This Data Protection Policy describes how SK21 S.A. handles personal data entrusted to us by clients during the course of service delivery. It reflects our commitment to responsible data stewardship and compliance with applicable data protection law.
Our commitment
SK21 S.A. processes client data only to the extent necessary to deliver agreed services. We apply the principles of data minimisation, purpose limitation, and storage limitation. We do not use client data for any purpose beyond the scope of the engagement without explicit written consent.
Data we may process
Depending on the nature of the engagement, SK21 S.A. may process: employee or user data contained in client systems we are asked to work on; infrastructure credentials and configuration data; application logs; business data in databases, files, or APIs. All such data is treated as confidential and handled under the terms of the applicable service agreement.
Subprocessors
SK21 S.A. may use the following subprocessors in the course of delivering services: Google Cloud Platform (GCP) for infrastructure and compute; GitHub for version control; Slack and email for communication. We ensure subprocessors provide adequate data protection guarantees. We will inform clients of any intended changes to subprocessors that may affect client data.
Security measures
We apply appropriate technical and organisational measures to protect data against unauthorised access, loss, or destruction. These include: access controls and least privilege principles; encrypted storage and transit (TLS); secure credential management; and regular review of access permissions. Engineers working with client data operate under confidentiality obligations.
Data retention
Upon completion or termination of an engagement, SK21 S.A. will return or securely delete all client data within 30 days unless a longer retention period is required by law or agreed in writing. Access to client systems and credentials is revoked immediately upon engagement end.
Breach notification
In the event of a data breach that affects client personal data, SK21 S.A. will notify the affected client without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include: the nature of the breach; the categories and approximate number of data subjects affected; likely consequences; and measures taken or proposed to address the breach.
Contact
For data protection enquiries, to request a Data Processing Agreement (DPA), or to report a concern, please contact us at [email protected]. We aim to respond to all data protection requests within 5 business days.