Data Processing Addendum

This Addendum forms part of the Terms of Service and applies where SkyQon processes personal data on the Customer’s behalf. Processor: SkyQon, based in Belgium. Last updated: 22 May 2026.

1. Roles

For Customer account and contact data and the certificate/endpoint metadata processed by the SkyQon on the Customer’s instruction, the Customer is the controller and SkyQon is the processor. Paddle acts as an independent controller and Merchant of Record for payment data, which is outside the scope of SkyQon’s processing under this Addendum.

2. Subject-matter & duration

SkyQon processes Customer personal data for the duration of the subscription (and any free trial) plus the retention window set out in the Privacy Policy, after which it is deleted or returned in accordance with clause 9.

3. Nature & purpose of processing

Storing Customer account and contact details; scheduled TLS/SSL, DNS and email-authentication scanning of the Customer-authorised public endpoints; generating and delivering expiry and misconfiguration alerts and tier-dependent reports; and providing support.

4. Categories of data & data subjects

Identification and contact data (names, work email addresses, company) of the Customer’s staff and nominated alert recipients; configuration data (nominated domains, hosts and ports); certificate, DNS and TLS metadata observed at those endpoints; and technical log data including IP address. No payment-card data is processed by SkyQon. Data subjects are the Customer’s staff, administrators and nominated contacts.

5. Sub-processors

The Customer authorises the following sub-processors:

  • Hostinger — hosting of the public marketing site and the lead-capture endpoint — EU.
  • Hetzner Online GmbH — hosting of the production monitoring application and its database — EU (Germany/Finland).
  • Brevo (Sendinblue) — transactional and alert email delivery — EU.
  • Paddle.com Market Limited — Merchant of Record / payment processing (independent controller for payment data).

SkyQon will give at least 30 days’ notice of any intended addition or replacement of a sub-processor (by email to the account contact and/or by notice on monitor.skyqon.com). The Customer may object on reasonable data-protection grounds; if the parties cannot resolve the objection the Customer may terminate the affected service.

6. Security measures

Technical and organisational measures implementing Article 32 GDPR include: tenant isolation enforced by database row-level security; encryption of data in transit (TLS); access restricted to authorised personnel on a least-privilege basis; audit logging; and regular backups with integrity verification. Measures may be updated to maintain an appropriate level of security.

7. International transfers

Processing takes place in the EU/EEA. Where any sub-processor processes personal data outside the EEA, SkyQon relies on an adequacy decision or on EU Standard Contractual Clauses with appropriate supplementary measures.

8. Assistance, breach notification & audit

SkyQon will notify the Customer without undue delay, and in any event within 72 hours of becoming aware, of a personal-data breach affecting Customer personal data, and will provide reasonable assistance with data-subject requests, data-protection impact assessments and prior consultations. SkyQon will make available information reasonably necessary to demonstrate compliance with Article 28 and will allow for and contribute to audits, including inspections, on reasonable prior notice and subject to confidentiality.

9. Return & deletion

On termination or expiry, and at the Customer’s choice, SkyQon will return or delete Customer personal data within 30 days, save where retention is required by law; backups are purged on their normal rotation cycle.

Contact for data-protection matters: [email protected].