Skylead Data Processing Addendum
Last Updated: March 30, 2023
This Data Processing Addendum (“DPA”) is a part of the Skylead’s Terms & Conditions, and sets forth the parties’ rights and obligations in respect of the processing of Company in relation to the Skylead Services, to the extent that the same is subject to Applicable Privacy and Data Protection Laws.
If there is any conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall prevail. If there is any conflict between the Standard Contractual Clauses and the terms of this DPA, the Standard Contractual Clauses shall prevail.
1. Definitions
1.1 “Agreement” means subscription purchase, together with Skylead’s Terms & Conditions, available at https://skylead.io/terms-and-conditions/ , unless there is a separately negotiated agreement for Skylead Services between you and Skylead, then “Agreement” means that agreement.
1.2 “Applicable Privacy and Data Protection Laws” means collectively all local privacy and data protection laws, rules, and regulations that apply to the parties with regard to the processing of Personal Data in connection with the Agreement, including, only to the extent applicable and when legally effective (including those that come into effect after the “Last Updated” date above): the California Consumer Privacy Act (including as amended by the California Privacy Rights Act of 2020) (“CCPA”); the European Union’s General Data Protection Regulation (“GDPR”)t; and the United Kingdom’s General Data Protection Regulation (“UK GDPR”).
1.3 “Company,” “you,” and “your” mean the Skylead customer that has entered into the Agreement for Skylead Services.
1.4 “Company User” means a Data Subject for whom Company initiates and administers a Skylead account, Data Subjects acting on behalf of Company to administer the Skylead Service, and users of the Linkedin platform (https://linkedin.com , further referred to as “LinkedIn”) whose data is being searched, collected and structured on Skylead Services.
1.5 “Company User Data” means the Personal Data of Company Users that is submitted to Skylead in connection with the Skylead Services.
1.6 “Controller” means the party that controls the purposes and means of processing, and shall include ‘controller’, ‘business’, and other similar terms under Applicable Privacy and Data Protection Laws.
1.7 “Data Subject” means ‘data subject’, ‘consumer’, or similar terms under Applicable Privacy and Data Protection Laws.
1.8 “Skylead Services” means the Skylead-branded online platform and other services provided by Skylead pursuant to subscription purchase, or other, by Company and that involves the transfer of Company User Data to Skylead.
1.9 “Personal Data” means all ‘personal data’, ‘personal information’, or similar terms under Applicable Privacy and Data Protection Laws.
1.10 “Processor” means a party that processes Personal Data on behalf of another party, and shall include ‘processor’, ‘service provider’, and other similar terms under Applicable Privacy and Data Protection Laws.
1.11 “Sensitive Data” means ‘sensitive personal information’, ‘sensitive data’, ‘special categories of personal data’, and Personal Data similarly classified under Applicable Privacy and Data Protection Laws.
1.12 “Standard Contractual Clauses” means the standard contractual clauses approved pursuant to the European Commission’s decision (EU) 2021/914 of 4 June 2021, populated in accordance with Section 8 of this DPA. For transfers of Personal Data subject to UK GDPR, the Standard Contractual Clauses also include the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the “UK Addendum”), populated in accordance with Section 8 of this DPA.
1.13 “Skylead” means, for the purpose of this DPA, Skylead Technologies LTD, https://skylead.io/ .
1.14 The terms “commercial purpose”, “personal data breach”, “process”, “sell”, “share”, and their cognates shall have the same meaning as under Applicable Privacy and Data Protection Laws.
2. Roles
2.1. To the extent Company User Data is subject to Applicable Privacy and Data Protection Laws, the parties agree that with respect to processing Company User Data in the provision of the Skylead Services, Company is the Controller, and Skylead is a Processor.
2.2. Company acknowledges and agrees that notwithstanding Section 2.1, Skylead and its affiliates may collect and process certain data directly from Data Subjects in their capacity as users of other Skylead Services. Though these Data Subjects may also be Company Users, Skylead acts as a Controller for Personal Data collected or submitted outside of the Skylead Services.
2.3. The parties agree and acknowledge that the subject matter and details of processing are set out in Annex I.
3. Terms of Processing by
3.1. Skylead agrees that it will:
3.1.1. Process Company User Data only (a) for the provision of the Skylead Services to Company according to the written instructions set forth in the Agreement or as otherwise instructed by Company, and (b) as permitted as a Processor under Applicable Privacy and Data Protection Laws (collectively, the “Agreed Purposes”);
3.1.2. Ensure that anyone acting on its behalf will process Company User Data according to the provisions of this DPA and applicable data protection regulations, and is bound by an appropriate obligation of confidentiality;
3.1.3. Notify Company if Skylead becomes aware of any circumstance which would prevent it from fulfilling Company’s instructions under this DPA;
3.1.4. Notify Company if Skylead becomes aware that any applicable law or regulation prevents it from fulfilling the instructions received from Company and its obligations under this DPA;
3.1.5. Notify Company within the time period required by Applicable Privacy and Data Protection Laws if it determines it can no longer meet its obligations under Applicable Privacy and Data Protection Laws and allow Company to take reasonable and appropriate steps to stop and remediate unauthorized processing of Company User Data;
3.1.6. Upon Company’s request, provide information to reasonably enable Company to conduct and document data protection assessments; and
3.1.7. To the extent required under Applicable Privacy and Data Protection Laws, not more than once annually, allow and cooperate with reasonable assessments by Company or its designated assessor, to conduct an assessment of Skylead’s technical and organizational measures in support of the obligations under Applicable Privacy and Data Protection Laws using an appropriate and accepted control standard or framework and assessment procedure for such assessments, and subject to reasonable access and confidentiality restrictions. If Skylead engages its own assessor, it shall provide a summary report to Company upon request, which shall satisfy Skylead’s obligations under this Section 3.1.7.
3.2. Subject to Section 3.1.1., Skylead will not:
3.2.1. Sell or share the Company User Data;
3.2.2. Retain, use or disclose the Company User Data for any purpose other than the Agreed Purposes;
3.2.3. Retain, use or disclose the Company User Data outside of the direct business relationship between Company and Skylead; or
3.2.4. Combine Company User Data with Personal Data Skylead receives from other customers.
4. Terms of Processing by Company
4.1. Company agrees that it will:
4.1.1. Collect, use and process Company User Data in accordance with Applicable Privacy and Data Protection Laws, including obtaining any necessary consents, licenses, and approvals;
4.1.2. Have sole responsibility for the accuracy, quality, and legality of Company User Data and the means by which it was obtained; and
4.1.3. Not submit to Skylead or otherwise cause Skylead to Process any Sensitive Data. Without limiting Sections 4.1.1. and 4.1.2., Company acknowledges that Skylead will not assess the contents of Company User Data to identify information subject to any specific legal requirements.
5. Security & Compliance
5.1. Skylead shall implement reasonable technical, organizational and security measures to protect the privacy and security of the Company User Data.
5.2. Skylead shall assist Company, within reasonable timetables, by the appropriate measures and as reasonably possible (considering the nature of the processing and the information available to ), in complying with its obligations under Articles 32 to 36 of the GDPR.
5.3. Any storage and/or transfer of Company User Data by Company to any third party or platform other than Skylead shall be at the sole risk and responsibility of Company.
5.4. If Skylead becomes aware of any personal data breach affecting Company User Data, Skylead will, without undue delay, provide notification to Company in accordance with applicable regulations. Skylead’s notification of a personal data breach will not be deemed as an acknowledgement by Skylead of any fault or liability with respect to such incident. In the event of a personal data breach, Company shall be obligated to take the measures required under applicable laws in connection with its Company User Data. Where requested, Skylead will assist Company with communicating with regulators regarding the personal data breach.
5.5. Upon reasonable written request, Skylead will make available to Company information necessary to demonstrate compliance with its obligations under this DPA and applicable law.
6. Sub-processors
6.1. Skylead is hereby generally authorized by Company to engage any sub-processor, provided that Skylead shall (i) ensure in each case that the sub-processor is bound by data protection obligations that are substantially the same as, and in any event no less onerous than those contained in this DPA; and (ii) subject to the terms of the Agreement (including but not limited to any limitations on liability agreed therein), remain fully liable to Company for the performance of that sub-processor’s obligations. For a list of current sub-processors, see Annex III.
6.2. Skylead shall notify Company of any intended changes concerning the addition or replacement of sub-processors, thereby giving Company the opportunity to object to such changes. Notice will be provided by email to the email address(es) submitted by Company. If Company objects to any sub-processing by Skylead, Company should immediately discontinue its use of the Skylead Services.
7. Individual Rights Requests
7.1. To the extent required under Applicable Privacy and Data Protection Laws, Skylead will take appropriate measures to assist Company in complying with its obligations under Applicable Privacy and Data Protection Laws in responding to Data Subject rights requests.
7.2. Skylead will notify Company when it receives a Data Subject rights request for erasure or access to information directed towards Company User Data. Company shall provide direction to Skylead regarding whether to fulfil such request.
8. International Transfers
8.1. Standard Contractual Clauses
8.1.1. Company understands and agrees that Skylead operates the Skylead Service primarily from the United States and as such, Company User Data will be transferred from Company’s location and/or the applicable Data Subject’s location to Skylead in the United States. Skylead will ensure such transfers are made in compliance with Applicable Privacy and Data Protection Law, including by relying on the Standard Contractual Clauses (Module 2: Transfer Controller to Processor), which are hereby incorporated into this DPA, and which are deemed to be completed, populated and incorporated as follows:
- Clause 7: the optional clause is included;
- Clause 11(a): the optional clause is disregarded;
- Clause 13(a): For the competent supervisory authority, insert the Information Commissioner’s Office of UK;
- Clause 17: the governing law shall be that of the England and Wales; and
- Clause 18: any dispute arising from the Standard Contractual Clauses shall be resolved by the courts of the England and Wales.
8.1.2. Company and Skylead agree that subscription purchase will constitute and have effect as signature of Annex IA and Annex II of the Standard Contractual Clauses in relation to any transfers falling within Section 8.1.1. that are required in relation to the Skylead Services, and which are set out in a relevant, fully and appropriately populated version Annex I, Annex II and Annex III (below) to the Standard Contractual Clauses together (where applicable) with the UK Addendum.
8.2. Supplementary Measures. If Skylead receives an order from any third party for compelled disclosure of Personal Data that has been transferred using the Standard Contractual Clauses, Skylead will:
8.2.1. Use every reasonable effort to redirect the third party to request the data directly from Company;
8.2.2. Promptly notify Company, unless prohibited by law;
8.2.3. Request a reasonable extension of time from the third party to allow Company to evaluate the request; and
8.2.4. Use all lawful efforts to challenge the order for disclosure on the basis of any legal deficiencies or conflicts with the laws of the EU, Switzerland, UK or applicable EU member state law.
If, after exhausting these steps, Skylead remains compelled to disclose Personal Data to a third party, Skylead will disclose only the minimum necessary to satisfy the request.
8.3 Transfers from the UK. In relation to Personal Data that is protected by the UK GDPR, the UK Addendum will apply, completed as follows:
8.3.1. The EU SCCs shall also apply to transfers of such Personal Data, subject to sub-Section below;
8.3.2. Tables 1 to 3 of the UK Addendum shall be deemed completed with relevant information from the EU SCCs, completed as set out above in Section 8.1.1 of this Addendum, and the option “neither party” shall be deemed checked in Table 4. The start date of the UK Addendum (as set out in Table 1) shall be the date of this Addendum.
9. Term and Termination
9.1. This DPA shall be in effect for as long as Company uses any of the Skylead Services, provided however, that where Skylead is obligated, according to the terms of this DPA or any Skylead’s Terms & Conditions, to retain Company User Data following the termination or expiration of the Skylead Services, this DPA shall continue to be in effect for as long as Skylead holds such data.
9.2. Upon termination or expiration of the Agreement, and unless Skylead has a lawful basis to retain such Company User Data under Skylead’s Terms & Conditions, any agreement or applicable law, Skylead shall enable Company, through its admin account, to delete the Company User Data. If Company does not take any action to delete, Skylead will delete it when retention is no longer necessary for the purposes for which it was collected or required to be retained under applicable law.
9.3. Skylead shall have the right to amend and/or adjust any of the terms of this DPA as may be required from time-to-time, in order to comply with any applicable laws or regulations.
9.4. Any questions regarding this DPA or requests from Company to support the fulfilment of Data Subject rights requests should be addressed to support@skylead.io. Skylead will attempt to resolve any complaints regarding the use of Company User Data in accordance with this DPA and Skylead’s Terms & Conditions.
9.5. In the event of inconsistency with the terms of this DPA and any other agreement between the parties, the terms of this DPA shall prevail.
Annex I: Details of the Processing
A. List of Parties
Data exporter(s): | Data Exporter is the Company identified in the associated Agreement. |
Role (controller/processor): | Controller |
Data importer(s): | Skylead Technologies Ltd |
Address: | 71 Rodney Court 6 – 8 Maida Vale, London, England, W9 1TJ |
Contact person’s name, position and contact details: | Relja Denic, CEO, relja@skylead.io |
Role (controller/processor): | Processor |
Activities relevant to the data transferred under these Clauses: | In accordance with the Skyleads’s Terms & Conditions, associated Agreement agreed upon between Data Exporter and Data Importer. |
Signature and date: | The parties agree that subscription purchase constitutes signature of this Annex I. The date is according to the date of purchase. |
B. Description of Transfer
Subject matter: | The subject matter of the data processing under this DPA is Company User Data. |
Data subjects: | The data subjects are Company Users. |
Nature of the processing: | Skylead processes Company User Data to provide the Skylead Services, including the provision of streamline services for marketing on the LinkedIn social network, which requires the processing of personal data of LinkedIn registered users by the Processor on behalf of the Controller |
Duration: | The duration of the processing is equal to the duration of Company’s use of the Skylead Services and associated agreement. |
C. Purpose of processing and Personal data categories
Purpose | Category of personal data |
To allow Controller to prepare and conduct LinkedIn marketing activities | Profile photo, name, occupation, company, url, inbox messages, date and time of the message |
To allow Controller to find people from its LinkedIn connections | Profile link, profile picture, full name, status (contact / new contact / ex-contact / connection sent) type of connection (1st / 2nd / 3rd / group connections), occupation, tags, connected since, campaign assigned, filter words from profile |
To allow Controller to automate interactions with LinkedIn contacts | Inbox messages, connection status (contact / new contact / connect requested), message status (email required / no interaction / awaiting reply / replied) name of message recipient, date and time when the message was sent |
To allow Controller to find people on LinkedIn | Profile picture, name, occupation, company, url, post engagement, post author |
To allow Controller to track the status of its connection requests on LinkedIn | Profile picture, name, occupation, tags, actions |
To allow Controller to sort its LinkedIn connections | Name, campaign affiliation, tags, actions to be done |
To allow Controller to integrate third-party tools | LinkedIn Controller data from and a third-party tool: name, event, campaign, tags, target url, history, time delta, test |
To allow Controller to import its LinkedIn contacts and blacklists to Processor’s platform | Contact id, first name, last name, profile link, job title, company name, email, phone, address, image link, tags, contact status, conversation status, object urn, public identifier, profile link public identifier, message thread link, invited at, connected at |
To allow Controller to analyse whether a LinkedIn contact responded to its message positively | Conversation status (success / failure) |
To allow Controller to export LinkedIn publicly available data found via Processor’s platform | First Name, Last Name, Campaign Name, Profile Url, Occupation, Current Company, Email, Phone, Country, Website, Twitter, Business Email, Last Step Execution, Status, Lead Tags, Lead Conversation, Is Connection Accepted Detected |
To allow the Controller to analyse the efficiency of its social/marketing activities on LinkedIn | Day-by-day (periodical) statistics, total statistics, communication statistics, campaign statistics, task statistics based on personal data listed above |
D. Competent Supervisory Authority
UK’s Information Commissioner’s Office
Annex II: Technical and Organizational Measures to Ensure the Security of the Data
maintains internal Information Security and Privacy Policies. These policies include standards for information security management as required by the EU’s General Data Protection Regulation (GDPR) and other privacy or data security laws, regulations, or standards. The following spotlight controls demonstrate Skylead’s information security framework:
- Monitoring of API endpoints;
- Limitation and management of access rights to personal data;
- SSH protocol for accessing LinkedIn login data;
- Database encryption at-rest;
- VPN for accessing servers;
- Secure (https://) connection;
- Compliance with password protection and management, access control policies;
- Usage of antivirus software and firewalls;
- Employees are aware of and trained on their respective data protection responsibilities;
- Regular back-ups of the data processed.
Annex III: Sub-Processors
The Controller has provided a general authorization for use of sub-processors per Section 6.1 of the DPA. The Sub-processors currently engaged by Processor and authorized by Controller are:
Sub-Processor | Function | Corporate Location |
Amazon Web Services, Inc | Cloud infrastructure hosting and data warehouse provider | United States |
Contabo | Cloud infrastructure hosting and data warehouse provider | United States, Germany |