This Annex is fully integrated into the General Terms and Conditions. It is deemed accepted as soon as the Client agrees to the General Terms and Conditions.
In accordance with Article 15 of the General Terms of Service, Skello acts as a Processor for the Client, who remains the Controller of the processing under the Contract.
1. Name and contact details of the Data Protection Officer (DPO)
Skello’s DPO contact details: Carole Franco, privacy@skello.io.
The Client shall send its own DPO contact details to Skello’s DPO.
2. Processing of Personal Data as a Processor
For the performance of the Contract, Skello is authorized to process, on behalf of the Client, the Personal Data necessary to provide the Services the Client has subscribed to as described in the Contract.
The Personal Data processed includes data relating to:
- the Client's employees, staff members, and representatives;
- the Solution’s authorized users;
- prospects integrated by the Client;
- HR administrators and managers designated by the Client.
The Personal Data concerned includes:
- identification data (last name, first name, email address, postal address, phone numbers, login credentials, IP address);
- employment-related data (position, working hours, schedules, absences, employment contracts, status, remuneration);
- contractual data (contracts, amendments, documents related to the employment relationship);
- payroll and time-tracking data (variable pay elements, hours worked, absences, leave, sick leave);
- any data entered by the Client into the Solution.
The processing is carried out for the following purposes:
- provision and operation of the Solution and Services;
- management and monitoring of schedules and work time;
- management of variable payroll elements;
- data hosting, backup, and storage;
- technical support and assistance;
- notifications and communication to Users;
- transmission to the Client's service providers when necessary for the performance of the Services.
The legal basis for the Processing is:
- the performance of the Contract between the Client and Skello;
- the Client's legal obligations;
- the Client's documented instructions.
Personal Data is stored for the duration of the Contract and, upon its expiration, is archived for three years, unless the Client issues an express deletion instruction or there is a legal obligation to retain it.
3. Technical and Organizational Measures
Skello implements all appropriate technical and organizational measures to ensure a level of security suitable for the risks associated with the Processing, in accordance with Article 32 of the GDPR (General Data Protection Regulation).
3.1. Governance and Compliance
- Data is hosted on AWS, which is certified ISO 27001, ISO 27017, and ISO 27018.
- Security is supervised by a dedicated Manager and is subject to regular compliance audits.
3.2. Access Control (Skello Personnel)
- Access rights are assigned based on the principle of least privilege.
- There is a strict procedure for managing account lifecycles (creation, modification, immediate deletion upon departure).
- Authentication is performed via SSO, with complex passwords and regular password renewal.
3.3. Access Control (Solution Users)
- Authentication is via username and password, subject to password robustness requirements.
- An RBAC (Role-Based Access Control) system is in place to limit access to only the data necessary for the user's profile.
3.4. Confidentiality and Training
- All employees have a contractual confidentiality obligation.
- Ongoing training is provided on data protection and cybersecurity.
3.5. System and Data Security
- Data is encrypted at rest (AES-256) and in transit (TLS 1.2 or higher).
- Development, testing, and production environments are segmented.
- The infrastructure is monitored for intrusion detection.
3.6. Availability and Business Continuity
- Daily data backups.
- Multi-AZ redundancy ensured by AWS.
- Disaster recovery and business continuity plans are tested regularly.
3.7. Traceability and Audit
- Logging of access and sensitive actions.
- Information necessary to demonstrate compliance is made available.
- The Client can audit according to the terms specified in the Contract.
Skello commits to maintaining and adapting these measures based on the evolution of technology, risks, and regulations.
4. List of Sub-Processors
Skello uses the following service providers, who act as Sub-processors in the provision of the Solution and Services.
Skello has verified that the selected Sub-processors comply with the GDPR and has framed the processing of Personal Data in accordance with Article 28 of the GDPR.