Skillplate
  • Compare
  • Integrations
  • Reviews
  • Pricing
Log inStart FreeStart free

Skillplate Data Processing Addendum

Last updated: 11.06.2026
This Data Processing Addendum (“DPA”) forms part of the Skillplate Terms of Service available at https://skillplate.com/legal/terms, or any other written agreement between Skillplate and the Customer that governs the Customer’s use of the Skillplate services (the “Agreement”).
This DPA applies where Skillplate processes Customer Personal Data on behalf of the Customer in connection with the Skillplate services.
By using the Skillplate services, or by entering into the Agreement with Skillplate, the Customer agrees to this DPA.

1. Parties

This DPA is entered into between:
Skillplate Inc.
228 Park Ave S PMB 24982 New York, New York 10003-1502, New York, NY 10003 US
(“Skillplate,” “Processor,” “Service Provider,” “Contractor,” “we,” “us,” or “our”)
and
The customer, creator, business, organization, or other person using the Skillplate services
(“Customer,” “Controller,” “Business,” “you,” or “your”).
Skillplate and the Customer are together referred to as the “Parties.”

2. Definitions

For the purposes of this DPA:
“Agreement” means the Skillplate Terms of Service and any applicable order form, subscription agreement, enterprise agreement, or other written agreement between the Parties.
“Applicable Data Protection Laws” means all privacy and data protection laws applicable to the processing of Customer Personal Data under the Agreement, including where applicable the GDPR, UK GDPR, Swiss Federal Act on Data Protection, CCPA/CPRA, and other applicable privacy laws.
“CCPA/CPRA” means the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and its implementing regulations.
“Customer Personal Data” means any Personal Data that Skillplate processes on behalf of the Customer in connection with the services.
“Data Subject” means an identified or identifiable natural person to whom Customer Personal Data relates.
“GDPR” means Regulation (EU) 2016/679, the General Data Protection Regulation.
“Personal Data,” “Personal Data Breach,” “Processing,” “Controller,” “Processor,” and “Supervisory Authority” have the meanings given to them under Applicable Data Protection Laws.
“Services” means the Skillplate platform, websites, applications, software, APIs, hosting, support, analytics, payment-related integrations, product creation tools, course tools, community tools, website builder, checkout tools, CRM tools, AI-assisted features, and related services provided by Skillplate.
“Subprocessor” means any third party engaged by Skillplate to process Customer Personal Data on behalf of the Customer.

3. Roles of the Parties

3.1The Parties acknowledge that, for Customer Personal Data processed under this DPA:

  • (a) the Customer acts as the Controller or Business; and
  • (b) Skillplate acts as the Processor, Service Provider, or Contractor.

3.2The Customer determines the purposes and means of processing Customer Personal Data.

3.3Skillplate processes Customer Personal Data only on behalf of the Customer and only as necessary to provide the Services, comply with the Agreement, comply with documented instructions, and meet applicable legal obligations.

3.4If the Customer is itself acting as a processor on behalf of another controller, the Customer represents that its instructions to Skillplate are authorized by the relevant controller.

4. Scope of Processing

The subject matter, duration, nature, purpose, categories of Personal Data, and categories of Data Subjects are described in Schedule 1 of this DPA.

5. Customer Instructions

5.1The Customer instructs Skillplate to process Customer Personal Data as necessary to:

  • (a) provide, maintain, secure, and improve the Services;
  • (b) create, host, deliver, and manage the Customer’s digital products, websites, pages, courses, communities, downloads, bundles, events, CRM records, checkout flows, and related business operations;
  • (c) provide customer support;
  • (d) process payments and transactions through integrated payment providers;
  • (e) provide analytics, reporting, automation, AI-assisted product creation, and platform functionality;
  • (f) comply with the Agreement; and
  • (g) comply with applicable law.

5.2Skillplate will not process Customer Personal Data except on documented instructions from the Customer, unless required by applicable law. If Skillplate is required by law to process Customer Personal Data outside the Customer’s instructions, Skillplate will notify the Customer before such processing unless the law prohibits such notice.

5.3The Agreement, this DPA, the Customer’s use of the Services, configuration settings, support requests, and written instructions constitute the Customer’s documented instructions.

5.4Skillplate may suspend or refuse processing instructions that, in Skillplate’s reasonable opinion, violate Applicable Data Protection Laws, the Agreement, or the rights of third parties.

6. Customer Responsibilities

6.1The Customer is responsible for:

  • (a) ensuring that it has a valid legal basis for collecting and processing Customer Personal Data;
  • (b) providing all required notices to Data Subjects;
  • (c) obtaining all required consents, permissions, and authorizations;
  • (d) ensuring that its use of the Services complies with Applicable Data Protection Laws;
  • (e) ensuring that its instructions to Skillplate are lawful;
  • (f) responding to Data Subject requests unless Skillplate is legally required to respond directly;
  • (g) configuring the Services in a privacy-compliant manner; and
  • (h) ensuring that Customer Personal Data submitted to the Services is accurate, lawful, and appropriate.

6.2The Customer will not submit to the Services any Sensitive Personal Data unless the Agreement permits it and the Customer has ensured that such processing complies with Applicable Data Protection Laws.

7. Skillplate Personnel

7.1Skillplate will ensure that persons authorized to process Customer Personal Data are subject to confidentiality obligations.

7.2Skillplate will limit access to Customer Personal Data to personnel, contractors, and subprocessors who need such access to provide the Services.

7.3Skillplate will take reasonable steps to ensure the reliability of personnel who process Customer Personal Data.

8. Security Measures

8.1Skillplate will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.

8.2These measures will take into account the state of the art, implementation costs, nature, scope, context, and purposes of processing, and the risk to Data Subjects.

8.3Skillplate’s security measures may include, as appropriate:

  • (a) access controls and authentication;
  • (b) role-based access restrictions;
  • (c) encryption in transit;
  • (d) encryption at rest where technically and commercially appropriate;
  • (e) secure hosting infrastructure;
  • (f) network and application security controls;
  • (g) logging and monitoring;
  • (h) backup and disaster recovery measures;
  • (i) vulnerability management;
  • (j) internal confidentiality obligations;
  • (k) employee and contractor access limitation;
  • (l) incident response procedures; and
  • (m) regular review of security practices.

8.4The Customer acknowledges that no system can be guaranteed to be completely secure, but Skillplate will maintain commercially reasonable measures appropriate to the nature of the Services.

9. Subprocessors

9.1The Customer gives Skillplate general authorization to engage Subprocessors to process Customer Personal Data in connection with the Services.

9.2Skillplate will maintain a list of Subprocessors at: https://skillplate.com/legal/subprocessors or another URL made available by Skillplate.

9.3Skillplate will impose data protection obligations on each Subprocessor that are substantially similar to those imposed on Skillplate under this DPA.

9.4Skillplate remains responsible for the performance of its Subprocessors’ data protection obligations to the extent required by Applicable Data Protection Laws.

9.5Skillplate may update its Subprocessor list from time to time. Where required by Applicable Data Protection Laws, Skillplate will provide notice of new Subprocessors by updating the Subprocessor page, email, in-product notice, or another reasonable method.

9.6The Customer may object to a new Subprocessor on reasonable data protection grounds by notifying Skillplate in writing within thirty (30) days after notice. If the Parties cannot resolve the objection, the Customer may stop using the affected Services or terminate the affected portion of the Services in accordance with the Agreement.

10. Data Subject Requests

10.1Taking into account the nature of the processing, Skillplate will provide reasonable assistance to the Customer, insofar as possible, to help the Customer respond to Data Subject requests under Applicable Data Protection Laws.

10.2If Skillplate receives a Data Subject request relating to Customer Personal Data, Skillplate will, where legally permitted and where the request identifies the Customer, either:

  • (a) direct the Data Subject to contact the Customer; or
  • (b) notify the Customer of the request.

10.3Skillplate will not respond to a Data Subject request on behalf of the Customer unless instructed by the Customer or required by applicable law.

10.4The Customer is responsible for verifying the identity of the Data Subject and determining whether and how to respond to the request.

11. Personal Data Breach

11.1Skillplate will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data.

11.2Skillplate’s notice will include available information reasonably necessary for the Customer to meet its breach notification obligations, which may include:

  • (a) the nature of the breach;
  • (b) the categories and approximate number of affected Data Subjects, where known;
  • (c) the categories and approximate number of affected records, where known;
  • (d) likely consequences of the breach, where known;
  • (e) measures taken or proposed to address the breach; and
  • (f) contact information for follow-up.

11.3Skillplate will take reasonable steps to investigate, mitigate, and remediate the Personal Data Breach.

11.4Skillplate’s notification of or response to a Personal Data Breach is not an admission of fault or liability.

12. Data Protection Impact Assessments and Prior Consultation

12.1Taking into account the nature of processing and the information available to Skillplate, Skillplate will provide reasonable assistance to the Customer with data protection impact assessments and prior consultations with Supervisory Authorities, to the extent required by Applicable Data Protection Laws.

12.2Skillplate may charge reasonable fees for assistance that exceeds standard support or requires significant engineering, legal, or operational resources, unless such assistance is required due to Skillplate’s breach of this DPA.

13. Deletion and Return of Customer Personal Data

13.1Upon termination or expiration of the Agreement, Skillplate will delete or return Customer Personal Data in accordance with the Agreement, this DPA, and the functionality of the Services.

13.2Unless otherwise required by law, Skillplate will delete Customer Personal Data within a commercially reasonable period after termination, account closure, or written deletion request.

13.3Skillplate may retain Customer Personal Data to the extent required or permitted by law, including for legal, tax, accounting, fraud prevention, security, backup, dispute resolution, or compliance purposes.

13.4Customer Personal Data stored in backups may remain for a limited period until overwritten or deleted according to Skillplate’s backup retention practices, provided that such data remains protected under this DPA.

14. Audits and Compliance Information

14.1Skillplate will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality, security, and commercial sensitivity restrictions.

14.2The Customer may request an audit no more than once per year, unless required by a Supervisory Authority or following a confirmed Personal Data Breach affecting Customer Personal Data.

14.3Audits must be conducted:

  • (a) during normal business hours;
  • (b) with reasonable prior written notice;
  • (c) in a manner that does not disrupt Skillplate’s operations;
  • (d) by an independent auditor reasonably acceptable to Skillplate; and
  • (e) subject to confidentiality obligations.

14.4The Customer will bear the costs of any audit unless the audit reveals a material breach of this DPA by Skillplate.

14.5Skillplate may satisfy audit obligations by providing security reports, certifications, questionnaires, summaries, policies, or other documentation where such materials reasonably demonstrate compliance.

15. International Data Transfers

15.1Skillplate may process and transfer Customer Personal Data in countries where Skillplate, its affiliates, personnel, or Subprocessors operate.

15.2Where Customer Personal Data protected by the GDPR, UK GDPR, or Swiss data protection law is transferred to a country that has not been recognized as providing an adequate level of protection, Skillplate will ensure that an appropriate transfer mechanism is in place.

15.3Such transfer mechanism may include:

  • (a) an adequacy decision;
  • (b) the EU Standard Contractual Clauses;
  • (c) the UK International Data Transfer Addendum or UK International Data Transfer Agreement;
  • (d) the Swiss addendum or Swiss-recognized transfer mechanism; or
  • (e) another lawful transfer mechanism under Applicable Data Protection Laws.

15.4Where the EU Standard Contractual Clauses apply, they are incorporated into this DPA by reference and apply as follows:

  • (a) Module Two applies where the Customer is a Controller and Skillplate is a Processor;
  • (b) Module Three applies where the Customer is a Processor and Skillplate is a Subprocessor;
  • (c) the Customer is the data exporter;
  • (d) Skillplate is the data importer;
  • (e) the optional docking clause applies;
  • (f) the governing law is the law of Ireland, unless another EU Member State law is required;
  • (g) the competent supervisory authority is determined in accordance with the Standard Contractual Clauses; and
  • (h) the details of processing are described in Schedule 1 and Schedule 2 of this DPA.

15.5If there is a conflict between this DPA and applicable Standard Contractual Clauses, the Standard Contractual Clauses will prevail to the extent of the conflict.

16. CCPA/CPRA Service Provider and Contractor Terms

16.1To the extent the CCPA/CPRA applies, the Parties acknowledge that the Customer is a Business and Skillplate is a Service Provider or Contractor.

16.2Skillplate will process Personal Information only for the limited and specified business purposes described in the Agreement and this DPA.

16.3Skillplate will not:

  • (a) sell or share Customer Personal Data;
  • (b) retain, use, or disclose Customer Personal Data for any purpose other than the business purposes specified in the Agreement and this DPA;
  • (c) retain, use, or disclose Customer Personal Data outside the direct business relationship between Skillplate and the Customer;
  • (d) combine Customer Personal Data with Personal Information received from other sources, except as permitted by the CCPA/CPRA; or
  • (e) use Customer Personal Data for cross-context behavioral advertising, except as expressly instructed by the Customer and permitted by law.

16.4Skillplate will comply with applicable obligations under the CCPA/CPRA and will provide the same level of privacy protection required by the CCPA/CPRA.

16.5Skillplate will notify the Customer if Skillplate determines that it can no longer meet its obligations under the CCPA/CPRA.

16.6The Customer has the right to take reasonable and appropriate steps to help ensure that Skillplate uses Customer Personal Data in a manner consistent with the Customer’s obligations under the CCPA/CPRA.

16.7The Customer has the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.

16.8Skillplate will require Subprocessors that process Customer Personal Data subject to the CCPA/CPRA to comply with equivalent restrictions.

17. AI-Assisted Features

17.1The Services may include AI-assisted features that help Customers create, edit, generate, structure, or improve digital products, course content, websites, landing pages, marketing materials, product descriptions, automations, and related business assets.

17.2Where Customer Personal Data is processed through AI-assisted features, Skillplate will process such data in accordance with this DPA.

17.3The Customer is responsible for ensuring that it has the right to submit any Personal Data, content, files, prompts, customer information, or business materials to AI-assisted features.

17.4Skillplate will not use Customer Personal Data to train third-party foundation models unless expressly stated in the Agreement, Privacy Policy, product settings, or another written agreement with the Customer.

17.5Skillplate may use aggregated, anonymized, or de-identified data to improve the Services, provided such data does not identify the Customer, Data Subjects, or any individual.

18. Confidentiality

18.1Each Party will keep confidential any non-public information it receives from the other Party in connection with this DPA.

18.2Confidential information may be disclosed only:

  • (a) with the other Party’s written consent;
  • (b) to personnel, contractors, advisors, or subprocessors who need to know the information and are bound by confidentiality obligations;
  • (c) as required by law; or
  • (d) as necessary to enforce the Agreement or this DPA.

19. Liability

19.1Each Party’s liability under this DPA is subject to the limitations and exclusions of liability in the Agreement, unless prohibited by Applicable Data Protection Laws.

19.2Nothing in this DPA limits liability that cannot legally be limited.

20. Order of Precedence

20.1If there is a conflict between this DPA and the Agreement, this DPA will control with respect to the processing of Customer Personal Data.

20.2If there is a conflict between this DPA and applicable Standard Contractual Clauses, the Standard Contractual Clauses will control to the extent of the conflict.

21. Governing Law and Jurisdiction

21.1This DPA is governed by the governing law specified in the Agreement.

21.2If the Agreement does not specify a governing law, this DPA is governed by the laws of the State of Delaware, United States, unless Applicable Data Protection Laws require otherwise.

21.3Any dispute arising out of or relating to this DPA will be resolved in accordance with the dispute resolution and jurisdiction provisions of the Agreement.

21.4If Applicable Data Protection Laws require a different governing law, jurisdiction, supervisory authority, or forum for a specific data protection matter, those requirements will apply to the extent required by law.

22. Effectiveness and Acceptance

22.1This DPA forms part of the Agreement between Skillplate and the Customer and is incorporated by reference into the Skillplate Terms of Service.

22.2This DPA becomes effective when the Customer agrees to the Agreement, creates an account, logs in, uses the Services, signs an order form, or otherwise enters into a written agreement with Skillplate.

22.3No separate signature is required for this DPA to be binding unless Skillplate and the Customer separately agree otherwise in writing.

22.4If Skillplate and the Customer enter into a separately signed DPA, order form, enterprise agreement, or data protection agreement, the signed agreement will control to the extent it expressly conflicts with this online DPA.

Schedule 1 — Details of Processing

1. Subject Matter
Skillplate’s processing of Customer Personal Data in connection with providing the Skillplate Services to the Customer.

2. Duration
For the duration of the Agreement, and thereafter as necessary for deletion, return, backup retention, legal compliance, dispute resolution, fraud prevention, security, accounting, and legitimate business purposes permitted by law.

3. Nature and Purpose of Processing
Skillplate processes Customer Personal Data to provide, maintain, secure, support, and improve the Services, including:

  • (a) account creation and management;
  • (b) creator, customer, student, member, and subscriber management;
  • (c) hosting and delivering digital products, courses, communities, downloads, bundles, events, websites, pages, and checkout flows;
  • (d) processing transactions through payment integrations;
  • (e) CRM, analytics, reporting, automation, email, notifications, and customer support;
  • (f) AI-assisted generation, editing, structuring, and optimization of content and business assets;
  • (g) fraud prevention, abuse detection, platform security, and compliance;
  • (h) troubleshooting and technical support; and
  • (i) fulfilling the Agreement.

4. Categories of Data Subjects
Customer Personal Data may relate to:

  • (a) Customers and their authorized users;
  • (b) creators, founders, administrators, employees, contractors, and team members;
  • (c) students, members, subscribers, buyers, leads, prospects, and end users;
  • (d) affiliates and referral partners;
  • (e) support contacts;
  • (f) website visitors; and
  • (g) other individuals whose Personal Data is submitted to the Services.

5. Categories of Personal Data
Customer Personal Data may include:

  • (a) name;
  • (b) email address;
  • (c) phone number;
  • (d) billing information;
  • (e) account credentials and identifiers;
  • (f) user profile information;
  • (g) business information;
  • (h) course, product, community, download, coaching, event, or membership data;
  • (i) transaction and subscription information;
  • (j) customer support messages;
  • (k) CRM records, lead records, tags, notes, and communications;
  • (l) IP address, device data, browser data, log data, and usage data;
  • (m) website, landing page, and checkout interaction data;
  • (n) content, files, images, videos, text, prompts, responses, comments, reviews, and other materials submitted to the Services; and
  • (o) other Personal Data submitted by or on behalf of the Customer.

6. Sensitive Personal Data
The Services are not intended for processing Sensitive Personal Data unless expressly permitted by the Agreement or enabled by the Customer in compliance with Applicable Data Protection Laws.
Sensitive Personal Data may include special categories of data under GDPR, government identifiers, financial account data, children’s data, health data, biometric data, precise geolocation, or other sensitive information under Applicable Data Protection Laws.
The Customer is responsible for ensuring that any Sensitive Personal Data submitted to the Services is lawful and appropriately protected.

7. Frequency of Processing
Continuous, as initiated by the Customer and as necessary to provide the Services.

Schedule 2 — Technical and Organizational Measures

Skillplate will maintain appropriate technical and organizational measures designed to protect Customer Personal Data, which may include:

1. Access Control

  • (a) role-based access controls;
  • (b) authentication requirements;
  • (c) limited personnel access based on business need;
  • (d) periodic access review where appropriate; and
  • (e) revocation of access when no longer needed.

2. Transmission Security

  • (a) encryption in transit using HTTPS/TLS or equivalent technologies;
  • (b) secure API communication where applicable; and
  • (c) protection against unauthorized interception where commercially reasonable.

3. Storage Security

  • (a) secure cloud hosting infrastructure;
  • (b) encryption at rest where technically and commercially appropriate;
  • (c) restricted database and storage access; and
  • (d) backup and recovery controls.

4. Application Security

  • (a) vulnerability management;
  • (b) secure development practices;
  • (c) testing and review of material platform changes where appropriate;
  • (d) logging and monitoring; and
  • (e) measures designed to reduce unauthorized access, abuse, and misuse.

5. Availability and Resilience

  • (a) backup processes;
  • (b) disaster recovery practices;
  • (c) monitoring of critical systems; and
  • (d) incident response procedures.

6. Confidentiality

  • (a) confidentiality obligations for personnel;
  • (b) limited access to Customer Personal Data; and
  • (c) internal policies governing handling of data.

7. Incident Response

  • (a) procedures for identifying, investigating, mitigating, and remediating security incidents;
  • (b) escalation processes; and
  • (c) customer notification where required by this DPA or Applicable Data Protection Laws.

8. Subprocessor Controls

  • (a) due diligence on material Subprocessors;
  • (b) written agreements with Subprocessors;
  • (c) data protection obligations substantially similar to this DPA; and
  • (d) ongoing management of Subprocessors.

Schedule 3 — Authorized Subprocessors

Skillplate may use Subprocessors to provide the Services.
The current list of Subprocessors is available at: https://skillplate.com/legal/subprocessors
The Subprocessor list may include providers for:

  • (a) cloud hosting and infrastructure;
  • (b) database hosting;
  • (c) email delivery;
  • (d) payment processing;
  • (e) analytics;
  • (f) customer support;
  • (g) error monitoring;
  • (h) AI-assisted features;
  • (i) file storage;
  • (j) automation;
  • (k) communications; and
  • (l) security and fraud prevention.

Skillplate will update the Subprocessor list from time to time as required by this DPA.

Skillplate
  • Compare
  • Integrations
  • Reviews
  • Pricing
Privacy PolicyCookie PolicyTerms of ServiceDPASubprocessors
FAQHelpRoadmapChangelogAPI Docs
All Rights Reserved 2026