Data Processing Agreement
Last updated: March 15, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between Skode Technologies ("Processor," "we," "us") and you ("Controller," "you," "your") for the use of our Services, as defined in our Terms of Service. This DPA applies to the extent that Skode processes Personal Data on your behalf in the course of providing the Services.
This DPA is entered into pursuant to Article 28 of the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), Article 28 of the UK GDPR (as incorporated by the UK Data Protection Act 2018), and equivalent provisions under the Indian Digital Personal Data Protection Act, 2023 ("DPDPA"). It sets out the terms on which the Processor shall process Personal Data on behalf of the Controller.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable Data Protection Laws.
- "Data Protection Laws" means all applicable laws relating to data protection and privacy, including the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA), and the Indian Digital Personal Data Protection Act, 2023.
- "Processing" means any operation performed on Personal Data, including collection, recording, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.
- "Sub-Processor" means any third party engaged by Skode to process Personal Data on behalf of the Controller.
- "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
- "Security Incident" means any unauthorized or unlawful access, acquisition, use, disclosure, alteration, or destruction of Personal Data.
2. Scope and Purpose of Processing
2.1 Subject Matter
Skode processes Personal Data on behalf of the Controller to provide the Services, which include customer relationship management, invoicing, lead management, AI-powered analytics, and omnichannel messaging through Skode CRM and Skode Flow.
2.2 Categories of Data Subjects
- Your customers and prospective customers (leads).
- Your business contacts and partners.
- Your employees and team members who use the Services.
- End users who interact with your widgets, forms, or messaging channels.
2.3 Types of Personal Data
- Contact information (name, email, phone number, address).
- Business information (company name, job title, industry).
- Communication records (emails, chat messages, call logs, notes).
- Transaction data (invoices, payment history, deal information).
- Usage data (interactions within the CRM, activity logs).
- Any other Personal Data you choose to store in the Services.
2.4 Duration
Processing continues for the duration of your subscription to the Services, plus any retention period required to fulfill our obligations under this DPA and applicable law.
3. Obligations of the Processor
Skode shall:
- Process Personal Data only on documented instructions from the Controller, unless required by applicable law.
- Ensure that persons authorized to process Personal Data are bound by obligations of confidentiality.
- Implement appropriate technical and organizational measures to ensure the security of Personal Data.
- Not engage a Sub-Processor without prior written authorization from the Controller (general or specific).
- Assist the Controller in responding to requests from Data Subjects exercising their rights under Data Protection Laws.
- Assist the Controller in ensuring compliance with obligations related to security of processing, data protection impact assessments, and prior consultations with supervisory authorities.
- At the Controller's choice, delete or return all Personal Data upon termination of the Services, unless retention is required by law.
- Make available to the Controller all information necessary to demonstrate compliance with this DPA.
4. Data Subject Rights
Skode will assist the Controller in fulfilling its obligations to respond to Data Subject requests, including:
- Right of access to Personal Data.
- Right to rectification of inaccurate data.
- Right to erasure ("right to be forgotten").
- Right to restriction of processing.
- Right to data portability.
- Right to object to processing.
We will promptly notify you if we receive a request from a Data Subject directly. We will not respond to Data Subject requests without your prior authorization, unless required by applicable law.
5. Security Measures
Skode implements and maintains appropriate technical and organizational security measures, including:
- Encryption: Data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 encryption.
- Access Controls: Role-based access controls, multi-factor authentication, and the principle of least privilege for all system access.
- Network Security: Firewalls, intrusion detection systems, and regular vulnerability scanning.
- Monitoring: Continuous monitoring of systems for security events, with automated alerting and incident response procedures.
- Employee Training: Regular security awareness training for all employees with access to Personal Data.
- Physical Security: Hosting in SOC 2 compliant data centers with physical access controls, surveillance, and environmental protections.
- Business Continuity: Regular backups, disaster recovery plans, and business continuity procedures.
- Secure Development: Security-by-design principles in software development, including code reviews and security testing.
6. Sub-Processors
The Controller provides general written authorization for Skode to engage Sub-Processors for the purpose of providing the Services. A current list of Sub-Processors is maintained at /legal/sub-processors/.
Skode shall:
- Notify the Controller of any intended changes to the list of Sub-Processors, providing an opportunity to object within 30 days of notification.
- Ensure that any Sub-Processor is bound by data protection obligations no less protective than those in this DPA.
- Remain fully liable for the acts and omissions of its Sub-Processors.
If the Controller objects to a new Sub-Processor within the 30-day notice period and Skode cannot reasonably accommodate the objection, either party may terminate the affected Services with 30 days' written notice.
7. International Data Transfers
When Personal Data is transferred outside the European Economic Area (EEA), United Kingdom, or other jurisdictions with data transfer restrictions, Skode ensures appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) as approved by the European Commission.
- UK International Data Transfer Agreement or Addendum, where applicable.
- Binding Corporate Rules, where applicable.
- Any other transfer mechanism recognized under applicable Data Protection Laws.
8. Data Breach Notification
In the event of a Security Incident, Skode shall comply with all applicable breach notification requirements, including jurisdiction-specific timelines:
- Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the Security Incident (as required by GDPR Article 33 and UK GDPR).
- India CERT-In Requirement: For Security Incidents affecting data subjects located in India, Skode shall report the incident to the Indian Computer Emergency Response Team (CERT-In) within 6 hours of becoming aware of the incident, in accordance with CERT-In Directions dated April 28, 2022. This includes cyber security incidents such as unauthorized access to systems, data breaches, and data leaks. Skode shall simultaneously notify the Controller of any such report.
- Provide sufficient information to enable the Controller to meet its obligations to report the Security Incident to supervisory authorities and Data Subjects, including:
  - The nature of the Security Incident, including categories and approximate number of Data Subjects affected.
  - The likely consequences of the Security Incident.
  - The measures taken or proposed to address the Security Incident and mitigate its effects.
  - The name and contact details of a designated point of contact for further information.
- Take immediate steps to contain, investigate, and remediate the Security Incident.
- Cooperate with the Controller and provide reasonable assistance in investigating and resolving the Security Incident.
9. Audit Rights
Skode shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits conducted by the Controller or an independent auditor appointed by the Controller.
- Audit requests must be made in writing with at least 30 days' prior notice.
- Audits shall be conducted during normal business hours and shall not unreasonably interfere with Skode's operations.
- The Controller shall bear the cost of any audit, unless the audit reveals material non-compliance by Skode.
- Skode may satisfy audit requests by providing certifications, audit reports (e.g., SOC 2), or other documentation demonstrating compliance.
10. Data Deletion and Return
Upon termination of the Services:
- Skode will provide the Controller with the ability to export all Personal Data for 30 days following termination.
- After the 30-day export period, Skode will delete all Personal Data within 90 days, except where retention is required by applicable law.
- Upon request, Skode will certify in writing that Personal Data has been deleted.
11. Liability
Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service, except that neither party excludes or limits its liability for breaches of its data protection obligations to the extent such limitation is prohibited by applicable Data Protection Laws.
12. Contact
For questions or concerns regarding this DPA, please contact:
- Email: privacy@skodeai.com
- Legal: legal@skodeai.com