Data Processing Addendum

Last updated: May 13, 2026

This Data Processing Addendum (the "DPA") sets out the data protection terms that apply when SkillsDB processes personal data on behalf of our customers. It forms part of the Software Services Agreement ("Agreement") between SkillsDB Inc. ("SkillsDB," "we," "us") and the customer entity using our Services ("Customer," "you"), and is incorporated into the Agreement by reference.

You don't need to sign this DPA separately for it to apply — entering into the Agreement is enough. If your legal or procurement team requires a counter-signed copy, email privacy@skillsdb.com and we'll provide one.

Contents

  1. Introduction and Scope
  2. Definitions
  3. Roles and Responsibilities
  4. Processing as a Processor
  5. Processing as an Independent Controller
  6. Sub-Processors
  7. International Data Transfers
  8. U.S. State Privacy Laws
  9. Audits and Assessments
  10. Liability
  11. General Terms
  12. Contact

1. Introduction and Scope

1.1 When This DPA Applies

This DPA applies whenever SkillsDB processes Personal Data on behalf of a Customer in the course of providing our Services.

1.2 Order of Precedence

If anything in this DPA conflicts with the Agreement, this DPA controls for matters of Personal Data protection. For everything else, the Agreement controls. The Standard Contractual Clauses, where they apply, control over both.

1.3 Term

This DPA is effective on the Effective Date of the Agreement and remains in effect for as long as we process Personal Data on your behalf.

2. Definitions

The following terms have the meanings set out below. Capitalized terms not defined here have the meanings given in the Agreement or in applicable Data Protection Laws.

  • "Affiliate" means any entity that owns or controls, is owned or controlled by, or is under common control or ownership with a party.
  • "Data Protection Laws" means all laws and regulations applicable to the Processing of Personal Data under this DPA, including (in each case as applicable and as amended): (i) the GDPR; (ii) the UK GDPR; (iii) the Swiss Federal Act on Data Protection ("Swiss FADP"); (iv) the U.S. State Privacy Laws (defined below); (v) national laws supplementing or derogating from the foregoing; and (vi) binding guidance and codes of practice issued by relevant supervisory authorities.
  • "EU Standard Contractual Clauses" or "EU SCCs" means the Standard Contractual Clauses approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (or its successor).
  • "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
  • "Personal Data Breach" has the meaning given in the GDPR (and equivalent terms in other Data Protection Laws, where applicable).
  • "Restricted Transfer" means a transfer of Personal Data from a jurisdiction in which the transfer would be prohibited by Data Protection Laws absent a valid transfer mechanism, including transfers from the EEA, the United Kingdom, or Switzerland to a jurisdiction without an adequacy decision.
  • "Services" means the services supplied by SkillsDB to Customer under the Agreement.
  • "Standard Contractual Clauses" means, as applicable in the context, the EU SCCs and/or the EU SCCs as amended by the UK IDTA.
  • "Sub-Processor" means any third party engaged by SkillsDB to Process Personal Data on behalf of Customer.
  • "UK GDPR" means the GDPR as transposed into United Kingdom national law by section 3 of the European Union (Withdrawal) Act 2018, as amended.
  • "UK IDTA" means the International Data Transfer Addendum issued by the UK Information Commissioner under section 119A(1) of the UK Data Protection Act 2018.
  • "U.S. State Privacy Laws" means the California Consumer Privacy Act and California Privacy Rights Act (collectively "CCPA"), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Utah Consumer Privacy Act (UCPA), the Texas Data Privacy and Security Act (TDPSA), the Oregon Consumer Privacy Act (OCPA), the Montana Consumer Data Privacy Act (MCDPA), and any other comprehensive state-level privacy law applicable to the Processing of Personal Data under this DPA, in each case as amended.

The terms "Controller", "Processor", "Data Subject", "Personal Data", "Process / Processing", "Service Provider", "Contractor", and "Supervisory Authority" have the meanings given in applicable Data Protection Laws.

3. Roles and Responsibilities

3.1 SkillsDB as Processor

For most processing in connection with the Services, you act as the Controller (and where applicable, the Business or Data Exporter) and SkillsDB acts as the Processor (and where applicable, the Service Provider, Contractor, or Data Importer). Section 4 governs.

3.2 SkillsDB as Independent Controller

For certain limited processing — account administration, billing, support communications, product analytics, and your general business interactions with us — SkillsDB acts as an independent Controller. Section 5 governs.

4. Processing as a Processor

4.1 Scope and Instructions

We process Personal Data only on your documented instructions, for the purpose of providing the Services. The Agreement, this DPA, and any in-Service configurations you make are your complete and final instructions. Anything beyond that scope requires mutual written agreement, including any applicable fees. We'll let you know if we believe an instruction would violate Data Protection Laws.

4.2 Personnel and Confidentiality

Our personnel authorized to process Personal Data are bound by appropriate confidentiality obligations and have undergone training in the protection of Personal Data.

4.3 Security Measures

We implement and maintain the technical and organizational measures set out in Appendix 2, designed to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR and equivalent requirements under other Data Protection Laws. Our information security program is audited annually under the SOC 2 Type II framework. The current report is available at trust.skillsdb.com upon request under a customary non-disclosure agreement.

4.4 Personal Data Breach Notification

We will notify you without undue delay, and in any event within 48 hours, after confirming a Personal Data Breach affecting your Personal Data. The notification will include, to the extent known at the time and as more information becomes available: (i) the nature of the breach, including the categories and approximate number of affected Data Subjects and records; (ii) the likely consequences; (iii) the measures taken or proposed to address the breach and mitigate adverse effects; and (iv) a designated contact point for further information. We'll reasonably cooperate with your investigation, regulatory notifications, and Data Subject communications.

4.5 Assistance with Data Subject Requests

Taking into account the nature of the processing, we'll provide reasonable assistance through appropriate technical and organizational measures to enable you to respond to Data Subject requests under Data Protection Laws. If we receive a request directly that relates to your Personal Data, we'll forward it to you promptly.

4.6 Assistance with DPIAs and Consultations

We'll provide reasonable assistance with data protection impact assessments and prior consultations with Supervisory Authorities, to the extent required under Data Protection Laws and taking into account the nature of the processing and the information available to us.

4.7 Return or Deletion

Upon termination or expiration of the Agreement, at your written election within 30 days, we will return or delete your Personal Data in our possession, in accordance with Section 11.2(d) of the Agreement. After 60 days following termination, we have no obligation to retain your Personal Data and will securely delete it in accordance with our standard practices, unless retention is required by applicable law.

5. Processing as an Independent Controller

5.1 Independent Controllers

To the extent we act as an independent Controller (as described in Section 3.2), each party acts as a separate and distinct independent Controller. Neither party is a joint Controller with the other.

5.2 Obligations

We will: (i) comply with applicable Data Protection Laws when processing such Personal Data; (ii) process such Personal Data only as necessary to perform our obligations under the Agreement or as otherwise required by law; (iii) maintain appropriate technical and organizational measures consistent with Section 4.3; and (iv) notify you in writing without undue delay, and in any event within 48 hours, of becoming aware of a Personal Data Breach affecting such Personal Data.

5.3 Cooperation

The parties will reasonably cooperate with each other in connection with (i) any notifications to Supervisory Authorities or Data Subjects following a Personal Data Breach, and (ii) any Data Subject request, communication, or regulatory inquiry concerning the processing of Personal Data.

6. Sub-Processors

6.1 General Authorization

You give us general authorization to engage Sub-Processors to process Personal Data, subject to this Section 6.

6.2 Current Sub-Processors

The current list is maintained at trust.skillsdb.com and is the source of truth for all our Sub-Processor relationships.

6.3 Notice of Changes; Objection

We'll give you at least 30 days' advance notice before adding or replacing a Sub-Processor that will process your Personal Data, by (i) updating the list at trust.skillsdb.com, and (ii) emailing the privacy or notices contact you've designated (or by providing a subscription mechanism at trust.skillsdb.com for these notifications).

If you object on reasonable data-protection grounds within 30 days of notice, and we can't resolve the objection in good faith within a reasonable time, your exclusive remedy is to terminate the affected Services under the Agreement. We'll refund any prepaid Service Fees for the unused portion of the then-current Subscription Term on a pro-rated basis.

6.4 Sub-Processor Agreements

We impose data protection obligations on each Sub-Processor that are no less protective than those in this DPA, including security measures appropriate to the risk and obligations to honor Data Subject rights. We remain responsible for each Sub-Processor's performance.

7. International Data Transfers

7.1 EU Restricted Transfers — Processor

For Restricted Transfers subject to the GDPR where SkillsDB acts as Processor, the parties incorporate Module 2 (Controller to Processor) of the EU SCCs by reference. Customer (and any applicable Affiliate) is the data exporter; SkillsDB is the data importer. Selections:

  • Clause 7 (Docking) — applies.
  • Clause 9 (Sub-processors) — Option 1 (General Authorization) applies, with the time period in Section 6.3.
  • Clause 11(a) (Redress) — optional language does not apply.
  • Clause 13(a) (Supervision) — the competent supervisory authority is the supervisory authority of The Netherlands.
  • Clause 17 (Governing Law) — Option 1 applies; the governing law is the law of the Agreement, or where that is non-EU, the law of The Netherlands.
  • Clause 18 (Forum and Jurisdiction) — as in the Agreement, or where that is non-EU, the courts of The Netherlands.
  • Annex I.A and I.B — as set out in Appendix 1.
  • Annex II — as set out in Appendix 2.
  • Annex III — the Sub-Processor list at trust.skillsdb.com.

7.2 EU Restricted Transfers — Controller

For Restricted Transfers subject to the GDPR where SkillsDB acts as independent Controller, the parties incorporate Module 1 (Controller to Controller) of the EU SCCs, with the same selections as Section 7.1 applied mutatis mutandis.

7.3 UK Restricted Transfers

For Restricted Transfers subject to the UK GDPR, the EU SCCs are deemed amended by the UK IDTA, with these permitted amendments to Part 1 (Tables):

  • Table 1 — SkillsDB as Data Importer (with applicable role and Key Contact); Customer and Affiliates as Data Exporter.
  • Table 2 — Approved EU SCCs as in Section 7.1 or 7.2 (as applicable).
  • Table 3 — Appendix 1.
  • Table 4 — Neither party may terminate solely due to changes to the Approved Addendum.

7.4 Swiss Restricted Transfers

For Restricted Transfers subject to the Swiss FADP, the EU SCCs apply with these adjustments: (a) references to the GDPR include the Swiss FADP; (b) references to the EU and EU Member States include Switzerland; (c) the supervisory authority is the Swiss Federal Data Protection and Information Commissioner; (d) the governing law is Swiss law where Swiss law applies; (e) the forum is the courts of Switzerland to the extent required by Swiss law.

7.5 Alternative Transfer Mechanisms

If the Standard Contractual Clauses ever cease to provide a lawful basis for a Restricted Transfer, we'll work with you in good faith to put an alternative compliant mechanism in place.

8. U.S. State Privacy Laws

8.1 Service Provider / Processor Status

For processing subject to U.S. State Privacy Laws, SkillsDB acts as a "service provider" or "contractor" (CCPA) or as a "processor" (under VCDPA, CPA, CTDPA, UCPA, TDPSA, OCPA, MCDPA, and similar laws). We'll provide the same level of privacy protection to Personal Data as is required of you under applicable U.S. State Privacy Laws.

8.2 Restrictions on Use

We will:

  • process Personal Data only for the specific business purposes of performing the Services, in accordance with the Agreement and this DPA;
  • not "sell" or "share" (as defined under the CCPA) Personal Data, or otherwise use or disclose it for cross-context behavioral advertising;
  • not process Personal Data outside the direct business relationship between you and SkillsDB or for any commercial purpose other than performance of the Services;
  • not combine Personal Data received from you with Personal Data received from or on behalf of any other person, except as permitted by applicable U.S. State Privacy Laws;
  • where we receive deidentified data (or deidentify Personal Data you've provided): take reasonable measures to ensure it can't be re-associated with a consumer or household; publicly commit to maintaining it in deidentified form; not attempt to reidentify it; and contractually bind recipients to equivalent requirements;
  • promptly notify you if we determine that we can't comply with this DPA or applicable Data Protection Laws and, on your request, cease processing or remediate unauthorized use; and
  • on reasonable notice, allow you to take reasonable and appropriate steps to ensure we're using Personal Data in a manner consistent with your obligations under U.S. State Privacy Laws.

8.3 Sub-Processor Restrictions

We disclose Personal Data to Sub-Processors only under written contract terms providing protections substantially equivalent to those in this DPA, and solely to enable us to provide the Services for your benefit.

8.4 Assistance with Data Subject Rights

We'll assist you, by appropriate technical and organizational measures and to the extent reasonably practicable, in responding to verified Data Subject requests under U.S. State Privacy Laws — including access, deletion, correction, portability, and opt-out requests.

8.5 Certification

SkillsDB certifies that it understands the restrictions in this DPA (including this Section 8) and will comply with them.

9. Audits and Assessments

9.1 SOC 2 Type II

We maintain a SOC 2 Type II audited information security program. Your audit and inspection rights under this DPA and the Standard Contractual Clauses (including SCC Clause 8.9) are satisfied in the first instance by our provision of the current SOC 2 Type II report under a customary non-disclosure agreement.

9.2 Additional Information

No more than once per 12-month period and on at least 15 business days' written notice, you may request additional information reasonably necessary to demonstrate our compliance with this DPA. We'll respond within a reasonable time.

9.3 On-Site Audits

You may conduct an on-site audit of our facilities and processing activities only where (a) a competent Supervisory Authority requires it, (b) the parties have confirmed a material Personal Data Breach affecting you, or (c) the SOC 2 Type II report and additional information above are insufficient to address a reasonable concern under Data Protection Laws.

On-site audits are: (i) conducted by you or a mutually agreed independent third-party auditor under non-disclosure obligations; (ii) at your expense; (iii) at mutually agreed times during normal business hours; (iv) with at least 30 days' advance written notice; and (v) limited to information directly relevant to our obligations under this DPA, subject to reasonable confidentiality and security protections.

10. Liability

The parties' total aggregate liability arising under or in connection with this DPA (including the Standard Contractual Clauses) is subject to the limitations of liability set out in the Agreement.

11. General Terms

11.1 Governing Law

This DPA is governed by the law specified in the Agreement, subject to the governing law selections in Section 7 for the Standard Contractual Clauses.

11.2 Changes to This DPA

We may update this DPA from time to time by posting a revised version at skillsdb.com/dpa. We'll provide notice of material changes by (i) updating the "Last updated" date at the top, and (ii) emailing the notices contact you've designated at least 30 days before the changes take effect (or such longer period as Data Protection Laws may require). Continued use of the Services constitutes acceptance of the updated DPA.

11.3 Severability

If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions remain in full force and effect.

11.4 Need a Counter-Signed Copy?

You don't need to sign this DPA for it to apply — it's incorporated into your Agreement by reference. If your legal or procurement team requires a counter-signed copy, email privacy@skillsdb.com and we'll provide one.

12. Contact

Data Protection Officer: privacy@skillsdb.com

EU Representative (Article 27 GDPR)
DataRep Ltd., The Cube, Monahan Road, Cork, T12 H1XY, Republic of Ireland
datarequest@datarep.com · +353 1 554 9700

UK Representative (Article 27 UK GDPR)
DataRep UK Ltd., 107-111 Fleet Street, London, EC4A 2AB, United Kingdom
datarequest@datarep.com · +44 20 3287 7264


Appendix 1 — Description of Processing

A. Subject Matter and Duration

Subject matter: Processing of Personal Data in connection with the SkillsDB platform and related Services.

Duration: For the term of the Agreement and any post-termination retention period set out in Section 4.7.

B. Nature and Purpose

We process Personal Data to provide skills intelligence, skills tracking, gap analysis, career progression, assessments, talent development, internal mobility, and workforce planning Services to your organization, and to deliver related support, account administration, and technical operations.

C. Categories of Personal Data

Routine, low-risk business contact and competency data, including:

  • first and last name;
  • business email address;
  • job title, role, and competency group;
  • skill grades and assessment results;
  • authentication data (e.g., login identifiers and device tokens); and
  • other employment-context data you or your users input.

You're contractually prohibited from uploading Prohibited Data (as defined in the Agreement), including special categories of Personal Data under Article 9 GDPR, financial account data, government identifiers, and health data.

D. Categories of Data Subjects

Your employees, contractors, applicants, non-executive directors, vendors, and other individuals whose data you choose to upload to the Services.

E. Frequency of Restricted Transfers

Continuous, as necessary to deliver the Services for the duration of the Agreement.

F. Retention Period

For the term of the Agreement, plus the post-termination period set out in Section 4.7 of this DPA and Section 11.2(d) of the Agreement.

G. Sub-Processors

Per the current list at trust.skillsdb.com.


Appendix 2 — Technical and Organizational Measures

We maintain a SOC 2 Type II audited information security program. The detailed controls evaluated under that program are described in our current SOC 2 Type II report, available at trust.skillsdb.com upon request under a customary non-disclosure agreement. The program includes, at a minimum, the following measures, which apply to the processing of Personal Data on your behalf.

  1. Information security program. A formal, documented information security program aligned with the SOC 2 Trust Services Criteria and informed by NIST, ISO 27001/27002, and similar industry frameworks. A named Information Security Officer.
  2. Access controls. Role-based access controls with least-privilege principles, multi-factor authentication for administrative access to customer environments and to internal systems containing customer Personal Data, periodic access reviews, and prompt deprovisioning on personnel changes.
  3. Encryption. Transport layer security (TLS) encryption in transit; encryption at rest for customer Personal Data stored in SkillsDB-managed databases and backups; encryption of company-managed laptops and removable media.
  4. Network security. Network segmentation, firewall controls, intrusion detection, and continuous monitoring of production environments.
  5. Vulnerability management. Annual third-party penetration testing of production applications and infrastructure; regular vulnerability scanning; remediation in accordance with our vulnerability management policy.
  6. Endpoint protection. Anti-malware controls on company-managed endpoints; centralized endpoint management and patching.
  7. Personnel. Background checks (consistent with applicable law) for personnel with access to customer Personal Data; mandatory annual security and privacy awareness training; confidentiality obligations binding on all personnel.
  8. Vendor management. Risk-based assessment of Sub-Processors; contractual obligations consistent with this DPA.
  9. Incident response. A documented incident response program with defined roles, escalation paths, and post-incident review.
  10. Business continuity and disaster recovery. Documented business continuity and disaster recovery plans, tested at least annually, with defined Recovery Time Objectives and Recovery Point Objectives for production systems.
  11. Physical security. Production environments are hosted by SOC 2 / ISO 27001 certified cloud infrastructure providers; SkillsDB offices implement appropriate physical access controls.
  12. Change management. Documented software development lifecycle including code review, automated testing, and staged deployment.

Appendix 3 — Sub-Processors

The current list of authorized Sub-Processors is maintained at trust.skillsdb.com and is the source of truth for our Sub-Processor relationships. Changes to this list are governed by Section 6.3.