The following Data Processing Agreement was introduced in April 2018, in preparation for GDPR. You might also wish to refer to our List of Sub-Processors and Terms of Service.

Snowplow Analytics Data Processing Agreement

1. Interpretation

1.1 In this agreement:

“Customer” has the meaning given to it in the Service Agreement;

"Data Privacy Laws" means the GDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003/2426, any amendment, consolidation, re-enactment or replacement thereof, and any other legislation of equivalent purpose or effect enacted in the United Kingdom, or, where relevant, the European Union;

"GDPR" means the General Data Protection Regulation (EU) 2016/679 as applied, supplemented, modified and/or replaced by the laws of England (or, where applicable, those of a relevant EU member state) from time to time;

"Personal Data" has the meaning given to it by the GDPR, but will only include personal data to the extent that such personal data, or any part of such personal data, is processed in relation to the performance of the Service Agreement;

“Services” means the services provided by Snowplow to the Customer under the Service Agreement;

“Service Agreement” means the agreement between Snowplow and the Customer for the performance of certain services involving the processing by Snowplow of personal data on behalf of the Customer;

“Snowplow” means Snowplow Analytics Limited, an English company with company number 07852221, or if different the Snowplow affiliate which is party to the Service Agreement; and

otherwise, words and phrases with defined meanings in the GDPR have the same meanings when used in this agreement.

1.2 In the event of any inconsistency between the terms of the Service Agreement and terms of this data processing agreement, the terms of this data processing agreement will govern.

2. Particulars of Personal Data to be processed

2.1 The parties agree (for informational purposes only, and without creating additional obligations on either party or limiting the rights and obligations of either party otherwise existing), the following particulars of the Personal Data to be processed.

2.2 The nature and purpose of the processing to be carried out by Snowplow is provision of a data analytics pipeline service, as more particularly described in the Service Agreement and the service description documents referenced in it. The purpose for which that data analytics pipeline is used is determined by the Customer.

2.3 The duration of processing is the term of the Service Agreement and any period of transitional service provision.

2.4 Prior to any use of the Services with real Personal Data, the Customer will register with Snowplow, through Snowplow’s prescribed method from time to time, the categories of Personal Data which it has configured the Services to collect, and the categories of data subjects whose personal data it is, and will update that registration without delay if it configures the Services to collect different or additional categories of Personal Data, and/or Personal Data from different or additional categories of data subjects. That registration is hereby incorporated by reference into this clause 2.

3. Mutual Obligations

3.1 Each party will comply with the Data Privacy Laws applicable to it in connection with the Service Agreement, and will not cause the other party to breach any of its obligations under Data Privacy Laws.

4. Customer obligations

4.1 The Customer:

4.1.1 will provide to Snowplow on demand all such information as Snowplow may reasonably request in connection with the performance of its obligations under this agreement, including but not limited to the information which Snowplow needs in order to comply with article 30(2) GDPR (if not already within Snowplow’s knowledge); and

4.1.2 represents and warrants that all such information will be correct, complete and not misleading, and that it has disclosed to Snowplow all information relating to the Personal Data which is relevant to Snowplow’s performance of its obligations under this agreement or the Data Privacy Laws in respect of the Personal Data.

4.2 Without prejudice to the generality of clause 3 (Mutual Obligations), the Customer will ensure that in respect of the Personal Data to be processed by Snowplow or its subcontractors under the Service Agreement:

4.2.1 it has established and recorded a valid legal basis for that processing pursuant to article 6 GDPR;

4.2.2 it has established and recorded a valid exemption for the processing of any special categories of Personal Data pursuant to article 9 GDPR;

4.2.3 it has complied with and/or will prior to the commencement of processing comply with the information provision requirements of articles 13 and 14 GDPR, and is able to demonstrate that compliance;

4.2.4 it has complied with and/or will comply with article 22 GDPR in respect of any automated individual decision making in respect of the data subject, including profiling, which it may undertake in connection with the Personal Data;

4.2.5 it secures those systems and services related to the Personal Data which are solely within the Customer’s control, and will secure those aspects of the Services and connected systems as are described as being the Customer’s responsibility to secure in Snowplow’s document “GDPR: Securing data: A guide for Snowplow Insights customers”, as updated or replaced from time to time;

4.2.6 it has conducted and recorded any required privacy impact assessment, or has satisfied itself that no privacy impact assessment is required;

4.2.7 it has made any required notifications to, and obtained any required permissions from, each relevant supervisory authority; and

4.2.8 it has in place appropriate processes and procedures to enable it to comply with requests from data subjects to exercise their rights under GDPR, in particular their rights of objection, access and erasure.

4.3 The Customer acknowledges and agrees that:

4.3.1 it has reviewed and understood Snowplow’s provided documentation on the configuration of the Services, including but not limited to Snowplow’s documents “GDPR: Understanding what data can be and is collected with Snowplow Insights”, “GDPR: Understanding how Snowplow Insights processes data” and “GDPR: Approaches to data deletion and retention with Snowplow Insights”, as they may be updated or replaced from time to time (and Snowplow will draw significant updates or replacements to those documents to the Customer’s attention through some appropriate method);

4.3.2 it is the Customer’s responsibility to determine what Personal Data will be processed by the Services, and how it will be processed, and to configure the Services accordingly (or to instruct Snowplow to configure them accordingly); and

4.3.3 therefore, the lawfulness or otherwise of that processing is in large part determined by how the Customer chooses to use the Services, and Snowplow has no liability whatsoever arising out of or in connection with how the Customer chooses to configure or use the Services.

4.4 The Customer must give all configuration instructions for the Services to Snowplow in writing (which term when used in this context includes email or raising a ticket with the Snowplow service desk).

4.5 Snowplow acknowledges, and will comply with, its obligation under article 28(3) GDPR to inform the Customer if, in its opinion, an instruction given by the Customer infringes the Data Privacy Laws. However, the Customer acknowledges and agrees that Snowplow is not a law firm and does not give legal advice, and therefore Snowplow will have no liability whatsoever to the Customer arising out of or in connection with the content or effect of any such opinion, or whether or when any such opinion is given or not given, or otherwise arising out of or in connection with any such opinion in any way. Without prejudice to its other rights under this agreement, Snowplow reserves the right to decline to act (or to decline to continue to act) on an instruction of the Customer which it considers to be unlawful, but its failure to do so, or to do so by a particular time, will not be construed as a waiver of any of the Customer’s obligations under this clause 4.

5. Snowplow Obligations

5.1 Where Snowplow processes Personal Data (as processor) on behalf of the Customer (as controller) in connection with the Services, Snowplow will:

5.1.1 process that Personal Data only in accordance with the written instructions for the configuration of the Services given to it by the Customer or (at the Customer’s cost) such different or additional instructions received in writing from the Customer from time to time. If compliance with such additional instructions prevents or hinders the performance of Snowplow’s obligations under this agreement, Snowplow will be excused from the performance of the affected obligations, without liability;

5.1.2 ensure that all of its personnel with access to that Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

5.1.3 take the technical and organisational security measures to secure that Personal Data which are described as being Snowplow’s responsibility in Snowplow’s document “GDPR: Securing data: A guide for Snowplow Insights customers” as updated or replaced from time to time, the Customer acknowledging that it has reviewed that description and agrees that the measures described are appropriate and sufficient for the purposes of article 32 GDPR. Snowplow reserves the right to make reasonable changes to the precise security measures in place from time to time; for example it may implement additional measures to respond to new threats, or change how existing measures are implemented to reflect customer feedback or changes in best practice, or remove measures which no longer serve a useful purpose. Snowplow will inform the Customer of any material changes to the security measures in place, and will ensure that any such change does not materially reduce the overall level of security of those aspects of the Services that are Snowplow’s responsibility to secure;

5.1.4 engage only those other processors which are set out in Snowplow’s customer support portal or which are subsequently engaged in accordance with paragraph 8.1.5 (each, a “Sub-Processor”) to process that Personal Data on its behalf, and provided always that: it binds any such Sub-Processor by a written agreement complying with the requirements of article 28 GDPR as it applies to that Sub-Processor’s processing activities; and Snowplow remains liable to the Customer for the acts and omissions of any Sub-Processor, as if they were the acts or omissions of Snowplow itself;

5.1.5 where Snowplow wishes to engage a different or an additional Sub-Processor, first inform the Customer of the identity of the proposed Sub-Processor and provide the Customer with a reasonable opportunity to object to that Sub-Processor’s engagement. If the Customer does so object it will inform Snowplow within 14 days of being so informed, giving reasons for the objection, and if Snowplow cannot within 30 days of that objection address the reasons for it to the Customer’s reasonable satisfaction then Snowplow may choose not to appoint that Sub-Processor, or it may choose to appoint that Sub-Processor regardless, in which case the Customer will be entitled to terminate the Service Agreement by notice to Snowplow;

5.1.6 taking into account the nature of the processing and insofar as is possible, assist the Customer (at the Customer’s cost) with the fulfilment of the Customer's obligation to respond to requests by data subjects to exercise their rights under the Data Privacy Laws over that Personal Data, by providing relevant information requested by the Customer and copies of relevant Personal Data requested by the Customer within a reasonable time and in a commonly used electronic format, in each case unless that information or relevant Personal Data is already accessible to the Customer without Snowplow’s intervention;

5.1.7 taking into account the nature of the processing and the information available to Snowplow, assist the Customer (at the Customer’s cost) in carrying out privacy impact assessments pursuant to article 35 GDPR and prior consultations pursuant to article 36 GDPR in respect of that Personal Data, by providing such relevant information about the processing carried out by Snowplow as the Customer may reasonably request;

5.1.8 inform the Customer of any personal data breach which occurs in respect of the Personal Data under Snowplow’s control without undue delay after becoming aware of it, providing sufficient details to enable the Customer to comply with its own notification obligations (and Snowplow may provide such details in stages as they become available to it, provided that it is reasonable to do so). The Customer acknowledges and agrees that Snowplow cannot proactively monitor for, and may not become aware of, personal data breaches caused by the Customer’s misuse or misconfiguration of Customer systems or the Services;

5.1.9 after the termination of the Services, delete or return to the Customer (at the Customer's option and cost) all copies of the Personal Data in its possession or control, and procure that any relevant Sub-Processor does the same, unless the applicable laws of the United Kingdom or European Union require Snowplow or that Sub-Processor to retain a copy of it;

5.1.10 make available to the Customer on demand all information reasonably necessary to demonstrate compliance with this clause 5, to the extent that it is not already available to the Customer; and

5.1.11 allow the Customer, or its external auditor (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit Snowplow’s data processing activities insofar as they relate to the Personal Data, to enable the Customer to verify that Snowplow is in compliance with this clause 5, provided that: the Customer may exercise that inspection and audit right no more frequently than once per calendar year, unless required by a supervisory authority; the Customer will meet Snowplow’s reasonable costs incurred as a result of any such inspection or audit, unless that inspection or audit shows Snowplow to be in breach of this clause 5; the Customer (or its auditor, as the case may be) will not thereby be entitled to access to personal data or confidential information of any other Snowplow customer, nor to direct access to any computer or storage system unless explicitly required by a supervisory authority; the Customer (or its auditor, as the case may be) complies with Snowplow’s reasonable policies while onsite, including its safety and security policies; and any information coming into the Customer’s possession (or that of its auditor, as the case may be) as a result of such inspection or audit will be and remain the Confidential Information of Snowplow for the purposes of the Service Agreement, and the Customer will (and will procure that its auditor will, as the case may be) treat it accordingly.

5.2 Snowplow and the Customer acknowledge their mutual obligations under Chapter V GDPR in relation to international transfers of Personal Data, and agree to address those obligations as follows. Snowplow will store the Personal Data in the geographical region selected by the Customer. If that geographical region is in the United Kingdom or the European Economic Area, Snowplow will not transfer it outside of the United Kingdom or the European Economic Area without the Customer’s prior written agreement, in which case Snowplow and the Customer agree to enter into such arrangement as may reasonably be required to provide adequate safeguards in respect of that transfer, such as entry into standard-form contracts governing such transfers which have been approved by the EU Commission and/or the UK Information Commissioner (as the case may be).

6. Indemnity

6.1 The Customer will indemnify and hold harmless Snowplow from and against any and all losses, damage, liability, costs (including reasonable legal fees) and expenses incurred by Snowplow or on its behalf as a result of a claim brought against Snowplow based on any breach by the Customer of clause 4 (Customer Obligations).

7. Liability

7.1 Notwithstanding anything to the contrary in the Service Agreement, the Customer’s liabilities and obligations under the indemnity in clause 6 above shall not be limited or excluded in any way.

8. Term and Termination

8.1 This agreement will have effect from the date of the last signature below until the Service Agreement is terminated or expires, whereupon it will terminate automatically.

8.2 A material breach of this agreement will constitute a material breach of the Service Agreement for the purposes of the termination rights set out in the Service Agreement.

9. General

9.1 Except as expressly provided in this agreement, any failure to exercise or delay in exercising (whether fully or at all) a right or remedy provided by this agreement or by law does not constitute a waiver of the right or remedy or a waiver of any other rights or remedies.

9.2 A person who is not a party to this agreement has no right under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this agreement.

9.3 This agreement and all non-contractual obligations arising out of or in connection with it are governed by English law and subject to the exclusive jurisdiction of the English courts.