Data Processing Agreement
Effective date: 9 June 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Developer Jones AB ("SkyState", "Processor") and the customer that accepts those Terms ("Customer", "Controller"). It applies only where, and to the extent that, SkyState processes customer-controlled state data containing personal data on the Customer's behalf. By accepting the Terms of Service, a Customer acting as a controller accepts this DPA to the extent it applies. No separate signature is required; the Customer may request a counter-signed copy by contacting support@skystate.io.
This DPA governs only SkyState's role as a processor of customer-controlled state data — the identifiers and state content a Customer stores in SkyState about its own end users. SkyState's processing of the Customer's own account, billing, and support data, where SkyState is the controller, is governed by the Privacy Policy, not this DPA.
1. Definitions
"GDPR" means Regulation (EU) 2016/679. "Controller", "Processor", "Data Subject", "Personal Data", "Processing", and "Sub-processor" have the meanings given in the GDPR. "Customer Personal Data" means personal data contained in customer-controlled state data that SkyState processes on the Customer's behalf under the Terms of Service. "Service" means the SkyState service as described in the Terms of Service.
2. Roles of the parties
For Customer Personal Data, the Customer is the Controller (or a processor acting on behalf of a third-party controller) and SkyState is the Processor. Where the Customer is itself a processor, the Customer warrants that its own controller has authorised the processing and sub-processing described in this DPA. Each party complies with its own obligations under applicable data-protection law.
3. Scope and instructions
SkyState processes Customer Personal Data only on the Customer's documented instructions, including as set out in this DPA and the Terms of Service, and as necessary to provide, secure, support, and maintain the Service. The Customer's use of the Service constitutes its instructions. SkyState informs the Customer if, in its opinion, an instruction infringes applicable data-protection law, unless prohibited from doing so by law. SkyState does not sell Customer Personal Data and does not process it for its own purposes.
4. Details of processing
The subject matter, duration, nature and purpose of the processing, the types of personal data, and the categories of data subjects are described in Annex 1.
5. Confidentiality
SkyState ensures that personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations and process the data only as instructed.
6. Security measures
SkyState implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. The measures are described in Annex 2.
7. Sub-processors
The Customer provides general authorisation for SkyState to engage Sub-processors to process Customer Personal Data. SkyState's current Sub-processors that process Customer Personal Data are listed on the Sub-processors page and in Annex 3. SkyState imposes data-protection obligations on each Sub-processor that are no less protective than those in this DPA and remains responsible for its Sub-processors' performance. SkyState will give notice of intended changes to its Sub-processors by updating the Sub-processors page; the Customer may object on reasonable data-protection grounds by contacting support@skystate.io, and where an objection cannot be resolved, the Customer may terminate the affected Service.
8. Data subject requests
Taking into account the nature of the processing, SkyState assists the Customer by appropriate technical and organisational measures, insofar as possible, to respond to requests from data subjects exercising their rights. SkyState provides the Customer with the means to access, correct, export, and delete Customer Personal Data through the Service. Where SkyState receives a request directly from a data subject relating to Customer Personal Data, it directs the data subject to the Customer and does not respond on the Customer's behalf except on the Customer's instruction or as required by law.
9. Security incidents
SkyState notifies the Customer without undue delay after becoming aware of a personal-data breach affecting Customer Personal Data, and provides information reasonably available to it to help the Customer meet its own breach-notification obligations.
10. Deletion and return
On termination of the Service, or earlier on the Customer's instruction through the Service, SkyState deletes Customer Personal Data, subject to backup, security, and legal-retention limits described in the Privacy Policy. Backups are overwritten or expired on their ordinary retention cycle.
11. Audits and compliance
SkyState makes available to the Customer information reasonably necessary to demonstrate compliance with this DPA and contributes to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer. To the extent compatible with security and other customers' confidentiality, SkyState may satisfy this obligation by providing relevant documentation about its measures and its providers' certifications.
12. International transfers
The primary store for Customer Personal Data is located in the EU/EEA. Where Customer Personal Data is transferred outside the EU/EEA, SkyState relies on an appropriate transfer mechanism such as the European Commission standard contractual clauses, an adequacy decision, or its providers' equivalent transfer terms. Transfer details are described in Annex 4.
Annex 1 — Processing details
- Subject matter: processing of Customer Personal Data to provide the SkyState state-management Service.
- Nature and purpose: store, retrieve, update, delete, transmit, back up, and log customer-controlled state data on the Customer's behalf.
- Duration: the term of the Customer's subscription, plus the backup-retention period described in the Privacy Policy.
- Types of personal data: end-user identifiers and any state content the Customer chooses to store about its end users, including any personal data the Customer places in per-user or public state. The Service is not intended for special-category or other regulated personal data unless agreed in writing.
- Categories of data subjects: the Customer's own end users, visitors, employees, or other individuals about whom the Customer stores state.
Annex 2 — Security measures
- Encryption of data in transit (TLS) and at rest (managed-database encryption).
- Secrets held in a managed secret store; no credentials in source or configuration.
- Per-account, ownership-checked data isolation so each account can access only its own data.
- Audit logging of access and administrative actions.
- Least-privilege identity and access management for operational access.
- Regular patching and dependency maintenance of the Service and its infrastructure.
Annex 3 — Sub-processors
The Sub-processors that process Customer Personal Data:
| Sub-processor | Purpose | Location / transfer |
|---|---|---|
| Google Cloud (Cloud Run, Cloud SQL) | Hosting and Postgres storage | europe-west1 (EEA) |
| Firebase (Google) | End-user authentication | Google infrastructure (global); EU Standard Contractual Clauses |
Payment (Creem) and transactional email (Resend) providers process only the Customer's own account and billing data, not Customer Personal Data, and are disclosed in the Privacy Policy rather than this Annex. The full provider list is on the Sub-processors page.
Annex 4 — International transfers
The primary store (Google Cloud, Cloud Run and Cloud SQL) is located in europe-west1 within the EEA, so no additional transfer mechanism is required for it. End-user authentication (Firebase, Google) may involve processing on Google's global infrastructure; such transfers are covered by Google's standard contractual clauses incorporated into the Google Cloud and Firebase terms.