Data Processing Agreement
Version 1.0 - Effective: January 9, 2026
Need a signed DPA?
Download our pre-signed DPA or request a custom agreement for your organization.
1. Parties and Scope
This Data Processing Agreement ("DPA") is entered into between:
- • Data Controller: The customer ("you") who uses Skemya services
- • Data Processor: Skemya SAS ("we", "us")
This DPA applies to all personal data processed by Skemya on behalf of the Customer in connection with the Skemya form builder services.
2. Processing Details
2.1 Subject Matter
The processing concerns the collection, storage, and management of form responses and related data submitted through forms created using the Skemya platform.
2.2 Duration
Processing will continue for the duration of the service agreement plus 30 days for data export and deletion.
2.3 Nature and Purpose
Processing is performed to enable form creation, response collection, analytics, integrations, and other features of the Skemya platform as directed by the Customer.
2.4 Categories of Data Subjects
- • Form respondents
- • Customer employees and authorized users
2.5 Types of Personal Data
- • Contact information (name, email, phone)
- • Form response data as defined by Customer
- • Technical data (IP address, browser information)
- • Any other data collected through Customer forms
3. Security Measures
We implement the following technical and organizational measures:
- • Encryption: AES-256 at rest, TLS 1.3 in transit
- • Access Control: Role-based access, multi-factor authentication
- • Monitoring: 24/7 security monitoring and intrusion detection
- • Backups: Encrypted daily backups with 30-day retention
- • Audits: Annual third-party security assessments
- • Certifications: SOC 2 Type II, ISO 27001
4. Sub-processors
We use the following sub-processors, all GDPR-compliant and EU-based:
| Sub-processor | Service | Location |
|---|---|---|
| OVHcloud SAS | Cloud infrastructure | France |
| Hetzner Online GmbH | Database hosting | Germany |
| Bunny CDN d.o.o. | Content delivery | Slovenia (EU nodes only) |
We will notify you 30 days before adding new sub-processors. You may object within this period.
5. Data Subject Rights
We will assist you in responding to data subject requests. Our platform provides self-service tools for data export and deletion. We will respond to your assistance requests within 72 hours.
6. Data Breach Notification
We will notify you of any personal data breach within 24 hours of becoming aware. Notification will include the nature of the breach, categories of data affected, and measures taken or proposed.
7. Audit Rights
You may audit our compliance with this DPA. We will provide access to our latest SOC 2 Type II report and ISO 27001 certification. On-site audits require 30 days notice and are limited to once per year.
8. Data Deletion
Upon termination of services, we will delete all personal data within 30 days unless legally required to retain it. You may export your data before termination using our export tools.
9. Contact
For DPA-related inquiries:
Legal Department
Email: legal@skemya.com
For urgent data protection matters, contact our DPO: dpo@skemya.com