Effective Date: 2026/06/19
This Data Processing Addendum (“DPA”) forms part of and is incorporated into the Terms of Service (the “Agreement”) between Avlanche Pty Ltd, of 132 Bower Street, Manly, NSW, Australia, operating the Skippz platform (“Skippz”, “we”, “us”, or “Processor”), and the customer agreeing to the Agreement (“Customer”, “you”, or “Controller”).
This DPA applies where, and to the extent that, Skippz processes Personal Data on behalf of the Customer in the course of providing the Service, and where that processing is subject to the GDPR or equivalent data protection law. Where this DPA conflicts with the Agreement on the subject of data processing, this DPA prevails.
1. Definitions
Terms such as “Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject”, “Supervisory Authority”, and “Personal Data Breach” have the meanings given in the GDPR. “GDPR” means Regulation (EU) 2016/679, and, where applicable, the UK GDPR and the Data Protection Act 2018. “Customer Personal Data” means Personal Data contained in or derived from the Content and other data that Skippz processes on the Customer’s behalf under the Agreement. “Subprocessor” means any third party engaged by Skippz to process Customer Personal Data.
2. Roles of the Parties
For Customer Personal Data, the Customer is the Controller (or a processor acting on behalf of its own controller) and Skippz is the Processor.
Skippz separately acts as an independent Controller of account, billing, support, and usage data that it determines the purposes and means of, as described in the Skippz Privacy Policy. That processing is governed by the Privacy Policy and not by this DPA.
3. Scope and Details of Processing
Skippz will process Customer Personal Data only to provide, maintain, secure, and support the Service, and only in accordance with this DPA and the Customer’s documented instructions. The subject matter, duration, nature and purpose of processing, the types of Personal Data, and the categories of Data Subjects are set out in Annex 1.
The Agreement, the Customer’s use and configuration of the Service, and this DPA constitute the Customer’s complete and documented instructions. If Skippz is required by law to process Customer Personal Data otherwise, it will, where legally permitted, inform the Customer before doing so.
4. Skippz Obligations
Skippz will:
(a) Instructions. Process Customer Personal Data only on the Customer’s documented instructions, including regarding international transfers, unless required otherwise by applicable law.
(b) Confidentiality. Ensure that personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations.
(c) Security. Implement and maintain appropriate technical and organisational measures to protect Customer Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, and purposes of processing, as described in Annex 2.
(d) Subprocessors. Comply with the conditions in Section 5 when engaging Subprocessors.
(e) Data Subject requests. Taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as possible, to respond to requests from Data Subjects exercising their rights. If Skippz receives such a request directly relating to Customer Personal Data, it will, where permitted by law, direct the Data Subject to the Customer rather than respond itself.
(f) Assistance. Provide the Customer with reasonable assistance with data protection impact assessments, prior consultations with Supervisory Authorities, and security obligations, taking into account the information available to Skippz.
(g) Breach notification. Notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and provide the Customer with information reasonably available to it to assist the Customer in meeting its own breach obligations.
(h) Deletion or return. On termination or expiry of the Agreement, delete or return Customer Personal Data in accordance with the retention and deletion provisions of the Agreement and the Privacy Policy, except where retention is required by law. The standard deletion and grace-period mechanics in the Agreement satisfy this obligation unless the Customer instructs otherwise in writing before the end of the grace period.
(i) Records and audits. Make available to the Customer information reasonably necessary to demonstrate compliance with this DPA. Where the Customer reasonably requires an audit, the Customer may, on at least 30 days’ written notice, no more than once in any 12-month period (unless required by a Supervisory Authority), and subject to confidentiality, conduct or appoint an independent auditor to conduct an audit during business hours, in a manner that does not disrupt the Service or compromise the security or data of other customers. The Customer bears its own and Skippz’s reasonable costs of any such audit.
5. Subprocessors
The Customer provides a general authorisation for Skippz to engage Subprocessors to process Customer Personal Data in order to provide the Service. Skippz uses the categories of Subprocessors described in Annex 3, and a current list of named Subprocessors is available on request at support@skippz.com.
Skippz will impose data protection obligations on each Subprocessor that are substantially the same as those in this DPA, and remains responsible for its Subprocessors’ performance.
Skippz will give the Customer reasonable notice of any intended addition or replacement of a Subprocessor. The Customer may object on reasonable data-protection grounds within 14 days of notice. If the parties cannot resolve the objection, the Customer may terminate the affected part of the Service.
6. International Transfers
Skippz and certain Subprocessors are located outside the European Economic Area, including in Australia and the United States. Where Skippz transfers Customer Personal Data to a country that has not received an adequacy decision, the transfer is made under an appropriate transfer mechanism, including the European Commission’s Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), and, where the UK GDPR applies, the UK International Data Transfer Addendum. Those clauses are incorporated into this DPA by reference and apply to such transfers, with Skippz as data importer and the Customer as data exporter.
7. Customer Obligations
The Customer warrants that it has a lawful basis for the processing of Customer Personal Data, that its instructions are lawful, and that it has provided all required notices and obtained all required consents from Data Subjects, including any individuals appearing in or submitting data through the Content. The Customer is responsible for the accuracy, quality, and legality of Customer Personal Data and the means by which it acquired it.
8. Liability
Each party’s liability under or in connection with this DPA is subject to the exclusions and limitations of liability set out in the Agreement.
9. Term, Governing Law, and General
This DPA takes effect when the Customer accepts the Agreement and continues for as long as Skippz processes Customer Personal Data. This DPA is governed by the same law and subject to the same jurisdiction as the Agreement, except where mandatory data protection law requires otherwise. If any provision is found unenforceable, the remainder continues in effect.
Annex 1 — Details of Processing
Subject matter. Provision of the Skippz video hosting and delivery Service.
Duration. For the term of the Agreement and any retention or grace period described in the Agreement and Privacy Policy.
Nature and purpose. Hosting, storing, encoding, transcoding, caching, delivering, analysing, and supporting the Customer’s Content and related activity, in order to provide the Service.
Types of Personal Data (as determined by the Customer through its use of the Service):
Personal data of individuals appearing or audible in uploaded Content, such as images, likenesses, and voices.
Viewer data generated during playback, such as IP address, approximate location, device and browser information, and playback behaviour.
Personal data submitted by the Customer’s viewers or contacts through forms, calls-to-action, or Spotlights.
Any other Personal Data the Customer chooses to include in its Content or account.
Categories of Data Subjects:
The Customer’s viewers and end users.
Individuals appearing in or referenced by the Customer’s Content.
The Customer’s contacts, leads, or customers who submit data through the Service.
Annex 2 — Technical and Organisational Security Measures
Skippz maintains measures appropriate to the nature of the Service, including:
Encryption of account data at rest and use of encrypted transport (TLS) for data in transit.
Access controls that prevent Skippz staff from signing in to customer Accounts or reading customer credentials, which are stored only in hashed or encrypted form.
Support for two-factor authentication on customer Accounts.
Use of reputable infrastructure and Subprocessors with their own security and data protection commitments.
Logical separation of customer data and restriction of internal access on a need-to-know basis.
Prompt and permanent deletion of Content on deletion or at the end of the retention and grace periods described in the Agreement, without retained backups of deleted Content.
Procedures to detect and respond to Personal Data Breaches and to notify the Customer without undue delay.
These measures may be updated over time, provided the level of protection is not materially reduced.
Annex 3 — Categories of Subprocessors
| Category | Purpose | Location |
| Cloud storage and hosting | Storage of Content and operation of the Service | United States and other regions |
| Content delivery network and edge | Delivery and caching of Content to viewers | Global |
| Payment processing | Billing and subscription management | As determined by the provider |
| AI transcription and language services | Generating captions, transcripts, and chapters | United States |
| Customer support tooling | Support tickets, help centre, and roadmap | As determined by the provider |
| Analytics and behavioural analytics | Service and marketing analytics | As determined by the provider |
A current list of named Subprocessors within these categories is available on request at support@skippz.com.
Contact for data protection matters: support@skippz.com Avlanche Pty Ltd, 132 Bower Street, Manly, NSW, Australia
