logo

Snap Cloud Data Processing Agreement

Effective Date: October 14, 2025

Introduction

This Snap Cloud Data Processing Agreement forms a legally binding contract between you and Snap, applies to the extent Snap processes User Personal Data on your behalf when you are the data controller, and is incorporated into the Snap Cloud Terms. Some terms used in this Snap Cloud Data Processing Agreement are defined in the Snap Cloud Terms.

1. Definitions

“Data Controller” (or equivalent term under Data Protection Law) means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of User Personal Data.

“Data Protection Law” means all privacy and data protection laws regarding the protection of personal data as applicable to User Personal Data, including without limitation: (i) California Consumer Privacy Act of 2018 (“CCPA”) as amended by the California Privacy Rights Act of 2020 (“CPRA”); (ii) EU Regulation 2016/679 (“GDPR”) and the EU Privacy and Electronic Communications Directive 2002/58/EC (“EPrivacy Directive”) as those laws are implemented in the national laws of EEA/EFTA countries;, (iii) UK Data protection Act 2018 and GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 in the UK (“UK GDPR”); (v) Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”); and (viii) the Saudi Arabian Personal Data Protection Law issued by Royal Decree No. (M/19) dated 9/2/1443 AH (“PDPL”).

"Data Transfer" means a processing activity whereby User Personal Data which is processed in accordance with Data Protection Law is transferred from you to Snap (or our premises) in a third country other than the EEA, UK or a country subject to an adequacy decision made by the European Commission or UK Secretary of State (as applicable) in accordance with the relevant provisions of applicable Data Protection Law. 

“EEA” means the European Economic Area.

“Personal Data Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, User Personal Data on systems managed or controlled by Snap.

"SCCs" means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of personal data in countries not otherwise recognized as offering an adequate level of protection for personal data by the European Commission (as amended and updated from time to time).

“Subprocessors” means third parties authorized under this Snap Cloud Data Processing Agreement to access and process User Personal Data in order to provide parts of the Services.

"UK IDTA Addendum" means the Mandatory Clauses of Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section ‎‎18 of those Mandatory Clauses.

“User Personal Data” means the personal data of EEA, UK, US, Canadian, or Saudi Arabian data subjects provided to Snap by you or on your behalf, or processed by Snap in accordance with your instructions via Snap Cloud, when you are the Data Controller.

“UK” means the United Kingdom.

The terms “personal data,” “data subject,” “processing,” “controller,” ”processor,” “representative,” and “supervisory authority,” (or equivalent term) each as used in this Snap Cloud Data Processing Agreement, have the meanings given in the Data Protection Law as applicable, in each case irrespective of whether Data Protection Law applies.

2. Processing of User Personal Data

a. Roles of Parties. Snap processes User Personal Data on behalf of and as instructed by the Data Controller, in accordance with Data Protection Law.

b. Appointment. The Data Controller appoints Snap to process User Personal Data on the Data Controller’s behalf only as is necessary to provide the Services and as may subsequently be agreed to by the parties in writing.

c. Legitimacy of Processing. The Data Controller is responsible for ensuring a valid legal basis for processing the User Personal Data.

d. Details of Processing. The subject matter and details of processing are described in Schedule 1 of this Snap Cloud Data Processing Agreement.

e. Compliance with Law. Each party agrees it will comply with its obligations under the Data Protection Law relating to any User Personal Data it processes under or in relation to this Snap Cloud Data Processing Agreement. Without prejudice to the foregoing, Snap will not process User Personal Data in a manner that will, or is likely to, result in the Data Controller breaching its obligations under the Data Protection Law. Snap will promptly inform the Data Controller if: (i) Snap is of the opinion that the Data Controller’s instruction infringes Data Protection Law; and (ii)  Snap determines it can no longer meet its obligations under Data Protection Law.

3. Snap Obligations

a. Processing of User Personal Data. Snap agrees that it will not process User Personal Data for any purposes other than in its capacity as a processor appointed by the Data Controller and unless permitted by applicable Data Protection Law, retain, use, or disclose any User Personal Data for any purpose other than for the business purposes specified in the Snap Cloud Terms. 

b. No information Selling or Sharing. Where required by Data Protection Law, Snap acknowledges and confirms that it does not and will not receive any User Personal Data as consideration for any Services or other items that Snap provides to the Data Controller under this Agreement and Snap will not, unless permitted by applicable Data Protection Law: (a) sell or share any User Personal Data as the terms “sell” and “share” are defined by applicable Data Protection Law; (b) combine User Personal Data that Snap receives from, or on behalf of, Data Controller with personal data that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the consumer. 

b. Data Security. In accordance with Data Protection Law, and as described in Schedule 2 of this Snap Cloud Data Processing Agreement, Snap will implement and maintain all appropriate technical, administrative, and organizational measures required to: (i) ensure a level of confidentiality and security appropriate to the risks represented by the processing and the nature of User Personal Data; and (ii) prevent unauthorized or unlawful processing of User Personal Data, accidental loss, disclosure or destruction of, or damage to, User Personal Data.

c. Confidentiality. Snap will not publish, disclose, or divulge User Personal Data to a third party unless the Data Controller has given its prior written consent, or otherwise instructed or authorized, Snap to do so via the Services. Snap will ensure its personnel are bound by appropriate obligations of confidentiality prohibiting Snap personnel from publishing, disclosing, or divulging User Personal Data. 

d. Cooperation. Snap will provide reasonable cooperation and assistance to the Data Controller as the Data Controller may reasonably require to allow the Data Controller to comply with its obligations under Data Protection Law, as further detailed in this Snap Cloud Data Processing Agreement.

e. Data Subject and Supervisory Requests. Snap will inform the Data Controller promptly of any inquiry or complaint Snap receives from a data subject or supervisory authority relating to User Personal Data. Snap will assist the Data Controller, insofar as it is commercially reasonable, to fulfil Data Controller's obligation to respond to requests from data subjects and supervisory authorities as required by Data Protection Law.

f. Data Protection Impact Assessment. Upon request, Snap will provide the Data Controller with commercially reasonable information and assistance, taking into account the nature of the processing activity and the information available to Snap, to assist the Data Controller to conduct a data protection impact assessment as required by Data Protection Law.

g. Providing Evidence. During the term of this Snap Cloud Data Processing Agreement Snap, where required by law, will make available to the Data Controller, or an internationally recognized auditing firm acting on the Data Controller’s behalf, all information reasonably necessary to demonstrate Snap’s compliance with this Snap Cloud Data Processing Agreement, and Snap will allow for and contribute to audits conducted by the Data Controller or its representatives who are bound by appropriate obligations of confidentiality; if: (i) the Data Controller provides no fewer than ten business days’ prior written notice to Snap; (ii) such audit is conducted during Snap’s normal business hours and in a manner that does not unreasonably interfere with Snap’s normal business operations; (iii) such audit lasts no longer than three total business days; (iv) in no event is the Data Controller (or, for avoidance of doubt, any authorized third-party auditor) entitled to access or receive Snap’s proprietary or confidential information, except to the extent strictly necessary to demonstrate compliance with this Snap Cloud Data Processing Agreement; and (v) the Data Controller is obligated to reimburse Snap for Snap’s documented reasonable costs. In the event an audit determines Snap’s use of User Personal Data is unauthorized under Data Protection Law, the Data Controller may take reasonable and appropriate measures, upon reasonable notice to Snap, to remediate such unauthorized use. 

h. Return or Destroy User Personal Data. Upon completion of Snap’s obligations in relation to processing of User Personal Data under this Snap Cloud Data Processing Agreement or upon the Data Controller’s request at any time during the term of this Snap Cloud Data Processing Agreement, Snap will either: (i) return all or subsets of the User Personal Data in Snap’s possession to the Data Controller; (ii) render all or part of User Personal Data anonymous in such a manner that the data no longer constitutes personal data; or (iii) permanently delete or render all or parts of the User Personal Data unreadable. 

4. Personal Data Breach

Where, and to the extent required by Data Protection Law, Snap will notify the Data Controller without undue delay and, where feasible, no more than 72 hours after becoming aware of a Personal Data Breach. Snap will also provide the Data Controller with a description of the Personal Data Breach, the type of data that was the subject of the Personal Data Breach, (to the extent known to Snap) the categories of data subjects affected, and other information required by applicable Data Protection Law, as soon as such information can be collected or otherwise becomes available., and Snap will cooperate with any reasonable request made by the Data Controller relating to the Personal Data Breach.

5. Subprocessors

a. Authorized Subprocessors. The Data Controller specifically authorizes the engagement of Snap’s affiliates to process User Personal Data and the Data Controller generally authorizes the engagement of any other third parties as Subprocessors to process User Personal Data.

b. Obligations of Subprocessor. In accordance with Data Protection Law, Snap will impose contractual terms on each Subprocessor that are as restrictive as those contained in this Snap Cloud Data Processing Agreement.

c. Restricted Access. Snap will require each Subprocessor only access and use User Personal Data to the extent required to perform the obligations subcontracted to it and in accordance with this Snap Cloud Data Processing Agreement.

d. Updates of Subprocessors. In accordance with Data Protection Law, here and Schedule 2 contain an up-to-date list of: (i) all Subprocessors involved in processing User Personal Data; (ii) the purposes for which the Subprocessors process User Personal Data; and (iii) the location of each Subprocessor. Snap will notify the Data Controller at least 30 days before adding a new Subprocessor. 

e. Right to Object. Data Controller has the right to object to the addition of a new Subprocessor, as described in this Section. In the event that the Data Controller objects to the processing of User Personal Data by any newly appointed Subprocessor, it will immediately, but no later than 10 days from Snap’s notification of the new Subprocessor, inform Snap, after which Snap will either: (i) instruct the Subprocessor to cease any further processing of User Personal Data, in which event this Snap Cloud Data Processing Agreement shall continue unaffected; or (ii) allow the Data Controller to terminate this Snap Cloud Data Processing Agreement immediately.

6. Data Transfers

a. If the Data Controller is established in the EEA, UK, or Kingdom of Saudi Arabia and transfers User Personal Data to Snap Inc., then this Section shall:

(i) apply to such transfers; and

(ii) take precedence over all other terms, including the terms of this Snap Cloud Data Processing Agreement, in respect of such transfers.

b. Where a Data Transfer occurs for which you are acting as Data Controller and provide User Personal Data of EEA data subjects to Snap as a processor under this Snap Cloud Data Processing Agreement, then any Data Transfers that occur of such data shall be governed by the EEA controller to processor SCCs which are incorporated into this Snap Cloud Data Processing Agreement with the following amendments (with references in this Subsection to Clauses being to Clauses of the SCCs): (i) in respect of Clause 9 (sub-processors), Snap shall inform you of intended changes by updating the list available here; and (ii) Annexes I and II of the EEA controller to processor SCCs shall be completed with the information set out in Schedules 1 and 2 of this Snap Cloud Data Processing Agreement, respectively.

c. Where a Data Transfer occurs for which you are acting as a Data Controller and provide User Personal Data of UK data subjects to Snap acting as a processor under this Snap Cloud Data Processing Agreement, then any Data Transfers which occur of such data shall be governed by the EEA controller to processor SCCs incorporating the amendments set out in clause 3.a. and the UK IDTA Addendum. 

d. With respect to personal data of EEA and UK data subjects, the Data Controller and Snap agree that Snap may process User Personal Data outside the EEA and the UK where the Data Protection Law requirements (including, where applicable, Articles 44 through 47 GDPR) are fulfilled, or an exception (including, where applicable, those listed in Article 49 GDPR) applies.

e. If, during the term of this Snap Cloud Data Processing Agreement, Snap receives any Government Agency Requests, it will (unless prohibited by Applicable Law from doing so) inform you in writing as soon as reasonably practicable and you and Snap shall (as soon as reasonably practicable) discuss and determine whether all or any transfers of User Personal Data pursuant to this Agreement should be suspended in the light of such Government Agency Requests.

f. If either: (i) any of the means of legitimizing transfers of personal data outside of the EEA countries or UK which are referred to in this Snap Cloud Data Processing Agreement cease to be valid; or (ii) any supervisory authority requires transfers of User Personal Data pursuant to those means to be suspended, then Snap may by notice to the other party, with effect from the date set out in such notice, amend or put in place alternative arrangements in respect of such transfers, as required by the relevant Data Protection Law.

g. In addition, you agree that: (i) the Saudi controller-processor Standard Contractual Clauses govern the transfer of User Personal Data of Saudi Arabian data subjects by you or on your behalf to Snap and are incorporated into this Snap Cloud Data Processing Agreement; (ii) Appendices 1 and 2 of the Saudi controller-processor Standard Contractual Clauses shall be completed with the information set forth in Schedule 1 to this Snap Cloud Data Processing Agreement; (iii) Appendix 3 of the Saudi controller-processor Standard Contractual Clauses shall be completed with the information set forth in Schedule 2 of this Snap Cloud Data Processing Agreement; and (iv) Snap may process the User Personal Data of Saudi Arabian data subjects outside of Saudi Arabia, and you represent and warrant that such transfer of the User Personal Data of Saudi Arabian data subjects is in compliance with all applicable law.

7. Termination

a. Termination. This Snap Cloud Data Processing Agreement will terminate automatically upon termination of the Snap Cloud Terms.

b. Survival. Snap’s obligations related to returning or deleting User Personal Data will survive termination of the Snap Cloud Terms and this Snap Cloud Data Processing Agreement until Snap has returned or deleted the User Personal Data in accordance with this Snap Cloud Data Processing Agreement.

8. Conflicts

If there is a conflict or inconsistency between this Snap Cloud Data Processing Agreement, the Snap Cloud Terms, any applicable supplemental terms and policies, or the Snap Terms of Service the order of priority will be: this Snap Cloud Data Processing Agreement, the Snap Cloud Terms, and the Snap Terms of Service.

Schedule 1: Details of Data Processing

A. List of Parties

Data exporter(s)

The data exporter shall be the Data Controller, as defined in this Snap Cloud Data Processing Agreement, with the name, address, and contact details as provided to Snap via the Services. The activities relevant to the data transferred under these Clauses include the use of the relevant Services in accordance with the Snap Cloud Terms and applicable Supplemental Terms and Policies . The data exporter shall be in the controller role. 

Data importer(s)

The data importer shall be:

Snap Inc., with its address at 3000 31st Street, Santa Monica, California 90405

The activities relevant to the data transferred under these Clauses include the provision of the relevant Services in accordance with the Snap Cloud Terms and applicable Supplemental Terms and Policies terms. The data importer shall be in the processor role.

B. Description of Transfer

The data processing activities carried out by Snap under this Snap Cloud Data Processing Agreement are as follows:

Subject matter

Snap's provision of Snap Cloud and associated Services to the Data Controller.

Duration of the processing and retention

For the term of this Snap Cloud Data Processing Agreement plus the period from expiry of the term of this Snap Cloud Data Processing Agreement until the anonymization, return, or deletion of data in accordance with this Snap Cloud Data Processing Agreement.

Nature and purpose

Snap will process User Personal Data for the purposes of providing Snap Cloud to the Data Controller in accordance with and as described in the Snap Cloud Terms and this Snap Cloud Data Processing Agreement.

Data categories

User Personal Data relating to individuals provided to Snap via the Services, by (or at the direction of) the Data Controller, which may include:

  • User Personal Data of individuals who engage with Lense(s) 

Sensitive data transferred

Unless otherwise contemplated by the Snap Cloud Terms, no sensitive data is transferred. 

Frequency of the transfer 

Continuous

Data subjects

Data subjects include EEA, UK, Canadian, and Saudi Arabian individuals about whom personal data is provided to Snap via the Services by (or at the direction of) the Data Controller.

C. Competent Supervisory Authority

The competent supervisory authority will be the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP).

D. Additional Subprocessors

SUPABASE PTE. LTD

Processing activities: Managed Services 

Location: United States

Schedule 2 - Snap Security Measures

1. Implementation of and compliance with a written information security program consistent with established industry standards and including administrative, technical, and physical safeguards appropriate to the nature of the User Personal Data and designed to protect such information from: unauthorized access, destruction, use, modification, or disclosure; unauthorized access to or use that could result in substantial harm to the Data Controller, the Data Controller's customers, or the Data Controller's employees; and any anticipated threats or hazards to the security or integrity of such information.

2. Adopting and implementing reasonable policies and standards related to security.

3. Assigning responsibility for information security management.

4. Devoting adequate personnel resources to information security.

5. Carrying out verification checks on permanent staff who will have access to the User Personal Data.

6. Conducting appropriate background checks and requiring employees, vendors, and others with access to the User Personal Data to enter into written confidentiality agreements.

7. Conducting training to make employees and others with access to the User Personal Data aware of information security risks and to enhance compliance with Snap's policies and standards related to data protection.

8. Implementing controls designed to prevent unauthorized access to the User Personal Data through the use, as appropriate, of physical and logical (passwords) entry controls, secure areas for data processing, procedures for monitoring the use of data processing facilities, built-in system audit trails, use of secure passwords, network intrusion detection technology, encryption and authentication technology, secure log-on procedures, and virus protection, monitoring compliance with Snap's policies and standards related to data protection on an ongoing basis. In particular, Snap has implemented and complies with, as appropriate and without limitation:

  • Physical access control measures to prevent unauthorized access to data processing systems (e.g., access ID cards, card readers, desk officers, alarm systems, motion detectors, burglar alarms, video surveillance, and exterior security);

  • Denial-of-use control measures to prevent unauthorized use of data protection systems (e.g., automatically enforced password complexity and change requirements and firewalls.);

  • Requirements-driven authorization scheme and access rights, and monitoring and logging of system access to ensure that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that the User Personal Data cannot be read, copied, modified, or removed without authorization;

  • Data transmission control measures to ensure that the User Personal Data cannot be read, copied, modified, or removed without authorization during electronic transmission, transport, or storage on data media, and transfer and receipt of records. In particular, Snap's information security program will be designed:

    • To encrypt in storage any data sets in Snap's possession, including sensitive personal data, using appropriate encryption levels based on industry-leading encryption standards, including AES -256, and storing user identities on the system using key value pair such as ghost_id to prevent storage of actual user ID; and

    • To ensure that any sensitive personal data transmitted electronically (other than by facsimile) to a person outside Snap's IT system or transmitted over a public network is encrypted using the newest supported versions of TLS 1.2 protocol to protect the security of the transmission;

  • Data entry control measures to ensure Snap can check and establish whether and by whom the User Personal Data has been input into data processing systems, modified, or removed;

  • Continuous security testing measures to ensure information security practices remain relevant, effective, and up to date, including annual penetration testing, bug bounty program, use of system scanning tools, tabletop exercises, backup restoration tests, pre-production failovers, and conducting post-mortems on any actual incidents in order to update the relevant disaster recovery plans;

  • Subprocessor supervision measures to ensure that, if Snap is permitted to use subprocessors, the User Personal Data is processed strictly in accordance with the Data Controller's instructions including, as appropriate:

    • Measures to ensure that the User Personal Data is protected from accidental destruction or loss including, as appropriate and without limitation, data backup, retention and secure destruction policies; secure offsite storage of data sufficient for disaster recovery; uninterrupted power supply, and disaster recovery programs; and

    • Measures to ensure that data collected for different purposes can be processed separately including, as appropriate, physical or adequate logical separation of User Personal Data. 

9. Taking such other steps as may be appropriate under the circumstances.