November 25, 2024

Data Processing Addendum

This Data Processing Addendum, including all schedules attached hereto, (the “DPA”) is incorporated into and subject to the Terms of Service or the Snyk Master Service Agreement, as applicable (the “Agreement”) entered into by and between Customer and Snyk. All capitalized terms used, but not defined in this DPA shall have the meanings set forth in the Agreement. In the event of an express conflict between the Agreement and the DPA, the terms of the DPA shall prevail.

1. DEFINITIONS

Data Protection Laws means all national, federal, and state data protection laws and regulations, as may be amended or updated from time to time, applicable to Snyk’s processing of Personal Data to provide the Services as described in the Agreement. Such Data Protection Laws shall include, as applicable:

The California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations (“CCPA”);

The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”) or the “UK GDPR” which means the UK General Data Protection Regulation, as it forms part of the law of the UK by virtue of section 3 of the European Union (Withdrawal) Act 2018; and

The Swiss Federal Act on Data Protection of 25 September 2020 (“FADP”).

EU SCCs means the standard contractual clauses attached to the European Commission’s Implementing Decision (EU) 2021/914 found at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.

Personal Data means any information relating to an identified or identifiable natural person, which is processed by Snyk in its role as a data processor for the purposes of providing the Services under the Agreement.

Restricted Transfer means any cross-border transfer of Personal Data that would be restricted by the Data Protection Laws in the absence of the EU SCCs, UK SCCs or Swiss SCCs, as applicable, including appropriate addenda.

Swiss SCCs means the EU SCCs as amended in terms of Section 6.3 of this DPA.

UK Addendum means the International Data Transfer Addendum to EU SCCs, issued by the ICO under s119A(1) of the Data Protection Act 2018, version B1.0 and any updates or replacements as may be issued by the ICO from time to time in accordance with S119A(1).

UK SCCs means the UK Addendum, as amended or replaced from time to time, pursuant to Article 46 of the UK GDPR.

The terms "controller", "processor", "data subject", "process" and "supervisory authority", and their derivatives and analogous terms shall have the same meaning as set out in applicable Data Protection Laws.

2. RIGHTS AND OBLIGATIONS

2.1 The parties acknowledge and agree that with respect to the processing of Personal Data, Customer is the controller and Snyk is the processor. The parties agree that the Agreement and this DPA, as well as Customer’s configuration of the Services, shall constitute the Customer's instructions for the processing of Personal Data. Each Party shall comply with its respective obligations under the Data Protection Laws. Customer will not instruct Snyk to process Personal Data in violation of applicable law. To the extent required by Data Protection Laws, Snyk shall assist Customer in complying with Customer’s obligations under the Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data it provides or otherwise makes available to Snyk, and the means by which Customer acquired and transferred such Personal Data to Snyk, and the legal basis to permit Snyk’s processing of such Personal Data under the Agreement and this DPA. Snyk’s security commitments and Security Incident obligations with respect to Personal Data are specified in the Agreement. Additionally, the process for deleting Customer Data, including Personal Data, is outlined in the Agreement.

2.2 As required by Data Protection Law, Snyk shall keep a written record of its processing activities with respect to the Personal Data. Customer’s audit rights with respect to Personal Data are specified in the Agreement.

3. SUBPROCESSORS

3.1 Customer grants Snyk general authorization to engage third parties to process the Personal Data ("Sub-processors"). Snyk shall maintain an up-to-date list of Sub-processors at https://snyk.io/policies/subprocessors/.

3.2 Snyk will provide Customer with thirty (30) day notice (the “Notice Period”) prior to adding or replacing any Sub-processor by posting details at https://snyk.io/policies/subprocessors/. In the event Customer reasonably objects to the addition or replacement of such Sub-processor, Customer will provide Snyk written notice of its objection and its reasonable grounds for objection within the Notice Period and the parties will discuss in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Snyk will either not appoint the new Sub-processor with respect to Customer’s use of the Services, or permit Customer to suspend or terminate the affected Services without liability to either party. Notwithstanding the foregoing, Snyk may replace a Sub-processor if the need for the change is urgent and necessary to provide the Services. In such instance, Snyk shall notify Customer of the replacement as soon as reasonably practicable, and Customer shall retain the right to object to the replacement Sub-processor.

3.3 Snyk shall ensure each Sub-processor is appointed pursuant to a written contract conferring materially the same obligations with respect to Personal Data as this DPA and shall be responsible for ensuring each such Sub-processor complies with all such obligations.

4. DATA REQUESTS

4.1 Snyk shall, to the extent required by applicable Data Protection Law, notify Customer if Snyk receives any valid requests from a data subject identified in connection with Customer’s Snyk subscription to exercise his or her individual rights under Data Protection Law. Snyk shall, to the extent permitted by law and taking into account the nature of the processing, provide reasonable assistance to Customer in responding to valid requests from data subjects under the Data Protection Laws.

4.2 In the event Snyk becomes subject to a request from a public authority, Snyk shall review the legality of such a request prior to acceding to it. To the extent permitted by law, Snyk shall promptly notify Customer in writing of any such request. Snyk shall in respect of any such request only disclose the minimum amount of Personal Data it assesses is reasonably required.

5. GDPR

5.1 This Section shall apply only to the extent that Personal Data contains personal information subject to the GDPR, UK GDPR or FADP, and shall apply in addition to the other requirements of the Agreement and the other provisions of this DPA. The parties agree that Snyk may process Personal Data as part of providing the Services pursuant to the Agreement. Snyk shall inform Customer if it becomes aware that Customer’s instructions infringe GDPR, UK GDPR or FADP (as applicable) but without obligation to actively monitor Customer's compliance therewith.

6. INTERNATIONAL DATA TRANSFERS

6.1 Customer acknowledges and agrees that Snyk may transfer, access and process Personal Data on a global basis as necessary to provide the Services in accordance with the Agreement. Snyk will make any such transfers in compliance with the Data Protection Laws.

6.2 The parties agree that the terms of the EU SCCs Module Two (Controller to Processor) apply to any Restricted Transfer under GDPR from Customer (as data exporter) to Snyk (as data importer). The parties agree that for the purposes of the EU SCCs:

6.2.1 Clause 7 (Docking Clause) shall not apply;

6.2.2 Clause 9 (Use of Sub-processors), Option 2, General Written Authorisation, shall apply and the “time period” shall be 30 days;

6.2.3 In Clause 11 (Redress) the optional language shall not apply;

6.2.4 Annex I.A (List of Parties) shall be deemed to be Customer as data exporter and Snyk as data importer;

6.2.5 Annex I.B (Description of Transfer) shall be deemed to incorporate the information in Schedule 1;

6.2.6 Annex I.C (Competent Supervisory Authority) shall be deemed to refer to the supervisory authority of Ireland; and

6.2.7 Annex 2 (Technical and Organisational Measures) shall be deemed to refer to the Information Security Addendum (as specified in the Agreement).

6.3 The parties agree that the terms of the EU SCCs Module Two (Controller to Processor) apply to any Restricted Transfer under FADP from Customer (as data exporter) to Snyk (as data importer) to the same extent recorded in Section 6.2, subject to the following amendments:

6.3.1 References to “Regulation (EU) 2016/679” or to “GDPR” shall be interpreted as references to FADP;

6.3.2 References to “EU”, “Union”, “European Union”, “EU Member State” or “Member State”: (a) shall be interpreted to include “Switzerland”; and (b) shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of seeking to exercise their rights in Switzerland;

6.3.3 Annex I.C (Competent Supervisory Authority) shall be deemed to refer to the Swiss Federal Data Protection and Information Commissioner; and

6.3.4 Clause 17 (Option 1) and Clause 18(b) shall be deemed to refer to the applicable governing law and courts in Section 8.1 below, save to the extent otherwise required by FADP, or to give effect to Section 6.3.2(b) above, in which case the governing law shall be Swiss law and disputes will be resolved before the courts of Switzerland (“Swiss SCCs”).

6.4 The parties agree that the terms of the UK SCCs apply to any Restricted Transfer under the UK GDPR from Customer (as data exporter) to Snyk (as data importer). The parties agree that for the purposes of the UK SCCs:

6.4.1 Table 1 shall be deemed populated with Customer as data exporter and Snyk as data importer;

6.4.2 Table 2 is deemed populated with the corresponding details and selections described in Section 6.2 above;

6.4.3 Table 3 is deemed populated with the corresponding details and selections described in Sections 6.2.4, 6.2.5 and 6.2.7 above, and Schedule 1; and

6.4.4 Table 4 to the UK Transfer Addendum is completed by only ‘Importer’ being selected.

6.5 To the extent that Snyk makes an onward transfer which is a Restricted Transfer, it shall take such measures as may be necessary to ensure that the transfer is made in compliance with the Data Protection Laws.

7. CCPA

7.1 This Section shall apply only to the extent that Personal Data contains personal information subject to the CCPA and shall apply in addition to the other requirements of the Agreement and the other provisions of this DPA.

7.2 Snyk will promptly notify Customer if it determines that it can no longer meet its obligations under this DPA or the CCPA.

7.3 Customer may, upon providing Snyk prior written notice, take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data by Snyk.

7.4 Snyk processes the Personal Data subject to CCPA for or on behalf of Customer for the business purposes specified in the Agreement. Snyk shall not retain, use, or disclose Personal Data for any purposes other than pursuant to the business relationship of the parties and performing the Services under the Agreement or as otherwise permitted for Service Providers by the CCPA.

7.5 Snyk shall not sell the Personal Data within the meaning of the CCPA. To the extent the CCPA is applicable, the parties acknowledge that Customer's transfer of Personal Data to Snyk is not a "sale" and Snyk provides no monetary or other valuable consideration to Customer in exchange for the Personal Data.

7.6 To the extent any Personal Data hereunder is deidentified by Snyk or Customer, Snyk shall take reasonable measures to ensure the deidentified Personal Data cannot be associated with a consumer or household and shall not attempt to reidentify such deidentified Personal Data.

7.7 Snyk certifies that it understands the obligations and restrictions contained in this Section 7 and will comply with them.

8. GENERAL

8.1 Governing Law. Unless otherwise required, the parties agree that:

(1) If the Agreement is between Customer and Snyk, Inc., this DPA shall be governed by and construed in accordance with the laws of the jurisdiction set forth in the Agreement and the parties agree to submit to the jurisdiction of the courts specified in the Agreement.

(2) If the Agreement is between Customer and Snyk Limited, this DPA shall be governed by and construed in accordance with the laws of Ireland and the parties agree to submit to the jurisdiction of the courts located in Ireland.

8.2 Updates. Snyk may modify this DPA as required as a result of (a) changes in Data Protection Laws; (b) a merger, acquisition, corporate reorganization or other similar occurrence; or (c) the release of new features, functions, products or services or material changes to any of the existing Services. Snyk may make such modifications by posting a revised version of this DPA at https://snyk.io/policies/dpa/ or by otherwise notifying Customer. Snyk will provide at least seven (7) days’ advance notice of any modifications. Subject to the seven (7) day advance notice requirement, the modified version of the DPA will become effective upon posting. By continuing to use the Services after the effective date of any modifications to this DPA, the Customer agrees to be bound by the modified DPA.

Schedule 1: DATA PROCESSING DETAILS

Categories of data subjects:

Developers and other employees of Customer who are users of Snyk’s services or otherwise contribute to Customer’s code base.

Categories of personal data:

  • First and last name, employer, title, and position

  • Email Addresses

  • User IDs or tags related to source code repositories or other services integrated with Snyk by the Customer’s users

  • Connection and/or localization data

Sensitive data transferred (if applicable):

None.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

Ongoing.

Nature of the processing:

The processing of certain personal data by Snyk on behalf of the Customer in relation to allowing access of the Customer’s users to Snyk’s platform for the purposes of reviewing software projects submitted to the platform.

Purpose(s) of the data transfer:

Providing the Services pursuant to the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

As set forth in the Agreement.

For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing:

See https://snyk.io/policies/subprocessors/ for details.