Data Processing Addendum
SnowcatCloud offers a Data Processing Agreement (DPA) and EU Model Clauses (MCC) to meet the requirements of the European Parliament and General Data Protection Regulation (GDPR).
Data Protection Addendum
This Data Processing Addendum (the “DPA”) is incorporated by reference, and subject to, the Master Services Agreement (“MSA”) entered into between Snowcat Cloud Inc. (“SnowcatCloud”) and the legal entity defined as Customer therein. Capitalized terms have the meanings provided in the MSA (defined below) except as provided here.
WHEREAS, SnowcatCloud and Customer are parties to a Master Subscription Agreement (the “MSA”) regarding Customer’s trial and/or subscription to SnowcatCloud’s Services; and
WHEREAS, SnowcatCloud and Customer wish to enter this DPA, which will supplement certain provisions of the MSA regarding the parties’ security and data protection obligations.
NOW THEREFORE, the parties agree as follows:
For purposes of this Addendum, the terms below have the meanings set forth below.
1.1. “Breach” means a breach of security by SnowcatCloud that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data stored in the Services.
1.2. “CCPA” means the California Consumer Privacy Act of 2018, as amended from time to time.
1.3. “Controller”, “Processor”, “Data Subject” and “Process” (whether or not capitalized) have the meanings ascribed to them by GDPR (as defined below) and include equivalent terms in the CCPA and other Data Protection Laws, in each case as applicable to the Services provided by SnowcatCloud under the MSA.
1.4. “Customer Data” means all data provided by Customer to SnowcatCloud to enable the provision of the Services.
1.5. “Data Protection Laws” means GDPR, UK GDPR, CCPA and all other laws and regulations applicable to the Processing of Personal Data under the MSA within the United States, European Union, the European Economic Area and their member states, Switzerland and the United Kingdom.
1.6 “GDPR” means the General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
1.7 “Personal Data”: (a) has the meaning provided in Data Protection Laws in reference to residents of the European Economic Area, Switzerland and the United Kingdom, (b) means Personal Information as defined in the CCPA in reference to California residents, and (c) in reference to residents of other jurisdictions incorporates equivalent terms under other laws applicable to the Services.
1.8 “Standard Contractual Clauses” means the Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries under GDPR, as approved by European Commission Implementing Decision 2021/914. Appendix 1 to this DPA contains certain interpretive and supplementary provisions regarding application of the Standard Contractual Clauses. The information required by Annexes 1 and 2 of the Standard Contractual Clauses is provided in Annexes 1 and 2 of this DPA.
1.9 “UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act of 2018.
2. Handling of Customer Data.
2.1 General Processing Conditions. SnowcatCloud will only process Customer Data in order to perform its obligations under the MSA or with Customer’s prior written consent. SnowcatCloud shall immediately inform the Customer if it is unable to follow those instructions.
2.2 Processing in Accordance with EU and UK Law. Customer may be the controller of Personal Data or a processor. SnowcatCloud will act as a processor or sub-processor, as appropriate. Each party will comply with the obligations that apply to it under Data Protection Laws. SnowcatCloud will promptly inform Customer if it becomes aware that processing requested by Customer infringes Data Protection Laws.
2.3 Processing in Accordance with California Law. In accordance with the CCPA, and with respect to Personal Data to which CCPA applies: (a) SnowcatCloud will not “sell” (as defined in the CCPA) any Personal Data; and (b) SnowcatCloud will not collect, share or use any Personal Data except as necessary to perform services for Customer.
2.4 Local Implementation Agreement. If and when necessary to accommodate laws, regulations, and/or local business requirements in a particular country outside the United States, European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, the parties may enter into a Local Implementation Addendum covering additional requirements under such laws that are not already addressed in the MSA or this DPA.
2.5 Confidentiality of Processing. SnowcatCloud will treat Customer Data as Customer’s Confidential Information (as that term is defined in the MSA). SnowcatCloud will protect the Customer Data in accordance with the confidentiality obligations under the MSA.
2.6 Cooperation and Data Subjects' Rights. SnowcatCloud will provide reasonable and timely assistance to Customer to enable Customer to respond to: (a) any request from a data subject to exercise any of its rights under Data Protection Laws (including rights of access, correction, objection, erasure and data portability, as applicable); and (b) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Customer Data. If any such request, correspondence, enquiry or complaint is made directly to SnowcatCloud, SnowcatCloud will (unless prohibited by applicable law) promptly inform Customer providing full details of the same.
2.7 Customer Data Return and Disposal. SnowcatCloud shall not retain a copy or backup of Customer Data for longer than seventy-two hours since the Customer Data was collected. Seventy-two hours after collection, all Customer Data is automatically overwritten or expunged in a manner that makes such Customer Data non-readable and non-retrievable. Until the Customer Data is overwritten or expunged, SnowcatCloud shall continue to ensure compliance with its security and privacy obligations in the MSA and this DPA.
2.8 International Transfers. SnowcatCloud shall not transfer the Data outside of the European Economic Area ("EEA") unless it has taken such measures as are necessary to ensure the transfer is in compliance with applicable Data Protection Laws. Without prejudice to the foregoing, Customer consents to transfers outside of the EEA where SnowcatCloud has implemented a transfer solution compliant with Data Protection Laws, which for example may include: (a) where such transfer is subject to an adequacy decision by the European Commission; (b) the Standard Contractual Clauses, which are incorporated herein by reference; (c) another appropriate safeguard applies pursuant to Article 46 of the GDPR or other provisions of Data Protection Laws; or (d) a derogation pursuant to Article 49 of the GDPR.
2.9 Subprocessing. Customer consents to SnowcatCloud engaging SnowcatCloud affiliates and third party sub-processors to process Personal Data to carry out SnowcatCloud’s obligations under the MSA. SnowcatCloud will maintain an up-to-date list of its sub-processors (below), which it will update with details of any change in sub-processors at least 10 days prior to any such change, thereby giving Customer the opportunity to object to such changes. SnowcatCloud will impose data protection terms on any sub-processor it appoints as required to protect Personal Data equivalent to those imposed on SnowcatCloud in this DPA.
Amazon Web Services, Inc.
Entity Type: Cloud Service Provider
Entity Location: USA
2.10 Data Protection Impact Assessment. SnowcatCloud will provide reasonable cooperation to Customer (at Customer's expense) in connection with any data protection impact assessment that Customer may be required to perform under Data Protection Laws.
3. SnowcatCloud Security Measures.
3.1 Audit. The audit requirements under Data Protection Laws will be satisfied as follows. On Customer’s request and subject to the confidentiality obligations set forth in the MSA or an appropriate NDA in the case of third parties, not more than once per year, SnowcatCloud will respond to a Customer security questionnaire and meet by teleconference or in person (at Customer’s expense) to address follow-up questions.
3.2 SnowcatCloud Security Responsibilities. SnowcatCloud will: (a) use procedural, technical, and administrative safeguards on its Services designed to ensure the confidentiality, security, integrity, availability, and privacy of Customer Data when cached by the Services and in transit between Customer’s data sources and target systems; and (b) protect against any unauthorized processing, loss, use, disclosure or acquisition of or access to Customer Data via the Services.
3.3 Personnel Background Checks. Prior to engaging any employee or contractor who may receive access to Customer Data, SnowcatCloud will conduct a criminal history background check (modified as appropriate to comply with applicable law in countries outside the United States) covering the three-year period prior to the employment commencement date of such employee.
4. Personal Data Breach Notification and Resolution
4.1 Breach Notice. SnowcatCloud will notify Customer without undue delay after SnowcatCloud’s discovery or notification of Breach by email to the notice email address on the signature page below, or Customer’s principal contact for the Services if none is provided. SnowcatCloud will further take reasonably necessary measures to remedy or mitigate the effects of the Breach and will keep Customer informed of all material developments in connection with the Breach.
4.2 Cooperation. SnowcatCloud will provide reasonable information and cooperation to Customer so that Customer can fulfill any data breach reporting obligations it may have under (and in accordance with the timescales required by) applicable law.
5.1 Construction; Interpretation. This DPA is not a standalone agreement and is only effective if an MSA is in effect between SnowcatCloud and Customer. This DPA is part of the MSA and is governed by its terms and conditions, including limitations of liability set forth therein. This DPA and the MSA are the complete and exclusive statement of the mutual understanding of the parties and supersede and cancel all previous written and oral agreements and communications relating to the subject matter hereof. Headings contained in this DPA are for convenience of reference only and do not form part of this DPA.
5.2 Severability. If any provision of this DPA is adjudicated invalid or unenforceable, this DPA will be amended to the minimum extent necessary to achieve, to the maximum extent possible, the same legal and commercial effect originally intended by the parties. To the extent permitted by applicable law, the parties waive any provision of law that would render any clause of this DPA prohibited or unenforceable in any respect.
5.3 Amendment; Enforcement of Rights. No modification of or amendment to this DPA, nor any waiver of any rights under this DPA, will be effective unless in writing signed by the parties to this DPA. The failure by either party to enforce any rights under this DPA will not be construed as a waiver of any rights of such party.
5.4 Assignment. This DPA may be assigned only in connection with a valid assignment pursuant to the MSA. If the MSA is assigned by a party in accordance with its terms, this DPA will be automatically assigned by the same party to the same assignee.
5.5 Governing Law. This DPA will be governed by and construed in accordance with the laws of the jurisdiction governing the MSA unless otherwise required by GDPR or Data Protection Laws, in which case this DPA will be governed by the laws of the Republic of Ireland.
5.6 Counterparts. This DPA may be executed and delivered by facsimile or electronic signature and in two or more counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument.
APPENDIX 1: APPLICABLE STANDARD CONTRACTUAL CLAUSES AND SUPPLEMENTAL TERMS
1. Incorporation of Standard Contractual Clauses
The Parties agree that the Standard Contractual Clauses are hereby incorporated by reference into this DPA as follows:
1.1 Where SnowcatCloud Processes Personal Data as a Controller pursuant to the terms of the Agreement, SnowcatCloud and its relevant Affiliates are located in non-adequacy approved third countries, and Customer and its relevant Affiliates are established in the EEA, Module 1: Transfer controller to controller, Clauses 1 to 6, 8 and 10 to 18 apply.
1.2 Where SnowcatCloud Processes Personal Data as a Processor pursuant to the terms of the Agreement, SnowcatCloud and its relevant Sub-Processor Affiliates are located in non-adequacy approved third countries, and Customer and its relevant Affiliates are established in the EEA, Module 2: Transfer controller to processor, Clauses 1 to 6 and 8 to 18 apply.
1.3 Where SnowcatCloud Processes Personal Data as a Processor pursuant to the terms of the Agreement, and SnowcatCloud and its relevant Sub-Processor Affiliates are located in the EEA, and Customer and its relevant Affiliates are located in non-adequacy approved third countries, Module 4: Transfer processor to controller, Clauses 1 to 6, 8, 10 to 12, and 14 to 18 apply.
2. Standard Contractual Clause Optional Provisions
In addition to Section 1.1, where the Standard Contractual Clauses identify optional provisions (or provisions with multiple options) the following shall apply in the following manner:
2.1 Clause 7 (Docking Clause) is omitted;
2.2 In Clause 9(a) (Use of sub-processors) (Module 2) – Option 2 shall apply and the parties shall follow the process and timings agreed in the DPA to appoint sub-processors;
2.3 In Clause 11(a) (Redress) (Module 1, 2 or 4) – the Optional provision shall NOT apply;
2.4 In Clause 16(b) (Suspension of transfers) if SnowcatCloud is the data exporter it will suspend transfers of personal data only as required by law and will notify Customer as promptly as possible (before suspension if possible) so that Customer may remedy the condition requiring suspension;
2.5 In Clause 17 (Governing Law) (Module 1, 2 or 4) – the laws of the Republic of Ireland shall govern; and
2.6 In Clause 18 (Choice of forum and jurisdiction) (Module 1, 2 or 4) – the courts of the Republic of Ireland shall have jurisdiction.
3. Supplementary Terms to Standard Contractual Clauses
3.1 Documentation and compliance. For the purposes of Clause 8.9(b) – Module One, Clause 8.9(e) – Module Two and Clause 8.3 – Module Four the review and audit provisions in the Agreement and DPA shall apply.
3.2 Notification and Transparency.
(a) The Parties acknowledge and agree that where SnowcatCloud is required by the Standard Contractual Clauses to notify the competent supervisory authority, it shall first provide Customer with the details of the notification, permitting Customer to have prior written input into the relevant notification, where Customer so desires, and without delaying the timing of the notification unduly.
(b) For purposes of Clause 8.2 – Module 1, Clause 8.3 – Module 2 and Clause 15.1(a), the Parties agree and acknowledge that it may not be possible for SnowcatCloud to make the appropriate communications to data subjects and accordingly, Customer shall (following notification by the Data Importer) have the option to be the party who makes any communication to the data subject, and Vendor shall provide the level of assistance set out in the DPA.
3.3 Liability. For the purposes of Clause 12(a), the liability of the Parties shall be limited in accordance with the limitation of liability provisions in the Agreement.
3.4 Enforcement. The Data Exporter may enforce the terms of the Standard Contractual Clauses against the Data Importer (and vice versa), provided however, that the Parties agree that any valid legal action, suit, claim or proceedings must be brought by SnowcatCloud on behalf of the relevant Data Exporter/Data Importer (as applicable), where such Data Exporter/Data Importer would otherwise have the right to bring such claim directly against Customer if it were a party to the Agreement (each a “Relevant Claim”), unless the applicable Data Protection Laws to which the relevant Data Exporter/Data Importer is subject require that the relevant Data Exporter/Data Importer itself bring or be a party to such Relevant Claim. The Standard Contractual Clauses entered into between Customer and Vendor shall only be enforceable against the Customer entity which is party to the Agreement as such Standard Contractual Clauses form an integrated part of the Agreement (including the DPA), which shall form the entire agreement with regard to the Processing of Personal Data by Vendor. Any such Relevant Claim shall at all times be subject to any aggregate limitation of liability that applies under the Agreement. The existence of more than one claim shall not enlarge this limit.
3.5 Signatories. Notwithstanding the fact that the Standard Contractual Clauses are incorporated herein by reference without being signed directly, SnowcatCloud and Customer each agrees that their execution of the Agreement is deemed to constitute its execution of the Standard Contractual Clauses, and that it is duly authorized to do so on behalf of, and to contractually bind, the Data Exporter or Data Importer (as applicable) accordingly.
Annex I - Identification of Parties
The full name, address and contact details for the Data Exporter and Data Importer (as defined below) are set out in the Agreement; and
(a) In the case of Module 1, the data exporter and Controller is Customer and its relevant Affiliates which are established in the EEA, and the data importer and Controller is SnowcatCloud and its relevant Affiliates located in non-adequacy approved third countries;
(b) In the case of Module 2, the data exporter and Controller is Customer and its relevant Affiliates which are established in the EEA, and the data importer and Processor is SnowcatCloud and its relevant Sub-Processor Affiliates located in non-adequacy approved third countries;
(c) In the case of Module 3, the data exporter and Processor is SnowcatCloud and its relevant Sub-Processor Affiliates, which are established in the EEA / exporting data from the EEA, and the data importer and Controller is Customer and its relevant Affiliates located in non-adequacy approved third countries.
Description of Data Processing
The data processing activities carried out by SnowcatCloud under the MSA may be described as follows:
Subject Matter and Purpose
The personal data transferred will be subject to the following basic processing activities:
SnowcatCloud will process Customer data in order to facilitate collection of behavior event level data from Customer’s digital properties and delivery into the Customer’s data infrastructure.
The personal data transferred concern the following categories of data subjects:
- Customer’s employees and consultants who use SnowcatCloud’s Service.
- Individuals whose personal data is collected in Customer’s digital properties and processed by SnowcatCloud.
Categories of personal data
The personal data transferred concern the following categories of data:
- SnowcatCloud may have access to personal data of Customer’s employees and consultants who use SnowcatCloud’s Service.
- SnowcatCloud may have access to personal data of Individuals whose personal data is stored in Customer’s data sources.
The types of personal data processed are determined by Customer and may include without limitation: Name, Email address, Physical address, IP-address and other online identifiers, Date of birth, Telephone/mobile number, Location Data.
Special categories of data
The personal data transferred concern the following special categories of data: As above
Annex II - Technical and Organizational Security Measures
Description of the technical and organizational security measures implemented by SnowcatCloud in accordance with Data Protection Laws:
Security measures include:
Transport layer security
All data is transmitted to or from Snowcat Cloud over an encrypted connection using industry-standard cryptographic protocols (TLS 1.2+). Unencrypted (HTTP) requests to Snowcat Cloud will return 404.
Data at rest
All data at rest is encrypted using server-side encryption with Amazon S3-managed encryption keys (SSE-S3) AES-256.
Physical & Environmental Security
The Snowcat Cloud services are hosted in Amazon Web Services (AWS) and Google Cloud Platform (GCP). Hosting providers maintain physical & environmental security protections including:
- Physical access is restricted to approved employees based on the principle of least privilege.
- Multi-factor authentication when approved personnel access facilities.
- Closed Circuit Television Camera (CCTV) video recording of access points.
- Fire detection and suppression systems.
- Redundant infrastructure for power, networking, and cooling.
Logical Access controls
Logical access to the Snowcat Cloud services is restricted to employees based on the principle of least privilege. All access is formally approved and requires multi-factor authentication.
Access is removed in the event of employee termination or if the employee changes roles and no longer requires access, as well as being reviewed on a quarterly basis.
Access activity is logged in centralized logging infrastructure and protected from tampering.
Processing of customer data
Data is processed through a shared infrastructure composed and then routed to the corresponding dedicated customer data pipes and storage.
Snowcat Cloud retains customer database credentials to securely troubleshoot customer issues and load data. These credentials are securely stored in a key management system. The key management system is backed by a hardware security module that is managed by our cloud provider.
Snowcat Cloud does not control the host physical infrastructure. Snowcat Cloud relies on the fault-tolerant nature of GCP and AWS across multiple availability zones, and can redeploy the platform to another region in case of catastrophic failure.
Snowcat Cloud will process Customer Data within the region specified by the Customer during configuration of the data pipeline. Current geographic regions supported by Snowcat Cloud are EU-WEST-1, US-WEST-2, and AP-SOUTH-1.
SnowcatCloud DPA v1.1.0 - October 27th 2021