Data Processing Addendum

This Data Processing Addendum and schedule to it (“DPA”) forms part of the Agreement entered into by Snowplow and You for the use of Snowplow’s Services as described in the Order Form.

In the course of providing the Services to You pursuant to the Agreement, We may Process Personal Data on Your behalf. The parties agree to comply with the following provisions with respect to any such Personal Data.

  1. Interpretation
    1. The term of this DPA will follow the Term of the Agreement.
    2. Defined words in the Agreement are also used in this DPA.
    3. In the event of any inconsistency between the terms of the Agreement and this DPA, the terms of this DPA will govern.
  2. Particulars of Personal Data to Be Processed
    1. The parties agree (for informational purposes only, and without creating additional obligations on either party or limiting the rights and obligations of either party otherwise existing), the following particulars of the Personal Data to be processed:
      1. the subject matter and purpose of the processing to be carried out by Snowplow is the provision of Snowplow's Platform and Services, as more particularly described in the Agreement;
      2. the purpose for which Snowplow's Platform and Services are used, the type of personal data and the categories of data subjects are determined by the Customer; and
      3. the duration of processing is the Term.
  3. Mutual Obligations
    1. Each party will, in connection with this Agreement, comply with the Data Privacy Laws applicable to it and will not cause the other party to breach any of its obligations under Data Privacy Laws.
  4. Customer Obligations
    1. The Customer acknowledges and agrees that:
      1. it has reviewed and understood Snowplow's provided documentation on the configuration of the Products as they may be updated or replaced from time to time;
      2. it is the Customer's responsibility to determine what Personal Data will be processed by the Products, and how it will be processed, and to configure the Products accordingly (or to instruct Snowplow to configure them accordingly, as the case may be); and
      3. therefore, the lawfulness or otherwise of that processing is in large part determined by how the Customer chooses to use the Products, and Snowplow has no liability whatsoever arising out of or in connection with how the Customer chooses to configure or use any Product.
    2. The Customer must give all configuration instructions either through the provided user interface or in writing (which term when used in this context includes raising a ticket with the Snowplow service desk or by way of an agreed Statement of Work), including but not limited to any initial setup and configuration instructions.
    3. Snowplow acknowledges, and will comply with, its obligation under article 28(3) GDPR to inform the Customer if, in its opinion, an instruction given by the Customer infringes the Data Privacy Laws. However, the Customer acknowledges and agrees that Snowplow is not a law firm and does not give legal advice, and therefore Snowplow will have no liability whatsoever to the Customer arising out of or in connection with the content or effect of any such opinion, or whether or when any such opinion is given or not given, or otherwise arising out of or in connection with any such opinion in any way. Without prejudice to its other rights under this Agreement, Snowplow reserves the right to decline to act (or to decline to continue to act) on an instruction of the Customer which it considers to be unlawful, but its failure to do so, or to do so by a particular time, will not be construed as a waiver of any of the Customer's obligations under this paragraph 4.
  5. Snowplow Obligations
    1. Where Snowplow processes Personal Data (as processor) on behalf of the Customer (as controller) in connection with the Product, Snowplow will:
      1. process that Personal Data only in accordance with the written instructions for the configuration of the Products given to it by the Customer or (at the Customer’s cost) such different or additional instructions received in writing from the Customer from time to time. If compliance with such different or additional instructions prevents or hinders the performance of Snowplow’s obligations under this Agreement, Snowplow will be excused from the performance of the affected obligations, without liability;
      2. ensure that all of its personnel with access to that Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
      3. take the technical and organisational security measures necessary to secure that Personal Data as set forth in Snowplow’s security policy at www.snowplow.io/legal, provided that the Customer acknowledges that it has reviewed those measures and agrees that they are appropriate and sufficient for the purposes of article 32 GDPR in light of the Customer’s intended use of the Products. Snowplow reserves the right to make reasonable changes to the precise security measures in place from time to time; for example, it may implement additional measures to respond to new threats, or change how existing measures are implemented to reflect customer feedback or changes in best practice, or remove measures which no longer serve a useful purpose. Snowplow will inform the Customer of any material changes to the security measures in place, and will ensure that any such change does not materially reduce the overall level of security of those aspects of the Product that are Snowplow’s responsibility to secure;
      4. engage only those other processors which are published on Snowplow’s website at www.snowplow.io/legal or which are subsequently engaged in accordance with paragraph 5.1.5 or as instructed by the Customer from time to time (each, a “Sub-Processor”) to process that Personal Data on its behalf, and provided always that:
        1. it binds any such Sub-Processor by a written agreement complying with the requirements of article 28 GDPR as it applies to that Sub-Processor’s processing activities; and
        2. Snowplow remains liable to the Customer for the acts and omissions of any Sub-Processor, as if they were the acts or omissions of Snowplow itself;
      5. where Snowplow wishes to engage a different or an additional Sub-Processor, first inform the Customer of the identity of the proposed Sub-Processor and provide the Customer with a reasonable opportunity to object to that Sub-Processor’s engagement. If the Customer does so object it will inform Snowplow within 14 days of being so informed, giving reasons for the objection on the basis of the Data Privacy Laws, and if Snowplow cannot within 30 days of that objection address the reasons for it to the Customer’s reasonable satisfaction then Snowplow may choose not to appoint that Sub-Processor, or it may choose to appoint that Sub-Processor regardless, in which case the Customer will be entitled to terminate this Agreement by notice to Snowplow;
      6. taking into account the nature of the processing and insofar as is possible, assist the Customer (at the Customer’s cost) with the fulfillment of the Customer’s obligation to respond to requests by data subjects to exercise their rights over that Personal Data under the Data Privacy Laws, by providing relevant information requested by the Customer and copies of relevant Personal Data requested by the Customer within a reasonable time and in a commonly used electronic format, in each case unless that information or relevant Personal Data is already accessible to the Customer without Snowplow’s intervention;
      7. taking into account the nature of the processing and the information available to Snowplow, assist the Customer (at the Customer’s cost) in carrying out privacy impact assessments pursuant to article 35 GDPR and prior consultations pursuant to article 36 GDPR in respect of that Personal Data, by providing such relevant information about the processing carried out by Snowplow as the Customer may reasonably request;
      8. inform the Customer of any personal data breach which occurs in respect of the Personal Data under Snowplow’s control without undue delay after becoming aware of it, providing sufficient details to enable the Customer to comply with its own notification obligations (and Snowplow may provide such details in stages as they become available to it, provided that it is reasonable to do so). The Customer acknowledges and agrees that Snowplow cannot proactively monitor for, and may not become aware of, personal data breaches caused by the Customer’s misuse or misconfiguration of Customer systems (including the Customer’s Cloud Computing Platform) or the Products;
      9. except where the Agreement makes more specific provision, after the termination of the Agreement, delete or return to the Customer (at the Customer’s option and cost) all copies of the Personal Data in its possession or control, and procure that any relevant Sub-Processor does the same, unless the applicable laws of the United Kingdom or European Union (or a relevant member state thereof) require Snowplow or that Sub-Processor to retain a copy of it;
      10. make available to the Customer on demand all information reasonably necessary to demonstrate compliance with this paragraph 5.1, to the extent that it is not already available to the Customer; and
      11. allow the Customer, or its external auditor (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit Snowplow’s data processing activities insofar as they relate to the Personal Data, to enable the Customer to verify that Snowplow is in compliance with this paragraph 5.1, provided that:
        1. the Customer may exercise that inspection and audit right no more frequently than once per calendar year, unless required by a supervisory authority;
        2. the Customer will meet Snowplow’s reasonable costs incurred as a result of any such inspection or audit, unless that inspection or audit shows Snowplow to be in breach of this paragraph 5.1;
        3. the Customer (or its auditor, as the case may be) will not thereby be entitled to access to personal data or confidential information of any other Snowplow customer, nor to direct access to any computer or storage system unless explicitly required by a supervisory authority;
        4. the Customer (or its auditor, as the case may be) complies with Snowplow’s reasonable policies while onsite, including its safety and security policies;
        5. any information coming into the Customer’s possession (or that of its auditor, as the case may be) as a result of such inspection or audit will be and remain the Confidential Information of Snowplow for the purposes of the Agreement, and the Customer will (and will procure that its auditor will, as the case may be) treat it accordingly; and
        6. the Customer will not be able to audit Snowplow’s Cloud Computing Platform, the Customer acknowledging and agreeing that the providers of such platforms do not permit such audits and that the Customer has reviewed and is satisfied with the information made available by such providers in lieu of such an audit.
  6. International Transfer
    1. Snowplow and the Customer acknowledge their mutual obligations under Chapter V GDPR in relation to international transfers of Personal Data, and agree that where the deployment model is "Private Managed Cloud" or “Cloud” in the Order Form, the hosting location for a Workspace will be determined by the Customer. If that hosting location is within the United Kingdom and the European Economic Area, Snowplow will not transfer the Personal Data outside of the United Kingdom and the European Economic Area without the Customer's prior written agreement except in the limited and specific circumstances detailed in Attachment 1 to this DPA, to which the Standard Contractual Clauses shall apply.
  7. Changes to Applicable Laws
    1. If either party requires a change to this DPA to comply with any applicable laws, it will contact the other party as soon as reasonably practicable with details of such changes. The parties will work together in good faith to agree the necessary updates and amendments to this DPA as quickly as reasonably possible.
  8. Legal Effect
    1. This DPA shall become legally binding between You (the Customer) and Snowplow when an Order Form is signed by both parties.
    2. If You wish to have a copy of the DPA which is signed by both parties, please complete the “Customer Legal Name” so that it is the same as in the Order Form, along with the signature box below, and email the counter-signed copy to legal@snowplow.io.

Annex 1 – Standard Contractual Clauses

Relevant transfers

The circumstances referred to in clause 6 of this DPA whereby Snowplow or its Sub-Processors may transfer or process Personal Data which is hosted within the United Kingdom or European Economic Area to or from territories outside of the United Kingdom or European Economic Area are as follows:

●   Scenario 1: In the case of Products for which the Deployment Model is “Cloud”, where the Customer selects a hosting location for the Product which is within the United Kingdom or European Economic Area but uses a Cloud Data Destination hosted outside of the United Kingdom and European Economic Area

●   Scenario 2: Incidental and temporary access to the Products by personnel working out of Snowplow’s US and/or Australian offices in the course of providing customer service and Support Services

Application of EU SCCs

Where and to the extent that the above constitutes a relevant transfer for the purposes of Chapter V of the EU GDPR, the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the “EU SCCs”) shall apply, and for that purpose:

●   In respect of Scenario 1, Snowplow is the exporter and the Customer is the importer;

●   In respect of Scenario 2, the Customer is the exporter and Snowplow is the importer;

●   Module 4 applies to Scenario 1;

●   Module 2 applies to Scenario 2;

●   Modules 1 and 3 do not apply;

●   Clause 7 (Docking clause) is not included;

●   Under Clause 9 (Use of subprocessors), the Customer and Snowplow select Option 2 (General written authorization);

●   The optional language in Clause 11 (Redress) does not apply;

●   Under Clause 17 (Governing law), Option 1 applies and the Customer and Snowplow select the laws of the Republic of Ireland;

●   Under Clause 18 (Choice of forum and jurisdiction), the Customer and Snowplow select the courts of the Republic of Ireland;

●   Annex I.A is completed using the Customer’s and Snowplow’s details from the Agreement;

●   Annex I.B is completed using the information set out in (or determined in accordance with) clause 2 (Particulars of Personal Data to be processed) of this DPA;

●   Annex I.C is completed according to the rules set out in Clause 13 (Supervision), provided that to the extent permissible under those rules the Customer and Snowplow select the Irish Data Protection Commission;

●   Annex II (Technical and organizational measures) is completed with the information referred to in clause 5.1.3 of this DPA; and

●   Annex III (List of Subprocessors) does not apply, the Customer and Snowplow having selected Option 2 in Clause 9 (Use of subprocessors).

Application of UK Addendum

Where and to the extent that the above constitutes a relevant transfer for the purposes of Chapter V of the UK GDPR, the EU SCCs shall apply as amended by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses version B1.0, in force 21 March 2022 (the “UK Addendum”), and for that purpose:

●   Table 1 of the UK Addendum shall be deemed populated using the information from Annex I.A to the EU SCCs;

●   For the purposes of Table 2 of the UK Addendum, the “Addendum EU SCCs” shall be the EU SCCs as populated in accordance with the above;

●   Table 3 of the UK Addendum shall be deemed populated using the information from Annexes I, II and III to the EU SCCs, as applicable;

●   in Table 4 of the UK Addendum, both the importer and exporter may end the UK Addendum; and

●   the “Alternative Part 2 Mandatory Clauses” in the UK Addendum shall not apply.

Precedence

In the event of an inconsistency or contradiction between the Standard Contractual Clauses and this DPA in respect of a relevant international transfer of Personal Data, the Standard Contractual Clauses shall govern.