Last updated February 8, 2024
Data Processing Addendum
This Data Processing Addendum (“DPA”) supplements the SnapSite SaaS Agreement as updated from time to time between Customer and SnapSite, or other agreement between Customer and SnapSite governing Customer’s use of the Services (the “Agreement”). This DPA is an agreement between you and the entity you represent (“Customer”, “you” or “your”) and SnapSite Inc. (“SnapSite”). Unless otherwise defined in this DPA or in the Agreement, all capitalized terms used in this DPA will have the meanings given to them in Section 1 of this DPA.
1.1 “Data Protection Laws” means all national, foreign, state or local laws, regulations or, ordinances, or other government standards relating to the privacy, confidentiality or security of Personal Data, including, without limitation, the EU General Data Protection Regulation (2016/679) (“GDPR”), the Gramm-Leach Bliley Act (“GLBA”), and laws requiring the secure disposal of records containing certain Personal Data.
1.2 “Personal Data” has the meaning given by Data Protection Laws and shall include information (regardless of the medium in which it is contained and whether alone or in combination) that directly or indirectly identifies an individual and is Processed by SnapSite pursuant to this Agreement.
1.3 “EU SCCs” means the standard contractual clauses for the transfer of Personal Data to Controllers and Processors established in third countries, adopted by the European Commission from time to time, the adopted version of which in force at the date of signature of this Data Processing Agreement is that set out in the Annex to the European Commission’s Implementing Decision 2021/914 of 4 June 2021, available at eur-lex.europa.eu, and as may be amended or replaced from time to time.
1.5 “DPA” means this Data Processing Agreement.
2.1 SnapSite will Process Personal Data only (a) in accordance with this Agreement or on written instruction of Customer; or (b) as otherwise required by law, in which case SnapSite will inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
2.2 SnapSite will ensure that any persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
2.3 SnapSite will implement appropriate technical and organizational measures to ensure a level of security of Personal Data, appropriate to the risk, including, as deemed appropriate by SnapSite: (a) pseudonymization or encryption of Personal Data; (b) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of systems and services Processing Personal Data; (c) the ability to restore availability of and access to Personal Data in a timely manner in the event of a Security Incident; and (d) a process for regularly test, assess, and evaluate the effectiveness of technical and organizational measures for ensuring the security of the Processing.
3.1 Customer hereby confirms its general written authorization for SnapSite’s use of the Sub-processors listed at https://snapsite.com/dpa/subprocessors/ (“Sub-processor Policy”) in accordance with Article 28 of the GDPR and equivalent requirements in other Applicable Data Protection Law to assist SnapSite in providing the Service and processing Personal Data, provided that such Sub-processors:
(i) agree to act only on SnapSite's instructions when processing the Personal Data, which instructions shall be consistent with Customer's processing instructions to SnapSite;
(ii) agree to protect the Personal Data to a standard consistent with the requirements of this DPA, including implementing and maintaining appropriate technical and organizational measures to protect the Personal Data they process consistent with the Security Standards described in Annex III to this DPA, as applicable.
3.2 SnapSite shall remain liable to Customer for the subcontracted processing services of any of its Sub-processors under this DPA. SnapSite shall update the Sub-processor Policy on its Website with any Sub-processor to be appointed at least thirty (30) days prior to such change.
3.3 In the event that Customer objects to the processing of its Personal Data by any proposed Sub-processor as described in Section 3.2 on reasonable grounds relating to data protection, it shall inform SnapSite in writing by emailing privacy@snapsite.com within thirty (30) days following the update of the Sub-processor Policy above. In such an event, the Parties shall negotiate in good faith a solution to Customer’s objection. If the Parties cannot reach resolution within sixty (60) days of SnapSite’s receipt of Customer’s objection, SnapSite will either (a) instruct the Sub-processor to not process Customer's Personal Data, in which event this DPA shall continue unaffected, or (b) allow Customer to terminate this DPA and any related services agreement with SnapSite immediately and provide it with a pro rata reimbursement of any sums paid in advance for Services to be provided, but not yet received by Customer as of the effective date of termination.
3.4 The Service provides links to integrations with Non-SnapSite Services, including, without limitation, certain non SnapSite Services which may be integrated directly into Customer’s account or instance in the Service. If Customer elects to enable, access, or use such Non-SnapSite Services, its access and use of such Non-SnapSite Services is governed solely by the terms and conditions and privacy policies of such Non-SnapSite Services, and SnapSite does not endorse and is not responsible or liable for, and makes no representations as to any aspect of such Non-SnapSite Services, including, without limitation, their content or the manner in which they handle Service Data (including Personal Data) or any interaction between Customer and the provider of such Non-SnapSite Services. The providers of Non-SnapSite Services shall not be deemed Sub-processors for any purpose under this DPA.
3.5 SnapSite will, insofar as is reasonably achievable and taking into account the nature of the Processing, assist Customer by appropriate technical and organizational measures for the fulfillment of Customer’s obligations to respond to requests from data subjects regarding their rights under applicable Data Protection Laws, including for EU data subjects, the right to rectification, right to be forgotten, right to restriction of Processing, and right to data portability.
3.6 SnapSite will notify Customer without undue delay after becoming aware of a Personal Data Breach. Where required by Customer for compliance with its obligations under Data Protection Laws, SnapSite will include in its notification, to the extent known to it: (a) a description of the nature of the Personal Data Breach, including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned; (b) the name and contact details of the data protection officer or other contact point where more information can be obtained; (c) a description of the likely consequences of the Personal Data Breach; and (d) the measures taken or proposed to be taken by SnapSite to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects. For purposes of this Section, a “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by SnapSite pursuant to this Agreement and that is likely to result in a risk to the rights and freedoms of natural persons. For the avoidance of doubt, where notification regarding a Personal Data Breach is required to individuals or governmental authorities under applicable Data Protection Laws, Customer will provide such notifications.
3.7 Upon written request from Customer and taking into account the nature of processing and the information available to SnapSite, SnapSite will assist Customer in ensuring compliance with Customer’s data protection impact assessment and prior consultation requirements under Articles 35-36 of the GDPR subject to Customer bearing SnapSite’s reasonably incurred costs for the provision of such assistance.
3.8 Upon written request from Customer, and no more than once per calendar year, SnapSite will make available to Customer all information necessary to demonstrate compliance with its obligations under the GDPR and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer. Any reviews of information, audits, or inspections conducted pursuant to this Section shall be at Customer’s sole expense.
Where SnapSite processes Personal Data that is subject to the GDPR in a country that has not received an adequacy decision from the EU Commission, the Parties hereby incorporate the EU SCCs by reference. Where the EU SCCs apply, they will be deemed completed as follows:
(i) Module 2 (Controller to Processor) will apply where Customer is a controller of Service Data and SnapSite is a processor of Service Data; Module 3 (Processor to Processor) will apply where Customer is a processor of Service Data and SnapSite is a processor of Service Data.
(ii) in Clause 7, the optional docking clause will not apply;
(iii) in Clause 9(a), Option 2 “General Written Authorization” will apply, and the time period for prior notice of Sub processor changes shall be as set out in Section 2.4 of this DPA;
(iv) in Clause 11, the optional language will not apply;
(v) in Clause 17, Option 1 will apply and will be governed by the laws provided in the Data Processing Agreement. If the Data Processing Agreement is not governed by an EEA member state law, then the laws of Ireland shall govern;
(vi) in Clause 18(b), disputes shall be resolved before the courts provided in the Data Processing Agreement. If the Data Processing Agreement does not provide courts in an EEA Member State, the parties agree to the courts of Dublin;
(vii) Annex I.A and I.B and Annex II of the EU SCCs shall be deemed completed with the information set out in Annex I and Annex II to this DPA; and
(viii) in Annex I.C of the EU SCCs, where the data exporter is established in the EEA shall be the Supervisory Authority with responsibility for ensuring compliance by the data exporter with GDPR as regards the data transfer. Where the data exporter is not established in the EEA, but is within the territorial scope of application of GDPR in accordance with Article 3(2) and has appointed a representative pursuant to Article 27(1), the Supervisory Authority shall be the member state in which the representative within the meaning of Article 27(1) is established. If the data exporter is not established in the EEA, but falls within the territorial scope of application of GDPR without having to appoint a representative pursuant to Article 27(2), the Supervisory Authority of Ireland shall act as the competent Supervisory Authority.
Nothing in the interpretations in this Section 3 is intended to conflict with either Party's rights or responsibilities under the EU SCCs and, in the event of any such conflict, the EU SCCs shall prevail.
1. Nature and Purpose of the Processing: Snapsite will process Personal Data in the course of providing Service(s) under the Data Processing Agreement, which may include operation of a cloud-based web presence and ecommerce platform. Additional information about Snapsite Services is available at https://snapsite.com/. Snapsite will process Personal Data as a processor in accordance with Customer’s instructions.
2. Processing Activities: Personal Data contained in Service Data will be subject to the hosting and processing activities of providing the Services.
3. Duration of Processing: The processing of Personal Data shall endure for the duration of the Subscription Term in the Data Processing Agreement and this DPA on a continuous basis.
4. Data Subjects: Customer may, at its sole discretion, submit Personal Data to the Service(s), which may include, but is not limited to, the following categories of data subjects: employees (including contractors and temporary employees), relatives of employees, customers, prospective customers, service providers, business partners, vendors, End-Users, advisors (all of whom are natural persons) of Customer and any natural person(s) authorized by Customer to use the Service(s).
5. Categories of Personal Data: Customer may, at its sole discretion, transfer Personal Data to the Snapsite Service(s) which may include, but is not limited to, the following categories of Personal Data: first and last name, email address, title, position, employer, contact information (company, email, phone numbers, physical address), date of birth, gender, communications (telephone recordings, voicemail), and website content information.
6. Special Categories of Data (if applicable): Sensitive Data may, from time to time, be included in processing via the Service(s) where Customer or its End-Users choose to include Sensitive Data within the Service(s). Customer is responsible for ensuring that suitable safeguards are in place prior to transmitting or processing, or prior to permitting Customer’s End-Users to transmit or process any Sensitive Data via the Service(s).
Our Sub-processors, when processing Service Data on behalf of Customer in connection with the Enterprise Services, shall implement and maintain the following technical and organizational security measures for the Processing of such Service Data (“Enterprise Services Security Standards”):
1. Physical Access Controls: Our Sub-processors will take reasonable measures, such as security personnel and secured buildings, to prevent unauthorized persons from gaining physical access to Service Data.
2. System Access Controls: Our Sub-processors will take reasonable measures to prevent Service Data from being used without authorization. These controls shall vary based on the nature of the processing undertaken and may include, among other controls, authentication via passwords and/or two-factor authentication, documented authorization processes, documented change management processes and/or, logging of access on several levels.
3. Data Access Controls: Our Sub-processors will take reasonable measures to ensure that Service Data is accessible and manageable only by properly authorized staff, direct database query access is restricted and application access rights are established and enforced to ensure that persons entitled to access Service Data only have access to Service Data to which they have privilege of access; and, that Service Data cannot be read, copied, modified or removed without authorization in the course of processing. Vendor will implement and maintain an access policy under which access to its system environment, to data processing systems, to Service Data, and other data is restricted to authorized personnel only.
4. Transmission Controls: Our Sub-processors will take reasonable measures to ensure that it is possible to check and establish to which entities the transfer of Service Data by means of data transmission facilities is envisaged so Service Data cannot be read, copied, modified or removed without authorization during electronic transmission or transport.
5. Input Controls: Our Sub-processors will take reasonable measures to ensure that it is possible to check and establish whether and by whom Service Data has been entered into data processing systems, modified or removed; and any transfer of Service Data to a third-party service provider is made via a secure transmission.
6. Data Protection: Our Sub-processors will take reasonable measures to ensure that Service Data is secured to protect against accidental destruction or loss. Our Sub-processors shall ensure that, when hosted by Sub-processor, backups are completed on a regular basis, are secured and encrypted, to ensure that Service Data is protected. Our Sub processors will implement and maintain a managed security program to identify risks and implement preventative technology and processes for common attack mitigation.
7. Logical Separation: Our Sub-processors will logically segregate Service Data from the data of other parties on its systems to ensure that Service Data may be processed separately.
ANNEX II
Physical Access Controls: Snapsite takes reasonable measures, such as security personnel and secured buildings, to prevent unauthorized persons from gaining physical access to Service Data and validates third parties operating data centers on Snapsite’s behalf are adhering to such controls.
System Access Controls: Snapsite takes reasonable measures to prevent Service Data from being used without authorization. These controls vary based on the nature of the processing undertaken and may include, among other controls, authentication via passwords, ssh keys and/or two-factor authentication, documented authorization processes, documented change management processes and/or, logging of access on several levels.
Data Access Controls: Snapsite takes reasonable measures to ensure Service Data is accessible and manageable only by properly authorized staff, direct database query access is restricted and application access rights are established and enforced to ensure that persons entitled to use a data processing system only have access to the Service Data to which they have privilege of access; and, that Service Data cannot be read, copied, modified or removed without authorization in the course of processing.
Transmission Controls: Snapsite takes reasonable measures to ensure the ability to check and establish which entities are transferred Service Data by means of data transmission facilities so Service Data cannot be read, copied, modified or removed without authorization during electronic transmission or transport. Service Data is encrypted in transit over public networks when communicating with Snapsite user interfaces (UIs) and application programming interfaces (APIs) via industry standard HTTPS/TLS (TLS 1.2 or higher). Exceptions to encryption in transit may include any non-Snapsite Service that does not support encryption, which the data controller may link to through the Enterprise Services at its election.
Input Controls: Snapsite takes reasonable measures to provide the ability to check and establish whether and by whom Service Data has been entered into data processing systems, modified or removed, and that any transfer of Service Data to a third-party service provider is made via a secure transmission.
Isolation and separation of data: Measures that make sure that data which is collected for a specific purpose is isolated from data related to other purposes. Concrete measures: (i) Clear separation of core database systems (ii) Database rights are centrally managed and set as granular as possible (iii) Production and test systems are clearly separated
No Backdoors: Snapsite has not built any backdoors or other methods into its Services to allow government authorities to circumvent its security measures to gain access to Service Data.
Data Center Architecture and Security: Snapsite hosts Service Data primarily in AWS data centers that have been certified as ISO 27001, PCI DSS Service Provider Level 1, and/or SOC2 compliant. AWS infrastructure services include backup power, HVAC systems, and fire suppression equipment to help protect servers and ultimately your data. AWS on-site security includes a number of features, such as, security guards, fencing, securing feeds, intrusion detection technology, and other security measures. More details on AWS controls can be found at: https://aws.amazon.com/security/.
Network Architecture and Security: Snapsite’s network is protected through the use of key AWS security services, which monitor and/or block known malicious traffic and network attacks. Snapsite has a multi-layer approach to DDoS mitigation, utilizing network edge defenses, along with scaling and protection tools. Infrastructure management and configuration management tools are used for security hardening and to ensure baseline configuration standards have been established for production servers.
Testing, Monitoring, and Logging: Each quarter, Snapsite executes a 3rd party application to perform a broad vulnerability test across servers. Snapsite gathers logs from important host systems. The alerts notify the Security team based on correlated events for investigation and response. Service ingress and egress points are instrumented and monitored to detect anomalous behavior, including 24/7 system monitoring.
Availability and Continuity: Snapsite maintains a publicly available system-status webpage, which includes system availability details, scheduled maintenance, service incident history, and relevant security events, found at: https://snapsite.com/status/. Snapsite employs service clustering and network redundancies to eliminate single points of failure. Our strict backup regime and/or Disaster Recovery service offering allows us to deliver a high level of service availability, as Service Data is replicated.
People Security: Snapsite performs pre-employment background checks of all employees, including education and employment verification, in accordance with applicable local laws. Employees are bound by written confidentiality agreements to maintain the confidentiality of data.
Vendor Management: Snapsite uses third party vendors to provide certain aspects of the Services. Snapsite completes a security risk assessment of prospective vendors.