Data Processing Agreement

September 1, 2020

Introduction

This Data Processing Agreement (“Agreement”) forms a legally binding contract between you and Snap, applies to the extent Snap processes Customer Personal Data on your behalf when you are the Data Controller, and is incorporated into the Business Services Terms. Some terms used in this Agreement are defined in the Business Services Terms.

For purposes of this Agreement and the Business Services Terms, if the entity using the Business Services has its principal place of business in France, then “Snap” means Snap Group SAS, or if that entity’s principal place of business is in Australia or New Zealand, then “Snap” means Snap Aus Pty Ltd, even if the entity using the Business Services is acting as agent for another entity somewhere else.

1. Definitions

“Customer Personal Data” means the personal data of EEA, UK, and Brazilian data subjects provided to Snap by you or on your behalf when you are the Data Controller.

“Data Controller” means a controller as defined in the GDPR or LGPD, as applicable, who alone or jointly with others determines the purposes and means of the processing of Customer Personal Data.

“Data Protection Law” means the EEA, UK, and Brazilian data protection laws applicable to the processing of Customer Personal Data under this Agreement, including the GDPR and LGPD.

“EEA” means the European Economic Area.

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

“LGPD” means Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais).

“Personal Data Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data on systems managed or controlled by Snap.

“Subprocessors” means third parties authorized under this Agreement to access and process Customer Personal Data in order to provide parts of the Business Services.

“UK” means the United Kingdom.

The terms “personal data,” “data subject,” “processing,” “controller,” “processor,” “representative,” and “supervisory authority,” each as used in this Agreement, have the meanings given in the GDPR or LGPD, as applicable, in each case irrespective of whether Data Protection Law applies.

2. Processing of Customer Personal Data

a. Roles of Parties. Snap processes Customer Personal Data on behalf of and as instructed by the Data Controller, in accordance with Article 28 (1) GDPR and LGPD, as applicable.

b. Appointment. The Data Controller appoints Snap to process Customer Personal Data on the Data Controller’s behalf only as is necessary to provide the Business Services and as may subsequently be agreed to by the parties in writing.

c. Legitimacy of Processing. The Data Controller is responsible for ensuring a valid legal basis for processing the Customer Personal Data as well as any transfer of Customer Personal Data to a third party.

d. Details of Processing. The subject matter and details of processing are described in Schedule 1 of this Agreement.

e. Compliance with Law. Each party agrees it will comply with its obligations under the Data Protection Law relating to any Customer Personal Data it processes under or in relation to this Agreement. Without prejudice to the foregoing, Snap will not process Customer Personal Data in a manner that will, or is likely to, result in the Data Controller breaching its obligations under the Data Protection Law.

3. Snap Obligations

a. Processing of Customer Personal Data. Snap will only process Customer Personal Data in accordance with the Business Services Terms and this Agreement, and will not use or process Customer Personal Data for any purpose other than in its capacity as processor appointed by the Data Controller.

b. Data Security. In accordance with Article 32 GDPR and LGPD, as applicable, and as described in Schedule 2 of this Agreement, Snap will implement and maintain all appropriate technical, administrative, and organizational measures required to: (i) ensure a level of confidentiality and security appropriate to the risks represented by the processing and the nature of Customer Personal Data; and (ii) prevent unauthorized or unlawful processing of Customer Personal Data, accidental loss, disclosure or destruction of, or damage to, Customer Personal Data.

c. Non-Disclosure. Snap will not publish, disclose, or divulge (and will ensure that its personnel do not publish, disclose, or divulge) Customer Personal Data to a third party unless the Data Controller has given its prior written consent.

d. Confidentiality. Snap will ensure that only personnel who may be required to assist in meeting its obligations under the Business Services Terms or this Agreement will have access to Customer Personal Data and that such personnel are bound by appropriate obligations of confidentiality, and take all reasonable steps in accordance with best industry practice to ensure the confidentiality of the Customer Personal Data.

e. Complaint Handling. Snap will inform the Data Controller promptly, and in any event within two business days, of any enquiry or complaint received from a data subject or supervisory authority relating to Customer Personal Data.

f. Cooperation. Snap will provide reasonable cooperation and assistance to the Data Controller as the Data Controller may reasonably require to allow the Data Controller to comply with its obligations under Articles 32 through 36 GDPR and LGPD, as applicable, including in relation to data security, data breach notification, data protection impact assessments, prior consultation with supervisory authorities, the fulfilment of data subjects’ rights, and any enquiry, notice or investigation by a supervisory authority.

g. Providing Evidence. During the term of this Agreement and for a period of one year thereafter, Snap will make available to the Data Controller, or an internationally recognized auditing firm acting on the Data Controller’s behalf, all information reasonably necessary to demonstrate Snap’s compliance with this Agreement, and Snap will allow for and contribute to audits conducted by the Data Controller or its representatives who are bound by appropriate obligations of confidentiality, if: (i) the Data Controller provides no fewer than ten business days’ prior written notice to Snap; (ii) such audit is conducted during Snap’s normal business hours and in a manner that does not unreasonably interfere with Snap’s normal business operations; (iii) such audit lasts no longer than three total business days; (iv) in no event is the Data Controller (or, for avoidance of doubt, any authorized third-party auditor) entitled to access or receive Snap’s proprietary or confidential information, except to the extent strictly necessary to demonstrate compliance with this Agreement; and (v) the Data Controller is obligated to reimburse Snap for Snap’s documented reasonable costs if that audit determines that Snap is in compliance with this Agreement. In the event the audit determines Snap is out of compliance with this Agreement, then Snap will be obligated for all reasonable costs of such audit.

h. Return or Destroy Customer Personal Data. Upon completion of Snap’s obligations in relation to processing of Customer Personal Data under this Agreement or upon the Data Controller’s request at any time during the term of this Agreement, (and, if the Data Controller so requests, at regular intervals set by the Data Controller), Snap will either: (i) return all or subsets of the Customer Personal Data in Snap’s possession to the Data Controller; (ii) render all or part of Customer Personal Data anonymous in such a manner that the data no longer constitutes personal data; or (iii) permanently delete or render all or parts of the Customer Personal Data unreadable. Upon the Data Controller’s request, Snap must provide written confirmation to the Data Controller of the anonymization, return, and deletion of Customer Personal Data.

i. Hashed Customer Personal Data. If Snap receives Customer Personal Data in hashed or otherwise obfuscated format, Snap will: (i) not attempt to reverse engineer or otherwise try to re-identify the hashed or obfuscated Customer Personal Data unless the Data Controller instructs Snap to do so; and (ii) only share the Customer Personal Data in the format Snap received it from the Data Controller.

4. Personal Data Breach

a. Notification. In accordance with Article 33 GDPR and LGPD, as applicable, Snap will notify the Data Controller without undue delay and, where feasible, no more than 48 hours after becoming aware of a Personal Data Breach. Snap will also provide the Data Controller with a description of the Personal Data Breach, the type of data that was the subject of the Personal Data Breach, (to the extent known to Snap) the categories of data subjects affected, and other information required by applicable Data Protection Law, as soon as such information can be collected or otherwise becomes available, and Snap will cooperate with any reasonable request made by the Data Controller relating to the Personal Data Breach.

b. Investigation. Snap agrees to immediately take action to investigate the Personal Data Breach, to identify, prevent, and mitigate the effects of any such Personal Data Breach, and with the Data Controller’s prior agreement, to carry out any recovery or other action necessary to remedy the Personal Data Breach.

5. Subprocessors

a. Authorized Subprocessors. The Data Controller specifically authorizes the engagement of Snap’s affiliates to process Customer Personal Data and the Data Controller generally authorizes the engagement of any other third parties as Subprocessors to process Customer Personal Data.

b. Obligations of Subprocessor. In accordance with Article 28 (4) GDPR and LGPD, as applicable, Snap will impose legally binding contract terms on each Subprocessor that are as restrictive as those contained in this Agreement.

c. Restricted Access. Snap will ensure each Subprocessor only accesses and uses Customer Personal Data to the extent required to perform the obligations subcontracted to it and in accordance with this Agreement.

d. Updates of Subprocessors. In accordance with Article 28 (2) GDPR, here is an up-to-date list of: (i) all Subprocessors involved in processing Customer Personal Data; (ii) the purposes for which the Subprocessors process Customer Personal Data; and (iii) the location of each Subprocessor.

6. Data Transfers

a. If the Data Controller is established in the EEA and transfers personal data to Snap Inc., Snap Aus Pty Ltd, or Snap Group Limited (in the absence of a legal mechanism automatically permitting unrestricted transfer to the UK), the Standard Contractual Clauses are incorporated by reference into this Agreement and apply to that transfer.

b. With respect to Personal Data of EEA and UK data subjects, the Data Controller and Snap agree that Snap may process Customer Personal Data outside the EEA and the UK where the Data Protection Law requirements (including, where applicable, Articles 44 through 47 GDPR) are fulfilled, or an exception (including, where applicable, those listed in Article 49 GDPR) applies.

c. With respect to Personal Data of Brazilian data subjects, the Data Controller agrees that Snap may process Customer Personal Data outside of Brazil, and represents and warrants that such transfer of Customer Personal Data is in compliance with LGPD.

7. Indemnity; Subprocessor Liability

a. Indemnity. Snap agrees to indemnify the Data Controller against all third-party complaints, charges, claims, damages, losses, costs, liabilities, and expenses due to, arising out of, or relating in any way to Snap’s breach of this Agreement.

b. Indemnity Process. The Data Controller will promptly notify Snap in writing of any indemnification claim, but any failure to notify Snap will not relieve Snap from any indemnity liability or obligation it may have, except to the extent Snap is materially prejudiced by that failure. The Data Controller will reasonably cooperate with Snap, at Snap’s expense, in connection with the defense, compromise, or settlement of any indemnification claim. Snap will not compromise or settle any claim in any manner, nor make any admission of liability, without the Data Controller’s prior written consent, which the Data Controller may provide in its sole discretion. The Data Controller may participate (at its cost) in the defense, compromise, and settlement of the claim with counsel of the Data Controller’s choosing.

c. Subprocessor Liability. Snap acknowledges and agrees that it will remain liable to the Data Controller for a breach of the terms of this Agreement by a Subprocessor and any other subsequent third-party processors appointed by it.

8. Termination

a. Termination. This Agreement will terminate automatically upon termination of the Business Services Terms.

b. Survival. Snap’s obligations related to returning or deleting Customer Personal Data will survive termination of the Business Services Terms and this Agreement until Snap has returned or deleted the Customer Personal Data in accordance with this Agreement.

9. Conflicts

If this Agreement or the Standard Contractual Clauses conflict with the Business Services Terms, any Supplemental Terms and Policies, or the Snap Terms of Service then to the extent of the conflict the governing documents will be, in descending order: the Standard Contractual Clauses (but only to the extent of the transfer of personal data as described above), this Agreement, the Supplemental Terms and Policies, the Business Services Terms, and the Snap Terms of Service.

Schedule 1: Details of Data Processing

The data processing activities carried out by Snap under this Agreement are as follows:

Subject matter

Snap's provision of the Business Services to the Data Controller.

Duration of the Processing

For the term of this Agreement plus the period from expiry of the term of this Agreement until the anonymization, return, or deletion of data in accordance with this Agreement.

Nature and purpose

Snap will process Customer Personal Data for the purposes of providing the Business Services to the Data Controller in accordance with and as described in the Business Services Terms and this Agreement.

Data categories

Customer Personal Data relating to individuals provided to Snap via the Business Services, by (or at the direction of) the Data Controller, which includes:

  • email address
  • telephone number
  • mobile ad ID (IDFA/AAID)
  • IP address
  • cookie id
  • browser user agent
  • actions and events taken on websites and apps, including pages viewed, purchases, searches, check-out events, wish lists, installs, and user registration methods

Data subjects

Data subjects include EEA, UK, and Brazilian individuals about whom personal data is provided to Snap via the Business Services by (or at the direction of) the Data Controller.

Schedule 2: Snap Security Measures

1. Implementation of and compliance with a written information security program consistent with established industry standards and including administrative, technical, and physical safeguards appropriate to the nature of the Customer Personal Data and designed to protect such information from: unauthorized access, destruction, use, modification, or disclosure; unauthorized access to or use that could result in substantial harm or inconvenience to the Data Controller, the Data Controller's customers, or the Data Controller's employees; and any anticipated threats or hazards to the security or integrity of such information.

2. Adopting and implementing reasonable policies and standards related to security.

3. Assigning responsibility for information security management.

4. Devoting adequate personnel resources to information security.

5. Carrying out verification checks on permanent staff who will have access to the Customer Personal Data.

6. Conducting appropriate background checks and requiring employees, vendors, and others with access to the Customer Personal Data to enter into written confidentiality agreements.

7. Conducting training to make employees and others with access to the Customer Personal Data aware of information security risks and to enhance compliance with Snap's policies and standards related to data protection.

8. Preventing unauthorized access to the Customer Personal Data through the use, as appropriate, of physical and logical (passwords) entry controls, secure areas for data processing, procedures for monitoring the use of data processing facilities, built-in system audit trails, use of secure passwords, network intrusion detection technology, encryption and authentication technology, secure log-on procedures, and virus protection, and monitoring compliance with Snap's policies and standards related to data protection on an ongoing basis. In particular, Snap has implemented and complies with, as appropriate and without limitation:

  • Physical access control measures to prevent unauthorized access to data processing systems (e.g., access ID cards, card readers, desk officers, alarm systems, motion detectors, burglar alarms, video surveillance, and exterior security);
  • Denial-of-use control measures to prevent unauthorized use of data protection systems (e.g., automatically enforced password complexity and change requirements, and firewalls);
  • Requirements-driven authorization scheme and access rights, and monitoring and logging of system access to ensure that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that the Customer Personal Data cannot be read, copied, modified, or removed without authorization;
  • Data transmission control measures to ensure that the Customer Personal Data cannot be read, copied, modified, or removed without authorization during electronic transmission, transport, or storage on data media, and transfer and receipt of records. In particular, Snap's information security program will be designed:
    • To encrypt in storage any data sets in Snap's possession, including sensitive personal data; and
    • To ensure that any sensitive personal data transmitted electronically (other than by facsimile) to a person outside Snap's IT system or transmitted over a public network is encrypted to protect the security of the transmission;
  • Data entry control measures to ensure Snap can check and establish whether and by whom the Customer Personal Data has been input into data processing systems, modified, or removed; and
  • Subprocessor supervision measures to ensure that, if Snap is permitted to use subprocessors, the Customer Personal Data is processed strictly in accordance with the Data Controller's instructions including, as appropriate:
    • Measures to ensure that the Customer Personal Data is protected from accidental destruction or loss including, as appropriate and without limitation, data backup, retention and secure destruction policies; secure offsite storage of data sufficient for disaster recovery; uninterrupted power supply, and disaster recovery programs; and
    • Measures to ensure that data collected for different purposes can be processed separately including, as appropriate, physical or adequate logical separation of Customer Personal Data.

9. Taking such other steps as may be appropriate under the circumstances.