Probely Enterprise DAST Addendum to the Snyk Software as a Service Agreement

This Probely Enterprise DAST Master Services Addendum (“Addendum”) amends the Snyk Software as a Service Agreement (“Snyk MSA”) entered into between Snyk and the Customer identified in the Snyk MSA (“you”) with regard to the provision of Probely Enterprise DAST. This Addendum sets forth additional terms and conditions that govern your access and use of Probely Enterprise DAST. Snyk authorizes your use of Probely Enterprise DAST only under the terms and conditions of the Snyk MSA and this Addendum (“the Agreement”). In the event of any conflict between this Addendum and the Snyk MSA, the terms of the Addendum shall control, but only with regard to Probely Enterprise DAST. Capitalized terms used in this Addendum but not defined in the Addendum will have the meaning given in the Snyk MSA. In the event of any conflict between the terms and conditions of this Addendum and the terms and conditions of an Order Form, precedence will be given in the following order: (1) the terms and conditions of the Addendum, (2) the terms and conditions of the Snyk MSA, and (3) the terms and conditions of an Order Form. 

These terms and conditions govern your access and use of the Web Application Vulnerability Scanner cloud based solution provided by us, or any subcontracted entity (“Probely Enterprise DAST”). 

1. ACCESS TO PROBELY ENTERPRISE DAST

   1. Probely Enterprise DAST is intended for and has been designed to operate against any web application, as long as there is connectivity between Snyk’s servers and the server that hosts the web application being tested.

2. ACCEPTABLE USE

   1. WE STRONGLY RECOMMEND THAT YOU USE PROBELY ENTERPRISE DAST SOLELY IN STAGING AND TESTING SITES AND NOT AGAINST A PRODUCTION SITE. SHOULD YOU USE IT AGAINST A PRODUCTION SITE, YOU USE IT AT YOUR OWN RISK.

   2. You undertake that you will not and will not encourage or assist any third party to access or use Probely Enterprise DAST in any way intended to improperly avoid incurring fees, or exceeding usage limits or quotas. As such, you are entitled to no more than 2 concurrent scans of the same target or 60 scans of the same target on a monthly basis.

3. SERVICE LEVEL TERMS

   1. Snyk uses reasonable endeavors designed to ensure that Probely Enterprise DAST is always available. Snyk commits to availability of 99.9% for paid access to Probely Enterprise DAST, calculated on a 90-day period, excluding holidays and weekends and scheduled maintenance. If Customer requests maintenance during these hours, any uptime or downtime calculation will exclude periods affected by such maintenance. Further, any Downtime resulting from the following will also be excluded from any such calculation: (a) third party connections or utilities or other reasons beyond Snyk’s control; (b) your acts or omissions; (c) the failure or malfunction of equipment, applications or systems not owned or controlled by Snyk; (d) any inconsistencies or changes in your source environment, including either intentional or accidental connections or disconnections to the environment; (e) force majeure events; (f) any suspension of Probely Enterprise DAST in accordance with the Agreement; (g) your use of Probely Enterprise DAST in a manner inconsistent with our documentation; (h) scheduled downtime; or, (i) emergency downtime.

   2. If Snyk fails to meet the guaranteed availability (“Downtime”) in any calendar month, except as otherwise provided herein you will be eligible for a credit as described in the table below. 

   3. Downtime shall begin to accrue as soon as you (with notice to Snyk) recognize that downtime is taking place, and continues until the availability of Probely Enterprise DAST is restored. In order to receive a Service Credit, you must notify Snyk in writing within 24 hours from the initial Downtime, and failure to provide such notice will forfeit the right to receive a Service Credit. Service Credits shall be your sole and exclusive remedy in the event of any failure to meet these availability commitments. Service Credits will be applied to the next invoice following your request and Snyk’s confirmation that credits are applicable. If availability is less than 95% for (a) three consecutive months, or, (b) any three months during any twelve-month period, you may terminate this Agreement upon written notice to Snyk.

   4. Snyk’s blocking of data communications or other portions of Probely Enterprise DAST in accordance with its policies shall not be deemed to be a failure of Snyk to provide adequate service levels under these Terms.

Probely Enterprise DAST DPA Addendum to the Snyk Data Processing Addendum 

This Probely Enterprise DAST DPA Addendum (“DPA Addendum”) amends the Snyk Data Processing Addendum (“Snyk DPA”) which is appended to the Snyk MSA, as amended by the Addendum, with regard to the provision of Probely Enterprise DAST. This DPA Addendum sets forth terms and conditions that govern your access and use of Probely Enterprise DAST. Snyk authorizes your use of Probely Enterprise DAST only under the terms and conditions of the Agreement, including the Snyk DPA as amended. In the event of any conflict between this DPA Addendum and the Snyk DPA, the terms of the DPA Addendum shall control, but only with regard to Probely Enterprise DAST. Capitalized terms used in this DPA Addendum but not defined herein will have the meaning given in the Snyk MSA.

1. Section 5.2 of the Snyk MSA shall not apply to Probely Enterprise DAST, and is replaced in its entirety with the following: “Snyk will employ security measures designed to protect Customer Data in accordance with Schedule B below.”

2. Customer grants Snyk general authorization to engage third parties to process the Personal Data ("Sub-processors"). Snyk shall maintain an up-to-date list of Sub-processors at https://snyk.io/policies/subprocessors/ and the Sub-processors listed in Schedule A to this DPA Addendum.

3. Annex 2 (Technical and Organizational Measures) shall be deemed to refer to Schedule B to this DPA Addendum.

Schedule 1 of the Snyk DPA is amended as follows:

1. “Categories of data subjects” shall include, data subjects whose personal data may be incidentally processed in the course of Customer's use of Probely Enterprise DAST.

2. “Categories of personal data” shall include, personal data that may be incidentally processed in the course of Customer's use of Probely Enterprise DAST.

3. Details regarding transfers to Sub-processors shall include the Sub-processors listed in Schedule A.

Schedule A: Probely Enterprise DAST Sub-processors

To provide Probely Enterprise DAST, Snyk relies on additional Sub-processors. These Sub-processors are listed below, with a description of the service and the location where data is hosted. This list may be updated by Snyk from time to time:

Schedule B: Technical and Organizational Measures

The following list is a non-exhaustive list of security controls we implemented with respect to Probely Enterprise DAST :

• We employ industry-standard encryption technology.

• All of our infrastructure is hosted in a top-tier cloud provider, where security has been scrutinized. Our cloud provider’s security features and controls are configured to segregate and monitor our service networks, for audit logs, and for security event management. The frontend, backend, and database servers use private and segregated networks controlled by security groups.

• Where appropriate we implement the following security practices, including (but not limited to):

  • Principle of the least privilege (to access our systems and data)

  • Server hardening and security updates

  • Requiring 2-factor authentication

  • Central logging

  • Secure Software Development Life cycle, including periodic security assessments 

Notwithstanding the outlined security measures, it is important to remember that the transmission of data via the internet may not be completely secure and that you are advised to take suitable precautions when transmitting data via the internet.