Data Processing Addendum

DATA PROCESSING DETAILS

“CONTROLLER” The customer of Snyk Limited as set out in any ordering document or agreement between the parties under which the Processor provides Services to the Controller (“Snyk Main Agreement”)
NAME AND ADDRESS OF PROCESSOR (“PROCESSOR”) Snyk Limited of 1 Mark Square, London EC2A 4EG
SUBJECT MATTER OF THE PROCESSING The processing of Personal Data as part of the terms of the Snyk Main Agreement.
DURATION OF THE PROCESSING Start date - the date Personal Data is first processed by Processor.

End date - the date of termination or expiry of this Data Processing Addendum.

NATURE OF THE PROCESSING The processing of certain personal data by the Processor on behalf of the Controller in relation to giving the Controller’s users access to the Processor’s platform in order to discover known vulnerabilities in the open source dependencies used by the Controller
PURPOSE OF THE PROCESSING 1. Collection of the specified data so that the Processor may provide the services to the Controller
2. Storage on secure cloud storage facilities
3. Digest and comparison for authentication and authorization purposes
4. Messaging regarding the Controller’s use of the Processor’s products and services
TYPE OF PERSONAL DATA 1. First and last name, employer, title and position
2. Email Addresses
3. User ID on social or professional platforms
4. Connection and/or localization data
CATEGORIES OF DATA SUBJECTS Employees, developers, contractors of the Controller.

These Data Processing Details are subject to the terms and conditions below.
In the event of conflict between these Data Processing Details and the terms and conditions, the Data Processing Details shall prevail. The Data Processing Details together with the terms and conditions constitute the “Data Processing Addendum”.

This Data Processing Addendum forms part of Snyk Main Agreement and shall be deemed to have been entered into on the same date as the Snyk Main Agreement (Effective Date).

TERMS AND CONDITIONS

  1. INTERPRETATION
    1. The following definitions and meanings apply to this Data Processing Addendum:

      “Applicable Law” means the law of the European Union, the applicable law of a member state of the European Union or (if the UK is outside the European Union), the applicable law of England and Wales, Scotland or Northern Ireland.

      “Data Subject”, “Personal Data” and “Processing” shall have the meanings set out in the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“General Data Protection Regulation or GDPR”).

      “Privacy Laws” means the GDPR, the Data Protection Act 2018 and the Electronic Communications (EC Directive) Regulations 2003, as applicable, and any legislation which amends, re-enacts or replaces them.

      “EU Model Clauses” means the clauses annexed to European Commission decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries.

    2. Clause headings shall not affect the interpretation of this Data Processing Addendum.
    3. The words “include” and “including” shall not limit the generality of any words preceding them.
  2. RIGHTS AND OBLIGATIONS
    1. Controller and Processor shall each comply with the Privacy Laws.
    2. Processor shall process Personal Data only on documented instructions from Controller, unless required to do so by Applicable Law.
    3. Processor shall ensure that persons authorized by it to process the Personal Data are bound by enforceable confidentiality obligations not to disclose it.
    4. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of the Data Subjects, Processor shall implement appropriate technical and organizational measures (to ensure a level of security appropriate to the risk) in such a manner that the Processing of Personal Data will meet the requirements of the Privacy Laws and ensure the protection of the rights of each Data Subject. Such measures shall include, if appropriate:
      1. the pseudonymisation and encryption of Personal Data;
      2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
      3. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and/or
      4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
    5. Processor shall take account of the risks that are presented by Processing the Personal Data in assessing the level of security required for Personal Data.
    6. Processor shall ensure that any natural person acting under the authority of the Processor who has access to the Personal Data does not process them except on instructions from the Controller (unless required by Applicable Law).
    7. If Processor engages another processor for carrying out specific Processing activities on behalf of Controller, Processor shall procure (including by entering into a binding contract with that other processor) that the other processor complies with the same obligations as Processor assumes under this Data Processing Addendum.
    8. Processor shall, taking into account the nature of the Processing, assist Controller by appropriate technical and organizational measures (insofar as this is possible) in Controller’s compliance with its obligations to respond to requests from Data Subjects under the Privacy Laws.
    9. Processor shall (taking into account the nature of processing and the information available to the Processor) assist Controller in ensuring compliance with Controller’s obligations under Privacy Laws in respect of security of Processing, notification of Personal Data breaches, data protection impact assessments and prior consultation with supervisory authorities.
    10. Processor shall upon termination or expiry of this Data Processing Addendum (at the choice of Controller) delete or return to Controller all Personal Data processed under this Data Processing Addendum (including any copies of it) unless required to retain it under Applicable Law.
    11. Processor shall make available to Controller all information necessary to demonstrate compliance with this Data Processing Addendum and shall allow for and contribute to audits, including inspections, conducted by Controller, or another auditor mandated by Controller.
    12. Processor shall immediately inform Controller if, in its opinion, an instruction from Controller infringes Privacy Laws.
    13. If Processor engages another processor for carrying out specific processing activities on behalf of Controller, the same data protection obligations as set out in this Data Processing Addendum shall be imposed on that other processor in a contract which, in particular, provides sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of Privacy Laws. Where that other processor fails to fulfil its data protection obligations, Processor shall remain fully liable to Controller for the performance of that other processor’s obligations.
    14. As between Controller and Processor, any Personal Data will at all times be and remain the sole property of Data Subject and Processor will not have or obtain any rights to it other than a non-exclusive, non-transferrable license to Process the Personal Data for the duration of this Data Processing Addendum.
    15. The Controller agrees that Snyk may transfer Personal Data outside of the European Union, provided all such transfers shall (to the extent required under Privacy Laws) be effected by way of appropriate safeguards (including the EU Model Clauses in the manner set out in the Annex) in accordance with Privacy Laws. This paragraph forms part of Controller’s instructions to Processor. The Controller authorises the Processor to conclude, on the Controller’s behalf, EU Model Clauses with any sub-processors processing personal data in third countries outside the European Union.
    16. Processor shall not retain Personal Data for longer than is necessary to comply with its obligations under this Data Processing Addendum.
    17. Processor shall maintain and implement a written information security program that includes appropriate administrative, technical, organizational and physical safeguards and any other necessary security measures designed to: (i) ensure the security and confidentiality of Personal Data; (ii) protect against any actual, suspected or anticipated threats or hazards to the security and integrity of Personal Data, and (iii) protect against any data breach. A copy of the Snyk Security Policy will be provided upon request.
    18. Processor shall regularly train any Personnel with access to Personal Data regarding the obligations of Privacy Laws and the privacy, confidentiality and information security requirements in this Data Processing Addendum.
    19. Processor shall notify Controller promptly in writing of: (a) any breach of this Data Processing Addendum, any breach of Privacy Laws, or any data breach of which Processor becomes aware, and such notice must summarize in detail the effect on Controller of the breach and the corrective action taken or to be taken by Processor; (b) any request with respect to Personal Data received directly from a Data Subject (Processor shall co-operate with Controller in fulfilling, or responding to, such request).
    20. Any breach of this Data Processing Addendum, or any unauthorized use, Processing, disclosure or acquisition of or access to any Personal Data could cause immediate and irreparable harm to Controller and/or a Data Subject for which monetary damages might not constitute an adequate remedy. Processor therefore acknowledges and agrees that Controller and/or Data Subject may obtain specific performance and injunctive or other equitable relief for such violation, in addition to any claim for damages.
    21. Processor shall keep a written record of the processing of Personal Data it carries out under this Data Processing Addendum.
    22. Processor shall develop, implement and maintain, at Processor’s own expense, a data protection policy to govern its methodology for compliance with Privacy Laws and Processor’s obligations to Controller under this Data Processing Addendum.
    23. In the event that Controller undertakes a privacy impact assessment (“PIA”) in relation to or in connection with this Data Processing Addendum, Processor shall provide such reasonable cooperation, assistance or other information, including, without limitation around data flows and risks to data, to Controller as it may reasonably require in order to undertake that PIA.
    24. In the event that there is a data breach in relation to or in connection with the Personal Data provided by Controller, Processor shall immediately (and in any event within 24 hours of becoming aware of such breach) notify Controller of that data breach in writing including the following details:
      1. the nature of the data breach including the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
      2. the likely consequences of the data breach; and
      3. the measures which Processor proposes to take to address the data breach, including, where appropriate, measures to mitigate its possible adverse effects.
    25. In the event of a data breach in relation to or in connection with the Personal Data provided by Controller:
      1. Processor shall provide Controller with such reasonable cooperation and assistance with managing that data breach as it may reasonably require.
    26. In the event that Controller notifies Processor that it should cease processing the Personal Data or any part of the Personal Data, including, without limitation, the Personal Data of an individual Data Subject, Processor shall immediately return such Personal Data to Controller and shall cease processing that Personal Data or part of the Personal Data.
    27. In the event that Processor receives a request directly from an individual Data Subject relating to Personal Data, it shall promptly forward that request onto Controller.
  3. TERM AND TERMINATION
    1. This Data Processing Addendum shall start on the Effective Date and shall continue until the Snyk Main Agreement is terminated in accordance with its terms.

Annex

EU Model Clauses - EU controller to non-EU or EEA processor (*)

Processor and Controller agree that the EU Model Clauses shall apply to any transfers of Personal Data under this Data Processing Addendum from the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of the Privacy Laws, to the extent such transfers are subject to such Privacy Laws, and the EU Model Clauses are to that extent incorporated herein by reference:

  1. Under the EU Model Clauses, Snyk Limited with a registered address at 1 Mark Square, London EC2A 4EG shall be deemed the “Data Importer” and Controller shall be deemed the “Data Exporter”.
  2. In execution of article 9 of the EU Model Clauses, the EU Model Clauses shall be governed by the law of the Member State in which the data exporter is established.
  3. The illustrative optional indemnification clause in Annex B to the EU Model Clauses shall not apply.
  4. In execution of article 11 of the EU Model Clauses, the provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 of the EU Model Clauses shall be governed by the law of the Member State in which the data exporter is established.
  5. Appendix 1 to the EU Model Clauses is completed as follows:
    • The Data Exporter is relying on the service of the data importer as specified under the Snyk Main Agreement as well as in the Data Processing Details;
    • The Data Importer is providing the Services to the Data Exporter as specified in the Snyk Main Agreement as well as in the Data Processing Details;
    • The Personal Data transferred concerns the data of the Data Subjects as identified under the Data Processing Details;
    • The Categories of Personal Data transferred concern such categories as identified in the Data Processing Details;
    • Unless otherwise indicated in the Data Processing Details, NO special categories of Personal Data (as defined under article 9 GDPR, e.g. data concerning health, biometric data, racial or ethnic data, religious data, …) are processed by the Data Importer.
  6. Appendix 2 to the EU Model Clauses shall refer to the Snyk Security Policy which is available on request.
  7. Signature of the Snyk Main Agreement shall serve as a binding acceptance of the EU Model Clauses.

(*) More information on the EU Model Clauses: https://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.html