Data Processing Addendum

Data Processing Details

“CONTROLLER”	The customer of Snyk Limited or Snyk, Inc. (as the case may be), as set out in any ordering document or agreement between the parties under which the Processor provides services to the Controller ("Snyk Main Agreement”).
NAME AND ADDRESS OF PROCESSOR (“PROCESSOR”)	‘Snyk’ as defined in the Snyk Main Agreement.
SUBJECT MATTER OF THE PROCESSING	The processing of Personal Data as part of the Snyk services under the Snyk Main Agreement (“Services”).
DURATION OF THE PROCESSING	Start date - the date Personal Data is first processed by Processor. End date - the date of termination or expiry of the Snyk Main Agreement. The frequency of the processing is continual and ongoing during the term of the Snyk Main Agreement.
NATURE OF THE PROCESSING	The processing of certain personal data by the Processor on behalf of the Controller in relation to allowing access of the Controller’s users to the Processor’s platform for the purposes of reviewing software projects submitted to the platform.
PURPOSE OF THE PROCESSING	1. Collection of the specified data so that the Processor may provide the Services to the Controller 2. Storage on secure cloud storage facilities 3. Digest and comparison for authentication and authorization purposes 4. Messaging regarding the Controller’s use of the Processor’s products and services
TYPE OF PERSONAL DATA	1. First and last name, employer, title and position 2. Email Addresses 3. User ID on source code repositories and other services integrated with Snyk by the Controller’s users 4. Connection and/or localization data The data shall not include any ‘special category’ data as defined under GDPR.
CATEGORIES OF DATA SUBJECTS	Employees, developers, contractors of the Controller.

The Data Processing Details above together with the terms and conditions below constitute this “Data Processing Addendum” or “DPA”. This DPA forms part of Snyk Main Agreement.

Terms and Conditions

Interpretation
1. The following definitions and meanings apply to this DPA: “Adequate Territory” means: (i) in respect of Personal Data which is subject to the GDPR, the European Economic Area and any other territory which the European Commission has determined ensures an adequate level of protection for Personal Data pursuant to Article 45 of the GDPR; and (ii) in respect of Personal Data which is subject to the UK GDPR, the United Kingdom and any other territory which the UK Secretary of State has by regulations specified ensures an adequate level of protection for Personal Data pursuant to Article 45 of the UK GDPR and Section 17A of the UK Data Protection Act 2018
  “Applicable Data Protection Laws”
  means, with respect to a party, all data protection laws applicable to such party’s processing of Personal Data, including the GDPR, the UK GDPR, the CCPA and as applicable, and any legislation which amends, re-enacts or replaces them.
  “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations (“CCPA”), “Data Subject”, “Data Processor”, “Data Controller” and “Processing” shall have the meanings set out in the GDPR.
  “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016; “Personal Data” means any information relating to an identified or identifiable natural person, which is processed by the Processor solely on behalf of the Controller, as part of the Services under the Snyk Main Agreement.
  “Security Measures” means the technical and organizational security measures to be applied by Processor in respect of the Personal Data, as set out at https://snyk.io/policies/snyk-security-addendum/ as may be updated from time-to-time.
  “SCCs” means the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021; as they may be amended, superseded or replaced from time to time. “UK GDPR” has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.
  "UK Transfer Addendum" means the template Addendum B.1.0 issued by the UK Information Commissioner’s Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of the Mandatory Clauses included in Part 2 thereof (“UK Mandatory Clauses”).
2. Clause headings shall not affect the interpretation of this DPA.
3. The words “include” and “including” shall not limit the generality of any words preceding them.
Rights and Obligations
1. Controller and Processor shall each comply with the Applicable Data Protection Laws. For the purposes of the Applicable Data Protection Laws, Controller is the Data Controller (under CCPA, the ‘business’) and Processor is the Data Processor (under CCPA, the ‘service provider’), of the Personal Data.
2. Processor shall process Personal Data only on documented instructions from Controller, unless required to do so by applicable law. Processor shall not "sell" the Personal Data within the meaning of the CCPA. To the extent the CCPA is applicable, the parties acknowledge that Controller's transfer of Personal Data to Processor is not a "sale" and Processor provides no monetary or other valuable consideration to Controller in exchange for the Personal Data.
3. Processor shall ensure that persons authorized by it to process the Personal Data are bound by enforceable confidentiality obligations not to disclose it.
4. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of the Data Subjects, Processor shall implement appropriate technical and organizational measures (to ensure a level of security appropriate to the risk) supported by a written Information Security Management System in such a manner that the Processing of Personal Data will meet the requirements of the Applicable Data Protection Laws and ensure the protection of the rights of each Data Subject. Such measures shall include the Security Measures.
5. Processor shall take account of the risks that are presented by Processing the Personal Data in assessing the level of security required for Personal Data.
6. Controller authorizes Processor to engage third party sub-processors ("Sub-processors") to process the Personal Data. Processor provides reasonable prior notice before the proposed addition or replacement of any Sub-processor by posting details at https://snyk.io/policies/sub-processors/, in order to allow Controller to raise in writing any reasonable objections on grounds of data protection within 14 days of such notice. In the event of such an objection, the parties will discuss Controller’s concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Processor will, at its sole discretion, either not appoint the new Sub-processor, or permit Controller to suspend or terminate the Snyk Main Agreement without liability to either party. Processor shall not be obliged to make any refund of any sums paid under the Snyk Main Agreement.
  For the purposes of the SCCs (including Clause 9(c) of the SCCs), Controller acknowledges that Processor may be restricted from disclosing to Controller its contract terms with Sub-processors due to confidentiality obligations.
  Processor shall ensure each Sub-processor is appointed under a binding written contract conferring a materially similar level of obligation on the Sub-processor in relation to protection of the Personal Data as under this DPA (including those relating to sufficient guarantees to implement appropriate technical and organizational measures) and shall be responsible for ensuring each such Sub-processor complies with all such obligations.
7. Processor shall, taking into account the nature of the Processing, provide reasonable assistance to Controller by appropriate technical and organizational measures (insofar as this is possible) in Controller’s compliance with its obligations to respond to requests from Data Subjects under Applicable Data Protection Laws.
8. To the extent required under Applicable Data Protection Laws, Processor shall (taking into account the nature of processing and the information available to the Processor) assist Controller in ensuring compliance with Controller’s obligations under Applicable Data Protection Laws in respect of security of Processing, notification of Personal Data breaches, data protection impact assessments and prior consultation with supervisory authorities.
9. Processor shall upon termination or expiry of the Snyk Main Agreement delete or return to Controller all Personal Data processed under this DPA (including any copies of it) unless required to retain it under applicable law.
10. Processor shall make available to Controller all information reasonably necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by Controller, or another auditor mandated by Controller on 10 working days’ notice and mutual agreement of a suitable scope and agenda.
11. Processor shall immediately inform Controller if it becomes aware that Controller's processing instructions infringe GDPR or UK GDPR (as applicable) but without obligation to actively monitor Controller's compliance with them.
12. The Controller acknowledges and agrees that the Processor may transfer, access and process Personal Data on a global basis as necessary to provide the Snyk service in accordance with the Snyk Main Agreement. The Processor will make any such transfers in compliance with Applicable Data Protection Laws. This paragraph forms part of Controller’s instructions to Processor.
13. Solely to extent required to ensure Processor’s Processing of Personal Data complies with any international transfer rules set out in Applicable Data Protection Laws, in the event that the transfer of Personal Data from Controller to Processor involves a transfer of Personal Data, that is subject to GDPR or UK GDPR, outside of an Adequate Territory, the SCCs shall be incorporated by reference and form an integral part of this DPA – with Controller as "data exporter" and Processor as "data importer" – in the following manner:
  1. In relation to any such transfer made subject to the EU GDPR, for the purposes of the SCCs: (i) Module Two (controller to processor) terms shall apply and the module one, three and four terms shall be deleted; (ii) in Clause 9, Option 2 shall apply and the “time period” shall be 14 days (iii) in Clause 11, the optional language shall not apply; (iv) in Clause 17 (Option 1) the SCCs shall be governed by Irish law; (v) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (vi) Annex 1 and 3 of the SCCs shall be populated with the information set out in this DPA; and (vii) Annex 2 of the SCCs shall be deemed to refer to the Security Measures.
  2. In relation to any such transfer made subject to the UK GDPR, the SCCs shall apply as varied by the UK Transfer Addendum – for which purpose, the parties agree: (i) Tables 1, 2 and 3 to the UK Transfer Addendum are deemed populated with the corresponding details and selections described in paragraph 13.1 above; (ii) Table 4 to the UK Transfer Addendum is completed by only ‘Importer’ being selected; (iii) to be bound by the UK Mandatory Clauses; and (iv) to the presentation of information required by ‘Part 1: Tables’ of the UK Transfer Addendum in the manner determined by this paragraph 13.2 (as permitted by Section 17 of the UK Mandatory Clauses).
14. To the extent that Processor makes an onward transfer of the Personal Data to a third party (including any entity in Processor’s group of companies, or a Sub-processor), to a country other than an Adequate Territory or the country in which the Personal Data was first processed by Processor, it shall take such measures as may be necessary to ensure that the transfer is made in compliance with Applicable Data Protection Laws. Such measures may include (as necessary and applicable, and without limitation) transferring the Personal Data to a recipient that has a contract with Processor that ensures the Personal Data will be protected to the standard required by Applicable Data Protection Laws.
15. Processor shall notify Controller without undue delay in writing of any request with respect to Personal Data received directly from a Data Subject. Processor shall co-operate with Controller in fulfilling, or responding to, such request.
16. Processor shall to the extent required by Applicable Data Protection Laws keep a written record of the processing of Personal Data it carries out under this DPA.
17. In the event that there is a confirmed personal data breach (as defined in GDPR) in respect of the Personal Data provided by Controller, Processor shall without undue delay (and in any event within 72 hours of confirming such breach) notify Controller of that data breach in writing including the following details:
  1. the nature of the personal data breach including the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
  2. the likely consequences of the personal data breach; and
  3. the measures which Processor proposes to take to remediate the cause of the breach.
    In the event of a personal data breach in respect of the Personal Data provided by Controller, Processor shall provide Controller with such reasonable cooperation and assistance with managing that personal data breach as may be agreed between the parties, acting in good faith.
18. In the event that Controller notifies Processor that it should cease processing the Personal Data or any part of the Personal Data, including, without limitation, the Personal Data of an individual Data Subject, Processor shall without undue delay return such Personal Data to Controller and shall cease processing that Personal Data or part of the Personal Data. Controller acknowledges and agrees that Processor shall not have any liability under the remainder of the Main Agreement for any failure to provide the Services which results from such cessation.
19. In the event that Processor receives a request directly from an individual Data Subject relating to Personal Data, it shall promptly forward that request onto Controller.
20. In the event Processor becomes subject to a request from a public authority to disclose any Personal Data, Processor shall review the legality of such a request prior to acceding to it. To the extent permitted by law, Processor shall promptly notify Controller in writing of any such request. Processor shall only comply with such requests in the event that it reasonably considers that it is lawfully compelled to do so. Processor shall in respect of any such request (i) only disclose the minimum amount of Personal Data required, and (ii) retain evidence that any disclosure of Personal Data to public authorities was made in accordance with the restrictions under this paragraph, and (to the extent permitted by law) make such evidence available to Controller promptly upon request.
Updates
1. Processor may modify this DPA as required as a result of (a) changes in Applicable Data Protection Laws; (b) a merger, acquisition, corporate reorganization or other similar occurrence; or (c) the release of new features, functions, products or services or material changes to any of the existing Services. Processor may make such modifications by posting a revised version of this DPA at https://snyk.io/policies/dpa/ or by otherwise notifying Controller. Processor will provide at least 7 days’ advance notice of any modifications. Subject to the 7 day advance notice requirement, the modified version of the DPA will become effective upon posting. By continuing to use the Services after the effective date of any modifications to this DPA, the Controller agrees to be bound by the modified DPA.