Last Updated: March 25, 2024 | Previous Versions
This Snowflake Data Clean Rooms Data Processing Addendum («Snowflake DCRs DPA«) forms part of, and is subject to, the Snowflake Data Clean Rooms Terms between the member of the Snowflake Group that is a party to the Snowflake Snowflake Data Clean Rooms Terms (“Snowflake”) and the legal entity defined as ‘Customer’ thereunder (for purposes of this Snowflake DCRs DPA, “Customer”, and together with Snowflake, the “Parties” and each a “Party” (such agreement, the “Agreement”)). All capitalized terms not defined in this Snowflake DCRs DPA shall have the meanings set forth in the Agreement.
1. DEFINITIONS.
1.1. “Authorized Affiliate” shall mean a Customer Affiliate who is not bound to the Agreement, but is either a Data Controller or Data Processor for the Snowflake DCRs Personal Data processed by Snowflake pursuant to the Agreement, for so long as such entity remains a Customer Affiliate.
1.2. “AuthorizedAffiliate” shall mean a Customer Affiliate who is not bound to the Agreement, but is either a Data Controller or Data Processor for the Snowflake DCRs Personal Data processed by Snowflake pursuant to the Agreement, for so long as such entity remains a Customer Affiliate.
1.3. “California Consumer Privacy Act” or “CCPA” means the California Consumer Privacy Act of 2018, as may be amended from time to time.
1.4. “CMA Customer Data” has the meaning set forth in the Agreement.
1.5. “Data Controller” means an entity that determines the purposes and means of the Processing of Personal Data.
1.6. “Data Processor” means an entity that Processes Personal Data on behalf of a Data Controller.
1.7. “Data Protection Laws” means all data protection and privacy laws applicable to the respective party in its role in the Processing of Personal Data under the Agreement, including, where applicable, EU & UK Data Protection Law and the CCPA.
1.8. “Data Subject” means the identified or identifiable natural person to whom Snowflake DCRs Personal Data relates.
1.9. “EU & UK Data Protection Law” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); and (ii) the GDPR as it forms part of United Kingdom law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”) and the Data Protection Act 2018.
1.10. “Personal Data” means any information, including opinions, relating to an identified or identifiable natural person and includes similarly defined terms in Data Protection Laws, including, but not limited to, the definition of “personal information” in the CCPA.
1.11. “Processing” shall mean any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, and “Process”, “Processes” and “Processed” will be interpreted accordingly.
1.12. “Purposes” shall mean (i) Snowflake’s provision of Snowflake DCRs as described in the Agreement and the Snowflake DCRs Documentation, including Processing initiated by users in their use of Snowflake DCRs; and (ii) further documented, reasonable instructions from Customer agreed upon by the Parties.
1.13. “Service” has the meaning set forth in the Agreement.
1.14. “Service Agreement” has the meaning set forth in the Agreement.
1.15. “Snowflake DCRs” has the meaning set forth in the Agreement.
1.16. “Snowflake DCRs Personal Data” means any Snowflake DCRs-Processed Data (where Customer is subject to a Service Agreement) or CMA Customer Data (where Customer is a CMA Customer) that is Personal Data.
1.17. “Snowflake DCRs Security Addendum” has the meaning set forth in the Agreement.
1.18. “Snowflake DCRs-Processed Data” has the meaning set forth in the Agreement.
1.19. “Snowflake Group” means Snowflake Inc. and its Affiliates.
1.20. “Sub-processor” means any other Data Processors engaged by a member of the Snowflake Group to Process Snowflake DCRs Personal Data.
1.21. “Systems” has the meaning set forth in the Agreement.
2. DPA SCOPE AND APPLICABILITY OF THIS DPA.This Snowflake DCRs DPA applies where and only to the extent that Snowflake Processes Snowflake DCRs Personal Data on behalf of Customer as Data Processor in the course of providing Snowflake DCRs.
3. ROLES AND SCOPE OF PROCESSING.
3.1. Role of the Parties. As between Snowflake and Customer, Snowflake shall Process Snowflake DCRs Personal Data only as a Data Processor (or sub-processor) acting on behalf of Customer and, with respect to CCPA, as a “service provider” as defined therein, in each case regardless of whether Customer acts as a Data Controller or as a Data Processor on behalf of a third-party Data Controller (such third-party, the “Third-Party Controller”) with respect to Snowflake DCRs Personal Data. To the extent any Usage Data (as defined in the Agreement) is considered Personal Data under applicable Data Protection Laws, Snowflake is the Data Controller of such data and shall Process such data in accordance with the Agreement and applicable Data Protection Laws.
3.2. Customer Instructions. Snowflake will Process Snowflake DCRs Personal Data only for the Purposes. Customer shall ensure its Processing instructions are lawful and that the Processing of Snowflake DCRs Personal Data in accordance with such instructions will not violate applicable Data Protection Laws. The Parties agree that the Agreement (including this Snowflake DCRs DPA) sets out the exclusive and final instructions to Snowflake for all Processing of Snowflake DCRs Personal Data, and (if applicable) include and are consistent with all instructions from Third-Party Controllers. Any additional requested instructions require the prior written agreement of Snowflake. Snowflake shall promptly notify Customer if, in Snowflake’s opinion, such instruction violates EU & UK Data Protection Law. Where applicable, Customer shall be responsible for any communications, notifications, assistance and/or authorizations that may be required in connection with a Third-Party Controller.
3.3. Customer Affiliates. Snowflake’s obligations set forth in this Snowflake DCRs DPA also extend to Authorized Affiliates, subject to the following conditions:
(i) Customer must exclusively communicate any additional Processing instructions requested pursuant to 3.2 directly to Snowflake, including instructions from its Authorized Affiliates;
(ii) Customer shall be responsible for Authorized Affiliates’ compliance with this Snowflake DCRs DPA and all acts and/or omissions by an Authorized Affiliate with respect to Customer’s obligations in this Snowflake DCRs DPA shall be considered the acts and/or omissions of Customer; and
(iii) Authorized Affiliates shall not bring a claim directly against Snowflake. If an Authorized Affiliate seeks to assert a legal demand, action, suit, claim, proceeding or other forms of complaints or proceedings against Snowflake (“Authorized Affiliate Claim”): (a) Customer must bring such Authorized Affiliate Claim directly against Snowflake on behalf of such Authorized Affiliate, unless Data Protection Laws require the Authorized Affiliate be a party to such claim; and (b) all Authorized Affiliate Claims shall be considered claims made by Customer and shall be subject to any liability restrictions set forth in the Agreement, including, but not limited to, any aggregate limitation of liability.
3.4. Processing of Personal Data. Each Party will comply with its respective obligations under Data Protection Laws. Customer agrees (i) it will use Snowflake DCRs in a manner designed to ensure a level of security appropriate to the particular content of the Snowflake DCRs Personal Data, such as pseudonymizing and backing-up Snowflake DCRs Personal Data; and (ii) it has obtained all consents, permissions and/or rights necessary under Data Protection Laws for Snowflake to lawfully Process Snowflake DCRs Personal Data for the Purposes, including, without limitation, Customer’s sharing and/or receiving of Snowflake DCRs Personal Data with third-parties via Snowflake DCRs.
3.5. Details of Data Processing.
3.5.1. Subject Matter: The subject matter of the Processing under this Snowflake DCRs DPA is the Snowflake DCRs Personal Data.
3.5.2. Frequency and duration: Notwithstanding expiration or termination of the Agreement, Snowflake will Process the Snowflake DCRs Personal Data continuously and until deletion of all Snowflake DCRs Personal Data as described in this Snowflake DCRs DPA or the Snowflake DCRs Documentation.
3.5.3. Purpose: Snowflake will Process the Snowflake DCRs Personal Data only for the Purposes, as described in this Snowflake DCRs DPA.
3.5.4. Nature of the Processing: Snowflake will perform Processing as needed for the Purposes, and to comply with Customer’s Processing instructions as provided in accordance with the Agreement and this Snowflake DCRs DPA.
3.5.5. Retention Period. The period for which Snowflake DCRs Personal Data will be retained and the criteria used to determine that period is determined by Customer during the term of the Agreement via Customer’s use and configuration of Snowflake DCRs. Upon termination or expiration of the Agreement, Snowflake DCRs Personal Data will be promptly deleted. Customer is responsible for maintaining a back-up copy of Snowflake DCRs Personal Data in systems outside of Snowflake DCRs, such as on Customer Systems.
3.5.6. Categories of Data Subjects: The categories of Data Subjects to which Snowflake DCRs Personal Data relate are determined and controlled by Customer in its sole discretion, and may include, but are not limited to:
(A) Prospects, customers, business partners and vendors of Customer (who are natural persons);
(B) Employees or contact persons of Customer’s prospects, customers, business partners and vendors; and/or
(C) Employees, agents, advisors, and freelancers of Customer (who are natural persons).
3.5.7. Categories of Personal Data: The types of Snowflake DCRs Personal Data are determined and controlled by Customer in its sole discretion, and may include, but are not limited to:
(A) Identification and contact data (name, address, title, contact details);
(B) Financial information (credit card details, account details, payment information);
(C) Employment details (employer, job title, geographic location, area of responsibility); and/or
(D) IT information (IP addresses, cookies data, location data).
3.5.8. Special Categories of Personal Data (if applicable): Subject to any applicable restrictions and/or conditions in the Agreement or Snowflake DCRs Documentation, Customer may also include ‘special categories of personal data’ or similarly sensitive Personal Data (as described or defined in Data Protection Laws) in Snowflake DCRs Personal Data, the extent of which is determined and controlled by Customer in its discretion, and which may include, but is not limited to Snowflake DCRs Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data Processed for the purposes of uniquely identifying a natural person, data concerning health and/or data concerning a natural person’s sex life or sexual orientation.
4. SUB-PROCESSING.
4.1.Authorized Sub-processors. Customer provides Snowflake with a general authorization to engage Sub-processors, subject to Section 4.3 (Changes to Sub-processors), as well as Snowflake’s current Sub-processors listed at Exhibit 1 (Snowflake DCRs Sub-Processors and Affiliates) as of the effective date of this Snowflake DCRs DPA and members of the Snowflake Group.
4.2. Sub-processor Obligations. Snowflake shall: (i) enter into a written agreement with each Sub-processor imposing data protection obligations no less protective of Snowflake DCRs Personal Data as Snowflake’s obligations under this Snowflake DCRs DPA to the extent applicable to the services provided by the Sub-processor; and (ii) remain liable for each Sub-processor’s compliance with the obligations under this Snowflake DCRs DPA. Upon written request, and subject to any confidentiality restrictions, Snowflake shall provide Customer all relevant information it reasonably can in connection with its applicable Sub-processor agreements where required to satisfy Customer’s obligations under Data Protection Laws.
4.3. Changes to Sub-processors. Snowflake shall notify Customer at least twenty-eight (28) days in advance of allowing any new Sub-processor to Process Snowflake DCRs Personal Data (the “Objection Period”), and such notification shall be sent to the email provided by Customer to Snowflake for such purposes, and where no such email is provided, Customer acknowledges that the means of notification shall be at Snowflake’s reasonable discretion and Snowflake’s ability to timely notify shall be negatively impacted. During the Objection Period, objections (if any) to Snowflake’s appointment of the new Sub-processor must be provided to Snowflake in writing at [email protected] and based on reasonable grounds. In such an event, the Parties will discuss those objections in good faith with a view to achieving resolution. If it can be reasonably demonstrated to Snowflake that the new Sub-processor is unable to Process Snowflake DCRs Personal Data in compliance with the terms of this Snowflake DCRs DPA and Snowflake cannot provide an alternative Sub-processor, or the Parties are not otherwise able to achieve resolution as provided in the preceding sentence, Customer, as its sole and exclusive remedy, may terminate the Agreement by providing advance written notice to Snowflake of such termination.
5. SECURITY.
5.1. Security Measures. Snowflake shall implement and maintain appropriate technical and organizational security measures designed to protect Snowflake DCRs Personal Data from Security Incidents and to preserve the security and confidentiality of the Snowflake DCRs Personal Data as described in the Snowflake DCRs Security Addendum. Snowflake may review and update the Snowflake DCRs Security Addendum from time to time, subject to section 15.5 (Changes in Terms) of the Agreement.
5.2. Confidentiality of Processing. Snowflake shall ensure that any person who is authorized by Snowflake to Process Snowflake DCRs Personal Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
5.3. No Assessment of Snowflake DCRs Personal Data by Snowflake. Snowflake shall have no obligation to assess the contents or accuracy of Snowflake DCRs Personal Data, including to identify information subject to any specific legal, regulatory, or other requirement. Customer is responsible for making an independent determination as to whether its use of Snowflake DCRs will meet Customer’s requirements and legal obligations under Data Protection Laws.
5.4. Customer Audit Rights. Audits shall be governed by the Snowflake DCRs Security Addendum.
6. DATA TRANSFERS.
6.1. Hosting and Processing Locations.
6.1.1. The hosting location of Snowflake DCRs Personal Data that is CMA Customer Data shall be the region(s) offered by Snowflake and configured by Customer via Snowflake DCRs or as otherwise set forth in the Snowflake DCRs Documentation.
6.1.2. Customer is solely responsible for the regions from which its Users access the Snowflake DCRs Personal Data, for any transfer or sharing of Snowflake DCRs Personal Data by Customer or its Users and for any subsequent designation of other hosting locations (either for the same Account, a different Account, or separate Snowflake DCRs). Snowflake will not Process Snowflake DCRs Personal Data from outside the country of the hosting location chosen by Customer except as reasonably necessary to provide Snowflake DCRs procured by Customer, or as necessary to comply with the law or binding order of a governmental body.
6.2. Requirements Prescribed by Data Protection Laws.
6.2.1. Transfer Mechanisms and/or Contract Clauses Prescribed by Data Protection Laws. If Data Protection Laws have prescribed specific mechanisms for the transfer of Snowflake DCRs Personal Data to Snowflake and/or contract clauses for Processing of Snowflake DCRs Personal Data by Snowflake (collectively, a “Transfer Mechanism”), Snowflake shall make such specific Transfer Mechanism available (to the extent generally supported by Snowflake) at www.snowflake.com/legal/transfermechanisms (the “Transfer Mechanism Site”). For clarity, the term ‘Customer Personal Data’ used on the Transfer Mechanism Site, shall be deemed to mean Snowflake DCRs Personal Data, as defined herein, and all references to the ‘Service’ or ‘Snowflake Offerings’ shall be deemed to be references to Snowflake DCRs. A Transfer Mechanism shall not apply and shall not be incorporated into this Snowflake DCRs DPA if it is not applicable to (i) transfers from Customer to Snowflake (including where no such transfer occurs), or (ii) Processing by Snowflake of Snowflake DCRs Personal Data. If a listed Transfer Mechanism is, or becomes applicable under Data Protection Laws, it shall be deemed to be signed by the Parties and is incorporated into this Snowflake DCRs DPA. Subject to Section 7.2.2 (Customer Objection Rights) below, Snowflake may only remove an applicable Transfer Mechanism if the Transfer Mechanism has ceased being valid under the Data Protection Law or Snowflake is offering an alternative, then-currently valid Transfer Mechanism.
6.2.2.Updates to the Transfer Mechanism Site.Snowflake shall notify Customer of changes to its Transfer Mechanisms by updating the Transfer Mechanism Site and posting a summary and date of the relevant changes.
6.3. Security Incident Response. Incident detection and response shall be governed by the Snowflake DCRs Security Addendum.
7. COOPERATION.
7.1. Data Subject Requests. Snowflake shall promptly notify Customer if Snowflake receives a request from a Data Subject that identifies Customer, including where the Data Subject seeks to exercise any of its rights under applicable Data Protection Laws (collectively, “Data Subject Request”). Customer is solely responsible for ensuring compliance with its obligations with respect to Data Subject Requests. Customer acknowledges that with respect to Snowflake DCRs Personal Data, Customer may be required to manage certain aspects of Data Subject Requests through either the use of Customer Systems or the use of the separately licensed Service pursuant to the Service Agreement, or where deletion is required, deleting such data from Snowflake DCRs as described in the Snowflake DCRs Documentation. To the extent Customer is unable to handle Data Subject Requests in connection with Snowflake DCRs, Snowflake shall (upon Customer’s written request and taking into account the nature of Snowflake’s Processing) provide commercially reasonable cooperation to assist Customer in responding to Data Subject Requests.
7.2. Data Protection Impact Assessments. Snowflake shall provide reasonably requested information regarding Snowflake DCRs to enable Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Laws, so long as Customer does not otherwise have access to the relevant information.
7.3. Government & Law Enforcement Inquiries. If Snowflake receives a demand to retain, disclose, or otherwise Process Snowflake DCRs Personal Data from law enforcement or any other government and/or public authority (“Third-Party Demand”), then Snowflake shall attempt to redirect the Third-Party Demand to Customer. Customer agrees that Snowflake can provide information to such third-party to the extent reasonably necessary to redirect the Third-Party Demand to Customer. If Snowflake cannot redirect the Third-Party Demand to Customer, then Snowflake shall, to the extent legally permitted to do so, provide Customer reasonable notice of the Third-Party Demand as promptly as feasible under the circumstances to allow Customer to seek a protective order or other appropriate remedy. This section does not diminish Snowflake’s obligations under any applicable Transfer Mechanisms with respect to access by public authorities.
8. RELATIONSHIP WITH THE AGREEMENT.
8.1. The Parties agree that this Snowflake DCRs DPA shall replace and supersede any existing data processing addendum, attachment, exhibit or standard contractual clauses that Snowflake and Customer may have previously entered into in connection with Snowflake DCRs. Snowflake may update this Snowflake DCRs DPA from time to time subject to section 15.5 (Changes in Terms) of the Agreement
8.2. Except as provided by this Snowflake DCRs DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this Snowflake DCRs DPA and the Agreement, this Snowflake DCRs DPA shall prevail to the extent of that conflict in connection with the Processing of Snowflake DCRs Personal Data.
8.3. Notwithstanding anything to the contrary in the Agreement or this Snowflake DCRs DPA, Snowflake’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or relating to this Snowflake DCRs DPA, the Transfer Mechanisms, and any other data protection agreements in connection with the Agreement (if any), shall be subject to any aggregate limitations on liability set out in the Agreement. Without limiting the Parties’ obligations under the Agreement, each Party agrees that any regulatory penalties incurred by one Party (the “Incurring Party”) in relation to the Snowflake DCRs Personal Data that arise as a result of, or in connection with, the other Party’s failure to comply with its obligations under this Snowflake DCRs DPA or any applicable Data Protection Laws shall count toward and reduce the Incurring Party’s liability under the Agreement as if it were liability to the other Party under the Agreement.
8.4. In no event shall this Snowflake DCRs DPA benefit or create any right or cause of action on behalf of a third party (including a Third-Party Controller), but without prejudice to the rights or remedies available to Data Subjects under Data Protection Laws or this Snowflake DCRs DPA (including the Transfer Mechanisms).
8.5. This Snowflake DCRs DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement.