Data Processing Agreement
Effective Date: May 29, 2026.
This Data Processing Agreement (the "DPA") forms part of and supplements the Skillsail Terms and Conditions. If Skillsail processes Customer Personal Data on behalf of your organization, your acceptance of the Terms also constitutes acceptance of this DPA on behalf of that organization.
This DPA has 2 parts: (1) the Key Terms on this Cover Page and (2) the Common Paper DPA Standard Terms Version 1.1 posted at commonpaper.com/standards/data-processing-agreement/1.1 ("DPA Standard Terms"), which is incorporated by reference. If there is any inconsistency between the parts of the DPA, the Cover Page will control over the DPA Standard Terms. Capitalized and highlighted words have the meanings given on the Cover Page. However, if the Cover Page omits or does not define a highlighted word, the default meaning will be "none" or "not applicable" and the correlating clause, sentence, or section does not apply to this DPA. All other capitalized words have the meanings given in the DPA Standard Terms or the Agreement.
Key Terms
The key legal terms of the DPA are as follows:
| Agreement | This DPA supplements the following agreement: https://skillsail.com/legal/terms |
|---|---|
| Approved Subprocessors | https://skillsail.com/legal/subprocessors |
| Provider Security Contact | nico@skillsail.com Elektrastraße 11 München, Germany 81925 Germany |
| Security Policy | As defined in the Agreement. |
| Changes to the Agreement | |
| Governing Law and Chosen Courts | Notwithstanding the governing law or similar clauses of the Agreement, all interpretations and disputes about this DPA will be governed by the laws of the Governing State without regard to its conflict of laws provisions. In addition, and notwithstanding the forum selection, jurisdiction, or similar clauses of the Agreement, the parties agree to bring any legal suit, action, or proceeding about this DPA in, and each party irrevocably submits to the exclusive jurisdiction of, the courts of the Governing State. Governing State means: Germany |
| Service Provider Relationship | To the extent California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq ("CCPA") applies, the parties acknowledge and agree that Provider is a service provider and is receiving Personal Data from Customer to provide the Service as agreed in the Agreement and detailed below (see Nature and Purpose of Processing), which constitutes a limited and specified business purpose. Provider will not sell or share any Personal Data provided by Customer under the Agreement. In addition, Provider will not retain, use, or disclose any Personal Data provided by Customer under the Agreement except as necessary for providing the Service for Customer, as stated in the Agreement, or as permitted by Applicable Data Protection Laws. Provider certifies that it understands the restrictions of this paragraph and will comply with all Applicable Data Protection Laws. Provider will notify Customer if it can no longer meet its obligations under the CCPA. |
| Restricted Transfers | |
| Governing Member State | EEA Transfers: Germany UK Transfers: England |
Annex I(A) List of Parties
| Data Exporter | Name: the Customer signing this DPA Activities relevant to transfer: See Annex 1(B) Role: Controller |
|---|---|
| Data Importer | Name: the Provider signing this DPA Contact person: Nico Schriever, CEO Address: Elektrastraße 11, München, Germany 81925, Germany Activities relevant to transfer: See Annex 1(B) Role: Processor |
Annex I(B) Description of Transfer and Processing Activities
| Service | The Service is: Skillsail Platform, an AI-powered eLearning content creation, hosting, sharing, and export service, including related support services. |
|---|---|
| Categories of Data Subjects | Customer's end users or customers Customer's employees |
| Categories of Personal Data | Name Contact information such as email, phone number, or address User activity and analysis such as device information or IP address Location information |
| Special Category Data | Is special category data (as defined in Article 9 of the GDPR) Processed? No |
| Frequency of Transfer | Continuous |
| Nature and Purpose of Processing | Receiving data, including collection, accessing, retrieval, recording, and data entry Holding data, including storage, organization, and structuring Using data, including analysis, consultation, testing, automated decision making, and profiling Protecting data, including restricting, encrypting, and security testing Sharing data, including disclosure, dissemination, allowing access, or otherwise making available Returning data to the data exporter or data subject |
| Duration of Processing | Provider will process Customer Personal Data as long as required (i) to conduct the Processing activities instructed in Section 2.2(a)-(d) of the Standard Terms; or (ii) by Applicable Laws. |
Annex I(C)
| Competent Supervisory Authority | The supervisory authority will be the supervisory authority of the data exporter, as determined in accordance with Clause 13 of the EEA SCCs or the relevant provision of the UK Addendum. |
|---|
Annex II
| Technical and Organizational Security Measures | See Security Policy User identification and authorization process and protection: Use of passwordless login processes and single sign on where possible. Protecting Customer Personal Data during transmission (in transit): All customer-facing websites are only available via https. Events logging: Error and issue logging to ensure problems can be detected and remediated in a timely manner. Ensuring data minimization: Unused user accounts are removed after certain time periods. Ensuring data quality: We correct inaccurate information in our systems as soon as we are made aware of data discrepancies. In most cases, customers can adjust and update their user data in their own customer portal. Allowing data portability and erasure: Customers can request account deletion via a button in their account or request it by contacting support. A data extract can be requested from customer support as well. |
|---|---|
| Other Changes to the DPA Standard Terms Additional modifications or customizations |
Acceptance and Provider Details
Provider and Customer have not changed the DPA Standard Terms except for the details on the Cover Page above. For online self-service customers, Customer agrees to enter into this DPA by accepting the Agreement; no separate signature is required for this online DPA. If Provider and Customer execute a separately signed data processing agreement, that separately signed agreement controls for the Customer that signed it.
| Provider | Skillsail GmbH |
|---|---|
| Print Name | Nico Schriever |
| Title | CEO |
| Legal Notice Address | Elektrastraße 11 München, Germany 81925 Germany |
Subprocessors
The current list of Approved Subprocessors is maintained on our Subprocessors page.
Source and License
This DPA is based on the Common Paper Data Processing Agreement, including the Common Paper DPA Standard Terms Version 1.1, and is used and modified under the Creative Commons Attribution 4.0 International License. It has been customized for Skillsail GmbH. Common Paper is not a party to this DPA.