SnippetSentry Data Processing Agreement
This Data Processing Agreement (“DPA”) is incorporated into the Agreement and applies if and to the extent
that SnippetSentry is a data processor when processing SnippetSentry Personal Data. Capitalized terms used
in this DPA not otherwise defined herein shall have the meanings set out in the Agreement.
1.0 In this DPA, the following terms and expressions shall have the following meaning:
1.1 Data Controller means the natural or legal person who is considered to be the ‘data controller’ in relation
to the Personal Data under Data Privacy Laws.
1.2 Data Privacy Laws means all applicable privacy and data protection laws, including (but not limited to)
the General Data Protection Regulation ((EU) 2016/679) (“GDPR”), the EU ePrivacy Directive 2002/58/EC as
amended by Directive 2009/136/EC, the General Data Protection Regulation ((EU) 2016/679) as it forms part
of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union
(withdrawal) Act 2018 (and see section 205(4) (“UK GDPR”), the Swiss Federal Act on Data Protection 2020,
Lei Geral de Protecao de Dados (Brazil’s General Data Protection Law), the Personal Information Protection
and Electronic Documents Act (Canada) (S.C. 2000, c. 5) (“PIPEDA”), Canada’s Anti-Spam Legislation (SC
2010, c. 23), and all legislation and regulations in the United States relating to the protection of Personal Data,
including the California Consumer Privacy Act (“CCPA”) as amended by the California Privacy Rights Act
and any implementing, derivative or related legislation, rule, regulation and binding regulatory guidance, in
each case as any of them are amended, revised or replaced from time to time
1.3 Data Processor means the natural or legal person who is considered to be the ‘data processor’ in relation to
the Personal Data under Data Privacy Laws.
1.4 Data Subject has the meaning ascribed to ‘data subject’ under Data Privacy Laws.
1.5 Data Sub-Processor means a data processor engaged by the Data Processor.
1.6 Personal Data means information that is considered under Data Privacy Laws to be “personal data” which
SnippetSentry, as Data Processor, Processes on behalf of Customer, as Data Controller under this Agreement.
1.7 Personal Data Breach has the meaning ascribed to “personal data breach” under Data Privacy Laws, to the
extent that such breach occurs with respect to the Personal Data.
1.8 Processing has the meaning ascribed to “process” or “processing” under Data Privacy Laws, and ‘Process’
shall be construed accordingly.
1.9 Service Provider has the meaning set forth in CCPA
2.0 SnippetSentry (as data processor) agrees with Customer (as data controller) that it shall:
2.1 Process the Personal Data subject to the CCPA as a Service Provider on Customer’s behalf for one or more
business purposes in accordance with Customer’s documented instructions that are set out in the Agreement
including the Appendix to this DPA or as otherwise permitted by the CCPA. SnippetSentry shall not retain, use
or disclose Customer’s Personal Data other than for those purposes, including retaining, using or disclosing
such Personal Data for a commercial purpose other than performing the Services;
2.2 ensure that SnippetSentry’s personnel, agents and contractors that Process the Personal Data are subject to
appropriate contractual or statutory obligations of confidentiality;
2.3 implement the technical and organizational security measures in relation to the Personal Data that are set
out in Part B of the Appendix to this DPA and which SnippetSentry may update from time to time;
2.4 comply with all obligations applicable to it as Service Provider under the CCPA and provide personal
information with the same level of privacy protection as required by the CCPA.
2.5 taking into account the nature of SnippetSentry’s Processing activities in respect of Personal Data and at
Customer’s cost and request, assist Customer by appropriate technical and organizational measures, insofar as
this is possible, to fulfill the Data Controller’s obligations to respond to requests made by Data Subjects in
relation to their rights under Data Privacy Laws;
2.6 taking into account the nature of SnippetSentry’s Processing of the Personal Data and the information
available to SnippetSentry,
(a) notify Customer of a Personal Data Breach in relation to the Personal Data without undue delay; and
(b) at Customer’s request provide reasonable assistance to Customer in relation to any mandatory obligations
applicable to the Data Controller in relation to such Personal Data Breach, under Data Privacy Laws, in each
case at the Customer’s cost except to the extent that the Personal Data Breach was caused by SnippetSentry;
2.7 taking into account the nature of SnippetSentry’s Processing of the Personal Data and at Customer’s cost
and request, provide reasonable assistance to Customer in relation to any mandatory obligations applicable to
the Data Controller in relation to:
(a) the performance of data protection impact assessments by the Data Controller under Data Privacy Laws
and, where applicable,
(b) carrying out consultations with the supervisory authority in relation to same;
2.8 not have the Personal Data Processed by a Data Sub-Processor except to the extent:
(a) any such Data Sub-Processor is bound by data protection obligations no less protective as those contained in
paragraph 2 of this DPA in respect of the Personal Data;
2.9 limit cross-border transfers of Personal Data Processed where the necessary legal conditions for such
transfer and Processing under Data Privacy Laws apply to such transfer and Processing, including but not
limited, if applicable, EU Standard Contractual Clauses, or a European Commission positive adequacy decision
under Article 45 GDPR is in force and covers such transfer, or the EU-US Data Privacy Framework;
2.10 to the extent required by Data Privacy Laws, and at Customer’s cost and prior written request, make
available to Customer information necessary to demonstrate compliance with its data protection obligations
under this DPA and allow for and contribute to audits, including inspections, conducted by the Data Controller
or another auditor mandated by the Data Controller, but in each case only in relation to the Personal Data and
in no circumstances more than once per calendar year, unless a Security Breach occurs that impacts Personal
Data;
2.11 at the election of Customer and at Customer’s cost, delete or return all the Personal Data to Customer at
the end of the term of the Agreement, and delete existing copies of such data unless SnippetSentry is subject to
a legal requirement to store such data beyond the term of the Agreement. Only to the extent CCPA applies to
SnippetSentry’s processing, SnippetSentry may convert Customer Personal Data into aggregated or de-
identified information, which it may use for statistical analysis, business reporting, and marketing purposes.
3.0 Customer agrees and acknowledges that:
3.1 with respect to paragraph 2.1 above, Customer’s instructions that are set out in the Agreement and the
Appendix to this DPA accurately reflect the instructions of the Data Controller to the extent that Customer is a
Data Processor of the Data Controller;
3.2 with respect to paragraph 2.3 above, the technical and organizational security measures that SnippetSentry
has agreed to implement with respect to the Personal Data ensure a level of security appropriate to the risk to
such data;
3.3 with respect to paragraph 2.8 above, SnippetSentry may have the Personal Data Processed by a Data Sub-
Processor to the extent that:
(a) any such Data Sub-Processor is bound by the same data protection obligations as contained in this DPA;
3.4 with respect to paragraph 2.8 above, Customer consents to SnippetSentry appointing hosting providers
(such as Amazon Web Services (AWS)) as third-party processors of personal data under this Agreement and
such other processors as SnippetSentry shall notify to the Customer in writing.
3.5 it has taken measures concerning the Personal Data to ensure compliance with its personal data security and
other obligations prescribed by Data Privacy Law for Data Controllers;
3.6 except in case of Data Sub-Processor or Service Provider engaged by Data Processor, SnippetSentry shall
not be responsible for any loss, alteration, destruction, or disclosure of any Personal Data caused by any third
party, including as a result of any third party service provider’s error, fault, or negligence that causes theft,
abuse, alteration, destruction, or disclosure of data.
3.7 it shall and shall cause, appropriate notices to be provided to, and (where applicable) valid consents to be
obtained from, Data Subjects, in each case that are necessary for SnippetSentry to Process (and have Processed
by Data Sub-Processors) Personal Data under or in connection with the Agreement, including Processing
outside the European Economic Area on the basis of any of the legal conditions for such transfer and
Processing set out in paragraph 2.9 above; and
3.8 it shall not, by act or omission, cause SnippetSentry to violate any Data Privacy Laws, notices provided to,
or consents obtained from, Data Subjects as a result of SnippetSentry or its Data Sub-Processors Processing
Personal Data.
APPENDIX PART A – Details of the Processing Activities
This Appendix describes the subject, scope, nature and purpose of the Personal Data Processing operations that
are governed by the provisions hereof, of which it forms an integral part.
Subject Matter Processing text messages in connection with regulatory compliance
Duration For the Term of the Agreement.
Nature & Purpose of the Processing SnippetSentry will assist customers with the capture, encryption (during
transit only), delivery, and archiving of text messages over agreed channels
Types of Personal Data i.e. any information relating to an identified or identifiable person.
Demographic Data As input by Customer
Contact Details As input by Customer
Government Identifiers As input by Customer
Channel ID As input by Customer
Other As input by Customer
PART B – Security
In accordance with paragraph 2(c) of the DPA, SnippetSentry will adopt and maintain appropriate (including
organizational and technical) security measures in dealing with the Personal Data in order to protect against
unauthorized or accidental access, loss, alteration, disclosure or destruction of such Personal Data.
In determining the technical and organizational security measures required in paragraph 2.3 of the DPA,
SnippetSentry will take account the costs of implementation and the nature, scope, context and purposes of
processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
SnippetSentry’s technical safety measures include: access restrictions to server environment, server access
audits, and mandatory employee security training on the safe handling of data.
Application – Purpose – Location
Gmail – Email Communication – USA
HubSpot – Customer Relationship Management – USA
Slack – Messaging and Collaboration – USA
PandaDoc – Contract and e-Signature Platform – USA
MacStadium – Infrastructure Services – USA
Google Gloud Platfom – Infrastructure Services – USA
SMTP2Go – SMTP Services – USA
Sendgrid – SMTP Services – USA
CloudAMQP – RabbitMQ Services – USA
Contact
For information or questions about the SnippetSentry Data Processing Agreement (DPA) or data we collect, please contact our Data Protection Officer.By Email: dpo@snippetsentry.com
In Writing:
SnippetSentry Inc.
Attention: Data Protection Officer
3001 Bishop Dr. Suite 300
San Ramon CA
94583
If you are a resident of the European Union and wish to exercise your right to access, rectify, delete or object to further processing of the Personal Data we may have about you, please fill out the Personal Data Access, Rectification, and Erasure Request Form.