Data Processing Addendum

This Data Processing Addendum (the "DPA") forms part of the agreement between ClearSky Imagery ApS (trading as ClearSKY and, in some contexts, ClearSKY Vision) and the Customer identified in the applicable Order Form, Master Terms of Service, or other binding agreement (the "Agreement").

This DPA applies only if and to the extent ClearSKY processes Personal Data on behalf of Customer as a processor in connection with the Services.

If there is a conflict between this DPA and the Agreement, this DPA controls solely with respect to the Processing of Personal Data under this DPA.

1. Definitions and interpretation

1.1 Capitalized terms not defined in this DPA have the meanings given in the Agreement.

1.2 In this DPA:

• "Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", and "Supervisory Authority" have the meanings given in applicable Data Protection Law.
• "Data Protection Law" means applicable laws and regulations relating to privacy, security, and the Processing of Personal Data, including Regulation (EU) 2016/679 (GDPR) where applicable.
• "Sub-processor" means any third party engaged by ClearSKY or another Sub-processor to Process Personal Data on behalf of Customer under this DPA.

1.3 The terms "business customer", "Customer", and "controller" do not mean the same thing in all circumstances. The allocation of controller and processor roles depends on the actual Processing activities and applicable Data Protection Law.

2. Scope and roles

2.1 Customer acts as Controller, and ClearSKY acts as Processor, for the Personal Data described in Annex 1 to the extent ClearSKY Processes such Personal Data on Customer’s behalf in connection with the Services.

2.2 This DPA does not apply to Processing activities for which ClearSKY acts as Controller, including its own account administration, billing, security logging, service telemetry, product improvement, fraud prevention, legal compliance, and other Processing described in ClearSKY’s Privacy Policy.

2.3 Customer is responsible for ensuring that it has a valid legal basis to instruct ClearSKY to Process Personal Data under the Agreement and this DPA.

3. Customer instructions

3.1 ClearSKY will Process Personal Data only on documented instructions from Customer, including as set out in the Agreement, this DPA, Customer’s use of the Services, and Customer’s configuration of the Services, unless otherwise required by applicable law.

3.2 If applicable law requires ClearSKY to Process Personal Data other than on Customer’s instructions, ClearSKY will inform Customer of that legal requirement before Processing, unless the law prohibits such notice on important grounds of public interest.

3.3 Customer’s instructions must comply with Data Protection Law. ClearSKY may refuse to follow an instruction that it reasonably considers unlawful, technically impossible, or outside the scope of the Agreement.

3.4 ClearSKY will promptly inform Customer if, in ClearSKY’s opinion, an instruction infringes Data Protection Law. ClearSKY is not required to provide legal advice.

4. Confidentiality

4.1 ClearSKY will ensure that persons authorized to Process Personal Data are subject to appropriate confidentiality obligations, whether contractual or statutory.

4.2 ClearSKY will limit access to Personal Data to those personnel, contractors, and Sub-processors who need such access to provide, secure, maintain, or support the Services in accordance with the Agreement and this DPA.

5. Security of processing

5.1 Taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, and the risks for the rights and freedoms of natural persons, ClearSKY will implement appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

5.2 Such measures may include, as appropriate, access controls, encryption in transit and at rest where suitable, logical segregation, resilience measures, logging, backup and recovery controls, vulnerability management, and incident response procedures.

5.3 Customer acknowledges that no security measure can guarantee absolute security and that security requirements should be assessed in light of the risks presented by the Processing and the nature of the Services used.

6. Sub-processing

6.1 Customer grants ClearSKY a general authorization to engage Sub-processors in connection with the Services.

6.2 ClearSKY will maintain information about its Sub-processors or Sub-processor categories in its documentation, trust materials, or upon reasonable request. Where ClearSKY relies on Customer’s general authorization under Section 6.1, ClearSKY will provide notice of intended additions or replacements of Sub-processors and give Customer a reasonable opportunity to object on documented data protection grounds before the new Sub-processor begins Processing Personal Data under this DPA. If Customer objects on documented reasonable data protection grounds and the parties cannot resolve the objection in good faith, ClearSKY may use commercially reasonable efforts to provide the affected Services without the new Sub-processor, and if that is not reasonably possible, either party may terminate the affected Services on written notice.

6.3 If ClearSKY engages a Sub-processor to Process Personal Data, ClearSKY will impose data protection obligations on the Sub-processor that are no less protective, in all material respects, than those set out in this DPA, to the extent applicable to the services provided by that Sub-processor.

6.4 ClearSKY remains responsible for the performance of its Sub-processors to the extent required by applicable law.

7. International transfers

7.1 ClearSKY may transfer or permit the transfer of Personal Data outside the EU/EEA only where such transfer is made in compliance with Data Protection Law.

7.2 Where required, ClearSKY will use an appropriate transfer mechanism, such as an adequacy decision, the European Commission’s Standard Contractual Clauses, or another lawful mechanism.

7.3 Customer authorizes ClearSKY to enter into such transfer mechanisms on Customer’s behalf where reasonably necessary to provide the Services lawfully.

8. Assistance to Customer

8.1 Taking into account the nature of the Processing and the information available to ClearSKY, ClearSKY will provide reasonable assistance to Customer in responding to requests from Data Subjects exercising their rights under Data Protection Law.

8.2 If ClearSKY receives a request directly from a Data Subject relating to Personal Data Processed under this DPA, ClearSKY will, unless legally prohibited, direct the Data Subject to Customer and may notify Customer of the request.

8.3 Taking into account the nature of the Processing and the information available to ClearSKY, ClearSKY will provide reasonable assistance to Customer with Customer’s obligations relating to:

• security of Processing;
• notification and management of Personal Data Breaches;
• data protection impact assessments; and
• consultation with Supervisory Authorities, where required.

8.4 ClearSKY may charge reasonable costs for assistance under this Section to the extent such assistance is not already included in the Services and is requested by Customer beyond what is required by law or the Agreement.

9. Personal Data Breaches

9.1 ClearSKY will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Personal Data Processed under this DPA.

9.2 ClearSKY’s notification will include, to the extent available at the time, information reasonably necessary for Customer to meet its obligations under Data Protection Law, such as the nature of the breach, the categories of affected data, likely consequences, and measures taken or proposed to address the breach.

9.3 ClearSKY may provide information in phases as it becomes available.

10. Deletion and return

10.1 Upon expiration or termination of the applicable Services, ClearSKY will, at Customer’s choice expressed through the Services, applicable documentation, or written request, delete or return Personal Data Processed under this DPA, unless applicable law requires further storage.

10.2 Customer acknowledges that the Services may include configuration-based retention settings, storage periods, backup cycles, and deletion workflows that affect how and when deletion or return can be completed.

10.3 ClearSKY may retain Personal Data only to the extent required by applicable law, required to maintain secure backup copies until overwritten in the ordinary course, or reasonably necessary to establish, exercise, or defend legal claims relating to the Agreement, provided that such retained Personal Data remains protected and subject to this DPA for so long as it is retained.

11. Audits and information

11.1 ClearSKY will make available to Customer information reasonably necessary to demonstrate compliance with this DPA.

11.2 To the extent required by Data Protection Law, Customer may, no more than once per calendar year and subject to reasonable confidentiality, security, and business continuity requirements, request an audit of ClearSKY’s relevant Processing activities under this DPA.

11.3 Any audit must be limited to what is reasonably necessary to demonstrate compliance, must avoid unreasonable disruption, and may be satisfied through existing third-party audit reports, certifications, questionnaires, or comparable materials where appropriate.

11.4 Customer will bear its own audit costs and reimburse ClearSKY for reasonable costs incurred in supporting audits, except where an audit reveals a material breach of this DPA.

12. Annex 1: Description of processing

12.1 Subject matter and duration. ClearSKY Processes Personal Data as necessary to provide the Services under the Agreement for the duration of the applicable Services and any related retention, deletion, or transition period.

12.2 Nature and purpose of the Processing. Providing hosted software, APIs, account-based services, geospatial/data-processing services, support, storage, delivery, security, and related service operations in accordance with the Agreement and Customer’s instructions.

12.3 Categories of Data Subjects. Customer’s users, employees, contractors, affiliates, end users, business contacts, and other persons whose Personal Data is included in Customer Data or otherwise submitted to the Services by or on behalf of Customer.

12.4 Categories of Personal Data. Depending on the Services used and Customer’s configuration, Personal Data may include:

• account identifiers and login-related data;
• contact details such as name, email address, organization, or role;
• support communications and support attachments;
• service inputs such as AOIs, geometries, tile selections, filenames, labels, metadata, and configurations;
• service-generated metadata, delivery metadata, and usage metadata; and
• any other Personal Data that Customer or its users choose to submit to the Services.

12.5 Special categories of data. ClearSKY does not require Customer to submit special categories of Personal Data and Customer must not do so unless expressly agreed in writing and supported by the Services.

13. Annex 2: Security measures summary

Depending on the Services used and the risk profile of the Processing, ClearSKY’s measures may include:

• role-based or need-to-know access controls;
• authentication and credential management controls;
• encryption in transit and, where appropriate, at rest;
• logging, monitoring, and incident response processes;
• backup, recovery, and resilience measures;
• vendor and Sub-processor management processes; and
• organizational confidentiality and security policies.

14. Contact

Questions regarding this DPA may be sent to [email protected].