 Data Breach Notification
The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting Controller Personal Data, and shall cooperate with the Controller to address the breach.
3.6 Assistance and Audit
The Processor shall provide the Controller with all information necessary to demonstrate compliance with the obligations laid down in this DPA. Upon reasonable request, the Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
4. Obligations of the Controller
The Controller warrants and agrees that:
- It has provided all necessary notices and obtained all necessary consents and authorizations required under Applicable Data Protection Law for the lawful transfer and Processing of Controller Personal Data to the Processor.
- It is solely responsible for determining the purposes and means of the Processing of Personal Data.
5. International Data Transfers
The Processor may transfer Controller Personal Data to countries outside of the Controller’s country of residence, including to the United States. Where Applicable Data Protection Law requires a legal basis for such international transfers, the Processor shall ensure that appropriate safeguards are in place, such as standard contractual clauses (SCCs) or other legally recognized transfer mechanisms.
6. Data Return and Deletion
Upon termination of the Agreement, the Processor shall, at the choice of the Controller, delete or return all Controller Personal Data to the Controller and delete existing copies, unless storage is required by Applicable Data Protection Law.