Crunchy Bridge Data Processing Addendum

Last Updated: June 27, 2025

This Crunchy Bridge Data Processing Addendum (“Data Processing Addendum”) is entered into as of the Addendum Effective Date by and between: (1) Snowflake Inc. (“Snowflake ”); and (2) the natural or legal person that is a party to the Agreement with Snowflake (“Customer”).

1. INTERPRETATION

1.1. In this Data Processing Addendum the following terms shall have the meanings set out in this Paragraph 1, unless expressly stated otherwise:

(a)   “Addendum Effective Date” means the effective date of the Agreement.

(b)   “Agreement” means the Crunchy Bridge Terms of Service at https://www.snowflake.com/en/legal/.

(c)   “California Consumer Privacy Act“ or “CCPA“ means the California Consumer Privacy Act of 2018, as may be amended from time to time

(d)   “Cessation Date” has the meaning given in Paragraph 9.1.

(e)   “Crunchy Bridge Offering” has the meaning set forth in the  Agreement.

(f)   “Customer Personal Data” means any Customer Data that is Personal Data Processed by or on behalf of Snowflake on behalf of Customer under the Agreement.

(g)   “Data Protection Laws” means all data protection and privacy laws applicable to the respective party in its role in the Processing of Personal Data under the Agreement, including, where applicable, GDPR and the CCPA.

(h)   “Data Subject Request” means the exercise by Data Subjects of their rights under, and in accordance with, Chapter III of the GDPR, in respect of Customer Personal Data.

(i)   “Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates.

(j)   “Delete” means to remove or obliterate Personal Data such that it cannot be recovered or reconstructed, and “Deletion” shall be construed accordingly.

(k)   "EEA" means the European Economic Area.

(l)   “EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

(m)   “GDPR” means the UK GDPR and/or EU GDPR (as applicable), together with any applicable implementing or supplementary legislation in any member state of the EEA or the UK (including the UK Data Protection Act 2018). References to “Articles” and “Chapters” of, and other relevant defined terms in, the GDPR shall be construed accordingly.

(n)   “Personal Data Breach” means means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data

(o)   “Personnel” means a person’s employees, agents, consultants or contractors.

(p)   “Post-cessation Storage Period” has the meaning given in Paragraph 9.2.

(q)   “Relevant Body”:

(i)   in the context of the UK and the UK GDPR, means the UK Information Commissioner’s Office and/or UK Government (as and where applicable); and/or

(ii)   in the context of the EEA and EU GDPR, means the European Commission.

(r)   “Restricted Country”:

(i)   in the context of the UK, means a country or territory outside the UK; and

(ii)   in the context of the EEA, means a country or territory outside the EEA (which shall, as and where applicable, be interpreted in line with Article FINPROV.10A(1) of the Trade and Cooperation Agreement between the EU and the UK),

that the Relevant Body has not deemed to provide an ‘adequate’ level of protection for Personal Data pursuant to a decision made in accordance with Article 45(1) of the GDPR.

(s)   “Restricted Transfer” means the disclosure, grant of access or other transfer of Personal Data to any person, which would be prohibited without a legal basis therefor under Chapter V of the GDPR.

(t)   “Security Addendum” means the Crunchy Bridge Security Addendum at https://www.snowflake.com/en/legal/.

(u)   “Standard Contractual Clauses” means the standard contractual clauses issued or approved by the Relevant Body (from time-to-time) for the transfer of Personal Data from Controllers to Processors established in Restricted Countries, the current form of which is available here.

(v)   “Subprocessor” means any third party appointed by or on behalf of Snowflake to Process Customer Personal Data.

(w)   “Supervisory Authority”:

(i)   in the context of the UK and the UK GDPR, means the UK Information Commissioner’s Office; and

(ii)   in the context of the EEA and EU GDPR, shall have the meaning given to that term in Article 4(21) of the EU GDPR.

(x)   “UK GDPR” means the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended (including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019).

1.2. In this Data Processing Addendum:

(a)   the terms, “Controller”, “Processor”, “Personal Data”, and “Process/Processing/Processed” shall have the meaning ascribed to the corresponding terms in the GDPR; and

(b)   unless otherwise defined in this Data Processing Addendum, all capitalised terms in this Data Processing Addendum shall have the meaning given to them in the Agreement.

2. PROCESSING OF CUSTOMER PERSONAL DATA

2.1. The Parties acknowledge that:

(a)   Snowflake acts as a Processor (or subprocessor) acting on behalf of Customer and, with respect to CCPA, as a “service provider” as defined therein; and

(b)   Customer acts as the Controller or (Processor on behalf of a third party data Controller).

2.2. Snowflake shall:

(a)   comply with the Data Protection Laws in Processing Customer Personal Data; and

(b)   not Process Customer Personal Data other than:

(i)   pursuant to Customer’s instructions as described herein; and

(ii)   as required by applicable laws.

2.3. Customer instructs Snowflake to Process Customer Personal Data as necessary:

(a)   to provide the Crunchy Bridge Offering to Customer; and

(b)   to perform Snowflake ’s obligations and exercise Snowflake ’s rights under the Agreement.

2.4. Annex 1 (Data Processing Details) sets out certain information regarding Snowflake ’s Processing of Customer Personal Data as required by Article 28(3) of the GDPR.

2.5. Where Snowflake receives an instruction from Customer that, in its reasonable opinion, infringes the GDPR, Snowflake shall inform Customer.

2.6. Customer acknowledges and agrees that any additional instructions issued by Customer with regards to the Processing of Customer Personal Data by or on behalf of Snowflake pursuant to or in connection with the Agreement, requires the written agreement of Snowflake:

2.7. Customer is responsible for obtaining all consents and rights for the Processing by Snowflake of Customer Personal Data in accordance with this Data Processing Addendum and the Agreement (including, any and all instructions issued by Customer from time to time in respect of such Processing).

3. SUPPLIER PERSONNEL

Snowflake shall take reasonable steps to ensure the reliability of any Snowflake Personnel who Process Customer Personal Data, ensuring:

(a)   that access is strictly limited to those individuals who need to know or access the relevant Customer Personal Data for the purposes described in this Data Processing Addendum; and

(b)   that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4. SECURITY

4.1. Snowflake shall implement appropriate technical and organisational measures designed to protect Customer Personal Data from Security Incidents (as defined in the Security Addendum) and to preserve the security and confidentiality of the Customer Personal Data in accordance with the Security Addendum. 

5. SUBPROCESSING

5.1. Customer provides a general authorization to appoint Subprocessors set forth at snowflake.com/legal in addition to Crunchy Data Teknoloji Limited Şirketi in accordance with this Paragraph 5.

5.2. Snowflake shall give Customer prior written notice of the appointment of any proposed Subprocessor, including reasonable details of the Processing to be undertaken by the Subprocessor. If, within fourteen (14) days of receipt of that notice, Customer notifies Snowflake in writing of any objections (on reasonable grounds) to the proposed appointment the Parties will discuss those objections in good faith with a view to achieving resolution. If it can be reasonably demonstrated to Snowflake that the new Subprocessor is unable to Process Customer Personal Data in compliance with the terms of this DPA and Snowflake cannot provide an alternative Subprocessor, or the Parties are not otherwise able to achieve resolution as provided in the preceding sentence, Customer, as its sole and exclusive remedy, may provide written notice to Snowflake terminating the Agreement with respect only to those aspects of the Crunchy Bridge Offering which cannot be provided by Snowflake without the use of the new Subprocessor.

5.3. With respect to each Subprocessor, Snowflake shall ensure that the arrangement between Snowflake and the Subprocessor is governed by a written contract including terms which offer at least an equivalent level of protection for Customer Personal Data as those set out in this Data Processing Addendum (taking into consideration the nature of the services provided by such Subprocessor).

6. DATA SUBJECT RIGHTS

6.1. Taking into account the nature of the Processing, Snowflake shall provide Customer with such assistance as may be reasonably necessary and technically possible in the circumstances, to assist Customer in fulfilling its obligation to respond to Data Subject Requests.

6.2. Snowflake shall:

(a)   promptly notify Customer if it receives a Data Subject Request, where such request identifies Customer; and

(b)   ensure that it does not respond to any Data Subject Request unless as required by applicable laws.

7. PERSONAL DATA BREACH

7.1. Snowflake shall notify Customer without undue delay upon Snowflake becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information (insofar as such information is, at such time, within Snowflake ’s possession) to allow Customer to meet any obligations under the GDPR to report the Personal Data Breach to:

(a)   affected Data Subjects; or

(b)   the relevant Supervisory Authority(ies) (as may be determined in accordance with the GDPR).

7.2. Snowflake shall take such reasonable commercial steps as related to the investigation, mitigation and remediation of each such Personal Data Breach.

8. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION

Snowflake shall provide reasonable assistance to Customer, at Customer’s cost, with any data protection impact assessments, and prior consultations with Supervisory Authorities, which Customer reasonably considers to be required of it by Article 35 or Article 36 of the GDPR, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing by, and information available to, Snowflake.

9. DELETION OR RETURN OBLIGATIONS

9.1 Upon termination or expiration of the Agreement, Customer may retrieve or delete Customer Personal Data as described in the Agreement. Any Customer Personal Data not deleted by Customer shall be deleted by Snowflake promptly upon the later of (i) expiration or termination of the Agreement and (ii) expiration of any post-termination “retrieval period” described in the Agreement.

10. AUDIT RIGHTS

10.1. Snowflake shall make available to Customer on request such information as Snowflake (acting reasonably) considers appropriate in the circumstances to demonstrate its compliance with this Data Processing Addendum.

10.2. Subject to Paragraphs 10.3 and 10.4, in the event that Customer (acting reasonably) is able to provide documentary evidence that the information made available by Snowflake pursuant to Paragraph 10.1 is not sufficient in the circumstances to demonstrate Snowflake ’s compliance with this Data Processing Addendum, Snowflake shall allow for audits, including on-premise inspections, by Customer or an auditor mandated by Customer in relation to the Processing of the Customer Personal Data by Snowflake.

10.3. In order to request any audit or inspection contemplated byParagraph 10.2, Customer must provide at least fourteen (14) days’ prior written notice unless required by a Supervisory Authority and, in the event Snowflake grants the audit or inspection (i.e., the audit or inspection does not fall within a category listed in Paragraph 10.4), Customer and any auditor must not cause any damage, injury or undue disruption to Snowflake’s premises, equipment, Personnel, data, and business (including any interference with the confidentiality or security of the data of Snowflake’s other customers or the availability of Snowflake’s services to such other customers) while conducting any audit or inspection.

10.4. Snowflake need not give access to its premises for the purposes of such an audit or inspection:

(a)   to any individual unless he or she produces reasonable evidence of his or her  identity and authority;

(b)   to any auditor whom Snowflake has not given its prior written approval (not to be unreasonably withheld);

(c)   unless the auditor enters into a non-disclosure agreement with Snowflake on terms acceptable to Snowflake ;

(d)   where, and to the extent that, Snowflake considers, acting reasonably, that to do so would result in interference with the confidentiality or security of the data of Snowflake ’s other customers or the availability of Snowflake ’s services to such other customers;

(e)   outside normal business hours at those premises; or

(f)   on more than one occasion in any calendar year during the term of the Agreement, except for any additional audits or inspections which Customer is required to carry out under the GDPR or by a Supervisory Authority, where Customer has identified the relevant requirement in its notice to Snowflake of the audit or inspection.

10.5. The Parties shall discuss and agree upon the costs of any inspection or audit to be carried out by or on behalf of Customer pursuant to this Paragraph 10.4 in advance of such inspection or audit and, unless otherwise agreed in writing between the Parties, Customer shall bear any third party costs in connection with such inspection or audit and reimburse Snowflake for all costs incurred by Snowflake and time spent by Snowflake (at Snowflake ’s then-current professional services rates) in connection with any such inspection or audit.

11. RESTRICTED TRANSFERS

11.1. Subject to Paragraph 11.2, to the extent that any Processing by either Snowflake or any Subprocessor of Customer Personal Data involves a Restricted Transfer, the Parties agree that:

(a)   Customer – as “data exporter”; and

(b)   Snowflake or Subprocessor (as applicable) – as “data importer”,

shall enter into the Standard Contractual Clauses in respect of that Restricted Transfer and the associated Processing in accordance with Paragraph 11.2.

11.2. the Standard Contractual Clauses will apply to such Restricted Transfer, (with respect to Customer’s transfer of Customer Personal Data from the European Economic Area or Switzerland) and the UK Addendum (with respect to Customer’s transfer of Customer Personal Data from the United Kingdom), and the respective European Transfer shall be governed by such terms. The Standard Contractual Clauses and UK Addendum (as applicable) shall be incorporated into the Agreement and deemed signed by the Parties. For clarity, for transfers from Switzerland, references in the Standard Contractual Clauses shall be interpreted to include applicable terminology for Switzerland (e.g., “Member State” shall be interpreted to mean “Switzerland”). 

12. INCORPORATION AND PRECEDENCE

12.1. This Data Processing Addendum is hereby incorporated into and forms part of the Agreement with effect from the Addendum Effective Date.

12.2. In the event of any conflict or inconsistency between:

(a)   this Data Processing Addendum and the Agreement, this Data Processing Addendum shall prevail; or

(b)   any Standard Contractual Clauses entered into pursuant to Paragraph 11 and this Data Processing Addendum and/or the Agreement, those Standard Contractual Clauses shall prevail provided that, it is agreed that the following shall apply:

(i)   in the event of any request under Clause 5(j) of the Standard Contractual Clauses that Snowflake provide copies of any Subprocessor agreement(s) to the Customer, Snowflake may remove or redact all commercial information or all or part of any clauses, recitals, schedules annexes, appendices etc., unrelated to the Standard Contractual Clauses or their equivalent beforehand;

(ii)   the audits described in Clause 5(f) and Clause 12(2) of the Standard Contractual Clauses shall be performed in accordance with Paragraph 10, and shall be subject to any relevant conditions, limitations or restrictions therein;

(iii)   any authorisations or approvals of current and future Subprocessors given to Snowflake pursuant to Paragraph 5 will constitute Customer’s prior written consent to the subcontracting by Snowflake of the Processing of Customer Personal Data if and as such consent is required under Clause 5(h) of the Standard Contractual Clauses; and

(iv)   certification of deletion of Customer Personal Data as described in Clause 12(1) of the Standard Contractual Clauses shall be provided only upon Customer’s written request.