Information for DPOs and legal teams

Stay Compliant With GDPR-Ready Media Management

What Skyfish Does With Data

As a DAM service provider specialized for visuals, Skyfish processes customer data in the form of images, videos, and other media files. Some of this material may contain personal data and is therefore subject to the GDPR.

As a data processor, Skyfish ensures that all handling of personal data complies with EU data protection standards, and that every customer can document this compliance through our audit reports and agreements.

Certified, Secure Provider

As the DPO or legal team, your role is to confirm that third-party providers meet the necessary standards for data protection and security.

We proactively support your assessment by maintaining verifiable certifications and transparent documentation.

Key assurances:

Audit document

Legal Framework

License Agreement

The License Agreement forms the contractual foundation between the licensee and Skyfish. It governs how the service is used and how personal data is handled within that relationship.

The agreement includes provisions on confidentiality, warranty, liability, and termination, and ensures that all personal data is processed lawfully, for a defined purpose, and with full transparency in accordance with data protection regulations.

DPA

The Data Processing Agreement defines Skyfish’s obligations as a data processor under Article 28 of the GDPR. It is attached as an annex to the License Agreement and describes the terms for data protection, confidentiality, and security.

The DPA also governs data transfers to third countries and sets out procedures for breach notification and for data deletion or return upon termination of service. A signed DPA is available for download.

ISAE 3000

Skyfish undergoes an independent ISAE 3000 audit each year, conducted by PricewaterhouseCoopers (PwC). This audit verifies that Skyfish’s data processing activities comply with the GDPR and with internationally recognized best practices for information security and privacy management.

The audit confirms that Skyfish maintains effective controls to protect the confidentiality and integrity of customer data.

Transfer Impact Assessments

Skyfish regularly conducts Transfer Impact Assessments to evaluate the lawfulness and security of any data transfers to third countries.

Although the European Commission has determined that certified U.S. providers such as AWS offer an adequate level of protection, Skyfish continues to monitor compliance independently. Each assessment reviews privacy laws, technical safeguards, and potential risks to data subjects’ rights. The most recent TIA report is available on request.

Request our legal package

Email info@skyfish.com to receive our latest ISAE 3000 audit and Transfer Impact Assessment reports.

FAQ - Frequently Asked Questions

Skyfish chose AWS for its technical reliability, security, and compliance. Their operations are GDPR-certified and aligned with ISO/IEC 27001 standards. By partnering with AWS, we ensure a secure, compliant, and future-ready platform for your business.

AWS relies on sub-processors to deliver the Skyfish service. In their Data Processing Addendum (DPA), AWS provides the following guarantee:

“AWS will enter into a written agreement with the Sub-processor and, to the extent that the Sub-processor performs the same data processing services provided by AWS under this DPA, AWS will impose on the Sub-processor the same contractual obligations that AWS has under this DPA.”

We acknowledge that AWS must comply with legally valid or binding orders and cooperate with law-enforcement agencies to investigate criminal and terrorist activities. However, the Data Processing Addendum between AWS and Colourbox requires AWS to redirect any governmental request directly to Colourbox or to notify Colourbox of the request. Since January 2015, reports on law-enforcement information requests have been published every half-year. So far, no data located outside of the US has been disclosed to the US Government. Colourbox, as part of its GDPR annual wheel, goes through every published report to ensure complete data privacy.

Data is securely stored across three separate hosting facilities to ensure redundancy and prevent loss. We have robust backup measures in place for both customer data and the system-supporting databases. Additionally, we are continuously enhancing these safeguards by strengthening redundancy, implementing advanced encryption protocols, and conducting rigorous recovery testing.

AWS KMS leverages Hardware Security Modules (HSMs) to securely store and manage encryption keys, adhering to stringent standards like FIPS 140-2 Level 3. These HSMs provide robust protection, ensuring that encryption keys are stored safely and managed securely by AWS. The architecture operates like a secure vault, where customer-managed keys are protected with advanced encryption protocols.

Not exactly. While the system doesn’t permanently lock users, it does enforce a temporary login restriction after failed attempts. This measure helps protect accounts while minimizing disruption for legitimate users.

The system provides access logs for user activity; however, failed login attempts are not currently included in these logs.

Access logs, including login activity, are stored for as long as the user has an active account in Skyfish.

Should you have any further questions regarding the legal framework, you are always welcome to contact us. Please reach out to our DPO.

Shinta Darling

Partner and DPO of Colourbox and Skyfish