Data Processing Addendum

DATA PROCESSING DETAILS

“CONTROLLER” The customer of Snyk Limited as set out in any ordering document or agreement between the parties under which the Processor provides Services to the Controller (“Snyk Main Agreement”)
NAME AND ADDRESS OF PROCESSOR (“PROCESSOR”) Snyk Limited of 1 Mark Square, London EC2A 4EG
SUBJECT MATTER OF THE PROCESSING The processing of Personal Data as part of the terms of the Snyk Main Agreement.
DURATION OF THE PROCESSING Start date - the date Personal Data is first processed by Processor.

End date - the date of termination or expiry of this Data Processing Addendum.

NATURE OF THE PROCESSING The processing of certain personal data by the Processor on behalf of the Controller in relation to allowing access of the Controller’s users to the Processor’s platform in order to discover known vulnerabilities in the open source dependencies used by the Controller
PURPOSE OF THE PROCESSING 1. Collection of the specified data so that the Processor may provide the services to the Controller
2. Storage on secure cloud storage facilities
3. Digest and comparison for authentication and authorization purposes
4. Messaging regarding the Controller’s use of the Processor’s products and services
TYPE OF PERSONAL DATA 1. First and last name, employer, title and position
2. Email Addresses
3. User ID on social or professional platforms
4. Connection and/or localization data
CATEGORIES OF DATA SUBJECTS Employees, developers, contractors of the Controller.

These Data Processing Details are subject to the terms and conditions below.
In the event of conflict between these Data Processing Details and the terms and conditions, the Data Processing Details shall prevail. The Data Processing Details together with the terms and conditions constitute the “Data Processing Addendum”.

This Data Processing Addendum shall be deemed to have been entered into on the same date as the Snyk Main Agreement (“Effective Date”).

TERMS AND CONDITIONS

  1. INTERPRETATION
    1. The following definitions and meanings apply to this Data Processing Addendum:

      “Applicable Law” means the law of the European Union, the applicable law of a member state of the European Union or (if the UK is outside the European Union), the applicable law of England and Wales, Scotland or Northern Ireland.

      “Data Subject”, “Personal Data” and “Processing” shall have the meanings set out in the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“General Data Protection Regulation” or “GDPR”).

      “Privacy Laws” means the GDPR, Directive 95/46/EC, the Data Protection Act 2018 and the Electronic Communications (EC Directive) Regulations 2003, as applicable.

    2. Clause headings shall not affect the interpretation of this Data Processing Addendum.
    3. The words “include” and “including” shall not limit the generality of any words preceding them.
  2. RIGHTS AND OBLIGATIONS
    1. Controller and Processor shall each comply with the Privacy Laws.
    2. Processor shall process Personal Data only on documented instructions from Controller, unless required to do so by Applicable Law.
    3. Processor shall ensure that persons authorized by it to process the Personal Data are bound by enforceable confidentiality obligations not to disclose it.
    4. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of the Data Subjects, Processor shall implement appropriate technical and organizational measures (to ensure a level of security appropriate to the risk) in such a manner that the Processing of Personal Data will meet the requirements of the Privacy Laws and ensure the protection of the rights of each Data Subject. Such measures shall include, if appropriate:
      1. the pseudonymisation and encryption of Personal Data;
      2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
      3. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and/or
      4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
    5. Processor shall take account of the risks that are presented by Processing the Personal Data in assessing the level of security required for Personal Data.
    6. Processor shall ensure that any natural person acting under the authority of the Processor who has access to the Personal Data does not process them except on instructions from the Controller (unless required by Applicable Law).
    7. If Processor engages another processor for carrying out specific Processing activities on behalf of Controller, Processor shall procure (including by entering into a binding contract with that other processor) that the other processor complies with the same obligations as Processor assumes under this Data Processing Addendum.
    8. Processor shall, taking into account the nature of the Processing, assist Controller by appropriate technical and organizational measures (insofar as this is possible) in Controller’s compliance with its obligations to respond to requests from Data Subjects under the Privacy Laws.
    9. Processor shall (taking into account the nature of processing and the information available to the Processor) assist Controller in ensuring compliance with Controller’s obligations under Privacy Laws in respect of security of Processing, notification of Personal Data breaches, data protection impact assessments and prior consultation with supervisory authorities.
    10. Processor shall upon termination or expiry of this Data Processing Addendum (at the choice of Controller) delete or return to Controller all Personal Data processed under this Data Processing Addendum (including any copies of it) unless required to retain it under Applicable Law.
    11. Processor shall make available to Controller all information necessary to demonstrate compliance with this Data Processing Addendum and shall allow for and contribute to audits, including inspections, conducted by Controller, or another auditor mandated by Controller.
    12. Processor shall immediately inform Controller if, in its opinion, an instruction from Controller infringes Privacy Laws.
    13. If Processor engages another processor for carrying out specific processing activities on behalf of Controller, the same data protection obligations as set out in this Data Processing Addendum shall be imposed on that other processor in a contract which, in particular, provides sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of Privacy Laws. Where that other processor fails to fulfil its data protection obligations, Processor shall remain fully liable to Controller for the performance of that other processor’s obligations.
    14. As between Controller and Processor, any Personal Data will at all times be and remain the sole property of Data Subject and Processor will not have or obtain any rights to it other than a non-exclusive, non-transferrable license to Process the Personal Data for the duration of this Data Processing Addendum.
    15. Processor shall hold all Personal Data in strict confidence.
    16. Processor shall cause each of its employees, contractors and agents (“Personnel”) who have access to Personal Data to comply with the terms of this Data Processing Addendum in the same manner as Processor is bound under this Data Processing Addendum and Processor is responsible for any acts or omissions of such Personnel.
    17. Processor shall comply with all applicable industry standards concerning privacy, data protection, confidentiality and/or information security.
    18. Processor shall provide all reasonable co-operation, assistance and information to Controller to allow Controller to: (i) conduct a defense of any claim or allegation that there has been any unauthorized use, Processing, disclosure or acquisition of or access to any Personal Data, and (ii) investigate, prevent, mitigate or rectify any data breach, breach of Privacy Laws, or breach of this Agreement.
    19. Processor shall not transfer Personal Data outside the European Economic Area in breach of Privacy Laws and without the consent of Controller. Any such transfer shall be subject to the terms of the EU Model Clauses which are incorporated into this Data Processing Addendum and set out in further detail in the Annex.
    20. Processor shall not retain Personal Data for longer than is necessary to comply with its obligations under this Data Processing Addendum.
    21. Processor shall maintain and implement a written information security program that includes appropriate administrative, technical, organizational and physical safeguards and any other necessary security measures designed to: (i) ensure the security and confidentiality of Personal Data; (ii) protect against any actual, suspected or anticipated threats or hazards to the security and integrity of Personal Data, and (iii) protect against any data breach. A copy of the Snyk Security Policy will be provided upon request.
    22. Processor shall regularly train any Personnel with access to Personal Data regarding the obligations of Privacy Laws and the privacy, confidentiality and information security requirements in this Data Processing Addendum.
    23. Processor shall notify Controller promptly in writing of: (a) any breach of this Data Processing Addendum, any breach of Privacy Laws, or any data breach of which Processor becomes aware, and such notice must summarize in detail the effect on Controller of the breach and the corrective action taken or to be taken by Processor; (b) any request with respect to Personal Data received directly from a Data Subject (Processor shall co-operate with Controller in fulfilling, or responding to, such request).
    24. Any breach of this Data Processing Addendum, or any unauthorized use, Processing, disclosure or acquisition of or access to any Personal Data could cause immediate and irreparable harm to Controller and/or a Data Subject for which monetary damages might not constitute an adequate remedy. Processor therefore acknowledges and agrees that Controller and/or Data Subject may obtain specific performance and injunctive or other equitable relief for such violation, in addition to any claim for damages.
    25. Controller may additionally suspend or terminate this Data Processing Addendum, at any time, with immediate effect by notice in writing and without incurring any liability for compensation for termination if Controller, acting reasonably and in good faith, has reason to believe that Processor is unable or has failed to comply with this Data Processing Addendum.
    26. The Processor accepts liability for, and shall indemnify and hold harmless Controller from and against, all claims (including third party claims), liabilities, costs and expenses (including reasonable legal costs) arising out of or in connection with any breach of Privacy Laws and the data protection provisions of this Data Processing Addendum.
    27. Processor shall keep a written record of the processing of Personal Data it carries out under this Data Processing Addendum and shall disclose this to Controller upon request.
    28. Processor shall notify Controller of all locations at which it may process Personal Data and if Processor or any subcontractor wishes to change or add to such location(s), Processor shall obtain Controller’s prior written consent, which Controller may (acting reasonably) withhold in its sole discretion.
    29. Processor shall take such steps as are necessary to ensure:
      1. the reliability of any of Processor’s Personnel who have access to Personal Data;
      2. access is limited to those Personnel who require it in order to meet the Processor’s obligations under this Data Processing Addendum and to such part or parts of the Personal Data as is strictly necessary for performance of each person’s duties;
      3. all Personnel are informed of the confidential nature of the Personal Data, have undertaken training in the laws relating to handling Personal Data, are fully competent to carry out the processing in accordance with Privacy Laws and are aware both of Processor’s duties and their personal duties and obligations under such laws and this Data Processing Addendum.
    30. Processor shall develop, implement and maintain, at Processor’s own expense, a data protection policy to govern its methodology for compliance with Privacy Laws and Processor’s obligations to Controller under this Data Processing Addendum. Processor shall make such data protection policy available to Controller upon request.
    31. In the event that Controller undertakes a privacy impact assessment (“PIA”) in relation to or in connection with this Data Processing Addendum, Processor shall provide such reasonable cooperation, assistance or other information, including, without limitation around data flows and risks to data, to Controller as it may reasonably require in order to undertake that PIA.
    32. In the event that there is a data breach in relation to or in connection with the Personal Data provided by Controller, Processor shall immediately (and in any event within 24 hours of becoming aware of such breach) notify Controller of that data breach in writing including the following details:
      1. the nature of the data breach including the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
      2. the likely consequences of the data breach; and
      3. the measures which Processor proposes to take to address the data breach, including, where appropriate, measures to mitigate its possible adverse effects.
    33. In the event of a data breach in relation to or in connection with the Personal Data provided by Controller:
      1. Processor shall take such measures to address the data breach or to mitigate its possible adverse effects as Controller may from time to time require;
      2. Processor shall provide Controller with such reasonable cooperation and assistance with managing that data breach as it may reasonably require; and
      3. Controller may, in its discretion, terminate this Data Processing Addendum immediately on written notice to Processor.
    34. In the event that Processor suffers a data breach relating to Personal Data which is not Personal Data provided by the Controller, Processor shall notify Controller of that data breach within a reasonable time of becoming aware of that data breach and Controller may, in its discretion, within a reasonable time of being made aware of that data breach, terminate this Data Processing Addendum immediately on written notice to Processor.
    35. In the event that Controller notifies Processor that it should cease processing the Personal Data or any part of the Personal Data, including, without limitation, the Personal Data of an individual Data Subject, Processor shall immediately return such Personal Data to Controller and shall cease processing that Personal Data or part of the Personal Data.
    36. In the event that Processor receives a request directly from an individual Data Subject relating to Personal Data, it shall promptly forward that request onto Controller.
  3. TERM AND TERMINATION
    1. This Data Processing Addendum shall start on the Effective Date and shall continue until the Snyk Main Agreement is terminated in accordance with its terms.
  4. MISCELLANEOUS
    1. Neither party shall be in breach of this Data Processing Addendum nor liable for delay in performing, or failure to perform, any of its obligations under this Agreement if such delay or failure results from events, circumstances or causes beyond its reasonable control.
    2. Processor shall not assign or otherwise transfer its rights or its obligations under this Agreement, in whole or in part, without the prior written consent of Controller.
    3. This Data Processing Addendum constitutes the entire agreement between the parties and supersedes and extinguishes all previous drafts, agreements, arrangements and understandings between them, whether written or oral, relating to its/their subject matter.
    4. Failure or delay in exercising any right or remedy under this Data Processing Addendum shall not constitute a waiver of such (or any other) right or remedy.
    5. Except as expressly stated otherwise, nothing in this Data Processing Addendum shall create an agency, partnership or joint venture of any kind between the parties.
    6. Except as expressly stated otherwise, nothing in this Data Processing Addendum shall create or confer any rights or other benefits in favor of any person other than a party to this Agreement.
    7. The invalidity, illegality or unenforceability of any term of this Data Processing Addendum shall not affect the continuation in force of the remainder of the Data Processing Addendum.
    8. Any notice required to be given to a party under this Data Processing Addendum shall be in writing and shall be delivered by hand or sent by a next working day delivery service providing proof of delivery, at the address set out in this Data Processing Addendum, or such other address as the recipient may designate by notice given in accordance with this clause. Any notice shall be deemed to have been received on signature of a delivery receipt. This clause does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution. For the purposes of this clause, "writing" shall not include e-mail.
    9. This Data Processing Addendum is governed by English law and the parties submit to the exclusive jurisdiction of the English courts in relation to any dispute (contractual or otherwise) concerning this Data Processing Addendum.
Annex

EU model clauses - EU controller to non-EU or EEA processor (*)

To the extent the Processor is importing Personal Data into countries outside of the EEA, Processor accepts the provisions of the EU Model Clauses which are incorporated herein by reference to the extent as detailed below:

  1. Under the EU Model Clauses, Snyk Limited with a registered address at 1 Mark Square, London EC2A 4EG shall be deemed the “Data Exporter” and Processor shall be deemed the “Data Importer”.
  2. In execution of article 9 of the EU Model Clauses, the EU Model Clauses shall be governed by the law of the Member State in which the data exporter is established, namely the United Kingdom.
  3. In execution of article 11 of the EU Model Clauses, the provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 of the EU Model Clauses shall be governed by the law of the Member State in which the data exporter is established, namely the United Kingdom.
  4. Appendix 1 to the EU Model Clauses is completed as follows:
    • The Data Exporter is relying on the service of the data importer as specified under the Snyk Main Agreement as well as in the Data Processing Details;
    • The Data Importer is providing the Services to the Data Exporter as specified in the Snyk Main Agreement as well as in the Data Processing Details;
    • The Personal Data transferred concerns the data of the Data Subjects as identified under the Data Processing Details;
    • The Categories of Personal Data transferred concerns such categories as identified in the Data Processing Details;
    • Unless otherwise indicated in the Data Processing Details, NO special categories of Personal Data (as defined under article 9 GDPR, e.g. data concerning health, biometric data, racial or ethnic data, religious data, … ) are processed by the Data Importer.
    • The parties agree that if one party is held liable for a violation of the EU Model Clauses by the other party, the latter will, to the extent to which it is liable, indemnify the first party for any cost, charge, damages, expenses or loss it has incurred. Indemnification is contingent upon: (a) the data exporter promptly notifying the data importer of a claim; and (b) the data importer being given the possibility to cooperate with the data exporter in the defence and settlement of the claim.
  5. Appendix 2 to the EU Model Clauses shall refer to the Snyk Security Policy which is available on request.
  6. Signature of the Snyk Main Agreement shall serve as a binding acceptance of the EU Model Clauses.

(*) more info on the EU Model Clauses:

(https://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.html)