This Agreement was last revised on October 22, 2025 and replaces all previous versions.
Preamble
This Data Processing Agreement (“Agreement”) forms part of the YourSky.blue Terms of Service available at https://yoursky.blue/legal/software-as-a-service-agreement or any other SaaS Subscription Agreement entered into between the Customer and YourSky.blue LLC (the “Principal Agreement”).
It applies automatically and without signature to Customers who subscribe to and use the Services.
1. Roles of the Parties
The Customer acts as the Data Controller (“Controller”).
YourSky.blue LLC acts as the Data Processor (“Processor”).
Both Parties shall comply with the General Data Protection Regulation (GDPR), the Swiss Federal Act on Data Protection (FADP), and other applicable laws.
2. Subject Matter
This Agreement governs the processing of Personal Data that Controller uploads, stores, or otherwise makes available when using Processor SaaS services.
3. Categories of Data
Depending on Controller use, the Processor may process:
- User credentials (names, emails, login data),
- Project/application data,
- Technical logs and usage metadata,
- Billing details (if provided).
The Processor does not use Customer Data (as defined herein) for its own purposes, except where required to comply with billing, payment, accounting, tax, or other legal obligations as an independent Controller.
4. Sub-Processors
Processor engages, or may engage, trusted Sub-processors listed at https://yoursky.blue/legal/subprocessors.
By subscribing to the Services, the Customer acknowledges and agrees that:
- Sub-processors may change from time to time.
- The Processor shall provide notice of any intended addition or replacement of a Sub-processor by updating the Sub-Processors page and, where feasible, by email to the Customer’s designated contact at least 30 calendar days prior to engaging the Sub-processor (the “Notification Window”).
- The Controller has 14 calendar days from receipt of such notice to raise any reasoned objection in writing to the Processor. For new customers or new contracts entered into after a change to the Sub-Processors list, the updated list shall apply immediately upon subscription, and the Notification Window and objection procedure do not apply.
- Only sub-processors with access to Customer Personal Data are listed; monitoring or infrastructure services without access to Personal Data are not included.
Consequence of Objection.
If the Controller submits a timely and reasoned objection to the use of a new or replacement Sub-processor, the Processor shall use commercially reasonable efforts to modify the provision of the Services or recommend a suitable, compliant alternative to avoid the processing of Controller Personal Data by the objected-to Sub-processor.
If the Processor is unable to resolve the objection before the end of the Notification Window, the Controller may terminate the specific portion of the SaaS Agreement relevant to the processing activities of the objected-to Sub-processor, effective at the end of the Notification Window, upon written notice to the Processor.
The Processor shall refund any pre-paid fees covering the remainder of the terminated service period, subject to the administrative fee in the SaaS Agreement, unless prohibited by law. The Processor shall not otherwise be liable to the Controller for such termination.
5. Security Measures
Processor maintains appropriate technical and organizational measures to protect Personal Data, taking into account the nature of the processing and associated risks, including:
- Data encryption at rest and in transit,
- Access controls and authentication,
- Logging and monitoring,
- Backups and recovery procedures,
- Hosting of business data primarily in Switzerland; administrative or billing data may be processed in EU/global locations under appropriate safeguards.
6. Data Subject Rights
Processor assists Controller in handling data subject requests (access, correction, deletion, portability), to the extent reasonably possible.
- Controller may submit requests via email or support portal.
- Requests will be addressed within 30 days where reasonably feasible.
- Fees may apply only for excessive or manifestly unfounded requests.
7. Data Breach
Processor will notify Controller without undue delay and within 72 hours after becoming aware of a Personal Data Breach affecting Customer Personal Data.
8. Data Transfers
Business data stored in the SaaS service is processed exclusively in Switzerland.
Should Customer Personal Data be transferred outside Switzerland or the European Economic Area (EEA) in the future, Processor will ensure that appropriate safeguards are in place, such as EU-approved Standard Contractual Clauses (SCCs), or obtain explicit Customer consent before any transfer.
9. Data Retention and Deletion
Upon subscription termination, Customer data will be disabled.
Data is retained for 7 days (“redemption period”), after which it is permanently deleted unless recovery is requested (CHF 250 fee).
Legally required records (e.g., invoices) are retained for 10 years.
10. Audit Rights
Processor shall make available information reasonably necessary to demonstrate compliance with this Agreement and applicable Data Protection Laws.
Disclosure of information may be subject to a confidentiality agreement (NDA) and operational constraints.
On-site audits are only permitted where required by law.
11. Confidentiality
Both Parties shall keep all data and related information strictly confidential, unless disclosure is required by law.
12. Governing Law
This Agreement is governed by the laws of Switzerland.
Place of jurisdiction: Conthey, Switzerland.
Final Provisions
By subscribing to and using the Services, the Customer accepts and is bound by this Data Processing Agreement.