Data Processing Addendum
Last Updated: May 1, 2023
Introduction
This Data Processing Addendum (“DPA”) forms an integral part of the Enterprise Terms of Service (the “Main Agreement”) between Snappy App, Inc. (“Snappy”) and the counterparty agreeing to these terms (“Customer”; each a “Party” and together the “Parties”) and applies to the extent that Snappy processes Personal Data on behalf of the Customer in the course of providing Services under the Main Agreement.
You accept this DPA by agreeing to the Main Agreement or by sending any Gifts or utilizing the Services. If you are accepting this DPA on behalf of Customer, you warrant that: (a) you have full legal authority to bind Customer to this DPA; (b) you have read and understand this DPA; and (c) you agree, on behalf of Customer, to this DPA. If you do not have the legal authority to bind Customer, please do not accept this DPA.
In the course of providing the Services to Customer pursuant to the Main Agreement, Snappy may Process Customer Personal Data on behalf of Customer and the Parties agree to comply with the following provisions with respect to Customer Personal Data.
1. DEFINITIONS
Capitalized terms not otherwise defined herein shall have the meaning given to them in the Main Agreement. In this DPA, the following terms shall have the meanings set out below:
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means ownership (directly or indirectly) of more than 50% of the voting rights in the applicable entity.
“Aggregate Data” means information that relates to a group or category of individuals, from which individual identities have been removed, and that is not linked or reasonably linkable to any individual or household.
“Customer Personal Data” means any Personal Data which Customer provides to Snappy and which is Processed by Snappy or Snappy’s Subprocessor on behalf of Customer pursuant to the Main Agreement. “Customer Personal Data” does not include “Recipient Provided Data.”
“Data Protection Assessment” means an assessment of the impact of processing operations on the protection of Personal Data and the rights of Data Subjects, or is otherwise defined as a “Data Protection Assessment,” “Data Protection Impact Assessment,” or “Risk Assessment” by applicable Data Protection Laws.
“Data Protection Laws” means any and all applicable data protection, security, or privacy-related laws, statutes, directives, or regulations, including but not limited to: (a) the EU General Data Protection Regulation 2016/679 (“GDPR”) together with any amending or replacement legislation, and any EU Member State laws and regulations promulgated or incorporated thereunder; (b) the UK Data Protection Act 2018 and the GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); (c) the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), together with any amending or replacement legislation, including the California Privacy Rights Act of 2020 and any regulations promulgated thereunder; (d) the Virginia Consumer Data Protection Act of 2021, Va. Code Ann. § 59.1-571 to -581; (e) the Colorado Privacy Act of 2021, Co. Rev. Stat. § 6-1-1301 et seq.; (f) Connecticut Public Act No. 22-15, “An Act Concerning Personal Data Privacy and Online Monitoring”; (g) the Utah Consumer Privacy Act of 2022, Utah Code Ann. § 13-61-101 et seq.; and (h) all other equivalent laws and regulations in any relevant jurisdiction relating to Personal Data and privacy, and as each may be amended, extended or re-enacted from time to time.
“Data Subject” means an identified or identifiable natural person whose Personal Data is being Processed. Where applicable, the term “Data Subject” shall refer to “Consumer” as that term is defined under Data Protection Laws.
“Deidentified Data” means information that cannot reasonably identify, relate to, describe, be capable of being associated with, be linked directly or indirectly with, or reasonably be used to infer information about an identifiable natural person.
“Recipient” is defined in the Main Agreement.
“Recipient Provided Data” is defined in the Main Agreement.
“Personal Data” means information that identifies, relates to, describes, is capable of being associated with, or can reasonably be linked, directly or indirectly, with a particular individual or household, or is otherwise defined as “personal data,” “personal information,” or “personally identifiable information” by applicable Data Protection Laws.
“Regulatory Authority” means the applicable public authority or government agency responsible for supervising compliance with Data Protection Laws, including but not limited to: the UK Information Commissioner’s Office; EU Member State supervisory authorities; the California Privacy Protection Agency; and U.S. state attorneys general.
“Subprocessor” means any third party appointed by Snappy to Process Customer Personal Data on behalf of Customer in connection with the Main Agreement.
The terms “Business,” “Business Purpose,” “Controller,” “Process,” “Processor,” “Sale,” “Service Provider,” and “Share” shall have the same meaning as in the Data Protection Laws, and their cognate terms shall be construed accordingly.
2. PROCESSING OF PERSONAL DATA
2.1. Application of this DPA. This DPA shall only apply to Snappy’s Processing of Customer Personal Data, and shall not apply to Snappy’s Processing of other Personal Data, including Recipient Provided Data. Moreover, this DPA shall only apply to the extent that Customer Personal Data is subject to Data Protection Laws. In the event of a conflict between the Main Agreement (or any document referred to therein) and this DPA, the provisions of this DPA shall prevail.
2.2. Roles of the Parties. With regard to the Processing of Customer Personal Data, Customer is the Controller or Business (as applicable), Snappy is the Processor or Service Provider (as applicable), and Snappy shall engage Subprocessors pursuant to the requirements set forth in Section 5 below. The Parties acknowledge and agree that neither Party has reason to believe that the other Party is unable to comply with the provisions of this DPA or otherwise that such Party is in violation of any Data Protection Laws.
2.3. Snappy’s Processing of Personal Data.
2.3.1. Snappy shall treat Customer Personal Data as confidential and shall only Process Customer Personal Data as necessary to perform its obligations on behalf of and in accordance with Customer’s documented instructions for the following permitted purposes: (i) in accordance with the Main Agreement and Order Forms (where applicable); (ii) if initiated by Customer in its use of the Services; and/or (iii) to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Main Agreement and Data Protection Laws.
2.3.2 In no event shall Snappy Process Customer Personal Data for its own purposes or those of any third party, provided however, that Snappy may process such data for the legitimate business purposes of billing, record-keeping, account management, customer support, protection against fraudulent or illegal activity, or the prevention of misuse of the Services, and for the establishment, exercise, and defense of legal claims. Notwithstanding the foregoing, Snappy may process Customer Personal Data for the purposes of analytics, market research, and product improvement and development, provided that such data has been anonymized to the extent that the underlying Data Subjects are no longer capable of being identified. Snappy may process Aggregate Data and/or Deidentified Data in connection with Snappy’s ordinary business practices, provided that Snappy complies with the requirements set forth in Section 10 below.
2.4. Customer’s Obligations in Processing of Personal Data. Customer shall not provide Personal Data to Snappy except as is necessary for Snappy’s performance of Services and unless Customer shall have given the necessary notices and obtained the necessary consents, in each case, from the applicable Data Subjects whose Personal Data is Processed by Snappy pursuant to the Main Agreement. Customer shall, in its use of the Services, Process Personal Data in accordance with this DPA and the requirements of Data Protection Laws and shall immediately notify Snappy if Customer is in violation of any Data Protection Law. Customer’s instructions to Snappy related to the Processing of Customer Personal Data shall comply with Data Protection Laws. As between the Parties, Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Customer Personal Data.
2.5. California Personal Data Processing. To the extent that the Main Agreement or Customer’s instructions to Snappy involve the processing of Customer Personal Data concerning California Data Subjects, and to the extent that the CCPA governs the processing of the Customer Personal Data, the Parties acknowledge and agree that with respect to such information, the following provisions shall apply in addition to the general provisions set forth in this DPA:
2.5.1 Customer shall only instruct Snappy to process Customer Personal Data for those Business Purposes permitted under the CCPA, and shall disclose Customer Personal Data to Snappy only for the limited and specified purposes specified in the Main Agreement. Customer reserves the right, upon reasonable notice, to conduct audits and assessments as set forth in Section 7.2 to ensure that Snappy uses Customer Personal Data transferred in a manner consistent with Customer’s obligations under the CCPA, and to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.
2.5.2 Snappy shall not: (a) Sell or Share Customer Personal Data; (b) retain, use, or disclose Customer Personal Data for any purpose other than for the Business Purposes specified in the Main Agreement except as otherwise permitted by the CCPA; (c) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Snappy and Customer except as otherwise permitted by the CCPA; or (d) combine Customer Personal Data with Personal Data that it receives from, or on behalf of, another person or persons, or collects from its own interaction with Data Subjects except as otherwise permitted by the CCPA. Snappy shall comply with applicable obligations and provide the same level of privacy protection as required by the CCPA, and shall assist Customer through appropriate technical and organizational measures to comply with CCPA requirements, taking into account the nature of the processing. Snappy shall notify Customer if it makes a determination that it can no longer meet its obligations under the CCPA.
2.5.3 The specific Business Purpose for which Snappy is processing Customer Personal Data pursuant to the Agreement, and for which Customer is disclosing such information to Snappy, is the provision of Snappy’s gift giving services, which constitutes “performing services on behalf of the business” as set forth under Cal. Civ. Code § 1798.140(e)(5).
2.6. Details of the Processing. The subject matter of Processing of Customer Personal Data by Snappy is the performance of the Services pursuant to the Main Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Customer Personal Data, and categories of Data Subjects Processed under this DPA are further specified in Annex I attached hereto.
2.7. Instructions for Processing. Customer instructs Snappy and each Snappy Affiliate (and authorizes Snappy and each Snappy Affiliate to instruct each Subprocessor) to Process Customer Personal Data, and in particular, transfer Customer Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with the Main Agreement; and warrants and represents that it is and will at all relevant times remain duly and effectively authorized to give the instructions set out in this section. Snappy shall immediately inform Customer if, in its opinion, an instruction violates Data Protection Laws.
3. RIGHTS OF DATA SUBJECTS
3.1. Data Subject Request Notifications. Snappy shall, to the extent legally permitted, promptly notify Customer if Snappy receives a request from a Data Subject to exercise the Data Subject’s rights to Customer Personal Data, including the rights to: knowledge/access; correction; deletion; restriction; objection; data portability; opt out of the Processing of and/or the Sale or Sharing of Personal Data; limit the use or disclosure of sensitive Personal Data; or any other request with respect to Personal Data of the applicable Data Subject, as set forth under applicable Data Protection Laws (“Data Subject Request”).
3.2. Assistance With Data Subject Requests. Taking into account the nature of the Processing and the Customer Personal Data, Snappy shall assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws. To the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request directly, Snappy shall, upon Customer’s written request and at Customer’s cost, exercise reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Snappy is legally permitted to do so. Where such assistance exceeds the scope of the Services, and to the extent legally permitted, Customer shall be responsible for any additional costs arising from Snappy’s provision of such assistance. Nothing in this Section 3 shall require Snappy to disclose or reveal any trade secrets.
4. SNAPPY PERSONNEL
4.1. Confidentiality. Snappy shall ensure that its personnel engaged in the Processing of Customer Personal Data are informed of the confidential nature of the Customer Personal Data, and are under a duty of confidentiality.
4.2. Reliability. Snappy shall endeavor, in the exercise of its reasonable business discretion, to ensure the reliability of any Snappy personnel engaged in the Processing of Customer Personal Data.
4.3. Limitation of Access. Snappy shall ensure that Snappy’s access to Customer Personal Data is limited to those personnel who require such access to perform the Services in accordance with the Main Agreement.
5. SUBPROCESSORS
5.1. Appointment of Subprocessors. With respect to the Processing of Customer Personal Data, Customer authorizes Snappy and each Snappy Affiliate to appoint (and permit each Subprocessor appointed in accordance with this Section 5.1 to appoint) Subprocessors in accordance with this Section 5. Snappy and each Snappy Affiliate may continue to use those Subprocessors already engaged as of the date of this DPA. Snappy or a Snappy Affiliate has entered or will enter into a written agreement with each Subprocessor containing data protection obligations substantially similar to those in this DPA with respect to the protection of Customer Personal Data (to the extent applicable to the Services provided by such Subprocessor).
5.2. Notification of New Subprocessors; Customer’s Right to Object. Customer authorizes Snappy’s engagement of Subprocessors listed at https://www.snappy.com/privacy/sub-processors. Snappy shall give Customer written notice of the appointment of any new Subprocessor, including details of the Processing to be undertaken by the Subprocessor. If, within fourteen (14) business days of receipt of that notice, Customer (acting reasonably and in good faith) notifies Snappy in writing of any objections to the appointment (such objections being limited to those relating to data protection or compliance with Data Protection Laws), Snappy shall cease disclosing any Customer Personal Data to the proposed Subprocessor until reasonable steps have been taken to address the objections raised by Customer. Where the Parties cannot agree on a resolution to Customer’s reasonable objections and Snappy notifies Customer of its intention to continue to use such Subprocessor, Customer may terminate the affected portion of the Main Agreement immediately upon the provision of written notice to Snappy. Snappy remains liable for any breach of this DPA that is caused by an act, error, or omission of its Subprocessor to the same extent that Snappy would be liable if performing the services of each Subprocessor directly under the terms of this DPA, to the extent required by law and except as otherwise provided in the Main Agreement.
6. SECURITY
6.1. Controls for the Protection of Customer Personal Data. The Parties shall maintain appropriate technical and organizational measures designed to protect the security (including against unauthorized or unlawful Processing of, and against accidental or unlawful destruction, loss or alteration, unauthorized disclosure of, or access to data), confidentiality, and integrity of Customer Personal Data. The Parties shall monitor compliance with these measures in accordance with their respective internal information security programs. Snappy shall, taking into account the nature of processing and the information available to Snappy, assist Customer in meeting Customer’s obligations in relation to the security of processing Customer Personal Data. Snappy shall, at a minimum, implement and maintain the security measures specified in Annex II attached hereto.
6.2. Data Security Incident Management and Notification. Snappy shall maintain security incident management policies and procedures, and shall notify Customer without undue delay and in line with the timelines required by applicable Data Protection Laws after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data that is transmitted, stored, or otherwise Processed by Snappy or its Subprocessors which results in any actual loss or unauthorized use of Customer Personal Data (a “Data Security Incident”). Snappy shall make reasonable efforts to identify the cause of such Data Security Incident and take those steps as Snappy deems reasonably necessary in order to remediate the cause of any such Data Security Incident, to the extent the remediation is within Snappy’s reasonable control. In the event of a Data Security Incident, Customer shall be responsible for notifying Data Subjects and/or Regulatory Authorities as required by Data Protection Laws, and Snappy, taking into account the nature of processing and the information available to Snappy, shall assist Customer in relation to such notification obligations. Before any such notification is made, Customer shall consult with and provide Snappy an opportunity to comment on any notification made in connection with a Data Security Incident. Nothing in this DPA shall be construed to require Snappy to violate, or delay compliance with, any legal obligation it may have with respect to a Data Security Incident. Snappy shall have no liability for the Data Security Incident management and notification obligations described in this Section unless the Data Security Incident is caused by Snappy’s breach of the security obligations under Section 6 of this DPA or other violation of Data Protection Laws by Snappy.
7. INFORMATION PROVISION AND COOPERATION
7.1. Demonstration of Snappy’s Compliance. Snappy shall, upon Customer’s reasonable request and to the extent required by Data Protection Laws, make available to Customer all information in Snappy’s possession necessary to demonstrate Snappy’s compliance with its obligations under Data Protection Laws.
7.2. Audits and Assessments.
7.2.1. To the extent permitted by Data Protection Laws, Customer may contact Snappy to request an audit of the procedures relevant to the protection of Customer Personal Data and Snappy shall reasonably cooperate with Customer in relation to any audit of Snappy reasonably necessary to enable Customer to comply with its obligations under Data Protection Laws (“Audit”), and shall make reasonable efforts to seek the equivalent cooperation from relevant Subprocessors. Any Audit shall be: (i) at Customer’s expense; (ii) subject to a mutually agreed upon scope; (iii) conducted by Customer or a mutually agreed upon third-party auditor who has signed a nondisclosure agreement with the applicable Snappy or Subprocessor audited party; and (iv) subject to the confidentiality obligations set forth in the Main Agreement. Any such Audit shall be conducted remotely, except Customer may conduct an on-site audit at Snappy’s premises if so required by the applicable Data Protection Laws. Customer shall use reasonable endeavours to minimize any disruption caused to Snappy’s business activities as a result of an Audit. Audits shall take place no more than once in any calendar year unless and to the extent that Customer (acting reasonably and in good faith) has reasonable grounds to suspect any material breach of this DPA by Snappy.
7.2.2. To the extent permitted by Data Protection Laws, Snappy may, as an alternative to the requirements set forth in Section 7.2.1 and upon Customer’s written request, provide Customer with a copy of Snappy’s then most recent third-party SOC 2 audit report, and any other audit reports and certifications prepared by a qualified and independent assessor assessing Snappy’s policies and technical and organizational measures in support of Snappy’s obligations under Data Protection Laws, using an appropriate and accepted control standard or framework and assessment procedure for such assessments. Snappy shall provide a report of such assessment to Customer upon written request no more than once in any calendar year unless and to the extent that Customer (acting reasonably and in good faith) has reasonable grounds to suspect any material breach of this DPA by Snappy (“Assessment Report”).
7.2.3. Any Assessment Report or information disclosed in connection with an Audit shall be the Confidential Information of Snappy, its Affiliates, and/or its Subprocessors (as applicable).
7.3. Data Protection Assessments. Upon Customer’s request, at Customer’s cost, and to the extent required under Data Protection Laws, Snappy shall provide Customer with the necessary information and with reasonable cooperation and assistance needed to fulfil Customer’s obligation to carry out a Data Protection Assessment related to Customer’s use of the Services, to the extent that Customer does not otherwise have access to the relevant information and that such information is reasonably available to Snappy. To the extent required under the GDPR or UK GDPR, Snappy shall provide reasonable assistance to Customer in its cooperation or prior consultation with a Regulatory Authority in relation to this Section 7.
8. RETURN AND DELETION OF CUSTOMER PERSONAL DATA
Snappy shall, on the written request of Customer, return all Customer Personal Data to Customer and/or at Customer’s request delete the same from its systems, so far as is reasonably practicable, except for any back-up copies which Snappy or its Affiliates are required to retain for compliance with applicable laws or regulatory requirements, provided that such copies are kept confidential and secure in accordance with this DPA and the Main Agreement. For the avoidance of doubt, data that has been anonymized to the extent that the underlying Data Subjects are no longer capable of being identified shall be considered deleted for the purposes of this Section 8.
9. TRANSFER MECHANISMS FOR CROSS-BORDER DATA TRANSFERS
9.1. Transfers of EEA, Swiss, or UK Personal Data. If the Processing of Customer Personal Data includes transfers from the EEA, Switzerland, or the United Kingdom to countries which are deemed to provide inadequate levels of data protection (“Other Countries”), if required by Data Protection Laws, the Parties shall: (i) execute the model clauses adopted by the relevant data protection authorities of the European Commission or the UK Secretary of State, subject to any modifications or optional provisions as set forth in this Section 9 (if applicable); or (ii) comply with any of the other mechanisms provided for under Data Protection Laws for transferring Customer Personal Data to such Other Countries. Additional information required by the model clauses as described in this Section 9 is set forth in Annexes I and II attached hereto.
9.2. EU SCCs Modules. The Parties agree that for transfers of Customer Personal Data from the European Economic Area (“EEA”), the standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the "EU SCCs"), as annexed to Commission Implementing Decision 2021/914, are hereby incorporated by reference into this DPA as follows:
a. Where Snappy Processes Personal Data as a Processor for Customer pursuant to the terms of the Main Agreement, Snappy and its relevant Subprocessors or Affiliates are located in non-adequacy approved third countries, and Customer and its relevant Affiliates are established in the EEA or are otherwise transferring the Personal Data of EEA Data Subjects (either directly or via onward transfer); Module 2: Transfer controller to processor, Clauses 1 to 18 apply.
b. Where Customer Processes Personal Data as a Processor under the instructions of a third-party Controller, Snappy Processes Personal Data as a Subprocessor for Customer pursuant to the terms of the Main Agreement, Snappy and its relevant Subprocessors or Affiliates are located in non-adequacy approved third countries, and Customer and its relevant Affiliates are established in the EEA or are otherwise transferring the Personal Data of EEA Data Subjects (either directly or via onward transfer); Module 3: Transfer processor to processor, Clauses 1 to 18 apply.
c. With respect to Clause 8.9 of the EU SCCs, the parties agree to follow the audit process set forth in this DPA.
9.3. EU SCCs Optional Provisions. In addition to Section 9.2, where the EU SCCs identify optional provisions (or provisions with multiple options) the following shall apply in the following manner:
a. In Clause 7 (Docking Clause) – the Optional provision shall NOT apply;
b. In Clause 9(a) (Use of sub-processors) – Option 2 shall apply (and the parties shall follow the process and timings agreed in this DPA to appoint sub-processors);
c. In Clause 11(a) (Redress) – the Optional provision shall NOT apply;
d. In Clause 17 (Governing Law) – Option 1 shall apply, and the courts of Ireland shall govern; and
e. In Clause 18 (Choice of forum and jurisdiction) – the courts of Ireland shall have jurisdiction.
9.4. UK Model Clauses. The Parties agree that for transfers of Customer Personal Data from the United Kingdom, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK ICO under S119A(1) Data Protection Act 2018 and in force March 21, 2022 (the “UK Addendum”), shall apply. The start date in Table 1 of the UK Addendum shall be the date that the Parties have executed this DPA. The selection of modules and optional clauses shall be as described in Sections 9.2 and 9.3 above, subject to any revisions or amendments required by the UK Addendum. All other information required by Tables 1-3 is set forth in Annexes I and II. For the purposes of Table 4, the parties agree that both the Importer and Exporter may end the UK Addendum as set out in Section 19.
9.5. Swiss Data Transfers. The Parties agree that for transfers of Customer Personal Data from Switzerland, the terms of the EU SCCs shall be amended and supplemented as specified by the relevant guidance of the Swiss Federal Data Protection and Information Commissioner, and the competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner.
10. DEIDENTIFIED DATA
To the extent that Snappy receives Deidentified Data from Customer or processes Customer Personal Data in such a way that it becomes Deidentified Data, Snappy shall:
a. Take reasonable measures to ensure that the Deidentified Data cannot be associated with an individual or household;
b. Publicly commit to maintain and use the Deidentified Data only in a de-identified fashion and not attempt to re-identify the data, unless otherwise permitted by Data Protection Laws; and
c. Contractually obligate any recipients of the Deidentified Data, including any Subprocessors, to comply with the requirements of this Section 10.
11. LIMITATIONS
Any claims brought under this DPA will be subject to the terms and conditions of the Main Agreement, including any exclusions and limitations set forth therein.
12. GOVERNING LAW
Without prejudice to the relevant provisions of any applicable transfer mechanisms identified in Section 9 of this DPA, including the EU SCCs and UK Addendum, the Parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Main Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and this DPA is governed by the laws of the country or territory stipulated for this purpose in the Main Agreement.
The Parties’ authorized signatories have duly executed this DPA, including (as applicable) the EU SCCs and UK Addendum incorporated herein.
ANNEX I
A. LIST OF PARTIES
Data exporter(s):
1. Name: THE CUSTOMER
Address: As provided to Snappy upon registration for the Services
Contact person’s name, position and contact details: As provided to Snappy upon registration for the Services.
Activities relevant to the data transferred under these Clauses: Obtaining the services from Data Importer pursuant to the Main Agreement
Role (controller/processor): Controller
Data importer(s):
1. Name: Snappy App, Inc.
Address: 33 Irving Place, #5021, New York, NY 10003
Contact person’s name, position and contact details: privacy@snappy.com
Activities relevant to the data transferred under these Clauses: The performance of services for Data Exporter pursuant to the Main Agreement
Role (controller/processor): Processor
B. DESCRIPTION OF THE TRANSFER
Categories of data subjects whose personal data is transferred:
The Personal Data transferred concern the following categories of Data Subjects:
- Customer's end-users or Customer’s customers (if applicable)
- Customer's employees
Categories of personal data transferred:
The Personal Data transferred concern the following categories of data:
- Contact information (name, age, gender, address, telephone number, email address etc.)
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
None
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
Continuous
Nature of the processing:
Pursuant to the Agreement
Purpose(s) of the data transfer and further processing:
As defined in the Agreement
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
Personal Data will be retained for the term of the Agreement
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
Pursuant to the Agreement and for the term of the Agreement
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13:
The competent supervisory authority shall be one of the following: (1) the relevant authority located in the EU Member State in which the data exporter is established; (2) where the data exporter does not have an EU establishment, where its EU representative has been appointed pursuant to Article 27(1) of the GDPR; or (3) where the data exporter does not have an EU establishment or an EU representative, the supervisory authority shall be that of the EU Member State in which the data subjects whose personal data is transferred pursuant to the Main Agreement are located.
ANNEX II
TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
This Annex forms part of the DPA and describes the technical and organizational security measures implemented by the data importer.
Snappy Security Certifications
Snappy is SOC 2 Type 2 and ISO 27001 compliant.
Document Management
Snappy will validate that necessary documentation is in place between Snappy and its customers as required by Data Protection Laws.
Any change to the processing of Customer Personal Data will be reviewed to determine any impact on required technical and organizational measures and other contract exhibits. Snappy will conduct a periodic review of Sub-processors to validate ongoing adherence to the agreed upon technical and organizational measures and other contractual requirements.
Security Policies
Snappy will maintain and follow IT security policies and practices that are integral to Snappy’s business and mandatory for all Snappy employees, including supplemental personnel. Snappy will periodically review such policies and amend them as Snappy deems reasonable to maintain the protection of its services and Customer Personal Data processed therein. Additional policy and process training will be provided to persons granted administrative access to security components that are specific to their role within Snappy’s operation and support of the service, and as required to maintain compliance and certifications.
Security Controls
1. ACCESS CONTROL
Persons entitled to use data processing systems have access only to the Customer Personal Data that they have a right to access, and Customer Personal Data must not be read, copied, modified, or removed without authorization in the course of processing, use, and storage.
Measures:
1.1. As part of the Snappy Security Policy, Customer Personal Data requires at least the same protection level as "confidential" information according to Snappy’s information classification standard.
1.2. Access to Customer Personal Data is granted on a need-to-know basis. Personnel have access to the information that they require in order to fulfill their duty. Snappy uses authorization concepts that document grant processes and assigned roles per account (user ID). All Customer Data is protected in accordance with the Snappy Security Policy.
1.3. Snappy conducts internal and external security checks and penetration tests on its IT systems.
1.4. Snappy does not allow the installation of software that has not been approved by Snappy.
2. DATA TRANSMISSION CONTROL
Except as necessary for the provision of the Services in accordance with the Main Agreement, Customer Personal Data must not be read, copied, modified, or removed without authorization during transfer.
Measures:
2.1. Customer Personal Data in transfer over Snappy internal networks is protected according to the Snappy Security Policy.
2.2. When data is transferred between Snappy and Customer, the protection measures required for data transfer are hereby mutually agreed upon between Snappy and Customer and included as a part of the DPA.
2.3. Snappy will securely encrypt data in transit using an encryption protocol of TLS 1.2 or greater.
3. DATA INPUT CONTROL
Snappy tracks whether and by whom Customer Personal Data have been entered, modified, or removed from Snappy data processing systems.
Measures:
3.1. Snappy only allows authorized personnel to access Customer Personal Data as required in the course of their duty.
3.2. Snappy has implemented a logging system for input, modification, and deletion, or blocking of Customer Personal Data by Snappy within the Services to the extent technically feasible.
4. AVAILABILITY CONTROL
Customer Personal Data will be protected against accidental or unauthorized destruction or loss.
Measures:
4.1. Snappy employs regular backup processes to provide restoration of business-critical systems as and when necessary.
4.2. Snappy has defined business continuity plans for business-critical processes.
4.3. Emergency processes and systems are regularly tested.
5. DATA SEPARATION CONTROL
Customer Personal Data collected for different purposes can be processed separately.
Measures:
5.1. Snappy uses appropriate technical controls to appropriately separate Customer Personal Data.
5.2. Customer will have access only to its own Customer Personal Data based on secure authentication and authorization.
6. DATA INTEGRITY CONTROL
Customer Personal Data will remain intact and complete during processing activities. Snappy uses the following measures to implement the controls described above:
- Firewalls;
- Antivirus software;
- Backup and recovery;
- External and internal penetration testing; and
- Regular external audits of security measures.
This Annex forms part of the DPA and describes the technical and organizational security measures implemented by the data importer.
Snappy Security Certifications
Snappy is SOC 2 Type 2 and ISO 27001 compliant.
Document Management
Snappy will validate that necessary documentation is in place between Snappy and its customers as required by Data Protection Laws.
Any change to the processing of Customer Personal Data will be reviewed to determine any impact on required technical and organizational measures and other contract exhibits. Snappy will conduct a periodic review of Sub-processors to validate ongoing adherence to the agreed upon technical and organizational measures and other contractual requirements.
Security Policies
Snappy will maintain and follow IT security policies and practices that are integral to Snappy’s business and mandatory for all Snappy employees, including supplemental personnel. Snappy will periodically review such policies and amend them as Snappy deems reasonable to maintain the protection of its services and Customer Personal Data processed therein. Additional policy and process training will be provided to persons granted administrative access to security components that are specific to their role within Snappy’s operation and support of the service, and as required to maintain compliance and certifications.
Security Controls
1. ACCESS CONTROL
Persons entitled to use data processing systems have access only to the Customer Personal Data that they have a right to access, and Customer Personal Data must not be read, copied, modified, or removed without authorization in the course of processing, use, and storage.
Measures:
1.1. As part of the Snappy Security Policy, Customer Personal Data requires at least the same protection level as "confidential" information according to Snappy’s information classification standard.
1.2. Access to Customer Personal Data is granted on a need-to-know basis. Personnel have access to the information that they require in order to fulfill their duty. Snappy uses authorization concepts that document grant processes and assigned roles per account (user ID). All Customer Data is protected in accordance with the Snappy Security Policy.
1.3. Snappy conducts internal and external security checks and penetration tests on its IT systems.
1.4. Snappy does not allow the installation of software that has not been approved by Snappy.
2. DATA TRANSMISSION CONTROL
Except as necessary for the provision of the Services in accordance with the Main Agreement, Customer Personal Data must not be read, copied, modified, or removed without authorization during transfer.
Measures:
2.1. Customer Personal Data in transfer over Snappy internal networks is protected according to the Snappy Security Policy.
2.2. When data is transferred between Snappy and Customer, the protection measures required for data transfer are hereby mutually agreed upon between Snappy and Customer and included as a part of the DPA.
2.3. Snappy will securely encrypt data in transit using an encryption protocol of TLS 1.2 or greater.
3. DATA INPUT CONTROL
Snappy tracks whether and by whom Customer Personal Data have been entered, modified, or removed from Snappy data processing systems.
Measures:
3.1. Snappy only allows authorized personnel to access Customer Personal Data as required in the course of their duty.
3.2. Snappy has implemented a logging system for input, modification, deletion, or blocking of Customer Personal Data by Snappy within the Services to the extent technically feasible.
4. AVAILABILITY CONTROL
Customer Personal Data will be protected against accidental or unauthorized destruction or loss.
Measures:
4.1. Snappy employs regular backup processes to provide restoration of business-critical systems as and when necessary.
4.2. Snappy has defined business continuity plans for business-critical processes.
4.3. Emergency processes and systems are regularly tested.
5. DATA SEPARATION CONTROL
Customer Personal Data collected for different purposes can be processed separately.
Measures:
5.1. Snappy uses appropriate technical controls to separate Customer Personal Data.
5.2. Customer will have access only to its own Customer Personal Data based on secure authentication and authorization.
6. DATA INTEGRITY CONTROL
Customer Personal Data will remain intact and complete during processing activities. Snappy uses the following measures to implement the controls described above:
- Firewalls;
- Antivirus software;
- Backup and recovery;
- External and internal penetration testing; and
- Regular external audits of security measures.