Data Processing Agreement

Last updated: June 25, 2025

This Data Processing Agreement (“DPA”) is subject to and forms part of the Agreement and governs Skyfire’s Processing of Personal Data.

1. Skyfire as Data Processor and Data Controller

Data Processing Roles
Skyfire as a Data Processor: When Skyfire Processes Personal Data as a Data Processor, it is acting as a Data Processor on behalf of you, the Data Controller.
Skyfire as a Data Controller: When Skyfire Processes Personal Data as a Data Controller it has the sole and exclusive authority to determine the purposes and means of Processing Personal Data it receives from or through you.

Data Processing Purposes
Skyfire as a Data Processor: The purposes of Skyfire’s Processing of Personal Data in its capacity as a Data Processor are to:
• service the Skyfire platform; and
• provide, and provide access to, Skyfire’s products and services.
Skyfire as a Data Controller: The purposes of Skyfire’s Processing of Personal Data in its capacity as a Data Controller when providing Skyfire’s products and services are to:
• determine and utilize third parties (for example, payment method providers);
• monitor, prevent and detect fraudulent transactions and other fraudulent activity on the Skyfire platform;
• monitor, prevent and mitigate financial loss, security risks, and other harm;
• implement, maintain and perform internal processes that enable Skyfire to provide its products and services, including relationship management, billing and invoicing;
• comply with Law, including applicable anti-money laundering screening and know-your-customer obligations, and Governmental Authority requirements and requests; and
• analyze and develop Skyfire’s products and services.

Categories of Data Subjects and Personal Data: Skyfire as a Data Processor and a Data Controller
Data Subjects: Skyfire may Process the Personal Data of customers, representatives, customers of its customers and any natural person who accesses or uses a Skyfire Account.
Personal Data: If applicable, Skyfire may Process payment or bank account details, name, device ID, email address, IP address/location, order ID, tax ID/status, unique customer identifier, and identity information.
Sensitive Data: If applicable, Skyfire may Process Sensitive Data (e.g., facial recognition data).

Duration of Processing
Skyfire as a Data Processor: For the term of the Agreement and any period required to perform a party’s post-termination obligations.

Data Security
Skyfire as a Data Processor and Data Controller: Skyfire will implement and maintain a written information security program with the Data Security Measures stated in Exhibit A of this DPA.

2. Skyfire Obligations when Acting as a Data Processor

2.1 Obligations

When Skyfire is acting as a Data Processor for you, Skyfire will:

(a) Process Personal Data on your behalf and according to your Instructions;

(b) ensure that all persons Skyfire authorizes to Process Personal Data are granted access to Personal Data on a need-to-know basis and are committed to respecting the confidentiality of that Personal Data;

(c) to the extent required by DP Law, inform you of each request Skyfire receives from Data Subjects (including “verifiable consumer requests” as defined under the CCPA) exercising their rights under DP Law to (i) access (e.g., right to know under the CCPA) their Personal Data; (ii) have their Personal Data corrected or erased; (iii) restrict or object to Skyfire’s Processing; or (iv) data portability (collectively “Data Subject Request”). Other than to request further information, identify the Data Subject, and, if applicable, direct the Data Subject to you as Data Controller, Skyfire will not respond to these requests unless you instruct Skyfire in writing to do so. Taking into account the nature of the Processing, Skyfire will assist you by appropriate technical and organizational measures, to the extent this is possible, to enable you to meet your obligation to respond to a Data Subject Request;

(d) to the extent required by DP Law, inform you of each law enforcement request Skyfire receives from a Governmental Authority requiring Skyfire to disclose Personal Data or participate in an investigation requiring Skyfire to disclose Personal Data, unless prohibited by Law;

(e) to the extent required by DP Law, provide you with reasonable assistance, following your written request, to help you comply with your obligations under DP Law and, taking into account the nature of the Processing and the information available to Skyfire, Skyfire will provide reasonable information to help you conduct a data protection impact assessment or consult with a Supervisory Authority. If you request assistance from Skyfire that goes beyond Skyfire’s obligations under DP Law or this Agreement, Skyfire may charge you a reasonable fee;

(f) if Skyfire experiences a Data Incident, notify you without undue delay, which for Data Incidents affecting Personal Data subject to the GDPR or UK GDPR will be no later than 48 hours, in each case after becoming aware of the Data Incident. To the extent known to Skyfire, Skyfire’s notification to you will describe in reasonable detail (i) the type of Personal Data that was the subject of the Data Incident, (ii) the categories and potential number of individuals or records affected (including their countries), and (iii) the status of Skyfire’s investigation and current or planned remediation. Following the notification, Skyfire will provide relevant updates to assist you in complying with your obligations under DP Law;

(g) to the extent required by DP Law and following your written request, contribute to audits or inspections by making audit reports available to you. Following this request, and no more frequently than once annually, Skyfire will promptly provide documentation or complete a written data security questionnaire of reasonable scope and duration regarding Skyfire’s Processing of Personal Data. All reports and documentation provided, including any response to a security questionnaire, are Skyfire’s confidential information; and

(h) at your choice, delete or return to you all Personal Data Processed in connection with the Skyfire Services, and delete existing copies, following termination of the Agreement, except that Skyfire will not be required to delete or return that Personal Data, or delete existing copies, to the extent that Skyfire’s storage of that Personal Data or those copies is (i) required by Skyfire to exercise its rights and perform its obligations under the Agreement; or (ii) required or authorized by DP Law for a longer period.

2.2 Sub-processors

(a) Skyfire engages Sub-processors as necessary to perform the Skyfire Services. Skyfire’s list of Sub-processors is located at skyfire.xyz/service-providers-legal (“Skyfire Subprocessors List”). You consent to Skyfire’s use of its existing Sub-processors and grant Skyfire a general written authorization to engage Sub-processors as necessary to perform the Services. If you subscribe to email notifications through your Skyfire Account, then Skyfire will notify you via email if Skyfire intends to add one or more Sub-processors to that list at least 30 days before the changes take effect. You may reasonably object to a change on legitimate grounds within 30 days after you receive notice of the change. You acknowledge that Skyfire’s Sub-processors are essential to provide the Skyfire Services and that if you object to Skyfire’s use of a Sub-processor, then notwithstanding anything to the contrary in the Agreement (including this DPA), Skyfire will not be obligated to provide you the Skyfire Services for which Skyfire uses that Sub-processor.

(b) Skyfire will enter into a written agreement with each Sub-processor that imposes on that Sub-processor obligations comparable to those imposed on Skyfire under this DPA, including the obligation to implement appropriate Data Security Measures. If a Sub-processor fails to fulfill its data protection obligations under that agreement, Skyfire will remain liable to you for the acts and omissions of its Sub-processor to the same extent Skyfire would be liable if performing the relevant Skyfire Services directly under this DPA.

2.3 CCPA

If the CCPA applies and Skyfire is acting as a Data Processor, Skyfire will not: (a) sell or share (as defined under the CCPA) Personal Data; (b) retain, use or disclose Personal Data outside of its direct business relationship with you other than to provide Skyfire’s products and services and as required to comply with Law; and (c) combine Personal Data received from or through you with Personal Data received from or on behalf of an individual or collected from Skyfire’s own interactions with the individual, except to provide Skyfire’s products and services and as permitted by Law. Skyfire certifies that it understands and will comply with the requirements in this DPA relating to the CCPA and will provide the same level of privacy protection to Personal Data as required by the CCPA. Skyfire will inform you if it determines that it can no longer meet its obligations under the CCPA and will take reasonable and appropriate steps to remediate any unauthorized Processing of Personal Data.

2.4 Disclaimer of Liability

Notwithstanding anything to the contrary in the Agreement, including this DPA, Skyfire will not be liable for any claim made by a Data Subject arising from or related to Skyfire’s acts or omissions, to the extent that Skyfire was acting in accordance with your Instructions.

3. Your obligations when acting as a Data Controller

You must:

(a) only provide Instructions to Skyfire that are lawful;

(b) comply with and perform your obligations under DP Law, including with regard to Data Subject rights, data security and confidentiality, and ensure you have an appropriate legal basis for the Processing of Personal Data as described in the Agreement, including this DPA; and

(c) provide Data Subjects with all necessary information (including by means of offering a transparent and easily accessible public privacy notice) and, where required by DP Law, obtain all necessary consents, regarding Skyfire’s and your Processing of Personal Data for the purposes described in the Agreement, including this DPA.

4. Skyfire’s obligations when acting as a Data Controller

Skyfire must comply with and perform its obligations under DP Law when Processing Personal Data.

5. Data transfers

You acknowledge that in order for Skyfire to provide the Services, you transfer Personal Data to Skyfire in the United States. If the transfer comprises Personal Data that requires a Data Transfer Mechanism, the Data Transfers Addendum in Exhibit B, which is incorporated into this DPA, will apply. Skyfire may transfer Personal Data on a global basis as necessary to provide the Services.

6. Conflict

If there is any conflict between:

(a) the provisions of this DPA and any provision of the Agreement regarding Personal Data Processing, the provisions of this DPA will prevail; and

(b) the provisions of this DPA and any provision of the Data Transfers Addendum, the provisions of the Data Transfers Addendum will prevail.

7. Definitions

Capitalized terms not defined in this DPA have the meanings given to them in the Agreement.

“Agreement” means the Skyfire Services Agreement between you and Skyfire located at www.skyfire.xyz/legal/ssa.

“CCPA” means California Consumer Privacy Act of 2018, Cal. Civ. Code Sections 1798.100-1798.199, and its implementing regulations.

“Data Controller” means the entity which, alone or jointly with others, determines the purposes and means of Processing Personal Data, which may include, as applicable, a “Business” as defined under the CCPA.

“Data Incident” means an unauthorized or unlawful Processing, use, access, loss, disclosure, destruction or alteration of Personal Data in a party’s or its affiliate’s, or a party’s or its affiliate’s subcontractor’s, agent’s or representative’s, possession or control.

“Data Processor” means the entity that Processes Personal Data on behalf of the Data Controller, which may include, as applicable, a “Service Provider” as defined under the CCPA.

“Data Security Measures” means technical and organizational measures that are intended to secure Personal Data to a level of security appropriate for the risk of the Processing.

“Data Subject” means an identified or identifiable natural person to which Personal Data relates.

“Data Transfer Mechanism” means a transfer mechanism that enables the lawful cross-border transfer of Personal Data under DP Law, which includes transfer mechanisms that are required under DP Law in the EEA, Switzerland and the UK, such as the EEA SCCs, the UK International Data Transfer Addendum and any data transfer mechanism available under DP Law that is incorporated into this DPA.

“DP Law” means Law that applies to Personal Data Processing under the Agreement and this DPA, including international, federal, state, provincial and local Law relating in any way to privacy, data protection or data security.

“EEA” means the European Economic Area.

“EEA SCCs” means Module 1 (Transfer: Controller to Controller) and Module 2 (Transfer: Controller to Processor) of the standard contractual clauses set out in the European Commission Implementing Decision (EU) 2021/914 on standard contractual clauses for the transfer of personal data to third countries according to the GDPR.

“GDPR” means General Data Protection Regulation (EU) 2016/679.

“Instructions” means any communication or documentation, including that which may be provided through a Skyfire API, or Skyfire Dashboard, or written agreements between you and Skyfire through which the Data Controller instructs a Data Processor to perform specific Processing of Personal Data.

“Personal Data” means any information relating to an identifiable natural person that is Processed in connection with the Skyfire Services, and includes “personal data” as defined under the GDPR and “personal information” as defined under the CCPA.

“Process” means to perform any operation or set of operations on Personal Data or sets of Personal Data, such as collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying, as described under DP Law.

“Sensitive Data” means, to the extent this data is treated distinctly as a special category of Personal Data under DP Law: (a) Personal Data that is genetic data, biometric data, data concerning health, a natural person’s sex life or sexual orientation; (b) data about racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; (c) geolocation data; or (d) sensitive personal information as defined under the CCPA.

“Sub-processor” means an entity a Data Processor engages to Process Personal Data on that Data Processor’s behalf in connection with the Skyfire Services.

“Supervisory Authority” means an independent public authority which is (i) established by a European Union member state pursuant to Article 51 of the GDPR; or (ii) the public authority governing data protection that has supervisory authority and jurisdiction over you.

“UK GDPR” means the GDPR, as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.

“UK International Data Transfer Addendum” means the international data transfer addendum to the EEA SCCs issued by the United Kingdom’s Information Commissioner’s Office.

Exhibit A: Skyfire Data Security

Security Programs and Policies
Skyfire maintains and enforces a security program that addresses how Skyfire manages security, including its security controls. The security program includes:
• documented policies that Skyfire formally approves, internally publishes, communicates to appropriate personnel and reviews at least annually;
• documented, clear assignment of responsibility and authority for security program activities;
• policies covering, as applicable, acceptable computer use, data classification, cryptographic controls, access control, removable media and remote access; and
• regular testing of the key controls, systems and procedures.

Privacy Program. Skyfire maintains and enforces a privacy program and related policies that address how Personal Data is collected, used and shared.

Risk and Asset Management
Skyfire performs risk assessments, and implements and maintains controls for risk identification, analysis, monitoring, reporting and corrective action.

Skyfire maintains and enforces an asset management program that appropriately classifies and controls hardware and software assets throughout their life cycle.

Personnel Education and Controls
All (a) Skyfire employees; and (b) Skyfire independent contractors who may have access to data, including those who Process Personal Data ((a) and (b), collectively “Personnel”) acknowledge their data security and privacy responsibilities under Skyfire’s policies.

For Personnel, Skyfire, either itself or through a third party:
• implements pre-employment background checks and screening;
• conducts security and privacy training;
• implements disciplinary processes for violations of data security or privacy requirements; and
• upon termination or applicable role change, promptly removes or updates Personnel access rights and requires Personnel to return or destroy Personal Data.

Authentication. Skyfire authenticates each Personnel’s identity through appropriate authentication credentials such as strong passwords, token devices or biometrics.

Network and Operations Management Policies and Procedures. Skyfire implements policies and procedures for network and operations management. These policies and procedures address hardening, change control, segregation of duties, separation of development and production environments, technical architecture management, network security, malware protection, protection of data in transit and at rest, data integrity, encryption, audit logs and network segregation.

Vulnerability Assessments. Skyfire performs periodic vulnerability assessments and penetration testing on its systems and applications, including those that Process Personal Data.

Technical Access Controls
Access control. Skyfire implements measures to prevent data processing systems from being used by unauthorized persons, including the following measures:
• user identification and authentication procedures;
• ID/password security procedures, including stronger digital authentication measures based on NIST 800-63B including MFA;
• automatic blocking (e.g., password or timeout); and
• break-in-attempt monitoring.

Data access control. Skyfire implements measures to ensure that persons entitled to use a data processing system gain access only to the Personal Data allowed for their access rights, and that Personal Data cannot be read, copied, modified or deleted without authorization, including:
• internal policies and procedures;
• control authorization schemes;
• differentiated access rights (profiles, roles, actions and objects);
• access monitoring and logging;
• access reports;
• access procedure;
• change procedure; and
• deletion procedure.

Physical access controls. Skyfire uses reputable third-party service providers to host its production infrastructure. Skyfire relies on these third parties to manage the physical access controls to the data center facilities that they manage. Some of the measures that Skyfire’s service providers provide to prevent unauthorized persons from gaining physical access to the data processing systems available at premises and facilities (including databases, application servers and related hardware), where Personal Data is Processed, include:
• physical access control system and program in place at Skyfire premises;
• 24×7 Global Security Operation Center that monitors physical security systems;
• security video and alarm systems;
• access control roles and area zones;
• access control audit measures;
• electronic tracking and management program for keys;
• access authorisations process for employees and third parties;
• door locking (electrified locks etc.); and
• trained uniformed security staff.

Skyfire reviews third-party audit reports to verify that Skyfire’s service providers maintain appropriate physical access controls for the managed data centers.

Availability Controls
Skyfire implements measures to ensure the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident, including:
• database replication;
• backup procedures;
• hardware redundancy; and
• a disaster recovery plan.

Disclosure Controls
Skyfire implements measures to ensure that Personal Data (a) cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic); and (b) can be verified to which companies or other legal entities Personal Data are disclosed, including logging, transport security and encryption.

Entry Controls
Skyfire implements measures to monitor whether data have been entered, changed or removed (deleted), and by whom, from data processing systems, including logging and reporting systems, and audit trails and documentation.

Separation Controls
Skyfire implements measures to ensure that Personal Data collected for different purposes can be Processed separately, including:
• “least privilege” limitation of access to data by internal service;
• segregation of functions (production/testing);
• procedures for storage, amendment, deletion, transmission of data for different purposes; and
• logical segmentation processes to manage the separation of Personal Data.

Encryption
Skyfire applies data encryption mechanisms at multiple points in Skyfire’s service to mitigate the risk of unauthorized access to Skyfire data at rest and in transit. Access to Skyfire cryptographic key materials is restricted to a limited number of authorized Personnel.

Encryption in transit. To protect data in transit, Skyfire requires all inbound and outbound data connections to be encrypted using the TLS 1.2 protocol. For data traversing Skyfire’s internal production networks, Skyfire uses mTLS to encrypt connections between production systems.

Encryption at rest. To protect data at rest, Skyfire uses industry standard encryption (AES-256) to encrypt all production data stored in server infrastructure.

Data Security Incident Management and Notification
Skyfire implements a data security incident management program that addresses how Skyfire manages Data Incidents.

Skyfire will notify impacted Skyfire users and Governmental Authorities (where applicable) of Data Incidents in a timely manner as required by DP Law.

System Configuration
Skyfire implements measures for ensuring system configuration, including default configuration measures for internal IT and IT security governance.

Skyfire relies on deployment automation tools to deploy infrastructure and system configuration. These automation tools leverage infrastructure configurations that are managed through code that flows through Skyfire’s change control processes.

Skyfire’s change management processes require formal code reviews and two-party approvals prior to the release to production.

Skyfire uses monitoring tools to monitor production infrastructure for changes from known configuration baselines.

Data Portability
The Skyfire API enables Skyfire users to programmatically access the data stored for transfer.

Data Retention and Deletion
Skyfire implements and maintains data retention policies and procedures related to Personal Data and reviews these policies and procedures as appropriate.

Exhibit B: Data Transfers Addendum

Skyfire is headquartered in the United States, with offices in San Francisco as well as employees globally. The Personal Data we collect may be stored and processed in your country or region, or in any other country where we or our subsidiaries, service providers or third-party data partners process data. This means that we may process your Personal Data in and transfer your Personal Data to countries outside of the country in which you are based. These countries may have data protection laws that are different to the laws of your country (and, in some cases, may not be as protective). We take steps designed to ensure that Personal Data is processed and protected as described in this Data Transfer Addendum and in accordance with Law wherever the data is located.

Currently, we primarily use data centers in the United States to host your Personal Data. The storage location(s) are chosen to operate efficiently and improve performance.

We transfer Personal Data from the European Economic Area (EEA), United Kingdom (UK), and Switzerland to other countries, some of which have not been determined by the European Commission to have an adequate level of data protection. When we do so, we use legal mechanisms, including the European Commission’s Standard Contractual Clauses (and similar measures in the UK and Switzerland) or other available transfer mechanisms, to help ensure your rights and protections.

The EU Standard Contract Clauses

Module 1 (Transfer: Controller to Controller) and Module 2 (Transfer: Controller to Processor) of the EEA SCCs, each as completed and supplemented as set out in this Data Transfers Addendum, apply to a transfer by you to Skyfire of Personal Data that is subject to DP Law in the EEA and Processed under your DPA.

3. UK International Data Transfer Addendum

The UK International Data Transfer Addendum, completed and supplemented according to this Data Transfers Addendum, applies to a transfer by you to SINC of Personal Data that is subject to DP Law in the United Kingdom and Processed under your DPA.

4. Personal Data transfers from Switzerland

The EEA SCCs, supplemented by this Data Transfers Addendum and adapted as follows, apply to a transfer by you to Skyfire of Personal Data that is subject to DP Law in Switzerland and Processed under your DPA: (a) a reference to “Member State” will not be interpreted to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland), and (b) to the extent the transfer of personal data is governed by the Swiss Federal Act on Data Protection, the Swiss Federal Data Protection and Information Commissioner will act as the competent supervisory authority; to the extent the transfer of personal data is governed by the GDPR, the supervisory authority determined in Annex IC of the EEA SCCs will act as the competent supervisory authority; any references to the “competent supervisory authority” will be interpreted accordingly.

5. Supplemental Clauses to the EEA SCCs

5.1. Personal Data will be encrypted both in transit and at rest using encryption technology by Skyfire.

5.2. Skyfire will resist, to the extent permitted by Law, any request under Section 702 of the Foreign Intelligence Surveillance Act (“FISA”).

5.3. Skyfire will use reasonably available legal mechanisms to challenge any demands for data access through the national security process that it may receive in relation to data exporter’s data.

5.4. No later than the date on which your acceptance of the DPA that incorporates or references this Data Transfers Addendum becomes effective, Skyfire will notify you of any binding legal demand for the Personal Data it has received, including national security orders and directives, which will encompass any process issued under Section 702 of FISA, unless prohibited under Law.

6. Operation of the EEA SCCs

You and Skyfire agree that the application of the EEA SCCs to each transfer made under this Data Transfers Addendum will be interpreted as follows:

6.1. Clause 8.1(a) of the EEA SCCs, Module 2 (Transfer: Controller to Processor): Instructions. The DPA and the Agreement are your complete and final instructions at the time of execution of the DPA for the Processing of Personal Data. Any additional or alternate instructions must be agreed separately in writing by you and Skyfire. For the purposes of Clause 8.1(a) of Module 2 (Transfer: Controller to Processor) of the EEA SCCs, the Processing described in the DPA is deemed an instruction by you to Process Personal Data.

6.2. Clause 8.9 of the EEA SCCs, Module 2 (Transfer: Controller to Processor): Audit. You acknowledge and agree that you exercise your audit right under Clause 8.9 of Module 2 (Transfer: Controller to Processor) of the EEA SCCs by instructing Skyfire to comply with the audit measures described in the DPA.

6.3. Clause 9(c) of the EEA SCCs, Module 2 (Transfer: Controller to Processor): Copies of Sub-processor Agreements. You and Skyfire agree that, following your request, Skyfire will provide copies of the Sub-processor agreements that must be provided to you under Clause 9(c) of Module 2 (Transfer: Controller to Processor) of the EEA SCCs, provided that Skyfire may (i) redact or remove all commercial information or clauses unrelated to the EEA SCCs or their equivalent and (ii) determine the manner in which to provide the copy agreements to you.

6.4. Application of the Agreement. The EEA SCCs are incorporated into the Agreement. As between you and Skyfire, to the greatest extent permitted by Law, the limitations and exclusions of liability set out in the Agreement apply to the EEA SCCs.

7. Order of Precedence

If, in connection with Skyfire providing the Skyfire Services to you, more than one Data Transfer Mechanism could apply to a transfer of Personal Data, you and Skyfire agree that the transfer will be subject to one Data Transfer Mechanism only, according to the following order of precedence:

(a) the EU SCCs;

(b) the UK International Data Transfer Addendum; and

(c) any other data transfer mechanism available under DP Law that is incorporated into your DPA, including this Data Transfers Addendum.