Legal

Data Processing Addendum

Last updated: 16 June 2026

Scope

This DPA applies when SkyPlexus.com processes personal data on behalf of a customer in connection with the paid SkyPlexus service. Customer is the controller and SkyPlexus.com is the processor for customer content submitted to the service.

Processing instructions

SkyPlexus.com processes personal data only to provide, secure, support, and improve SkyPlexus, and as otherwise documented in the agreement or required by law.

Security measures

• MFA-required access for registered users.
• Row-level security for application data.
• Least-privilege service access and separation of public and server secrets.
• Logging for abuse prevention, security monitoring, and incident response.

Sub-processors

Maintain a public sub-processor list before production launch. Current expected providers: Supabase, Vercel, Stripe, Cloudflare Turnstile, and transactional email providers.

International transfers

Use EU processing regions where available. Where transfers outside the EEA occur, implement appropriate safeguards such as Standard Contractual Clauses and transfer impact assessments.

Deletion and return

On termination, customer data will be deleted or returned according to the agreement unless retention is required by law.

This DPA is a draft framework. Confirm controller/processor roles, technical measures, and transfer safeguards with counsel.