Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the agreement between Sky Vista Consulting ("Processor") and the customer agency ("Controller") for the use of Rankrop™ (the "Service"), and reflects the parties' agreement with respect to the terms governing the processing of Personal Data, as defined below.

1. Definitions

Personal Data, Controller, Processor, Data Subject, Processing have the meanings given them in the EU General Data Protection Regulation 2016/679 ("GDPR") and the UK GDPR.

Standard Contractual Clauses (SCCs) means the European Commission's standard contractual clauses adopted pursuant to Commission Implementing Decision (EU) 2021/914.

2. Scope

This DPA applies to Personal Data that the Controller submits to the Service. The Processor will process such data only on the Controller's documented instructions, including with respect to international transfers.

3. Categories of data

The categories of Personal Data processed may include:

• Identification data: name, email, IP address, account credentials
• Customer/client data: contact details, business names, addresses, phone numbers
• Usage data: actions in the Service, audit log entries
• Communication data: support tickets, comments

Special categories of Personal Data (e.g., health, religion, biometrics) should not be submitted to the Service.

4. Categories of data subjects

• The Controller's personnel (workspace users)
• The Controller's customers and their contacts (where stored as Clients in the Service)
• Other individuals whose Personal Data is submitted by the Controller

5. Sub-processors

The Controller authorizes the Processor to engage sub-processors listed below. Material changes to this list will be notified at least 30 days before the change.

6. International transfers

Where Personal Data is transferred from the EU/UK/Switzerland to the USA or other countries without an adequacy decision, the parties rely on the SCCs (Module 2: Controller to Processor) which are deemed incorporated by reference into this DPA.

7. Security measures

The Processor implements technical and organizational measures appropriate to the risk, including:

• TLS 1.3 encryption for data in transit
• AES-256 encryption at rest for sensitive fields
• Per-workspace data isolation enforced at the database level
• Two-factor authentication for all accounts
• Access controls and audit logging
• Regular security patching and dependency updates
• Daily encrypted backups

See /security for the full description.

8. Data subject requests

The Processor will assist the Controller in responding to Data Subject requests for access, rectification, erasure, restriction, portability, and objection. Most requests can be fulfilled directly via the Service (CSV exports, account deletion). For requests requiring assistance, contact privacy@skyvistaconsulting.com.

9. Personal data breaches

The Processor will notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach affecting the Controller's data.

10. Audits

The Processor will make available to the Controller information necessary to demonstrate compliance with this DPA. Annual third-party audit reports (when available) will be shared on request.

11. Deletion / return of data

Upon termination of the Service, the Controller may export all Personal Data via CSV within 30 days. After that period, the Processor will delete all Personal Data within 60 days unless legally required to retain it.

12. Order of precedence

In the event of conflict between this DPA and the Terms of Service, this DPA prevails with respect to Personal Data matters.

13. Signing

This DPA is effective upon the Controller's acceptance of the Service's Terms. Customers requiring a signed copy of the DPA should email legal@skyvistaconsulting.com — we'll execute the SCCs and return a counter-signed copy.

---

Sky Vista Consulting
Las Vegas, Nevada, USA
legal@skyvistaconsulting.com