Datum: 7th im Mai 2025

This Data Processing Addendum („DPA”) is supplementary to, and forms part of, SkyCivs Terms of Service, as updated from time to time, or the agreement the Terms of Service constitute (Die "Vereinbarung”) as between SkyCiv Pty Ltd ABN 73 605 703 071 von 510 / 55 Holt Street Surry Hills 2010 NSW Australia and the entity or person(s) identified as the customer in the relevant Order referencing this DPA (so zutreffend) („Subscriber”). This DPA applies where and to the extent that SkyCiv is acting as a Processor or service provider (so zutreffend) of Personal Data on behalf of Subscriber under the Agreement. In the event of any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of such conflict.

1. Definitions and Interpretation

In this DPA, the following terms shall have the following meanings:

(ein) Applicable Privacy Laws means means all worldwide data protection and privacy laws and regulations applicable to the Personal Data in question including, where applicable: (ich) European Privacy Laws; (ii) the Australian Privacy Act 1988 (Cth) („Australian Privacy Laws”); (iii) the New Zealand Privacy Act 2020; (iv) the Philippines Republic Act No. 10173; (v) the Brazilian Data Protection Law (Brasilien) Nein. 13,709/2018 (Portugiesisch: Lei Geral de Proteção de Dados Pessoais) (Die "LGP”); (vi) the California Consumer Privacy Act of 2018 and its regulations (Die "CCPA”); und (vii) the Virginia Consumer Data Protection Act of 2021(bleibt die „VCDPA”); in each case as amended, superseded or replaced from time to time.

(b) Data Subject means an identified or identifiable individual whose Personal Data is processed.

(c) European Privacy Laws meint: (ich) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (Die "GDPR”); (ii) the GDPR as incorporated into United Kingdom domestic law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (Die "UK GDPR”); (iii) the Swiss Federal Data Protection Act of 19 Juni 1992 and its corresponding ordinances (Die "Swiss DPA”); (iv) EU Directive 2002/58/EC on Privacy and Electronic Communications; und (v) any national law made under or pursuant to items (ich) - (iv); in each case as amended, superseded or replaced from time to time.

(d) Personal Data means any information relating to an identified or identifiable individual or any other information defined as “personal data” or “personal information” under Applicable Privacy Laws.

(e) Restricted Transfer meint (ich) where the EU GDPR applies, a transfer of Personal Data from the EEA to a country outside the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, Eine Übertragung personenbezogener Daten aus Großbritannien in ein anderes Land, das nicht auf Angemessenheit der Vorschriften gemäß § 17A der britischen DSGVO basiert; und (iii) wo die Schweizer DPA gilt, Eine Übertragung personenbezogener Daten in ein Land außerhalb der Schweiz, das nicht in der Liste der vom Schweizer föderalen Datenschutz- und Informationskommissar veröffentlichten Gerichtsbarkeiten enthalten ist.

(f) SCCS bedeutet die standardmäßigen vertraglichen Klauseln, die der Entscheidung der Europäischen Kommission beigefügt sind (MICH) 2021/914 von 4 Juni 2021, wie kann geändert werden, superseded or replaced from time to time.

(G) UK Addendum means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioner’s Office under s.119(Ein) of the UK Data Protection Act 2018, wie kann geändert werden, superseded or replaced from time to time.

(h) The terms “Controller”, „Processor”, „Data Subject” and “processing” have the meanings given to them in Applicable Privacy Laws or, if not defined therein, the GDPR (and “Verfahren”, „Prozesse” and “processed” shall be interpreted accordingly) and the terms “Unternehmen” and “Service Provider” have the meanings given to them in the CCPA.

(ich) Any capitalised terms used but not defined in this DPA shall have the meanings given to them under the Agreement.

2. Processing of Personal Data

(ein) Relationship of the parties

Subscriber is a Controller or Business (so zutreffend) of the Personal Data described in Annex 1B (Die "Daten”) and SkyCiv shall process the Data solely as a Processor or Service Provider (so zutreffend) on behalf of Subscriber. Skyciv und Abonnent entsprechen jeweils ihren jeweiligen Verpflichtungen im Rahmen der geltenden Datenschutzgesetze und weiteren Leitlinien der Datenschutzbehörden in Bezug auf diese Verarbeitung. Wenn die Konzepte von Controller und Prozessor nicht ausdrücklich durch die anwendbaren Datenschutzgesetze in Betracht gezogen werden, Die Verpflichtungen der Parteien im Zusammenhang mit dieser DPA werden nach diesen geltenden Datenschutzgesetzen ausgelegt, um so eng wie möglich mit dem Umfang dieser Rollen ausgerichtet zu sein, während sie weiterhin voll mit diesen geltenden Datenschutzgesetzen einhalten.

(b) Zweckbeschränkung

Skyciv verarbeitet die Daten nach Bedarf, um ihre Verpflichtungen aus der Vereinbarung zu erfüllen, und entsprechend den dokumentierten Anweisungen des Abonnenten strikt (Die "Zulässiger Zweck”). Skyciv soll nicht: (ich) zurückbehalten, benutzen, disclose or otherwise process the Data for any purpose other than the Permitted Purpose (including for its own commercial purpose), except where otherwise required by any law applicable to SkyCiv; oder (ii) “sell” the Data within the meaning of the CCPA, VCDPA or otherwise. SkyCiv shall immediately inform Subscriber if it becomes aware that Subscriber’s processing instructions infringe Applicable Privacy Laws but without obligation to actively monitor Subscriber’s compliance with Applicable Privacy Laws. The parties acknowledge that Subscriber’s transfer of Data to SkyCiv is not a “sale” of Personal Data within the meaning of Applicable Privacy Laws and SkyCiv provides no monetary or other valuable consideration to Subscriber in exchange for the Data.

(c) International transfers

To the extent that SkyCiv transfers the Data (or permits the Data to be transferred) to a country other than the country in which the Data was first collected, it shall first take such measures as are necessary to ensure that the transfer is made in compliance with Applicable Privacy Laws. Such measures may include (without limitation) transferring the Data to a recipient that has executed standard contractual clauses adopted by the European Commission, UK Secretary of State or Information Commissioner’s Office or Brazilian Data Protection Authority (so zutreffend) or transferring the Data to a recipient that has executed a contract with SkyCiv that ensures the Data will be protected to the standard required by Applicable Privacy Laws. SkyCiv will also protect the Data in a way that overall provides comparable safeguards to the country in which the Data was first collected.

(d) Standard contractual clauses

To the extent that the transfer of Data from Subscriber to SkyCiv involves a Restricted Transfer, the SCCs shall be incorporated by reference and form an integral part of this DPA with Subscriber as “data exporter” and SkyCiv as “data importer”. For the purposes of the SCCs: (ich) the module two (controller to processor) terms shall apply and the module one, three and four terms shall be deleted in their entirety; (ii) in Clause 9, Option 2 shall apply; (iii) in Clause 11, the optional language shall be deleted; (iv) in Clause 17, Option 1 shall apply and the SCCs shall be governed by Irish law; (v) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (vi) the Annexes of the SCCs shall be populated with the information set out in the Annexures to this DPA; und (vii) if and to the extent the SCCs conflict with any provision of the Agreement (including this DPA), the SCCs shall prevail to the extent of such conflict.

(ich) UK transfers

In relation to Data that is protected by the UK GDPR, the SCCs as incorporated under clause 2(d) shall apply with the following modifications: (ich) the SCCs shall be amended as specified by the UK Addendum, which shall be incorporated by reference; (ii) Tabellen 1 zu 3 in Part 1 des britischen Nachtrags gilt unter Verwendung der Informationen in den Anhängen dieser DPA; (iii) Tabelle 4 in Part 1 des britischen Nachtrags gilt durch Auswahl der Auswahl “Importeur”; und (iv) Jeder Konflikt zwischen dem SCCs und dem britischen Nachtrag wird gemäß Abschnitt gelöst 10 und Abschnitt 11 des britischen Nachtrags.

(ii) Schweizer Transfers

In Bezug auf Daten, die durch die Schweizer DPA geschützt sind, the SCCs as incorporated under clause 2(d) shall apply with the following modifications: (ich) Verweise auf „Regulierung (MICH) 2016/679”Soll als Referenz aus dem Schweizer DPA ausgelegt werden; (ii) Verweise auf „EU,"Union,” and “Member State” shall be replaced with “Switzerland”; (iv) references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the “Swiss Federal Data Protection and Information Commissioner” and the “competent Swiss courts”; und (v) the SCCs shall be governed by the laws of Switzerland and disputes shall be resolved before the competent Swiss courts.

(e) Confidentiality of processing

SkyCiv shall ensure that any person that it authorises to process the Data (including SkyCiv’s staff, agents and subcontractors) (an “Authorised Person”) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty). SkyCiv shall ensure that all Authorised Persons process the Data only as necessary for the Permitted Purpose.

(f) Sicherheit

SkyCiv shall implement appropriate technical and organisational measures to protect the Data from the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, access to the Data (a “Security Incident”). Der Abonnent erkennt an, dass Skyciv seine Sicherheitsmaßnahmen von Zeit zu Zeit aktualisieren oder ändern kann, indem sie diese auf der Skyciv -Website veröffentlichen, vorausgesetzt, dass solche Aktualisierungen und Änderungen nicht zu einem Abbau des Gesamtsicherheitsniveaus führen.

(G) Unterbearbeitung

Der Abonnent ermächtigt Skyciv, Drittprozessoren zu engagieren ("Subprozessoren") Um die Daten für den zulässigen Zweck zu verarbeiten:

(ich) Skyciv gibt zumindest eine angemessene vorherige Ankündigung 14 Tage vor dem vorgeschlagenen Hinzufügen oder Austausch eines Subprozessors durch Veröffentlichung von Details auf der Skyciv -Website, Um den Abonnenten zu ermöglichen, angemessene Einwände aus Gründen des Datenschutzes zu erheben.

(ii) Skyciv legt Datenschutzbegriffe für einen Subprozessor auf, der von ihm teilnimmt, die sicherstellen, dass im Rahmen dieser DPA und Skyciv im Wesentlichen den gleichen Schutzstandard für einen Verstoß dieser DPA haftbar gemacht wird, die durch eine Handlung verursacht werden, Fehler oder Auslass seiner Subprozessoren.

SkyCiv’s current Subprocessors are identified Hier. For the purposes of Clause 9(c) of the SCCs, Subscriber acknowledges that SkyCiv may be restricted from disclosing Subprocessor agreements to Subscriber due to confidentiality obligations. Where SkyCiv cannot disclose a Subprocessor agreement to Subscriber, Subscriber shall provide all information (on a confidential basis) it reasonably can in connection with such agreement.

(h) Cooperation and Data Subjects’ rights

SkyCiv shall provide all reasonable and timely assistance to Subscriber to enable Subscriber to respond to: (ich) any request from a Data Subject to exercise any of its rights under Applicable Privacy Laws (including its rights of access, correction, objection, erasure and data portability, so zutreffend); und (ii) any other correspondence, enquiry or complaint received from a Data Subject, regulator or other third party in connection with SkyCiv’s processing of the Data. In the event that any such request, correspondence, Anfrage oder Beschwerde wird direkt an Skyciv vorgenommen, Skyciv soll den Abonnenten unverzüglich informieren.

(ich) Bewertung der Datenschutzauswirkungen

Skyciv muss Abonnenten alle angemessenen und rechtzeitigen Unterstützung zur Verfügung stellen, wie der Abonnent erforderlich ist, um seine Verpflichtung nach den geltenden Datenschutzgesetzen zur Durchführung von Datenschutzbewertungen und zur Durchführung von Datenschutzbewertungen und der Einhaltung der Verpflichtungen zu erfüllen., Entwurfsbestimmungen für beide zulässige Spannungsbemessungen einbeziehen, sich an die relevante Datenschutzbehörde wenden.

(j) Sicherheitsvorfälle

Nach dem Bewusstsein eines Sicherheitsvorfalls, SkyCiv shall inform Subscriber without undue delay and shall provide all such timely information and cooperation as Subscriber may reasonably require in order for Subscriber to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Privacy Laws. Skyciv muss alle Maßnahmen und Maßnahmen, die für die Behebung der Auswirkungen des Sicherheitsvorfalls vernünftigerweise erforderlich sind. Der Abonnent kommuniziert oder veröffentlichen weder eine Mitteilung oder Zulassung von Haftung zu Sicherheitsvorfällen, die Skyciv direkt oder indirekt identifizieren (einschließlich eines rechtlichen Verfahrens oder in einer Benachrichtigung an die Regulierungsbehörden oder betroffenen betroffenen betroffenen Personen) without SkyCiv’s prior approval, unless Subscriber is compelled to do so under applicable law. In any event, Subscriber shall provide SkyCiv with reasonable prior written notice of any such communication or publication.

(k) Deletion or return of Data

Upon termination or expiry of the Agreement, SkyCiv shall (at Subscriber’s election) destroy or return to Subscriber all Data (including all copies of the Data) in its possession or control. This requirement shall not apply to the extent that SkyCiv is required by any law to retain some or all of the Data, in which event SkyCiv shall isolate and protect the Data from any further processing except to the extent required by such law until deletion is possible.

 

ANNEXURES

ANNEXURE 1A – List of Parties

Data exporter(s):

Name: The entity identified as the “Subscriber” on the Order or the name specified in the Subscriber’s account.

Address: The Subscriber’s billing address specified on the Order or the address specified in the Subscriber’s account.

Contact person’s name, position and contact details: The primary contact name, primary contact position and primary contact email specified on the Order or the contact information specified in the Subscriber’s account.

Activities relevant to the data transferred under these Clauses: The data exporter is a customer of the data importer and utilising the data importer’s services on skyciv.com and platform.skyciv.com to create engineering designs, perform engineering calculations and testing (including in relation to design, Analyse, Simulation, Schätzung, testing and other related activities) and generate related documents and other related content.

Role (controller/processor): Controller.

Data importer(s):

Name: SkyCiv Pty Ltd ABN 73 605 703 071.

Address: 510 / 55 Holt Street Surry Hills, NSW 2010, Sydney Australia

Contact person’s name, position and contact details: CEO, Sam Carigliano, [email protected].

Activities relevant to the data transferred under these Clauses: The data importer operates a graphic design platform used to create engineering designs, perform engineering calculations and testing (including in relation to design, Analyse, Simulation, Schätzung, testing and other related activities) and generate related documents and other related content.

Role (controller/processor): Processor.

 

ANNEXURE 1B – Description of Transfer

Categories of data subjects:

Users of the Platform pursuant to the Agreement between SkyCiv and Subscriber, which may include Subscriber’s employees, contractors or agents.

Third party individuals whose information is included in Output created in the Platform by Subscriber or Users.

Categories of personal data: The categories of personal data are determined and controller by Subscriber in its sole discretion and may include:

Access credentials of Users;

Contact details of Users (z.B. Name, E-Mail-Addresse, Telefonnummer); und

Any other User Content or personal data that Subscriber or Users transmit to the Platform and/or include in Output created in the Service.

Sensitive data transferred (wenn anwendbar) and applied restrictions or safeguards:

Any sensitive data included by Subscriber or Users in Output created in the Platform, the extent of which is determined and controlled by Subscriber in its sole discretion. See Annexure 2 for applied restrictions and safeguards.

Frequency of the transfer: Kontinuierlich

Nature of the processing: Processing of the Subscriber’s and Users’ usernames, passwords and contact details in order to access and manage the Platform and User Content to the Platform.

Zweck(s) of the data transfer and further processing: Provision of the Platform pursuant to the Agreement.

Period for which the personal data will be retained, oder, if that is not possible, the criteria used to determine that period: The personal data will be retained until termination or expiry of the Agreement, in accordance with clause 2(k) of this DPA.

 

ANNEXURE 1C – Competent Supervisory Authority

The supervisory authority of the EEA Member State in which Subscriber is established or, if Subscriber is not established in the EEA, the EEA Member State in which Subscriber’s representative is established or in which Subscriber’s End Users are predominantly located.

 

ANNEXURE 2 – Technical And Organisational Measures Including Technical And Organisational Measures To Ensure The Security Of The Data

Refer to SkyCiv’s security documentation.

 

ANNEXURE 3 – List of Sub-Processors

The Subscriber has authorised the use of the sub-processors set out at this url: List of Sub-Processes.