Data Processing Agreement

Last updated: April 19, 2026

In short

If your organization needs a signed Data Processing Agreement (DPA) under GDPR Article 28, request one from our Data Protection Officer. We will countersign and return it within 5 business days. A downloadable template version is also available below.

1. Scope

This Data Processing Agreement applies whenever Skillsolutions for Management Consultancy ("Processor") processes personal data on behalf of a customer organization ("Controller") using the SkillHQ platform. It forms part of the Terms of Service and takes precedence where the two conflict on data-protection matters.

2. Roles and responsibilities

Under this DPA:

  • The customer is the Controller of personal data it uploads or generates on the platform.
  • Skillsolutions is the Processor acting on the Controller's documented instructions.
  • Each party is responsible for its own GDPR compliance in its respective role.
  • The Controller must ensure it has an underlying legal basis for the processing (consent, contract, legitimate interest, etc.).

3. Subprocessors

We maintain a current list of subprocessors on our public subprocessors page. Customers are notified at least 30 days before we engage a new subprocessor or make a material change.

View current subprocessors

4. International transfers

Where personal data is transferred outside the EEA / UK / Bahrain, we rely on the EU Standard Contractual Clauses (2021/914 Module 2) and, where applicable, the UK International Data Transfer Addendum. Supplementary measures are in place for each subprocessor.

5. Technical and organizational measures

We maintain the following safeguards:

  • Encryption in transit (TLS 1.3) and at rest (AES-256).
  • Role-based access control with the principle of least privilege.
  • Mandatory MFA for all administrative accounts.
  • Audit logging of all sensitive operations.
  • Daily backups with point-in-time recovery (7 days) and retained snapshots (30 days).
  • Annual security and privacy training for all staff with access to customer data.

6. Data subject rights

We provide tools for the Controller to fulfill data subject requests directly (export, erasure, rectification). Where the request cannot be fulfilled through in-product features, we will assist the Controller within GDPR deadlines.

7. Breach notification

We will notify the Controller without undue delay — and in any case within 72 hours — of any personal data breach affecting the Controller's data. Our incident response procedure includes containment, impact assessment, customer notification, and regulatory notification where required.