Data Processing
How we protect your data
Skilitics Data Processing Addendum
This Data Processing Addendum ("DPA") forms part of the Skilitics Terms of Use. It applies whenever Skilitics Limited ("Skilitics", "we", "us") processes Personal Data on behalf of any customer or visitor ("you"). Our goal is to explain clearly, and without legal jargon, how we collect, use, protect, transfer, and dispose of Personal Data while delivering Interact, our SaaS Learning Development Platform (the "Service").
1. Key Definitions
Where capitalised terms are used, they have the meanings below (or those given in Applicable Data Protection Laws).
Term | Plain‑English meaning |
---|---|
Applicable Data Protection Laws | All privacy laws that apply to your use of the Service (e.g., EU & UK GDPR, Swiss FADP, California CCPA/CPRA, other US‑state statutes, Australia Privacy Act). |
Controller / Customer | You – the entity that decides why and how Personal Data is processed. |
Processor / Skilitics | Us – we process Personal Data only on your documented instructions. |
Affiliate | Any entity that directly or indirectly controls, is controlled by, or is under common control with a party. Skilitics Affiliates may act as Sub‑processors. |
Personal Data | Any information that identifies or could identify a living individual (e.g., name, email, assessment results). |
Processing | Anything done with Personal Data: collecting, storing, analysing, deleting, etc. |
Sub‑processor | A third‑party provider (including Affiliates) engaged by Skilitics to help deliver the Service. |
Standard Contractual Clauses (SCCs) | European Commission templates that legally authorise certain international data transfers. |
Personal Data Breach | A confirmed accidental or unlawful loss, disclosure, or unauthorised access to Personal Data. |

Children’s Data Disclaimer – The Service is not designed to process Personal Data of children under 13 (or the equivalent minimum age in the relevant jurisdiction). You must not use the Service in a way that could result in uploading such data without our prior written agreement.
2. How Skilitics Processes Your Data
Purpose limitation – We process Personal Data only on your documented instructions to deliver, secure, and support the Service.
Compliance – We comply with all Applicable Data Protection Laws when acting as Processor. You remain responsible for laws unique to your industry or use‑case.
Conflict of laws – If a law prevents us from following your instruction, we will tell you (unless legally restricted) and pause non‑compliant processing until you provide lawful alternative instructions.
2.1 Security
We maintain an ISO 27001‑aligned Information Security Management System and the measures summarised in Annex 5. These include: encryption at rest and in transit using industry‑standard algorithms; keys managed via AWS KMS; role‑based access control; regular vulnerability scanning; and 24×7 monitoring. We may enhance these measures from time to time provided protection is not materially diminished.
A concise summary of our full controls can be obtained by paying customers on request.
2.2 Confidentiality
All personnel and Sub‑processors are bound by written confidentiality commitments that survive termination of their engagement with Skilitics.
2.3 Personal Data Breaches
We will notify you without undue delay (and in any case within 48 hours) after becoming aware of a Personal Data Breach, share all relevant information, and assist you in meeting regulatory duties.
2.4 Deletion / Return
Within 30 days of account closure you may request an export of your Personal Data in a structured, commonly used, machine‑readable format (CSV or JSON). Reasonable costs may apply.
We irreversibly delete remaining copies after that timeframe unless law requires retention.
On request, Skilitics will certify deletion under Article 28 (3)(g).
Data stored in immutable backups will be isolated and overwritten on the next scheduled cycle.
2.5 Processing under US State Privacy Laws
For data subject to the CCPA/CPRA and analogous US‑state privacy laws, Skilitics acts as a “service provider” / “processor.” We (and our Sub‑processors) will not sell, share, or use Personal Data for any purpose other than performing the Service, or as permitted by those laws.
2.6 Audit Rights
Once per rolling 12‑month period, or after a confirmed Personal Data Breach, you may review documentation that demonstrates our alignment with ISO 27001 requirements, recent penetration‑test summaries, and other security compliance materials available to paying customers on request. We do not offer customer‑initiated on‑site or remote audits. Where a competent supervisory authority lawfully requires an inspection, we will cooperate directly with that authority.
2.7 Government Access Requests
If we receive a legally binding request from law‑enforcement or government authorities for Personal Data, we will (i) promptly notify you before disclosing any data, unless we are legally prohibited, and (ii) challenge any request we reasonably believe is unlawful or over‑broad. We will share only the minimum amount of data required to comply.
3. Your Responsibilities as Controller
You confirm that:
Personal Data supplied to Skilitics is collected lawfully and is accurate.
You provide all required privacy notices and obtain any necessary consents.
Your instructions to Skilitics are lawful.
You and your end users access and use the Service in accordance with the Skilitics Terms of Use, including any Acceptable Use restrictions.
You are responsible for email‑marketing compliance when using in‑product messaging features.
If you cannot meet these obligations, you will promptly let us know so we can work together on a solution.
4. International Data Transfers
Primary hosting – Skilitics uses Amazon Web Services data centres located in the United States.
When we transfer Personal Data from the EEA, UK, or Switzerland to a non‑adequate country we rely on the mechanisms set out in Annex 2:
EU SCCs (Modules 2 & 3) + optional Docking Clause.
UK International Data Transfer Addendum (IDTA).
Swiss Federal Addendum.
Skilitics will provide reasonable information about its transfer safeguards to assist you in completing any Transfer‑Impact Assessment (TIA).
We will adopt any future replacement mechanisms as they take effect.
5. Sub‑processors
We carefully vet all Sub‑processors for security and privacy. A continuously updated list of our current Sub‑processors, including their purpose and location, is available at https://www.skilitics.com/legal/sub-processors. We will give 30 days’ notice before adding or replacing a Sub‑processor so you can object on reasonable data‑protection grounds.
Skilitics remains fully liable for the acts and omissions of its Sub‑processors as if performing the Service itself, and will ensure all Sub‑processors are bound by written terms imposing no‑sale/no‑share obligations equivalent to § 2.5.
Objection Remedy
If you object to a new Sub‑processor and the parties cannot find a commercially reasonable workaround within 15 business days, you may disable the affected feature or terminate the impacted portion of the Service. We will refund any prepaid fees pro‑rated for the terminated portion.
6. Assistance to You
Data Subject Requests – The admin console allows you to export, correct, or delete learner data. When additional help is required, we will forward any request without undue delay and in any event within five (5) business days, and provide further assistance (reasonable fees may apply).
Data‑Protection Impact Assessments, Transfer‑Impact Assessments & Prior Consultations – We will supply information and cooperation required to complete DPIAs, TIAs, or consult with supervisory authorities.
7. Limitation of Liability
Any liability arising under this DPA is subject to (and does not increase) the limitations set out in the Skilitics Terms of Use.
8. Governing Law
Unless mandated otherwise, this DPA is governed by the laws of New Zealand, and disputes are subject to the non‑exclusive jurisdiction of New Zealand courts. SCC‑specific matters are governed by Irish law (see Annex 2).
9. Miscellaneous
Amendments – We may update this DPA by posting a revised version and providing at least 30 days’ notice. Continued use of the Service after the effective date constitutes acceptance.
Severability – If any provision of this DPA is determined to be invalid or unenforceable, the remaining provisions will remain in full force and effect.
Assignment – Neither party may assign this DPA without the other party’s prior written consent, except to an Affiliate or in connection with a merger, acquisition, or sale of substantially all assets. Any permitted successor will honour this DPA.
Entire Agreement – This DPA, together with its Annexes and the Terms of Use, constitutes the entire agreement between the parties with respect to its subject matter and supersedes all prior data‑processing agreements.
Sector‑specific laws – Where applicable (e.g., HIPAA, GLBA), Skilitics is willing to enter into additional compliant addenda upon request.
Annexes (integral to this DPA)
All annexes are available to paying customers on request.
Annex 1 – Description of Processing – Types of Personal Data, categories of Data Subjects, purpose, nature, and duration.
Annex 2 – International Transfer Mechanisms
EU SCCs (2021 Modules 2 & 3) with optional Docking Clause.
UK International Data Transfer Addendum (IDTA).
Swiss Federal Addendum.
Annex 3 – Competent Supervisory Authority – Details required by GDPR Articles 13 & 14.
Annex 4 – Sub‑processor Change Procedure – Notification workflow.
Annex 5 – Technical & Organisational Security Measures – Access control, encryption (at rest & in transit), key‑management via AWS KMS, secure SDLC, logging & monitoring, incident response, and business‑continuity controls.
By continuing to use the Skilitics Service after the “Last updated” date, you agree to this Data Processing Addendum.
Last updated: May 30 2025