DRAFT — pending legal review. This page is published for transparency but has not yet been cleared by qualified Bulgarian / EU counsel. Provisions may change. Operator review status is tracked at /admin/legal-status. For binding clarification email contact@banxs.com.

Data Processing Agreement

Last updated: 5 May 2026
Effective from: 5 May 2026

This Data Processing Agreement (“DPA”) governs the processing of personal data by Banxs Technologies EOOD (trading as Skybyte), Blvd. Alexander Malinov 31, Sofia 1000, Bulgaria, EIK 206285017, VAT BG206285017 (“Skybyte”, “Processor”) on behalf of, and in connection with services provided to, business customers (“Customer”, “Controller”). It supplements the Skybyte Terms of Service and is intended to satisfy the requirements of Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) where Skybyte acts as a processor for limited categories of Customer-controlled personal data. Where Skybyte processes personal data of end users (for example, account-holders who purchase Plans for themselves), Skybyte acts as an independent controller; the role-allocation is described in Section 2 and detailed in our Privacy Policy. A counter-signed PDF copy of this DPA is available on request from contact@banxs.com.

Preamble

(A) The Customer engages Skybyte to provide eSIM connectivity and related services pursuant to the Terms of Service or a separately negotiated master services agreement (the “Principal Agreement”).

(B) In performing those services, Skybyte processes certain personal data on the Customer’s behalf.

(C) The parties enter into this DPA to set out the data-protection obligations applicable to that processing, in compliance with Article 28 GDPR and, to the extent applicable, the United Kingdom General Data Protection Regulation (“UK GDPR”).

(D) This DPA prevails over any conflicting term in the Principal Agreement on data-protection matters.

1. Definitions

Capitalised terms used but not defined in this DPA bear the meanings given to them in Article 4 GDPR. In addition:

  • “Customer Personal Data” means personal data that the Customer (or its end users acting on the Customer’s behalf) submits to, or generates in, the Skybyte service in the course of the Customer’s use of that service, and that Skybyte processes on the Customer’s behalf as processor.
  • “Sub-processor” means a third party engaged by Skybyte to process Customer Personal Data on the Customer’s behalf.
  • “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in Implementing Decision (EU) 2021/914.
  • “Personal Data Breach” has the meaning in Article 4(12) GDPR.
  • “Restricted Transfer” means a transfer of Customer Personal Data to a country outside the European Economic Area that is not the subject of an adequacy decision of the European Commission.
  • “TOMs” means the technical and organisational measures described in Appendix 2.

2. Parties and Roles

The Customer is the controller of Customer Personal Data. Skybyte is the processor of Customer Personal Data. Where Skybyte processes personal data of an end user that does not arise from a Customer’s use of the service (for example, when an individual buys a Plan directly from Skybyte for personal use), Skybyte is an independent controller of that personal data and processes it under its Privacy Policy, not under this DPA. Where the same individual is both an end user under the Privacy Policy and a data subject within the scope of this DPA (for example, an employee who travels under a corporate account and also holds a personal account), the two roles run in parallel and apply to the personal data processed under each respective relationship.

3. Subject Matter and Duration

The subject matter of the processing is the provision of eSIM-based mobile data connectivity, account management, billing, customer support, fraud prevention, and legal compliance, as more particularly described in Appendix 1. This DPA enters into force on the date the Customer accepts the Terms of Service or signs the Principal Agreement, whichever is earlier, and remains in force for the duration of that agreement. The provisions that by their nature should survive termination (in particular Sections 7, 10, 12–15) survive termination for as long as Skybyte retains any Customer Personal Data.

4. Scope and Instructions

Skybyte processes Customer Personal Data only on the documented instructions of the Customer. The Principal Agreement, the Terms of Service, the configuration of the service from time to time (including Plan selection, country configuration, and notification preferences), and any additional written instructions reasonably issued by the Customer constitute the documented instructions for the purposes of this DPA. Skybyte will inform the Customer if, in its opinion, an instruction infringes the GDPR or other applicable data-protection law, and may suspend execution until the instruction is amended or confirmed in writing.

Where Skybyte is required by Union or Member State law to process Customer Personal Data otherwise than on the Customer’s instructions, Skybyte will inform the Customer of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

5. Obligations of the Controller

The Customer represents, warrants, and undertakes that:

  • it has, and will maintain throughout the term, a valid lawful basis under Article 6 GDPR (and, where applicable, Article 9 GDPR) for the processing activities it instructs Skybyte to perform;
  • it has provided, or will provide, all transparency information required by Articles 13 and 14 GDPR to its data subjects (in particular employees who receive corporate-issued eSIMs), including identifying Skybyte and its sub-processors as recipients of Customer Personal Data;
  • its instructions to Skybyte comply with applicable law and do not require Skybyte to act in breach of any law or regulatory obligation to which Skybyte is subject;
  • it will notify Skybyte without undue delay of any data subject rights request received by the Customer that relates to Customer Personal Data processed by Skybyte; and
  • it is solely responsible for the accuracy, quality, and legality of the Customer Personal Data it submits to the service.

6. Obligations of the Processor

In addition to the specific obligations elsewhere in this DPA, Skybyte shall, in accordance with Article 28(3) GDPR:

  • (a) Documented instructions. Process Customer Personal Data only on the documented instructions of the Customer, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which Skybyte is subject (Section 4).
  • (b) Confidentiality. Ensure that persons authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Section 7).
  • (c) Security. Take all measures required pursuant to Article 32 GDPR (Appendix 2 TOMs).
  • (d) Sub-processors. Respect the conditions referred to in paragraphs 2 and 4 of Article 28 GDPR for engaging another processor (Section 8).
  • (e) Assistance with data subject rights. Taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR (Section 11).
  • (f) Assistance with security and DPIA obligations. Assist the Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR taking into account the nature of processing and the information available to Skybyte.
  • (g) Deletion or return. At the choice of the Customer, delete or return all Customer Personal Data to the Customer after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the personal data (Section 14).
  • (h) Demonstration of compliance. Make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer (Section 12).

Skybyte will appoint and maintain a contact for data-protection enquiries reachable at contact@banxs.com. Where Article 37 GDPR requires it, Skybyte will appoint a Data Protection Officer and publish the DPO’s contact details.

7. Confidentiality

Skybyte will treat all Customer Personal Data as confidential information of the Customer. Access to Customer Personal Data within Skybyte is restricted to personnel who need access to provide the service or to comply with law, on a least-privilege basis, with administrative actions recorded in the audit trail described in Appendix 2, §5. Personnel are bound by written confidentiality undertakings that survive the termination of their engagement with Skybyte. Confidentiality obligations are without prejudice to disclosures required by law, by a binding court order, or by a competent regulator, in which case Skybyte will, where lawful, notify the Customer in advance and cooperate with reasonable steps to protect the confidentiality of the data.

8. Sub-processors

The Customer grants Skybyte general authorisation to engage the sub-processors listed in Appendix 3 and at /legal/sub-processors (which is incorporated by reference and is the operative list at any given time). Skybyte will impose on each sub-processor, by means of a written contract, data protection obligations no less protective than those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures.

Skybyte will give the Customer at least thirty (30) days’ prior written notice of any intended addition or replacement of a sub-processor that processes Customer Personal Data, including the identity of the sub-processor, the location of processing, and the categories of data concerned. The Customer may object on reasonable, GDPR-compliant grounds within that thirty-day period. If the parties cannot reach a mutually acceptable resolution within a further thirty (30) days, the Customer may, as its sole and exclusive remedy, terminate the affected services on written notice without penalty, and Skybyte will refund any pre-paid fees attributable to the unused portion of the affected service.

Skybyte remains fully liable to the Customer for the performance of the sub-processor’s data-protection obligations under this DPA, in accordance with Article 28(4) GDPR.

9. International Transfers

Where the provision of the service requires Skybyte to transfer Customer Personal Data from the European Economic Area to a third country that is not the subject of an adequacy decision (a Restricted Transfer), Skybyte relies on the Standard Contractual Clauses adopted by Implementing Decision (EU) 2021/914 in their relevant module (controller-to-processor or processor-to-sub-processor, as applicable). The SCCs are deemed incorporated into this DPA by reference and apply to the relevant transfer with the following completions: docking clause not invoked; option 1.7(a) (clause-by-clause objection) applied; governing law Bulgaria; competent court the courts of Sofia; Annex I completed by the descriptions in Appendix 1 of this DPA; Annex II completed by the TOMs in Appendix 2; and Annex III completed by the sub-processor list in Appendix 3 (and at /legal/sub-processors).

For Restricted Transfers to the United Kingdom, the parties rely on the European Commission’s adequacy decision of 28 June 2021 in respect of the United Kingdom. For Restricted Transfers to recipients in the United States that are self-certified under the EU–US Data Privacy Framework, the parties rely on the Commission’s adequacy decision of 10 July 2023 in respect of those self-certified recipients. Where neither adequacy nor the DPF applies, Skybyte relies on the SCCs supplemented by the measures described in Appendix 2 (encryption in transit and at rest, key management, role-based access control, and the policies summarised in our Privacy Policy §12). Skybyte has performed a transfer impact assessment in line with the Court of Justice ruling in Case C-311/18 (Schrems II) and EDPB Recommendations 01/2020 and is satisfied that the supplementary measures provide an essentially equivalent level of protection for personal data in the destination country.

10. Personal Data Breaches

Skybyte will notify the Customer without undue delay, and in any event no later than twenty-four (24) hours after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will provide, in stages where necessary and to the extent then known to Skybyte: (a) the nature of the breach including, where possible, the categories and approximate number of data subjects and personal-data records concerned; (b) the likely consequences of the breach; (c) the measures taken or proposed to address the breach and to mitigate its possible adverse effects; and (d) the contact point at Skybyte from whom further information can be obtained. The 24-hour window is deliberately shorter than the 72-hour notification window imposed on the Customer (as controller) by Article 33(1) GDPR, in order to give the Customer a meaningful opportunity to assess and notify within its own deadline.

Skybyte will cooperate with the Customer and follow the Customer’s reasonable instructions to assist the Customer in investigating, mitigating, and remediating the breach, including providing access to logs and evidence subject to the confidentiality obligations of other customers and applicable law. Skybyte will not communicate publicly about the breach in a manner that identifies the Customer without the Customer’s prior written consent, except where Skybyte is legally required to do so.

11. Data Subject Rights

Where Skybyte receives, directly from a data subject, a request to exercise rights under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection, or rights related to automated decision-making) in respect of Customer Personal Data, Skybyte will (a) not respond to the request itself except to acknowledge receipt and to direct the data subject to the Customer; and (b) forward the request to the Customer without undue delay. Skybyte will, taking into account the nature of the processing and to the extent possible, assist the Customer by appropriate technical and organisational measures (including the data-export and deletion tools described in Appendix 2) to enable the Customer to fulfil its obligation to respond.

12. Audits and Inspections

Skybyte will make available to the Customer, on reasonable prior written request, the information necessary to demonstrate compliance with this DPA and Article 28 GDPR. The Customer may, no more than once in any twelve-month period (and in addition where required by a competent supervisory authority or in connection with a Personal Data Breach), conduct an audit of Skybyte’s compliance with this DPA, either itself or through an independent third-party auditor mandated by it (and not a competitor of Skybyte), subject to the following conditions: (a) at least thirty (30) days’ advance written notice; (b) reasonable steps to minimise disruption to Skybyte’s operations; (c) observance of the auditor’s confidentiality obligations to other Skybyte customers and to Skybyte’s own business; (d) the audit being conducted during normal business hours; and (e) the Customer bearing its own and the auditor’s costs (and reimbursing Skybyte’s reasonable internal costs at standard professional-services rates). Where Skybyte holds a current independent third-party attestation (for example, ISO/IEC 27001 or SOC 2 Type II) covering the relevant scope, the Customer agrees to accept that attestation in lieu of an on-site inspection unless the Customer can show a specific reason why the attestation is inadequate.

13. Liability and Indemnity

Each party’s liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Principal Agreement. For the avoidance of doubt, those limitations apply in aggregate to liability under the Principal Agreement and this DPA together; this DPA does not give rise to a separate liability cap. Nothing in this DPA limits or excludes either party’s liability where such limitation or exclusion is prohibited by applicable law (in particular Article 82 GDPR).

14. Term, Termination, and Return of Data

This DPA terminates automatically upon termination or expiry of the Principal Agreement. Within thirty (30) days of termination, at the Customer’s choice notified in writing within that period, Skybyte will either (a) return to the Customer all Customer Personal Data in a structured, commonly used, and machine-readable format, or (b) delete all Customer Personal Data in its possession or control. The Customer’s failure to make a choice within thirty (30) days is treated as an election to delete. Skybyte may retain Customer Personal Data after termination only to the extent and for as long as required by Union or Member State law (in particular VAT and accountancy retention obligations under Article 38 of the Bulgarian VAT Act and the Bulgarian Accountancy Act), and will continue to protect such retained data in accordance with this DPA.

15. Governing Law and Jurisdiction

This DPA is governed by the laws of the Republic of Bulgaria. The courts of Sofia have exclusive jurisdiction over any dispute arising out of or in connection with this DPA, without prejudice to the mandatory jurisdiction of the competent supervisory authorities and to the data subject rights set out in Articles 77 to 79 GDPR.

16. Appendices

The Appendices that follow form an integral part of this DPA and complete the descriptions required by Article 28(3) GDPR and by Annexes I–III of the Standard Contractual Clauses (Implementing Decision (EU) 2021/914). They take precedence, in the event of conflict, over any general descriptions of processing or security measures that may appear elsewhere in the Principal Agreement.

Appendix 1 — Description of Processing

Subject matter: provision of eSIM-based mobile data connectivity, customer-account management, billing, support, fraud prevention, and legal compliance.

Duration: the duration of the Principal Agreement, plus the legally required retention windows described in our Privacy Policy §7.

Nature and purpose of processing: provisioning eSIM profiles to designated devices, maintaining account state, generating invoices, delivering notifications by e-mail and (where opted in) WhatsApp, providing customer support, detecting and preventing fraud, and fulfilling statutory obligations including VAT reporting and lawful-disclosure requests.

Type of personal data: identifiers (account ID, e-mail address, name where provided), commercial information (orders, invoices, payment status; payment-card data is processed only by our PCI-compliant payment processor and is not stored by Skybyte beyond a network token), service metadata (eSIM ICCID, country of activation, device type, data-consumption counters), support correspondence, and limited traffic and location metadata generated by the underlying carrier.

Categories of data subjects: the Customer’s authorised purchasers and end users (typically the Customer’s employees, contractors, or travellers designated by the Customer to receive eSIMs).

Sensitive data: none expected. The Customer must not submit special-category personal data (Article 9 GDPR) or criminal-conviction data (Article 10 GDPR) to the service.

Frequency of transfer: continuous, for the duration of the service.

Appendix 2 — Technical and Organisational Measures (TOMs)

Skybyte implements and maintains appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, in line with Article 32 GDPR. The measures listed below are baseline; specific measures are kept under continuous review.

  1. Encryption in transit. All client-to-server and server-to-server traffic that carries Customer Personal Data uses TLS 1.3 (or TLS 1.2 where required by partner systems) with modern cipher suites and HSTS at the edge.
  2. Encryption at rest. Customer Personal Data stored in the production database is encrypted at rest with AES-256, with disk-level encryption at the cloud-provider layer and additional column-level encryption for sensitive fields. Backups are encrypted with the same cipher.
  3. Access control. Database-level Row-Level Security (RLS) policies enforce per-user data isolation in the application layer. Administrative access is granted on a least-privilege, time-bound basis and reviewed quarterly. All administrative access requires multi-factor authentication (2FA), and high-risk operations require an additional approval step.
  4. Secret management. Application secrets and third-party API keys are stored in a managed secret vault, rotated on a documented schedule, and never committed to source control. Production secrets are inaccessible to non-production environments.
  5. Audit logging. A comprehensive audit_log table records administrative actions, security-relevant events (including activation consent recorded for the Article 16(m) waiver), and access to Customer Personal Data. Records are retained for seven (7) years in line with Bulgarian AML and accountancy retention requirements; PII inside metadata is sanitised by a safeAuditMeta() helper before insertion.
  6. Network security. Web Application Firewall (WAF), DDoS mitigation, rate-limiting on authentication and high-risk endpoints, and a strict Content Security Policy at the edge.
  7. Vulnerability management. Dependencies are scanned on each build for known vulnerabilities; high and critical findings are triaged within five (5) and one (1) business day(s) respectively. Annual third-party penetration testing of the production application.
  8. Backup and recovery. Encrypted point-in-time backups of the production database with documented Recovery Time Objective (RTO) of four (4) hours and Recovery Point Objective (RPO) of one (1) hour. Quarterly restore drills.
  9. Incident response. Documented incident response runbook with on-call rotation, severity classification, and post-incident review. Personal Data Breach notification workflows are pre-built and tested against the 24-hour window in Section 10.
  10. Personnel. Background checks where lawful, written confidentiality undertakings, mandatory annual data-protection and security training, and offboarding procedures that revoke access on the day of departure.
  11. Physical security. Production infrastructure is hosted with sub-processors that operate ISO/IEC 27001-certified data centres with multi-layered physical access control, environmental controls, and 24×7 monitoring.
  12. Pseudonymisation. Where compatible with the purpose of processing, identifiers are pseudonymised for analytics and observability, with re-identification keys held separately and accessible only to a restricted group of personnel.
  13. Data minimisation. Default forms collect the minimum data needed; optional fields are clearly marked and processed under the lawful basis disclosed in the Privacy Policy.
  14. Retention enforcement. Retention windows are enforced automatically by a scheduled cleanup job (Phase 10 retention cleanup cron) covering audit_log (7 years), webhook_events (1 year), consent_receipts (5 years), and closed support threads (3 years), keeping policy text and implementation aligned to a single source of truth.

Appendix 3 — List of Sub-processors

The current list is published, and updated as it changes, at /legal/sub-processors. The list at the date of this DPA is:

Sub-processor | Service | Location | Transfer mechanism
Lovable Cloud / Supabase | Database, auth, storage | EEA hosting region | EEA — not applicable
PayNovus AD | Card payment processing (EMI) | Bulgaria, EU | EEA — not applicable
eSIM Go Limited | eSIM provisioning and connectivity | United Kingdom | UK adequacy decision
Maya Mobile, Inc. | eSIM provisioning (alternate) | United States / Hong Kong | SCCs + supplementary measures
ActiveCampaign / Postmark | Transactional and marketing e-mail | United States | SCCs + DPF (where certified)
Meta Platforms Ireland Ltd | WhatsApp Business messaging (opt-in) | Ireland, EU | EEA — onward SCCs as applicable
Cloudflare, Inc. | CDN, DDoS mitigation, WAF | Global edge network | SCCs + DPF (where certified)
Better Stack | Logging and observability | United States / EU | SCCs
Umami | Privacy-friendly analytics | Self-hosted (EU) | No third-country transfer

The full sub-processor table at /legal/sub-processors includes additional fields (data categories, safeguards, DPA reference, last reviewed date) and is the authoritative version. Notice of changes to this list is given in accordance with Section 8.


Need a signed PDF copy? Email contact@banxs.com.