This Data Processing Agreement (“DPA”) governs the processing of personal data by Skybyte EOOD on behalf of, and in connection with services provided to, business customers (“Customer”). It supplements the Skybyte Terms of Service and is intended to satisfy the requirements of Article 28 GDPR where Skybyte acts as a processor for limited categories of Customer-controlled personal data, and to clearly delineate responsibilities where Skybyte acts as an independent controller for end-user data. A signed PDF copy is available on request — email [PLACEHOLDER: dpo@skybyte.com].
1. Parties
Skybyte EOOD, [PLACEHOLDER: REGISTERED ADDRESS], Sofia, Bulgaria, EIK [PLACEHOLDER: EIK NUMBER] (“Skybyte”), and the Customer identified in the underlying order or master agreement (“Customer”), together the “Parties”.
2. Subject Matter and Duration
Skybyte processes personal data to provide eSIM connectivity, billing, and related support services to the Customer. This DPA remains in force for as long as Skybyte processes personal data on behalf of the Customer.
3. Nature and Purpose of Processing
Provisioning of eSIM profiles, account management for designated end-users (where the Customer purchases eSIMs on behalf of employees), invoicing, customer support, fraud prevention, and legal compliance.
4. Categories of Data Subjects and Personal Data
- Data subjects: Customer’s authorised purchasers and, where the Customer designates them, employees or contractors who receive eSIMs.
- Categories of data: name, business email, country, device type, eSIM identifiers (ICCID), data consumption, support correspondence.
5. Customer Obligations
- Ensure a lawful basis exists for any personal data the Customer provides to Skybyte (e.g. employees’ business contact data).
- Provide all required transparency information to the Customer’s data subjects (e.g. employees) regarding the processing performed by Skybyte.
- Issue documented, lawful instructions for processing.
- Promptly notify Skybyte of any data subject requests directed at the Customer that affect data Skybyte processes.
6. Skybyte Obligations
Skybyte shall:
- Process personal data only on documented Customer instructions, except where required by EU or Member State law to which Skybyte is subject;
- Ensure persons authorised to process personal data are bound by confidentiality;
- Implement the technical and organisational measures set out in Section 9;
- Assist the Customer in responding to data subject requests, in providing information for security and breach notifications, and in carrying out data protection impact assessments;
- At the Customer’s choice, delete or return all personal data after the end of the provision of services, save where storage is required by law.
7. Sub-processors
The Customer authorises Skybyte to engage the sub-processors listed at /legal/sub-processors. Skybyte will notify the Customer of any intended changes to its sub-processors with at least 30 days’ prior notice; the Customer may object on reasonable, GDPR-compliant grounds within that period.
8. International Transfers
Where personal data is transferred outside the EEA, Skybyte relies on the European Commission’s Standard Contractual Clauses (Decision 2021/914), supplemented by appropriate technical and organisational measures.
9. Security Measures
Skybyte maintains the technical and organisational measures described in Annex II of the SCCs, including encryption of data in transit and at rest, access control on a least-privilege basis, role-based administrative permissions, comprehensive audit logging, secret management via a managed vault, and a documented incident response process.
10. Data Subject Requests
Skybyte will promptly notify the Customer of any data subject request received that relates to personal data processed on behalf of the Customer, and will assist the Customer, by appropriate technical and organisational measures, in fulfilling its obligation to respond to such requests.
11. Personal Data Breaches
Skybyte will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer-controlled data, providing the information required under Article 33(3) GDPR to enable the Customer to fulfil its notification obligations.
12. Audits
Skybyte will make available to the Customer all information necessary to demonstrate compliance with Article 28 GDPR, and will allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer, on reasonable prior notice and subject to confidentiality. Where appropriate, this may be satisfied by provision of independent third-party audit reports.
13. Term and Termination
This DPA terminates automatically upon termination of the underlying services agreement. The obligations relating to confidentiality, return or deletion of data, and audit survive termination to the extent necessary.
14. Governing Law
This DPA is governed by the laws of the Republic of Bulgaria; the courts of Sofia have exclusive jurisdiction, without prejudice to mandatory data protection laws of the Customer’s jurisdiction.