Data Processing Agreement (DPA)
Last updated: 2026-02-26
This Data Processing Agreement (“DPA”) forms part of the agreement between SkyFlow9 Digital UG (haftungsbeschränkt) (“Processor”, “we”) and the customer (“Controller”, “you”) regarding the processing of Personal Data under the EU General Data Protection Regulation (“GDPR”).
1. Subject Matter and Duration
The subject matter is the provision of the Service (automationhub.cloud) including workflow automations, integrations, logging and usage tracking. Processing lasts for the term of the contract and any additional period required for legal retention or technical backup cycles.
2. Nature and Purpose of Processing
- Providing and operating the Service and connected automations (execution of configured workflows).
- Account administration and authentication.
- Usage metering (Tasks), billing-related records, and auditability of runs.
- Troubleshooting, error analysis, security monitoring, and service improvement.
- Support communications initiated by you.
3. Categories of Data Subjects and Personal Data
Data subjects may include: your users, employees, contractors, customers, subscribers, and other persons whose data you process via the Service.
Personal data may include:
- Account data: name, email address, login identifiers, billing address.
- Usage and technical data: logs, webhook payloads, timestamps, run history, error messages, identifiers related to connected services.
- Configuration data: settings required to run automations.
- Support data: content you submit via support forms/emails.
Special categories of personal data (Art. 9 GDPR): Not intended. You must not process special categories via the Service unless strictly necessary and you have a lawful basis and appropriate safeguards.
4. Controller Responsibilities
- You determine the purposes and means of processing and are responsible for having a lawful basis under GDPR.
- You ensure that you have rights/permissions to connect and process data from Third-Party Services.
- You configure automations and decide which data is processed. You should minimize the data you send through automations.
- You are responsible for backups of data stored in Third-Party Services (e.g., Trello/Google/YouTube/Kit).
5. Processor Obligations
- We process Personal Data only on documented instructions from you, as necessary to provide the Service.
- We ensure personnel authorized to process Personal Data are bound by confidentiality.
- We implement appropriate technical and organizational measures (“TOMs”) under Art. 32 GDPR.
- We will inform you if an instruction violates GDPR, to the extent permitted by law.
6. Technical and Organizational Measures (TOMs)
We maintain TOMs appropriate to risk, including (as applicable):
- Access control (least privilege), authentication, role separation for internal admin accounts.
- Transport encryption (TLS) and secure secrets handling for integrations.
- Logging and monitoring for security and troubleshooting.
- Regular patching and vulnerability management.
- Backups of platform infrastructure data necessary to operate the Service.
A detailed TOM annex can be provided upon request.
7. Subprocessors
You authorize us to use subprocessors to provide the Service. A current list is available on request and/or on a dedicated page in the Service. We will impose data protection obligations on subprocessors at least equivalent to this DPA.
Current list: Subprocessors
Subprocessor updates: We may update our subprocessors as our services evolve. We will publish changes on this Subprocessors page. For material changes, we will notify customers by email in advance where reasonably possible. If you reasonably object to a new subprocessor on data protection grounds, you may terminate the affected paid services before the change becomes effective.
8. International Data Transfers
Some subprocessors may process data outside the EEA (e.g., in the United States). Where applicable, transfers are safeguarded by appropriate mechanisms (e.g., EU Standard Contractual Clauses) and additional measures where required.
9. Assistance with Data Subject Rights
Taking into account the nature of processing, we assist you in responding to data subject requests (access, deletion, rectification, etc.) to the extent you cannot fulfill them through the Service directly.
10. Personal Data Breach Notification
We will notify you without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA and provide information reasonably required for your notification obligations.
11. Deletion and Return
Upon termination of the Service, we will delete or return Personal Data processed under this DPA, unless retention is required by law or necessary for security, dispute resolution, or backup cycles. Usage/log history is typically retained up to 12 months unless you request earlier deletion where feasible, or longer retention is required by law.
12. Audit and Information
We will make available information necessary to demonstrate compliance with this DPA. Audits may be conducted on reasonable notice, during business hours, and subject to confidentiality and security requirements. We may provide third-party certifications or reports where available as an alternative.
13. Liability
Liability under this DPA follows the liability provisions in the Terms of Service, unless mandatory law requires otherwise.
14. Contact
For data protection requests related to this DPA, please contact us via the support form (login required) or the contact details in the Legal Notice.
Acceptance: By using the Service and accepting the Terms of Service, you also accept this DPA.