May 7, 2025
Probely Data Processing Addendum
This Data Processing Addendum, including all annexes attached hereto, (the “DPA”) is incorporated into and subject to the Agreement (defined below), which has been assigned or otherwise transferred in its entirety to Snyk. This DPA will apply to any Personal Data that Snyk processes when providing the Probely Services. All capitalized terms used but not defined in this DPA shall have the meanings set forth in the Agreement. In the event of an express conflict between the Agreement and the DPA, the terms of the DPA shall prevail.
1. DEFINITIONS
Agreement means the master service, software as a service or similar agreement entered into by and between Customer and Probe.ly - Soluções de Cibersegurança, S.A, for the provision of Probely Services to the Customer.
Customer means the person or entity described as the “Customer” in the Agreement, or that is otherwise permitted to receive the Probely Services pursuant to the Agreement.
Data Protection Laws means all national, federal, and state data protection laws and regulations, as may be amended or updated from time to time, applicable to Snyk’s processing of Personal Data to provide the Probely Services as described in the Agreement. Such Data Protection Laws shall include, as applicable:
The California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations (“CCPA”);
The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”) or the “UK GDPR” which means the UK General Data Protection Regulation, as it forms part of the law of the UK by virtue of section 3 of the European Union (Withdrawal) Act 2018; and
The Swiss Federal Act on Data Protection of 25 September 2020 (“FADP”).
EU SCCs means the standard contractual clauses attached to the European Commission’s Implementing Decision (EU) 2021/914 found at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
Personal Data means any information relating to an identified or identifiable natural person, which is processed by Snyk in its role as a data processor for the purposes of providing the Probely Services under the Agreement.
Probely Services means the provision by Snyk, or any subcontracted entity, of the Web Application Vulnerability Scanner cloud-based solution currently referred to by Snyk as “Snyk API & Web”, and any other services described in the Agreement.
Restricted Transfer means any cross-border transfer of Personal Data that would be restricted by the Data Protection Laws in the absence of the EU SCCs, UK SCCs or Swiss SCCs, as applicable, including appropriate addenda.
Snyk means Snyk, Inc., a company incorporated in Delaware, having an office at 100 Summer Street, 7th Floor, Boston, MA 02110 if Customer is located in the United States or Snyk Limited, a company incorporated in England and Wales (No. 09677925), having its registered office at Suite 4, 7th Floor, 50 Broadway, London, SW1H 0DB United Kingdom if Customer is located in any other country.
Swiss SCCs means the EU SCCs as amended in terms of Section 6.3 of this DPA.
UK Addendum means the International Data Transfer Addendum to EU SCCs, issued by the ICO under s119A(1) of the Data Protection Act 2018, version B1.0 and any updates or replacements as may be issued by the ICO from time to time in accordance with S119A(1).
UK SCCs means the UK Addendum, as amended or replaced from time to time, pursuant to Article 46 of the UK GDPR.
The terms "controller", "processor", "data subject", "process" and "supervisory authority", and their derivatives and analogous terms shall have the same meaning as set out in applicable Data Protection Laws.
2. RIGHTS AND OBLIGATIONS
2.1 The parties acknowledge and agree that with respect to the processing of Personal Data, Customer is the controller and Snyk is the processor. The parties agree that the Agreement and this DPA, as well as Customer’s configuration of the Probely Services, shall constitute the Customer's instructions for the processing of Personal Data. Each Party shall comply with its respective obligations under the Data Protection Laws. Customer will not instruct Snyk to process Personal Data in violation of applicable law. To the extent required by Data Protection Laws, Snyk shall assist Customer in complying with Customer’s obligations under the Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data it provides or otherwise makes available to Snyk, and the means by which Customer acquired and transferred such Personal Data to Snyk, and the legal basis to permit Snyk’s processing of such Personal Data under the Agreement and this DPA. Snyk will cooperate with reasonable requests by Customer for documentary audits of Snyk's security and privacy practices. The time, duration, place, scope, and manner of the audit must be mutually agreed by the parties, but in no event will an audit be conducted more frequently than once per year. Taking into account the nature of the request and to the extent reasonably feasible from a technical and operational perspective, Snyk will provide Customer with any information necessary to enable Customer to comply with applicable law or request from a regulatory body, provided that Snyk will not release any proprietary or confidential information. If a regulator wishes to carry out an audit of Snyk or its activities under this Agreement, Customer will provide Snyk with no less than 30 days’ notice, unless the regulator has given less notice to Customer. 
In the event of a breach of security resulting in an unauthorized or unlawful destruction, loss, alteration, disclosure of, or access to, Personal Data (a “Security Incident”), upon becoming aware of the Security Incident, Snyk will (i) promptly take reasonable action to mitigate the Security Incident, and (ii) without undue delay, notify Customer of the Security Incident. Any such notification is not an acknowledgement of fault or responsibility. In addition, Snyk will provide reasonable assistance to Customer (and any law enforcement or regulatory official with proper jurisdiction) to fulfil Customer’s obligations under applicable law to investigate and respond to the Security Incident.
2.2 As required by Data Protection Law, Snyk shall keep a written record of its processing activities with respect to the Personal Data. Customer’s audit rights with respect to Personal Data are specified in this DPA.
3 SUBPROCESSORS
3.1 Customer grants Snyk general authorization to engage the third parties listed at https://snyk.io/policies/subprocessors/ and in Annex 3 to this DPA, to process the Personal Data ("Sub-processors").
3.2 Snyk will provide Customer with thirty (30) days’ notice (the “Notice Period”) prior to adding or replacing any Sub-processor by posting details at https://snyk.io/policies/subprocessors/ and/or https://snyk.io/policies/snyk-api-and-web-master-services-addendum/ (as required by the context). In the event Customer reasonably objects to the addition or replacement of such Sub-processor, Customer will provide Snyk written notice of its objection and its reasonable grounds for objection within the Notice Period and the parties will discuss in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Snyk will either not appoint the new Sub-processor with respect to Customer’s use of the Probely Services, or permit Customer to suspend or terminate the affected Probely Services without liability to either party. Notwithstanding the foregoing, Snyk may replace a Sub-processor if the need for the change is urgent and necessary to provide the Probely Services. In such instance, Snyk shall notify Customer of the replacement as soon as reasonably practicable, and Customer shall retain the right to object to the replacement Sub-processor.
3.3 Snyk shall ensure each Sub-processor is appointed pursuant to a written contract conferring materially the same obligations with respect to Personal Data as this DPA and shall be responsible for ensuring each such Sub-processor complies with all such obligations.
4 DATA REQUESTS
4.1 Snyk shall, to the extent required by applicable Data Protection Law, notify Customer if Snyk receives any valid requests from a data subject identified in connection with Customer’s subscription to the Probely Services to exercise his or her individual rights under Data Protection Law. Snyk shall, to the extent permitted by law and taking into account the nature of the processing, provide reasonable assistance to Customer in responding to valid requests from data subjects under the Data Protection Laws.
4.2 In the event Snyk becomes subject to a request from a public authority, Snyk shall review the legality of such a request prior to acceding to it. To the extent permitted by law, Snyk shall promptly notify Customer in writing of any such request. Snyk shall in respect of any such request only disclose the minimum amount of Personal Data it assesses is reasonably required.
5 GDPR
5.1 This Section shall apply only to the extent that Personal Data contains personal information subject to the GDPR, UK GDPR, or FADP and shall apply in addition to the other requirements of the Agreement and the other provisions of this DPA. The parties agree that Snyk may process Personal Data as part of providing the Probely Services pursuant to the Agreement. Snyk shall inform Customer if it becomes aware that Customer’s instructions infringe GDPR, UK GDPR or FADP (as applicable) but without obligation to actively monitor Customer's compliance therewith.
6 INTERNATIONAL DATA TRANSFERS
6.1 Customer acknowledges and agrees that Snyk may transfer, access and process Personal Data on a global basis as necessary to provide the Probely Services in accordance with the Agreement. Snyk will make any such transfers in compliance with the Data Protection Laws.
6.2 The parties agree that the terms of the EU SCCs Module Two (Controller to Processor) apply to any Restricted Transfer under GDPR from Customer (as data exporter) to Snyk (as data importer). The parties agree that for the purposes of the EU SCCs:
6.2.1. Clause 7 (Docking Clause) shall not apply;
6.2.2. Clause 9 (Use of Sub-processors), Option 2, General Written Authorisation, shall apply and the “time period” shall be 30 days;
6.2.3. In Clause 11 (Redress) the optional language shall not apply;
6.2.4. Annex I.A (List of Parties) shall be deemed to be Customer as data exporter and Snyk as data importer;
6.2.5. Annex I.B (Description of Transfer) shall be deemed to incorporate the information in Annex 1;
6.2.6. Annex I.C (Competent Supervisory Authority) shall be deemed to refer to the supervisory authority of Ireland; and
6.2.7. Annex 2 (Technical and Organisational Measures) shall be deemed to refer to Annex 2 of this DPA.
6.3 The parties agree that the terms of the EU SCCs Module Two (Controller to Processor) apply to any Restricted Transfer under FADP from Customer (as data exporter) to Snyk (as data importer) to the same extent recorded in Section 6.2, subject to the following amendments:
6.3.1. References to “Regulation (EU) 2016/679” or to “GDPR” shall be interpreted as references to FADP;
6.3.2. References to “EU”, “Union”, or “European Union”, “EU Member State” or “Member State”: (a) shall be interpreted to include “Switzerland”; and (b) shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of seeking to exercise their rights in Switzerland;
6.3.3. Annex I.C (Competent Supervisory Authority) shall be deemed to refer to the Swiss Federal Data Protection and Information Commissioner; and
6.3.4. Clause 17 (Option 1) and Clause 18(b) shall be deemed to refer to the applicable governing law and courts in Section 8.1 below, save to the extent otherwise required by FADP, or to give effect to Section 6.3.2(b) above, in which case, the governing law shall be Swiss Law and disputes will be resolved before the courts of Switzerland (“Swiss SCCs”).
6.4 The parties agree that the terms of the UK SCCs apply to any Restricted Transfer under the UK GDPR from Customer (as data exporter) to Snyk (as data importer). The parties agree that for the purposes of the UK SCCs:
6.4.1. Table 1 shall be deemed populated with Customer as data exporter and Snyk as data importer;
6.4.2. Table 2 is deemed populated with the corresponding details and selections described in Section 6.2 above;
6.4.3. Table 3 is deemed populated with the corresponding details and selections described in Section 6.2.4, 6.2.5, and 6.2.7 above, and Annex 1; and
6.4.4. Table 4 to the UK Transfer Addendum is completed by only ‘Importer’ being selected.
6.5 To the extent that Snyk makes an onward transfer which is a Restricted Transfer, it shall take such measures as may be necessary to ensure that the transfer is made in compliance with the Data Protection Laws.
7. CCPA
7.1 This Section shall apply only to the extent that Personal Data contains personal information subject to the CCPA and shall apply in addition to the other requirements of the Agreement and the other provisions of this DPA.
7.2 Snyk will promptly notify Customer if it determines that it can no longer meet its obligations under this DPA or the CCPA.
7.3 Customer may, upon providing Snyk prior written notice, take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data by Snyk.
7.4 Snyk processes the Personal Data subject to CCPA for or on behalf of Customer for the business purposes specified in the Agreement. Snyk shall not retain, use, or disclose Personal Data for any purposes other than pursuant to the business relationship of the parties and performing the Probely Services under the Agreement or as otherwise permitted for Service Providers by the CCPA.
7.5 Snyk shall not sell the Personal Data within the meaning of the CCPA. To the extent the CCPA is applicable, the parties acknowledge that Customer's transfer of Personal Data to Snyk is not a "sale" and Snyk provides no monetary or other valuable consideration to Customer in exchange for the Personal Data.
7.6 To the extent any Personal Data hereunder is deidentified by Snyk or Customer, Snyk shall take reasonable measures to ensure the deidentified Personal Data cannot be associated with a consumer or household and shall not attempt to reidentify such deidentified Personal Data.
7.7 Snyk certifies that it understands the obligations and restrictions contained in this Section 7 and will comply with them.
8. GENERAL
8.1 Governing Law. Unless otherwise required, the parties agree that:
8.1.1. If the Agreement is between Customer and Snyk, Inc., this DPA shall be governed by and construed in accordance with the laws of the jurisdiction set forth in the Agreement and the parties agree to submit to the jurisdiction of the courts specified in the Agreement.
8.1.2. If the Agreement is between Customer and Snyk Limited, this DPA shall be governed by and construed in accordance with the laws of Ireland and the parties agree to submit to the jurisdiction of the courts located in Ireland.
8.2 Updates. Snyk may modify this DPA as required as a result of (a) changes in Data Protection Laws; (b) a merger, acquisition, corporate reorganization or other similar occurrence; or (c) the release of new features, functions, products or services or material changes to any of the existing Probely Services. Snyk may make such modifications by posting a revised version of this DPA on its applicable webpage or by otherwise notifying Customer. Snyk will provide at least seven (7) days’ advance notice of any modifications. Subject to the seven (7) day advance notice requirement, the modified version of the DPA will become effective upon posting. By continuing to use the Probely Services after the effective date of any modifications to this DPA, the Customer agrees to be bound by the modified DPA.
Annex 1: DATA PROCESSING DETAILS
Categories of data subjects:
Developers and other employees of Customer who are users of the Probely Services or otherwise contribute to Customer’s code base and data subjects whose personal data may be incidentally processed in the course of Customer's use of the Probely Services.
Categories of personal data:
First and last name, employer, title, and position
Email Addresses
User IDs or tags related to source code repositories or other services integrated with Snyk by the Customer’s users
Connection and/or localization data
Personal data may be incidentally processed in the course of Customer's use of the Probely Services.
Sensitive data transferred (if applicable):
None.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
Ongoing.
Nature of the processing:
The processing of certain personal data by Snyk on behalf of the Customer in relation to allowing access of the Customer’s users to Snyk’s platform for the purposes of reviewing software projects submitted to the platform.
Purpose(s) of the data transfer:
Providing the Probely Services pursuant to the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
As set forth in the Agreement.
For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing:
See https://snyk.io/policies/subprocessors/ and Annex 3 to this DPA for details.
Annex 2: TECHNICAL AND ORGANISATIONAL MEASURES
The following list is a non-exhaustive list of security controls we implement with respect to the Probely Services:
1. We employ industry-standard encryption technology.
2. All of our infrastructure is hosted in a top-tier cloud provider, where security has been scrutinized. Our cloud provider’s security features and controls are configured to segregate and monitor our service networks, for audit logs, and for security event management. The frontend, backend, and database servers use private and segregated networks controlled by security groups.
3. Where appropriate we implement the following security practices, including (but not limited to):
3.1. Principle of the least privilege (to access our systems and data),
3.2. Server hardening and security updates,
3.3. Requiring 2-factor authentication,
3.4. Central logging,
3.5. Secure Software Development Lifecycle, including periodic security assessments.
4. Notwithstanding the outlined security measures, it is important to remember that the transmission of data via the internet may not be completely secure and that you are advised to take suitable precautions when transmitting data via the internet.
Annex 3: PROBELY SUBPROCESSORS
To provide the Probely Services, Snyk relies on additional Sub-processors. These Sub-processors are listed below, with a description of the service and the location where data is hosted. This list may be updated by Snyk from time to time:
Entity Name | Location of Processing | Data Processed & Purpose of Processing |
BastionX, Inc | Hosted in the Customer’s designated hosting region, but the services, if any, will be remotely performed from (and data may be viewed and processed in) the U.S. | Snyk uses BastionX to provide certain implementation and support services to customers. |
Chargebee, Inc. | EU, US | Snyk uses Chargebee for subscription management, billing, and invoicing |
Intercom, Inc. | US | Snyk uses Intercom for customer support, marketing, and CRM |
Hubspot | US | Snyk uses Hubspot for marketing and CRM |
Stripe, Inc. | US | Snyk uses Stripe for processing payments |
Sentry, Inc. | US | Snyk uses Sentry as an error monitoring platform |
Sentry LLC | Hosted in the Customer’s designated hosting region, but the services, if any, will be remotely performed from (and data may be viewed and processed in) Kosovo. | Snyk uses Sentry to provide implementation, support, and managed scan services to customers. |
Cloudflare, Inc. | Cloudflare processes Snyk’s customer data from the region closest to where the user is located. | Snyk uses Cloudflare for content delivery and website security |
Invoiceexpress | EU | Snyk uses Invoiceexpress for invoicing purposes |
Chartmogul | EU | Snyk uses Chartmogul for subscription analytics |
Oracle Netsuite | EU, USA | Snyk uses Oracle Netsuite for Enterprise Resource Planning |