Data Processing Agreement (DPA)

(Agreement pursuant to Article 28 GDPR)

Version: 12th of January, 2026
Governing law: Federal Republic of Germany

This Data Processing Agreement ("DPA") is concluded between:

Skillties GmbH

Haydnstr. 1

12203 Berlin

Germany

("Processor")

and

[Customer Name]

[Customer Address]

("Controller")

Processor and Controller are hereinafter referred to individually as a "Party" and collectively as the "Parties".

1. Subject Matter and Scope

This DPA governs the processing of personal data by Skillties GmbH on behalf of the Customer in connection with the use of the Skillties platform ("Platform").

This DPA applies exclusively to claimed and paid workspaces operated by the Customer.

Processing of personal data that is publicly available on the Platform or processed by Skillties for its own purposes remains governed by the Privacy Policy and is not subject to this DPA.

2. Roles of the Parties

The Customer acts as controller within the meaning of Article 4(7) GDPR.

Skillties acts as processor within the meaning of Article 4(8) GDPR.

Skillties processes personal data solely on documented instructions of the Customer, unless required to do otherwise by applicable law.

3. Description of Processing

3.1 Nature and Purpose of Processing

Skillties processes personal data for the purpose of providing and operating the Platform, in particular to:

  • enable workspace-based collaboration,
  • process skill mappings and skill-related evaluations,
  • display workspace-internal visibility of skill data,
  • provide technical support and platform functionality.

3.2 Categories of Data Subjects

  • employees of the Customer,
  • contractors or other authorized users of the Customer,
  • workspace administrators.

3.3 Categories of Personal Data

Depending on the use of the Platform, the following categories of personal data may be processed:

  • identification data (name, email address),
  • authentication data,
  • skill-related data (skill mappings, skill levels),
  • calculated data (match levels, averages),
  • usage and interaction data within the workspace.

3.4 Processing Duration

Processing is carried out for the duration of the contractual relationship between the Parties, unless statutory retention obligations require longer storage.

4. Instructions of the Controller

Skillties shall process personal data only on documented instructions of the Customer.

Instructions are generally provided through:

  • this DPA,
  • the Master Service Agreement (MSA),
  • applicable order forms,
  • configuration and use of the Platform by authorized workspace administrators.

5. Obligations of the Processor

Skillties undertakes to:

  • process personal data exclusively in accordance with this DPA and applicable law,
  • ensure that persons authorized to process personal data are bound by confidentiality,
  • implement appropriate technical and organizational measures in accordance with Article 32 GDPR,
  • assist the Customer in fulfilling data subject rights,
  • notify the Customer without undue delay of any personal data breach.

6. Technical and Organizational Measures (TOMs)

Skillties implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including in particular:

  • access controls and role-based authorization,
  • encryption of data in transit,
  • regular backups,
  • logical separation of customer data,
  • monitoring and logging of system access.

A more detailed description of the technical and organizational measures may be provided upon request.

7. Subprocessors

The Customer grants a general authorization for Skillties to engage subprocessors.

Skillties may use subprocessors, in particular for:

  • hosting and infrastructure,
  • analytics and monitoring,
  • email delivery and platform operations.

Current subprocessors may include providers such as:

  • Google Cloud Platform (EU-only hosting),
  • PostHog,
  • Brevo,
  • and other service providers required for the operation of the Platform.

Skillties shall ensure that all subprocessors are contractually bound by data protection obligations equivalent to those set out in this DPA.

The Customer may object to the engagement of a new subprocessor on reasonable data protection grounds.

Additional Clarification on Tools Used for Skillties' Own Purposes

Tools and services used by Skillties exclusively for its own business purposes, including but not limited to customer relationship management (CRM), sales, marketing, product communication, and support operations (such as CRM systems), are not used for the processing of customer-controlled workspace data.

Such tools do not constitute subprocessors within the meaning of this Data Processing Agreement and are therefore not subject to Article 28 GDPR obligations in the context of this Agreement.

8. International Data Transfers

Skillties processes personal data exclusively within the European Union.

No intentional transfers of personal data to third countries take place.

Where subprocessors are headquartered outside the EU, processing is contractually restricted to EU regions.

9. Assistance with Data Subject Rights

Skillties shall support the Customer, taking into account the nature of the processing, in fulfilling requests from data subjects pursuant to Articles 12–23 GDPR.

Where a data subject submits a request directly to Skillties, Skillties shall forward the request to the Customer without undue delay.

10. Personal Data Breaches

Skillties shall notify the Customer without undue delay after becoming aware of a personal data breach.

Such notification shall include, where available:

  • a description of the breach,
  • the categories and approximate number of affected data subjects,
  • the likely consequences,
  • measures taken or proposed to address the breach.

11. Audits and Inspections

The Customer may verify compliance with this DPA by means of audits.

Audits shall:

  • be conducted during normal business hours,
  • be limited to once per year unless justified by a specific incident,
  • not unreasonably disrupt Skillties' operations.

Skillties may satisfy audit requests by providing appropriate documentation or third-party audit reports.

12. Return or Deletion of Data

Upon termination of the contractual relationship, Skillties shall, at the Customer's choice:

  • delete personal data processed on behalf of the Customer, or
  • return such data to the Customer,

unless statutory retention obligations apply.

13. Confidentiality

Both Parties shall treat all information obtained in connection with this DPA as confidential.

This obligation survives termination of the DPA.

14. Liability

Liability under this DPA shall be governed by the liability provisions of the Master Service Agreement.

Mandatory statutory liability remains unaffected.

15. Term and Termination

This DPA enters into force together with the Master Service Agreement or the applicable order form.

It remains effective for the duration of the processing of personal data by Skillties on behalf of the Customer.

16. Governing Law and Jurisdiction

This DPA is governed by the laws of the Federal Republic of Germany.

The place of jurisdiction is Berlin, Germany, to the extent legally permissible.

17. Final Provisions

If any provision of this DPA is invalid or unenforceable, the remaining provisions shall remain unaffected.

This DPA forms an integral part of the contractual relationship between the Parties.