Data Processing Agreement
Last updated: March 15, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between Skode Technologies Private Limited, a private limited company incorporated in India (CIN: U62011KL2026PTC102406) with registered office at Thirumangalath, Chelavur, Kozhikode – 673571, Kerala, India ("Skode," "Processor," "we," "us") and you ("Controller," "you," "your") for the use of our Services, as defined in our Terms of Service. This DPA applies to the extent that Skode processes Personal Data on your behalf in the course of providing the Services.
This DPA is entered into pursuant to Article 28 of the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), Article 28 of the UK GDPR (as incorporated by the UK Data Protection Act 2018), and equivalent provisions under the Indian Digital Personal Data Protection Act, 2023 ("DPDPA"). It sets out the terms on which the Processor shall process Personal Data on behalf of the Controller.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable Data Protection Laws.
- "Data Protection Laws" means all applicable laws relating to data protection and privacy, including the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA), and the Indian Digital Personal Data Protection Act, 2023.
- "Processing" means any operation performed on Personal Data, including collection, recording, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.
- "Sub-Processor" means any third party engaged by Skode to process Personal Data on behalf of the Controller.
- "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
- "Security Incident" means any unauthorized or unlawful access, acquisition, use, disclosure, alteration, or destruction of Personal Data.
2. Scope and Purpose of Processing
2.1 Subject Matter
Skode processes Personal Data on behalf of the Controller to provide the Services, which include customer relationship management, invoicing, lead management, AI-powered analytics, and omnichannel messaging through Skode CRM and Skode Flow.
2.2 Categories of Data Subjects
- Your customers and prospective customers (leads).
- Your business contacts and partners.
- Your employees and team members who use the Services.
- End users who interact with your widgets, forms, or messaging channels.
2.3 Types of Personal Data
- Contact information (name, email, phone number, address).
- Business information (company name, job title, industry).
- Communication records (emails, chat messages, call logs, notes).
- Transaction data (invoices, payment history, deal information).
- Usage data (interactions within the CRM, activity logs).
- Any other Personal Data you choose to store in the Services.
2.4 Duration
Processing continues for the duration of your subscription to the Services, plus any retention period required to fulfill our obligations under this DPA and applicable law.
3. Obligations of the Processor
Skode shall:
- Process Personal Data only on documented instructions from the Controller, unless required by applicable law.
- Ensure that persons authorized to process Personal Data are bound by obligations of confidentiality.
- Implement appropriate technical and organizational measures to ensure the security of Personal Data.
- Not engage a Sub-Processor without prior written authorization from the Controller (general or specific).
- Assist the Controller in responding to requests from Data Subjects exercising their rights under Data Protection Laws.
- Assist the Controller in ensuring compliance with obligations related to security of processing, data protection impact assessments, and prior consultations with supervisory authorities.
- At the Controller's choice, delete or return all Personal Data upon termination of the Services, unless retention is required by law.
- Make available to the Controller all information necessary to demonstrate compliance with this DPA.
4. Data Subject Rights
Skode will assist the Controller in fulfilling its obligations to respond to Data Subject requests, including:
- Right of access to Personal Data.
- Right to rectification of inaccurate data.
- Right to erasure ("right to be forgotten").
- Right to restriction of processing.
- Right to data portability.
- Right to object to processing.
We will promptly notify you if we receive a request from a Data Subject directly. We will not respond to Data Subject requests without your prior authorization, unless required by applicable law.
5. Security Measures
Skode implements and maintains appropriate technical and organisational security measures, including:
- Encryption: Data is encrypted in transit using TLS 1.2 or higher. At rest, customer files stored on AWS S3 (Mumbai, ap-south-1) are protected by AWS-managed server-side encryption; payment-gateway credentials are Fernet-encrypted inside our database; user passwords are stored as PBKDF2-SHA256 hashes.
- Access Controls: Role-based access controls with workspace (org_id) isolation and fail-closed query filters; SAML 2.0 and OIDC single sign-on for enterprise customers; principle of least privilege for administrative access. Two-factor authentication for end-user accounts is on our roadmap and not yet available.
- AI Connector Security: API keys are stored as SHA-256 hashes with 90-day automatic expiry. Mutual TLS (mTLS) is validated on inbound requests from OpenAI Connectors (mtls.connectors.openai.com). Sensitive personal fields are pseudonymised server-side before being returned to third-party AI assistants.
- Network Security: Rate limiting on public API endpoints (300 req/min sustained, 15 req/sec burst), per-workspace bulk-operation caps, and standard cloud network controls provided by AWS.
- Monitoring: Application logging retained for 30 days; audit trail of AI Connector actions retained for 30 days (failed events retained longer for investigation).
- Employee Training: Regular security awareness training for all personnel with access to Personal Data.
- Physical Security: Services are hosted on Amazon Web Services in the Mumbai (ap-south-1) region. AWS operates that infrastructure within a SOC 2 Type II-attested environment; Skode Technologies Private Limited does not itself hold a SOC 2 attestation today.
- Business Continuity: Regular backups, disaster-recovery plans, and business-continuity procedures.
- Secure Development: Security-by-design principles in software development, including code review and security testing.
6. Sub-Processors
The Controller provides general written authorization for Skode to engage Sub-Processors for the purpose of providing the Services. A current list of Sub-Processors is maintained at /legal/sub-processors/.
Skode shall:
- Notify the Controller of any intended changes to the list of Sub-Processors, providing an opportunity to object within 30 days of notification.
- Ensure that any Sub-Processor is bound by data protection obligations no less protective than those in this DPA.
- Remain fully liable for the acts and omissions of its Sub-Processors.
If the Controller objects to a new Sub-Processor within the 30-day notice period and Skode cannot reasonably accommodate the objection, either party may terminate the affected Services with 30 days' written notice.
When you activate AI connectors, the following additional sub-processors may process your data: OpenAI, Inc. (ChatGPT connector), Anthropic, PBC (Claude connector), and Google LLC (Gemini connector). See our Sub-Processors page for full details.
7. International Data Transfers
When Personal Data is transferred outside the European Economic Area (EEA), United Kingdom, or other jurisdictions with data transfer restrictions, Skode ensures appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) as approved by the European Commission.
- UK International Data Transfer Agreement or Addendum, where applicable.
- Binding Corporate Rules, where applicable.
- Any other transfer mechanism recognized under applicable Data Protection Laws.
8. Data Breach Notification
In the event of a Security Incident, Skode shall comply with all applicable breach notification requirements, including jurisdiction-specific timelines:
- Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the Security Incident (as required by GDPR Article 33 and UK GDPR).
- India CERT-In Requirement: For Security Incidents affecting data subjects located in India, Skode shall report the incident to the Indian Computer Emergency Response Team (CERT-In) within 6 hours of becoming aware of the incident, in accordance with CERT-In Directions dated April 28, 2022. This includes cyber security incidents such as unauthorized access to systems, data breaches, and data leaks. Skode shall simultaneously notify the Controller of any such report.
- Provide sufficient information to enable the Controller to meet its obligations to report the Security Incident to supervisory authorities and Data Subjects, including:
  - The nature of the Security Incident, including categories and approximate number of Data Subjects affected.
  - The likely consequences of the Security Incident.
  - The measures taken or proposed to address the Security Incident and mitigate its effects.
  - The name and contact details of a designated point of contact for further information.
- Take immediate steps to contain, investigate, and remediate the Security Incident.
- Cooperate with the Controller and provide reasonable assistance in investigating and resolving the Security Incident.
9. Audit Rights
Skode shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits conducted by the Controller or an independent auditor appointed by the Controller.
- Audit requests must be made in writing with at least 30 days' prior notice.
- Audits shall be conducted during normal business hours and shall not unreasonably interfere with Skode's operations.
- The Controller shall bear the cost of any audit, unless the audit reveals material non-compliance by Skode.
- Skode may satisfy audit requests by providing security documentation, architectural descriptions, penetration-test summaries, and compliance attestations held by its upstream hosting and infrastructure providers (for example, AWS SOC 2 Type II reports for the Mumbai region). Skode Technologies Private Limited does not currently hold its own SOC 2 attestation; SOC 2 readiness is on our security roadmap.
10. Data Deletion and Return
Upon termination of the Services:
- Skode will provide the Controller with the ability to export all Personal Data for 30 days following termination.
- After the 30-day export period, Skode will delete all Personal Data within a further 90 days, subject to the limited carve-outs below.
- Tax and accounting carve-out. Skode retains billing and invoice records for 7 years from the end of the relevant financial year, as required by the Indian Income-tax Act, 1961 and Section 36 of the Central Goods and Services Tax Act, 2017 (72-month statutory retention). Equivalent tax-retention obligations in other jurisdictions may also apply. These records are stored separately and are not used to provide the Services.
- Legal-hold carve-out. Skode may retain Personal Data as necessary to comply with a binding legal process, preserve evidence of a reported Security Incident, or defend legal claims. Such retention is limited to the minimum period and scope required for that purpose.
- Upon request, Skode will certify in writing that Personal Data has been deleted, identifying any records retained under a carve-out and the basis for that retention.
11. Liability
Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service, except that neither party excludes or limits its liability for breaches of its data protection obligations to the extent such limitation is prohibited by applicable Data Protection Laws.
12. Governing Law and Jurisdiction
This DPA, and any non-contractual obligations arising from or connected to it, are governed by and construed in accordance with the laws of India, without regard to conflict-of-law principles. The parties submit to the exclusive jurisdiction of the courts at Kozhikode, Kerala, India, with appeals lying to the Kerala High Court at Ernakulam, for any dispute arising out of or in connection with this DPA.
Nothing in this clause limits the rights of Data Subjects under the GDPR, UK GDPR, the Indian Digital Personal Data Protection Act, 2023, or any other applicable Data Protection Law to bring proceedings before a supervisory authority or court in the jurisdiction of their habitual residence or place of the alleged infringement.
Where EU or UK Data Subjects’ personal data is transferred outside the EEA or United Kingdom, the incorporated Standard Contractual Clauses (and UK Addendum, where applicable) are governed by the law and subject to the jurisdiction specified in those clauses, notwithstanding this section.
13. Contact
For questions or concerns regarding this DPA, please contact:
- Email: privacy@skode.ai
- Legal: legal@skode.ai
- Post: Skode Technologies Private Limited, Thirumangalath, Chelavur, Kozhikode, Kozhikode – 673571, Kerala, India