SkyKick Data Processing Addendum
Last updated: September 27, 2021
This Data Processing Addendum (the “DPA”) is entered into between SkyKick LLC or the relevant SkyKick affiliate (“SkyKick”) and the customer (“Customer”). If Customer is located in the European Economic Area, the United Kingdom or Switzerland, this DPA is with SkyKick B.V. This DPA amends and forms a material part of the Agreement, pursuant to which Customer has obtained the right to use one or more Services.
1. DEFINITIONS AND BACKGROUND
1.1. Definitions. Capitalized terms used but not defined herein or in Attachment 1 to this DPA will have the meanings set forth in the Terms and Conditions.
1.2. Background. Customer and SkyKick acknowledge that Customer will be accessing the Services as a data controller for its own purposes. SkyKick will be the processor for Customer.
2. DATA PROCESSING AND PROTECTION
2.1. Limitations on Use. SkyKick will Process Personal Data only: (a) in a manner consistent with documented instructions from Customer, which will include Processing (i) to provide the Services, (ii) as authorized or permitted under the Agreement, including as specified in Attachment 2 to this DPA, and (iii) consistent with other reasonable documented instructions of Customer; and (b) as required by applicable law, provided that SkyKick will inform Customer (unless prohibited by such applicable law) of the applicable legal requirement before Processing pursuant to such applicable law.
2.2. Customer Obligations. Customer will not instruct SkyKick to perform any Processing of Personal Data that violates any Data Protection Law. Customer represents and warrants that (i) any Personal Data provided to SkyKick is collected and otherwise Processed by Customer in accordance with Data Protection Law; (ii) any Processing of Personal Data by SkyKick performed in accordance with the Agreement does not and will not violate any Data Protection Law; and (iii) all individuals whose Personal Data is Processed by SkyKick have been notified of SkyKick’s data Processing pursuant to the Services and as detailed in this Agreement. SkyKick may suspend Processing based upon any Customer instructions that SkyKick reasonably suspects violate Data Protection Law.
2.3. Confidentiality. SkyKick will ensure that persons authorized by SkyKick to Process any Personal Data are subject to appropriate confidentiality obligations.
2.4. Security. SkyKick will protect Personal Data in accordance with requirements under Data Protection Law, including by implementing appropriate administrative, physical, technical and organizational safeguards to (a) protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed, and against unauthorized or unlawful Processing of Personal Data and accidental loss, destruction of or damage to Personal Data; and (b) ensure the security of Personal Data. These safeguards are in accordance with industry best practices and industry-recognized standards. Any persons Processing Personal Data on behalf of SkyKick have committed themselves to confidentiality.
3. RETURN OR DISPOSAL
At the choice of Customer, SkyKick, assisted by the SkyKick Partner as appropriate, will delete or return (or will enable Customer via the Services to delete or retrieve) all Personal Data after the end of the provision of Services (unless applicable law requires the storage of such Personal Data by SkyKick).
4. DATA PROCESSING ASSISTANCE
4.1. Data Subject’s Rights Assistance. Taking into account the nature of the Processing of Personal Data by SkyKick under the Agreement, SkyKick will provide reasonable assistance to Customer by appropriate technical and organizational measures, insofar as possible and as necessary, for the fulfilment of the obligations of Customer (or its Client, as applicable) to respond to requests for exercising Data Subject’s rights under Chapter III of the GDPR with respect to Personal Data solely to the extent Customer does not have the ability to address such Data Subject request without such assistance.
4.2. Data Protection Impact Assessment Assistance. Taking into account the nature of SkyKick’s Processing of Personal Data and the information available to SkyKick, SkyKick will provide reasonable assistance to Customer if required for Customer (or its Client, as applicable) to comply with obligations under Articles 35 and 36 of the GDPR in connection with SkyKick’s Processing of Personal Data under the Agreement.
4.3. Personal Data Breach Notice and Assistance. SkyKick will notify Customer without undue delay after becoming aware of a Personal Data Breach. Taking into account the nature of Processing and the information available to SkyKick, SkyKick will provide reasonable assistance to Customer as may be necessary for Customer (or its Client, as applicable) to satisfy any notification obligations required under Articles 33 or 34 of the GDPR related to any Personal Data Breach.
4.4. SkyKick and the SkyKick Partner will provide the Customer with all the guidance and assistance mentioned in this clause 4 to meet its obligations as a controller. When the Customer seeks any of the assistance mentioned in this clause 4, the SkyKick Partner shall, where necessary, liaise with SkyKick to provide this assistance, and any information provided by SkyKick shall also be shared with the Customer through the SkyKick Partner.
5. AUDIT
At least at two-yearly intervals, SkyKick shall make available to Customer a written audit report demonstrating SkyKick’s compliance with the Data Protection Law and this DPA. If an audit report submitted by SkyKick in accordance with the above is, in Customer’s reasonable opinion, insufficient to demonstrate compliance with the Data Protection Law and this DPA, SkyKick shall permit Customer or an independent, qualified third party appointed by Customer (each an “Auditing Entity”), subject to reasonable prior written notice of at least sixty (60) business days, to access its premises, computer and other information systems, records, documents and agreements as reasonably required by the Auditing Entity to check that SkyKick is complying with its obligations under the Data Protection Law and this DPA. Any review in accordance with this paragraph 5 (i) shall not take place more than once in any twelve (12) month period, unless otherwise required by a competent data protection supervisory authority or the Data Protection Law; and (ii) shall not require the review of any third party data. Prior to a review, the Auditing Entity shall enter into such (additional) confidentiality obligations with SkyKick as may be reasonably necessary to respect the confidentiality of SkyKick’s business interests and the rights and interests of any affected third parties. The Auditing Entity shall perform any audit during normal business hours only, and shall take due care during the audit not to disturb SkyKick’s business operations and operational workflows. SkyKick’s costs relating to any audit by an Auditing Entity shall be borne by Customer.
6. SUBPROCESSORS
Customer authorizes SkyKick to use subcontractors to Process Personal Data in connection with the provision of Services to Customer (each a “Subprocessor”). As of the effective date of this DPA, the current list of Subprocessors is specified in Attachment 2. SkyKick will provide Customer with notice of any intended changes concerning the addition or replacement of its Subprocessors, and provide Customer with the opportunity to object to such changes. If Customer does not object within five (5) days, Customer is deemed to have consented to the proposed addition or replacement. If Customer objects to any Subprocessor, SkyKick may terminate the Agreement immediately upon notice to Customer without liability. SkyKick will impose data protection obligations upon any Subprocessor that are no less protective than those included in this DPA.
7. DATA TRANSFERS
Personal Data may be transferred to, and stored and processed by, Subprocessors located outside the EEA, United Kingdom and Switzerland. Any Personal Data transferred from SkyKick to a Subprocessor located outside the EEA, United Kingdom or Switzerland shall be governed by the Standard Contractual Clauses adopted pursuant to the EU Commission’s Decision (EU) 2021/914, Module 3 (processor-to-processor), entered into between SkyKick and the relevant Subprocessor.
SkyKick will abide by the requirements of Data Protection Law regarding the collection, use, transfer, retention, and other Processing of Personal Data. All transfers of Personal Data to a third country or an international organization will be subject to appropriate safeguards in accordance with Section 2.4 of this DPA.
In addition, SkyKick has certified compliance under the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Principles, and the commitments they entail. In light of the judgement of the Court of Justice of the EU in Case C-311/18 (Schrems II), SkyKick no longer relies on the EU-U.S. Privacy Shield Framework as a legal basis for transfers of Personal Data from the EU to the U.S. Customer authorizes SkyKick to provide a summary or a representative copy of the relevant privacy provisions of this DPA to the U.S. Department of Commerce if requested by that department.
8.1. Customer Affiliates. To the extent SkyKick Processes Personal Data on behalf of Customer’s Affiliates, Customer enters into this DPA on behalf of itself and as agent for its Affiliates, and references to Customer under this DPA shall include Customer and its Affiliates; provided however that the Customer is the sole entity that may enforce this DPA on its own behalf and on behalf of its Affiliates.
8.2. General. This DPA forms part of the Agreement. The terms and provisions of the Agreement remain unchanged and in full force and effect. Except as otherwise stated herein, the Terms and Conditions apply to this DPA, including without limitation any clauses set forth in the Terms and Conditions pertaining to limitation of liability. This DPA will automatically terminate upon the termination or expiration of the Agreement except as otherwise stated herein. SkyKick may from time to time amend this DPA in accordance with clause 12.10 of the Terms and Conditions. This DPA shall be governed by and construed in accordance with the laws applicable to the Terms and Conditions. All disputes that may arise out of or in connection with this DPA, or with any agreement, document, or instrument entered into pursuant hereto or in furtherance hereof, shall be brought exclusively before the competent court according to the Terms and Conditions.
8.3. Execution. This DPA will be executed electronically as part of the Terms and Conditions. This DPA will be effective as of the date that Customer accepts the Terms and Conditions.
Attachment 1 – Definitions
For purposes of this DPA, the following terms will have the meaning ascribed below:
“Affiliate” means, as to any entity, any other entity that, directly or indirectly, Controls, is Controlled by or is under common Control with such entity.
“Control” for the purposes of this clause means, with respect to any person or entity, the right to exercise or cause the exercise of at least fifty per cent (50%) of the voting rights in such person or entity.
“Agreement” has the meaning ascribed to it in the Terms and Conditions.
“Business Contact Data” means information relating to any individual that uses the Services on behalf of Customer, which may include name, email address and other contact information.
“Data Protection Law” means any and all data protection laws and regulations that apply to the Processing of Personal Data by SkyKick under the Agreement.
“Data Subject” means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Personal Data” means any data that SkyKick Processes via the Services on behalf of Customer that relates to a Data Subject. Personal Data does not include Business Contact Data.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
“Process” or “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Services” means the services provided by or on behalf of SkyKick pursuant to the Agreement.
“SkyKick Partner” means the service provider from whom the Customer has procured the Services.
“Terms and Conditions” means the SkyKick Customer terms and conditions that apply to the Services and in which this DPA is referenced.
Attachment 2 – Scope of Processing
1. Subject-Matter and Duration of Processing
SkyKick Processes Personal Data for the subject matter specified under the Agreement and until the Agreement terminates or expires, unless otherwise agreed upon by the parties in writing. In particular, the subject matter is determined by the Services to which Customer subscribes.
2. Nature and Purpose of Processing
The nature of the processing is cloud migration, cloud storage and cloud management. A more detailed description of the nature and purposes of the Services can be made available through the SkyKick Partner.
3. Subcontractor’s Processing of Personal Data
The table below summarizes the categories of data and storage locations for SkyKick’s current Subprocessors and their respective processing activities.
| Subprocessor | Scope and purpose of processing | Categories of Personal Data | Processing (and storage) locations (e.g. country/state) |
| --- | --- | --- | --- |
| (200 West Thomas Street, Seattle, WA 98119 USA) | Provision of (technical) support | Personal data as described under Section 4 below | United States |
4. Types of Personal Data
Categories of Personal Data to be processed under this DPA include the following: names, e-mail addresses and other contact details, as well as any personal data that may be included in the content of e-mails. More specifically:
- Administrator accounts
- DNS Registrar credentials
Notes on these credentials:
- For SkyKick Cloud Backup & Cloud Manager, multi-factor authentication is used; no usernames or passwords are stored, and access to the underlying SaaS service is granted based on an authentication token.
- SkyKick recommends using a temporary administrator account for migrations, which should be disabled on completion of the migration.
- These credentials may be applied to obtain access to the source for the migration if this access cannot be obtained through the administrator account. SkyKick in all cases recommends resetting the password on the destination environment on completion of a migration and provides automation to support this.
5. Categories of Data Subjects
The categories of data subjects are Customer employees, contractors, business partners and other individuals whose Personal Data is included in the Customer Data.
Attachment 3 – Technical & Organization Security Measures
SkyKick has various technical and organizational security measures in place to secure, maintain and safeguard Personal Data. The security commitments in this DPA are the sole responsibility of SkyKick with respect to the security of that data.
Organization of Information Security
Security Ownership.
SkyKick has appointed a data protection team responsible for coordinating, monitoring and regularly auditing all rules and procedures.
Security Roles and Responsibilities.
SkyKick staff with access to Personal Data are subject to confidentiality obligations.
Risk Management Program.
SkyKick performed a risk assessment before processing Personal Data through their Services and retains related documents pursuant to applicable retention requirements.
Asset Management
Asset Inventory.
SkyKick maintains an inventory of all media on which Personal Data is stored. Access to the inventories of such media is restricted to SkyKick employees authorized to have such access.
SkyKick classifies Personal Data to help identify it and to allow for access to it to be appropriately restricted.
SkyKick imposes restrictions on printing Personal Data and has procedures for disposing of printed materials that contain Customer Data.
SkyKick staff must obtain SkyKick authorization prior to storing Personal Data on portable devices, remotely accessing Customer Data, or processing Personal Data outside SkyKick’s facilities.
Human Resources Security
Security Training.
SkyKick informs its staff about relevant security procedures and their respective roles. SkyKick also informs its staff of possible consequences of breaching the security rules and procedures. SkyKick will only use anonymous data in training.
Physical and Environmental Security
Physical Access to Facilities.
SkyKick limits access to facilities where information systems that process Personal Data are located to identified authorized staff members.
Physical Access to Components.
Where applicable, SkyKick maintains records of the incoming and outgoing media containing Customer Data, including the kind of media, the authorized sender/recipients, date and time, the number of media and the types of Personal Data they contain.
Protection from Disruptions.
SkyKick applies a variety of industry standard systems to protect against loss of data due to power supply failure or line interference.
SkyKick uses industry standard processes to delete Personal Data when it is no longer needed.
Communications and Operations Management
Operational Policy.
SkyKick maintains security documents describing its security measures and the relevant procedures and responsibilities of its staff who have access to Customer Data.
Data Recovery Procedures.
On an ongoing basis SkyKick maintains copies of Personal Data from which Personal Data can be recovered.
SkyKick stores copies of Personal Data and data recovery procedures in a different container from where the Processing of the Personal Data is performed.
SkyKick has procedures in place governing access to copies of Customer Data.
SkyKick reviews its data recovery procedures at least annually.
SkyKick logs data restoration efforts, including the person responsible for the restoration and a description of the restored data.
SkyKick has anti-malware controls to help avoid malicious software, including malicious software originating from public networks, gaining unauthorized access to Customer Data.
Data Beyond Boundaries.
SkyKick encrypts, or enables Customer to encrypt, Personal Data that is transmitted over public networks.
SkyKick restricts access to Personal Data in media leaving its facilities.
SkyKick logs the access and use of information systems containing Customer Data, registering the user ID, time, authorization granted or denied, and relevant activity of its staff members.
Access Control
Access Policy.
SkyKick maintains a record of security privileges of staff members having access to Customer Data.
SkyKick maintains and updates a record of staff authorized to access SkyKick systems that contain Customer Data.
SkyKick deactivates authentication credentials that are no longer in use within a period not exceeding six months.
SkyKick identifies those staff members who may grant, alter or cancel authorized access to data and resources.
SkyKick ensures that where more than one individual has access to systems containing Customer Data, the staff members have separate user identifiers and log-ins.
SkyKick staff members are only permitted to have access to Personal Data when required.
SkyKick restricts access to Personal Data to only those staff members who require such access to perform their job function.
Integrity and Confidentiality.
SkyKick instructs SkyKick staff to disable administrative sessions when leaving premises SkyKick controls or when computers are otherwise left unattended.
SkyKick stores passwords in a way that makes them unintelligible while they are in force.
SkyKick uses industry standard practices to identify and authenticate users who attempt to access information systems.
Where authentication mechanisms are solely based on passwords, SkyKick requires that the passwords are renewed regularly.
Where authentication mechanisms are solely based on passwords, SkyKick requires the password to be at least eight characters long.
SkyKick ensures that de-activated or expired identifiers are not granted to other staff members.
SkyKick monitors repeated attempts to gain access to the information system using an invalid password.
SkyKick maintains industry standard procedures to deactivate passwords that have been corrupted or inadvertently disclosed.
SkyKick uses industry standard password protection practices, including practices designed to maintain the confidentiality and integrity of passwords when they are assigned and distributed, and during storage.
SkyKick has controls to avoid staff members assuming access rights they have not been assigned to gain access to Personal Data they are not authorized to access.
Information Security Incident Management
Incident Response Process.
SkyKick maintains a record of security incidents with a description of the incident, the time period, its consequences, the name of the reporter, and to whom the incident was reported, and the procedure for recovering from an incident.
For each incident pertaining to Customer Data, notification by SkyKick will be made without undue delay and, in any event, within 72 hours.
SkyKick tracks disclosures of Customer Data, including what data has been disclosed, to whom, and at what time.
SkyKick security staff verify logs at least every six months to propose remediation efforts if necessary.
Business Continuity Management
SkyKick maintains emergency and contingency plans for the facilities in which SkyKick information systems that process Personal Data are located.
SkyKick’s redundant storage and its procedures for recovering data are designed to attempt to reconstruct Personal Data in its original or last-replicated state from before the time it was lost or destroyed.
Data Pro Statement
Along with the Data Processing Addendum and its Attachments, this Data Pro Statement constitutes the Data Processing Addendum for the product or service(s) as provided by the company that has drawn up this Data Pro Statement.
1. Data Processor
This Data Pro Statement was drawn up by the following data processor:
SkyKick B.V. (“SkyKick”)
James Wattstraat 100
1097 DM Amsterdam
If you have any queries about this Data Pro Statement or data protection in general, please contact:
Global Data Protection Officer
2. Effective date
The Data Pro Statement shall enter into force on 5 November 2020.
We regularly revise our security measures described in this Data Pro Statement to ensure that we are always fully prepared and up to date regarding data protection. If this document is updated, we shall notify you of the revised versions through our regular channels.
3. Products and Services
This Data Pro Statement applies to the following products and services as provided by SkyKick: the entirety of the SkyKick Platform, including SkyKick Migration Suites, SkyKick Cloud Backup for Office 365 & SkyKick Cloud Manager.
4. SkyKick Product Descriptions
4.1 SkyKick Migration Suites
With the SkyKick cloud migration suites, resellers can assist customers with cloud migration projects from pre-sales to project completion. Further product information is available here:
4.2 SkyKick Cloud Backup
The SkyKick cloud backup solution allows customers to protect their data from ransomware and other malicious or inadvertent events that lead to data loss or data corruption. Further product information is available here:
4.3 Description of SkyKick Cloud Manager
The SkyKick cloud management product allows for seamless management of services across customer, SaaS, and even hybrid environments. Through automation, customers can improve their help desk performance and strengthen security and data protection. Further product information is available here:
5. Intended use of the SkyKick Services
The SkyKick platform was designed and built to process the types of data as described in Attachment 2 – Scope of Processing of the data processing addendum. When the services were designed the possibility that these would be used to process special categories of personal data or data regarding criminal convictions and offences or personal numbers issued by the government was not considered. It is up to Customer to determine whether it shall use the SkyKick services to process such data.
6. Processing of data outside the EU/EEA
SkyKick has ensured that the personal data shall be protected to an appropriate standard as any personal data transferred from SkyKick to a Subprocessor located outside the EEA, United Kingdom and Switzerland shall be governed by the Standard Contractual Clauses Module 3 (processor-to-processor), entered between SkyKick and the relevant Subprocessor.
As part of its commitment to the adherence to GDPR SkyKick can – on entering into a non-disclosure agreement with the customer – provide additional detail on the additional safeguards it has put in place to complement the Standard Contractual Clauses to ensure its compliance with the GDPR in light of the ruling from the EU Court of Justice in the case Schrems II.
7. Use of Subprocessors
All current Subprocessors of SkyKick are listed in Attachment 2 – Scope of Processing, section 3.
8. Support with requests from Data Subjects
SkyKick shall support its Customers to respond to requests from Data Subjects as described in the Data Processing Addendum, section 4.1.
9. Support with Data Privacy Impact Assessments (DPIA)
SkyKick shall support its Customers with Data Privacy Impact Assessments (DPIA) as described in the Data Processing Addendum, section 4.2.
10. Data deletion
Once an agreement with a Customer has been terminated, SkyKick shall delete personal data it processes on behalf of Customer in such a manner that they shall no longer be able to be used and shall be rendered inaccessible and as further described in the Data Processing Addendum section 3.
For SkyKick Cloud Manager, deletion of personal data is executed automatically as soon as the service is disabled. For SkyKick Migration Suites, data is deleted 365 days after a migration cutover date, provided no objects were changed after this date; this is because support calls may come in up to a year after the cutover date of a migration. For SkyKick Cloud Backup, data is only deleted on request by the customer and follows an automated purge process which can be cancelled up to 72 hours after the deletion has been requested; this is to avoid malicious or accidental deletion of mission critical data.
Further details on the deletion of data and the automation can be provided upon request through our Data Protection Officer.
11. Data exports
If desired by a customer, once an agreement with a customer has been terminated SkyKick can return personal data it processes, as further described in the Data Processing Addendum section 3.
12. Security Measures
SkyKick has implemented the security measures as described in Attachment 3 – Technical & Organization Security Measures, and SkyKick adheres to the core principles of the following frameworks in relation to the maintenance of its Information Security Management System (ISMS):
- NEN-ISO 9001
- NEN-ISO 27001
- Microsoft Security Development Lifecycle
- CAIQ V3.1
SkyKick has obtained the following certificates:
- Data Pro Certificate
13. Data leak protocol
In the unfortunate event something does go wrong, SkyKick shall follow the data breach protocol as described in the Data Processing Addendum section 4.3.