This Snovio Data Processing Addendum (hereinafter ‘DPA’) supplements the Snovio Terms and Conditions (hereinafter ‘Terms’), the agreement between you (hereinafter ‘User’ ‘Customer’, ‘you’, ‘your’) and Snovio Inc. (hereinafter ‘Company’, ‘Snov.io’, ‘Snovio’, ‘we’, ‘us’ or ‘our’) which is governing the processing of personal data that you upload or otherwise provide Snovio in connection with the Services or of any personal data that Snovio obtains in connection with the performance of the Services, hereinafter referred to individually as a ‘Party’ or together as the ‘Parties’.
Unless otherwise defined in this DPA, all capitalised terms used in this DPA will have the meanings set forth in Snovio’s Terms and Conditions. This DPA shall remain in force until the termination of the Terms between you and us governing your use of the Services.
“Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, the United Kingdom, the United States and its states, Brazil, applicable to the processing of personal data under the Terms as amended from time to time, such as GDPR, UK Data Protection Laws, or other applicable laws and regulations.
“General Data Protection Regulation (GDPR)” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
“UK Data Protection Laws” means the Data Protection Act 2018 and the UK GDPR (retained version of the EU GDPR).
“EU Standard Contractual Clauses (EU SCCs)” means Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj.
“UK Addendum” means International Data Transfer Addendum to the EU Standard Contractual Clauses that has been issued by the Information Commissioner for Parties making Restricted Transfers in the meaning of the UK Data Protection Laws, as currently set out at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.
“controller”, “processor”, “data subject”, “personal data”, “processing” have the meanings given in Data Protection Laws and Regulations.
“Customer Data” means personal data that you upload or otherwise provide Snovio in connection with the Services or of any personal data that Snovio obtains in connection with the performance of the Services.
“Sub-processor” means any entity which provides processing services to Snovio in furtherance of Snovio’s processing on behalf of Customer.
“Public Authority” means a government agency or law enforcement authority, including judicial authorities.
“Supervisory Authority” means an independent public authority to be responsible for monitoring the application of the data protection legislation.
2. Roles and Responsibilities
The Parties agree that this DPA and the Terms (including the provision of instructions via browser extensions) constitute your complete and final documented instructions regarding our processing of Customer Data on your behalf (hereinafter ‘Instructions’). Any additional or alternate instructions must be consistent with the terms and conditions of this DPA and the Terms.
4. Description of Processing
The processing of Customer Data on your behalf in connection with Services is described in Schedule 1 of this DPA. We reserve the right to update the description of processing from time to time to reflect new functionality which is part of the Services.
5. Your obligations
Within the scope of the DPA and Terms and your use of the Services, including our integration with HubSpot and/or Pipedrive, you will be solely responsible for complying with all requirements that apply to you under the Data Protection Laws and Regulations. You represent and warrant that you will be solely responsible for:
(i) the accuracy, quality, integrity, confidentiality and security of collected Customer Data;
(ii) complying with all necessary transparency, lawfulness, fairness and other requirements under Data Protection Laws and Regulations for the collection and use of the personal data by: establishing and maintaining the procedure for the exercise of the rights of the data subjects whose personal data are processed on behalf of Customer; providing us only with data that has been lawfully and validly obtained and ensuring that such data will be relevant and proportionate to the respective uses; ensuring compliance with the provisions of this DPA and Terms by your personnel or by any third-party accessing or using Customer Data on your behalf; and
(iii) ensuring that your Instructions to us regarding the processing of Customer Data comply with the Data Protection Laws and Regulations, including complying with principles of data minimisation, purpose and storage limitation.
6. Our obligations
6.1. General Obligations
With regard to the processing of Customer Data we shall:
(i) process Customer Data using appropriate technical and organisational security measures, and in compliance with the Instructions received from Customer subject to Section 3 of this DPA;
(ii) inform Customer if, in our opinion, a Customer’s Instructions may be in violation of the provisions of the Data Protection Laws and Regulations;
(iii) follow Customer’s instructions regarding the collection of Customer Data, in case we are obtaining Customer Data from data subjects on behalf of Customer under Terms;
(iv) take reasonable steps to ensure that any employee/contractor to whom we authorise access to Customer Data on our behalf comply with respective provisions of the Terms and this DPA.
6.2. Notices to Customer
Upon becoming aware, we shall inform you of any legally binding request for disclosure of Customer Data by a Public Authority, unless we are otherwise forbidden by law to inform Customer, for instance, to preserve the confidentiality of investigation by a Public Authority. We will inform the Customer if it becomes aware of any notice, inquiry, or investigation by a Supervisory Authority with respect to the processing of Customer Data under this DPA conducted between you and us.
6.3. Security measures
We shall implement and maintain appropriate technical and organisational measures to protect Customer Data from personal data breaches (hereinafter ‘Security Incidents’), in accordance with our security standards set out in Schedule 2 of this DPA. You acknowledge that security measures are subject to technical progress so that we may modify or update Schedule 2 of this DPA at our sole discretion provided that such modification or update does not result in a material degradation in the security measures offered by Schedule 2 of this DPA.
6.4. Security Incident
Upon becoming aware of a Security Incident, we shall:
(i) notify you without undue delay after we become aware of the Security Incident;
(ii) provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by you; and
(iii) promptly take reasonable steps to contain and investigate any Security Incident so that you can notify competent authorities and/or affected Data Subjects of the Security Incident. Our notification of or response to a Security Incident shall not be construed as an acknowledgement by us of any fault or liability regarding the Security Incident.
We will not access or use, or disclose to any third party, any Customer Data, except, in each case, as necessary to maintain or provide the Services, or as necessary to comply with contractual and legal obligations or binding order of a public body (such as a subpoena or court order). We shall ensure that any employee/contractor whom we authorize to access Customer Data on our behalf is subject to appropriate confidentiality contractual or statutory duty obligations with respect to Customer Data.
6.6. Return or deletion of Customer Data
Upon termination or expiration of the Terms concluded between you and us, we shall delete all Customer Data in our possession or control; except that this requirement shall not apply to the extent, we are required by applicable law or respective contractual obligations to retain some or all of the Customer Data.
6.7. Reasonable Assistance
We agree to provide reasonable assistance to Customer regarding:
(i) any request from a data subject in respect of access to or the rectification, erasure, restriction, portability, blocking or deletion of Customer Data that we process on behalf of Customer. In the event that a data subject sends such a request directly to us, Section 7 of this DPA shall apply;
(ii) the investigation of Security Incident and communication of necessary notifications regarding such Security Incidents subject to Section 6.4 of this DPA;
(iii) preparation of data protection impact assessments and, where necessary, consultation of Customer with the Supervisory Authority under Articles 35 and 36 of the GDPR.
6.8. Audit and Certification
If a Supervisory Authority requires an audit of the data processing facilities from which we process Customer Data to ascertain or monitor Customer's compliance with Data Protection Laws and Regulations, we will cooperate with such audit. The Customer is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time we expend for any such audit, in addition to the rates for services performed by us.
Customer may, prior to the commencement of processing, and at regular intervals, thereafter, audit the technical and organisational measures taken by us. If Customer is the controller with respect to the personal data processed by us on its behalf, upon reasonable and timely advance agreement, during regular business hours and without interruption to our business operations, we may provide Customer with all information necessary to demonstrate compliance with its obligations laid down in the Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer with respect to such processing.
We shall, upon Customer’s written request and within a reasonable period, provide Customer with all information necessary for such audit, to the extent that such information is within our control and we are not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party.
7. Data Subject Request
In the event that a data subject contacts us with regard to the exercise of their rights under Data Protection Laws and Regulations (in particular, requests for access to, rectification or deletion of Customer Data), we will use all reasonable efforts to forward such requests to you. If we are legally required to respond to such a request, we shall immediately notify you and provide you with a copy of the request unless we are legally prohibited from doing so.
You agree that we may engage Sub-processors to assist in fulfilling our obligations with respect to the provision of the Services under the Terms. Agreed list of Sub-processors are set out in Schedule 3 of this DPA.
9. Transfers of Customer Data
Parties agree that when the processing of Customer Data on behalf of Customer in connection with Services constitutes a transfer under Data Protection Laws and Regulations and appropriate safeguards are required, such processing will be subject to the Standard Contractual Clauses and/or UK Addendum which are deemed to incorporated into and form part of this DPA as further described in subsections 9.2 and 9.3 of this DPA. If and to the extent the EU SCCs and/or UK Addendum, as applicable, conflict with any provision of the DPA, the EU SCCs and UK Addendum shall prevail to the extent of such conflict
9.2. Transfers under GDPR
When the processing of Customer Data on behalf of Customer in connection with Services constitutes a “transfer” under GDPR, Standard Contractual Clauses shall apply. When you are a controller and we are a processor, Module Two of the EU SCCs shall apply, and when you are a processor and we are a sub-processor, Module Three of the EU SCCs shall apply.
For the purpose of the EU SCCs, we are a “data importer” and you are a “data exporter”. The relevant provisions contained in the EU SCCs are incorporated by reference and are an integral part of this DPA. Clauses and annexes of the EU SCCs deemed to be completed as follows:
(i) in Clause 7, the optional docking clause shall not apply;
(ii) in Clause 9, Option 2 (General written authorisation) shall apply. For the purpose of Clause 9(a), the time period for informing of data exporter shall be 10 days;
(iii) in Clause 11, the optional provision shall not apply;
(iv) in Clause 13, a particular option shall apply depending on the specific case;
(v) in Clause 17, Option 1 shall apply. The EU SCCs shall be governed by the law of the Federal Republic of Germany;
(vi) in Clause 18(b), disputes shall be resolved by the courts of the Federal Republic of Germany;
(vii) Annex I of the EU SCCs is deemed completed with the information set out in Schedule 1 of this DPA;
(viii) Annex II of the EU SCCs is deemed completed with the information set out in Schedule 2 of this DPA.
9.3. Transfers under UK Data Protection Laws
When the processing of Customer Data on behalf of Customer in connection with Services constitutes a “restricted transfer” under UK Data Protection Laws, UK Addendum shall apply. When you are a controller and we are a processor, Module Two of the EU SCCs shall apply, and when you are a processor and we are a sub-processor, Module Three of the EU SCCs shall apply, as completed in subsection 9.2 of this DPA.
For the purpose of the UK Addendum, we are an “Importer” and you are a “Exporter”. The relevant provisions contained in the UK Addendum are incorporated by reference and are an integral part of this DPA. Tables in the UK Addendum deemed to be completed as follows:
(i) Table 1 in Part 1 is deemed completed with information set out in Schedule 1 of this DPA, and official registration number of Importer is 6896854 and official registration number of Exporter is contained in the Customer’s account, if any;
(ii) Table 2 in Part 1 is deemed completed accordingly with information set out in subsection 9.2 of this DPA;
(iii) Table 3 in Part 1 is deemed completed with information set out in Schedules 1, 2 and 3 of this DPA;
(iv) in Table 4 in Part 1, neither party may end this Addendum as set out in Section 19 of the UK Addendum.
SCHEDULE 1 - DESCRIPTION OF PROCESSING
A. LIST OF PARTIES
Name: You, «Customer», «User»
Address: the relevant information is contained in the Customer’s account.
Contact person’s name, position and contact details: the relevant information is contained in the Customer’s account.
Signature and date: By entering into the Terms, data exporter is deemed to have signed the EU SCCs incorporated herein, including their Annexes, as of the effective date of the Terms.
Name: Snovio Inc.
Address: 220 East 23rd Street, №401, New York, NY, USA 10010
Contact person’s name, position and contact details: the Director Oleksii Kratko, firstname.lastname@example.org
Activities relevant to the data transferred under these Clauses: provision of Snovio Inc.’s services (e.g., CRM, verification, integration of information with other services).
Signature and date: By entering into the Terms, data importer is deemed to have signed the EU SCCs incorporated herein, including their Annexes, as of the effective date of the Terms.
B. DESCRIPTION OF TRANSFER
1. Categories of data subjects whose personal data is transferred:
2. Categories of personal data transferred:
3. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved:
The data importer does not obtain access to the special categories of data (sensitive data).
4. The frequency of the transfer:
The personal data is transferred on a continuous basis.
5. Nature of the processing:
Personal data processing consists of the following: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, alignment or combination, restriction, erasure or destruction.
6. Purpose(s) of the data transfer and further processing:
The purpose of the data processing under these Clauses is the performance of the services for data exporter by the data importer under the Terms concluded between the data importer and the data exporter.
7. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
The personal data shall be stored for the duration of this DPA concluded between the data importer and the data exporter, unless otherwise agreed in writing or the data importer is required by applicable law to retain some or all of the transferred personal data.
8. For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
subject matter: the performance of services
nature: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, alignment or combination, restriction, erasure or destruction.
duration: the performance of the services for data importer by the (sub-) processor under the service agreement concluded between the data importer and (sub-) processor.
C. COMPETENT SUPERVISORY AUTHORITY
In accordance with Clause 13, competent supervisory authority under these Clauses is determined depending on what version of Clause 13(a) applies to the data exporter.
SCHEDULE 2 - TECHNICAL AND ORGANISATIONAL MEASURES
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational measures implemented by the data importer(s) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons:
SCHEDULE 3 - SUB-PROCESSORS
The controller has authorised the use of the following sub-processors:
Name: Amazon.com, Inc.
Address: 410 Terry Avenue North, Seattle, WA 98109-5210, ATTN: AWS Legal
Contact person’s name, position and contact details: https://console.aws.amazon.com/support/home
Description of processing: storage of personal data on the servers of Amazon.com, Inc.