
Data Processing Agreement

Version 1.0 · last updated 2026-06-06

This Data Processing Agreement ("DPA") forms an integral part of the Terms of Service between SmartKeep Solutions SRL (registered no. RO43273365, Arad, Romania — "Skryx", the processor) and the customer ("the Controller"). It governs Skryx's processing of personal data on the Controller's behalf under Article 28 GDPR. In case of conflict with the Terms, this DPA prevails on data-protection matters.

1. Subject matter and duration

Skryx processes personal data solely to provide the search-as-a-service Service (catalogue indexing, search, AI assistance, analytics). Processing lasts for the term of the contract, plus the retention periods described in Section 9.

2. Nature and purpose of processing

Storage, indexing, querying, returning results, generating embeddings and AI suggestions, and aggregating usage statistics — all strictly to operate the Service for the Controller's benefit.

3. Categories of data subjects and data

  • Data subjects: the Controller's shoppers and visitors; potentially individuals named in catalogue data.
  • Categories of data: catalogue data (which may occasionally contain personal data determined by the Controller); search queries; interaction events bearing a pseudonymous session identifier; IP addresses processed transiently for security and geographic aggregation.
  • Skryx does not request special categories of data (Art. 9). The Controller undertakes not to submit such data through the Service.

4. Controller's obligations

The Controller warrants that it has a valid legal basis for the data it submits and that its instructions to Skryx comply with applicable law. The Controller is responsible for informing its own data subjects (e.g. via its own privacy policy) and obtaining any required consents.

5. Skryx's obligations (processor)

  • Process data only on the Controller's documented instructions (including this DPA and use of the Service), unless required by law.
  • Ensure confidentiality: personnel with access are bound by confidentiality.
  • Implement the technical and organisational measures in Section 7.
  • Assist the Controller, as far as possible, in fulfilling data-subject requests and its security, DPIA and prior-consultation obligations.
  • Notify the Controller without undue delay after becoming aware of a personal-data breach (Section 8).
  • On termination, delete or return the data (Section 9).
  • Make available to the Controller the information needed to demonstrate compliance and allow reasonable audits (Section 10).

6. Sub-processors

The Controller generally authorises Skryx's use of the sub-processors below. Skryx imposes on each sub-processor data-protection obligations equivalent to this DPA and remains liable for their acts.

Sub-processor        Purpose                                       Location
Google Cloud (GCS)   Encrypted database backups                    EU
Cloudflare           Object storage (R2), CDN, WAF                 Global / EU
Anthropic            Query understanding (Claude)                  US
Voyage AI            Embeddings for semantic search                US
Twilio SendGrid      Transactional email                           US
Sentry               Error monitoring                              US
Stripe               Payments (account data, not shopper data)     EU / US

We will give the Controller at least 30 days' notice before adding or replacing a sub-processor, with an opportunity to object on reasonable data-protection grounds.

7. Technical and organisational measures (Art. 32)

  • TLS encryption in transit; encryption at rest for backups.
  • Role-based access control on a least-privilege basis; protected authentication; hashing of passwords and keys.
  • Isolation on a containerised architecture; firewall and WAF protection at the network edge.
  • Monitoring, logging and alerting; encrypted backups tested periodically.
  • Pseudonymisation: shopper events use session identifiers, not direct identifiers.
  • Business-continuity and disaster-recovery procedures.

8. Breach notification

In the event of a security breach affecting the Controller's data, Skryx notifies the Controller without undue delay (normally within 72 hours of becoming aware), providing the information reasonably available so the Controller can meet its own notification obligations.

9. Return and deletion of data

On termination of the Service, or at the Controller's request, Skryx deletes or returns the personal data within a reasonable period and deletes existing copies, unless EU or member-state law requires retention. Encrypted backups expire under the rotation cycle.

10. Audit

Skryx makes available to the Controller the information necessary to demonstrate Article 28 compliance. The Controller may request an audit (including inspections) at most once per year, on reasonable notice, during normal hours, without disrupting operations and subject to confidentiality; existing security reports may satisfy such requests.

11. International transfers

For transfers to sub-processors outside the EEA, Skryx implements the European Commission's Standard Contractual Clauses and/or other appropriate safeguards under GDPR Chapter V, plus supplementary measures.

12. Liability

Liability under this DPA is subject to the limitations in the Terms of Service, to the extent permitted by law.

13. Contact

Data Protection / DPO: privacy@skryx.io · SmartKeep Solutions SRL, Arad, Romania.
