Data Processing Addendum
GDPR-compliant Data Processing Addendum forming part of the Terms of Service when Skeldy processes personal data on behalf of a customer.
Last updated · 2 May 2026
1. Subject matter and roles
This Addendum governs Skeldy's processing of Customer Personal Data on the customer's behalf. The customer is the controller; Skeldy SAS is the processor.
2. Categories of data and data subjects
- Data subjects — the customer's staff, managers, and authorised users.
- Categories — identification (name, email), employment metadata (role, section, qualifications), schedule data, in-product communications, audit and security logs.
- No special categories of data (Art. 9 GDPR) are processed by default. Health-adjacent data such as sick-leave reasons must not be entered into Skeldy.
3. Duration and instructions
Processing lasts for the duration of the subscription plus the deletion window described below. Skeldy processes data only on the customer's documented instructions, including instructions given through the product UI and API.
4. Sub-processors
Skeldy uses the sub-processors listed in the Privacy Policy. We will notify customers of new sub-processors at least 30 days in advance. Customers may object on reasonable grounds; if the objection cannot be resolved, we will offer the customer the right to terminate the affected service.
5. International transfers
Production data resides in the EU. Where transfers outside the EEA are required (e.g., Stripe), we rely on EU Standard Contractual Clauses (Decision 2021/914) plus supplementary technical measures. The relevant module of the SCCs is incorporated by reference into this Addendum.
6. Security measures
- Encryption — TLS 1.2+ in transit, AES-256 at rest.
- Access — least-privilege role-based access, MFA on all administrative accounts.
- Database — row-level security policies enforce hierarchy across every table.
- Logging — privileged actions logged for 13 months.
- Backups — point-in-time recovery enabled, restore tested at least annually.
- Pen-test — independent test executed at least annually; remediation of high+ findings before launch.
- Personnel — confidentiality undertakings, security training annually.
7. Assistance with data subject rights
Skeldy provides self-service export and deletion endpoints. Where additional assistance is required to respond to a data subject request, we will assist within 30 days. Contact [email protected].
8. Personal data breach notification
We notify the customer without undue delay and at the latest within 72 hours of becoming aware of a personal data breach affecting Customer Personal Data, with sufficient information to enable the customer's own GDPR Art. 33 / 34 obligations.
9. Audits
Customers may request audit information once per 12-month period, satisfied by SOC 2 reports, penetration test summaries, or written responses to a security questionnaire. On-site audits are available where mandatory under applicable law and at the requesting party's expense.
10. Return and deletion
On termination, customers may export data for 30 days. After that period, Skeldy deletes Customer Personal Data within a further 30 days, except where retention is required by law (e.g., billing records).