Data Processing Agreement

Last updated: March 25, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Skill Control Plane ("Processor") and the customer ("Controller") and governs the processing of personal data.

1. Definitions

  • Personal Data — Any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
  • Processing — Any operation performed on personal data, including collection, storage, modification, retrieval, disclosure, or deletion.
  • Data Subject — The individual whose personal data is processed.

2. Scope of Processing

The Processor processes personal data solely to provide the Service, including:

  • User authentication and access management
  • Skill governance workflow processing
  • Billing and subscription management
  • Audit logging and security monitoring
  • Email notifications

3. Data Subject Categories

  • Controller's employees and contractors who access the platform
  • AI agents configured to interact with the platform via MCP/API

4. Types of Personal Data

  • Name, email address, profile picture
  • Organization membership and role
  • Usage logs and activity records
  • Billing contact information (via Stripe)

5. Security Measures

The Processor implements the following technical and organizational measures:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access control with principle of least privilege
  • Immutable audit logging of all administrative actions
  • Automated security scanning of uploaded content
  • Regular access reviews and credential rotation
  • Incident response procedures with 72-hour breach notification

6. Subprocessors

The current list of authorized subprocessors is maintained at /subprocessors. The Controller will be notified at least 30 days before any subprocessor changes take effect.

7. International Transfers

Personal data may be transferred to and processed in the United States. Such transfers are governed by the EU Standard Contractual Clauses (SCCs) as approved by the European Commission Decision 2021/914.

8. Data Subject Rights

The Processor will assist the Controller in fulfilling data subject requests (access, rectification, erasure, portability, restriction, objection) within the timeframes required by GDPR. Self-service tools for data export and account deletion are available in the platform.

9. Data Retention & Deletion

Upon termination or upon Controller's request, the Processor will delete or return all personal data within 30 days, except where retention is required by law. Audit logs are anonymized rather than deleted to maintain compliance records.

10. Breach Notification

The Processor will notify the Controller of any personal data breach without undue delay and in any event within 72 hours of becoming aware of it, providing all information required under GDPR Article 33.

11. Contact

Data protection inquiries: [email protected]
