Last Updated: November 15, 2022
The below Data Transfer Mechanisms and U.S. State Specific Contract Clauses are made available by Snowflake under the written agreement or electronic terms of service or subscription agreement between Snowflake and Customer that expressly references this site (the “Agreement”), and, where applicable, are incorporated into the Agreement by this reference. Capitalized terms not defined herein have the meaning set forth in the Agreement.
Data Transfer Mechanisms
a. EEA & Switzerland: If Customer transfers Customer Personal Data from the EEA or Switzerland to Snowflake in a non-adequate country, such transfers shall be governed by the standard contractual clauses for the transfer of personal data to third countries approved pursuant to Commission Decision (EU) 2021/914 of 4 June 2021 located here. For clarity, for transfers from Switzerland, references in the standard contractual clauses shall be interpreted to include applicable terminology for Switzerland (e.g., “Member State” shall be interpreted to mean “Switzerland”).
b. United Kingdom: If Customer transfers Customer Personal Data from the United Kingdom to Snowflake in a non-adequate country, such transfers shall be governed by the International Data Transfer Addendum issued by the Information Commissioner’s Office under s.119(A) of the UK Data Protection Act 2018 located here.
Contract Clauses Prescribed by Data Protection Law
a. California: If Customer uploads Customer Personal Data to the Service which includes personal information governed by the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (collectively, “CCPA”), then the below clauses shall additionally apply in relation to Snowflake’s role as a ‘Service Provider’ for such Customer Personal Data. Terms used below that are defined by CCPA shall have the definition in CCPA.
1. Snowflake shall not sell or share Customer Personal Data.
2. Snowflake shall not combine Customer Personal Data with Personal Information obtained from, or on behalf of, sources other than Customer, except as expressly permitted under the CCPA. However, Customer’s use of the Service to combine Customer Personal Data with Personal Information which it receives from or on behalf of another person or persons shall be deemed combining by Customer, and not Snowflake.
3. Snowflake shall process the Customer Personal Data on behalf of Customer only to provide the Snowflake Offerings and acknowledges that Customer is disclosing the Customer Personal Data to Snowflake only for the limited and specified business purpose(s) set forth within the Agreement. For the avoidance of doubt, the specific business purposes include the Service and Technical Services (both as defined in the Agreement), as well as any support and other ancillary services (including, without limitation, services to prevent or address service or technical problems) provided pursuant to the Agreement.
Snowflake shall not retain, use, or disclose the Customer Personal Data (i) for any purposes (including commercial purposes) other than those business purposes specified in the Agreement and as described in section 3 above, or (ii) outside the direct business relationship between Snowflake and Customer, unless, in each case, expressly permitted by the CCPA and its regulations.
4. Snowflake shall comply with all applicable sections of the CCPA and its regulations, including, with respect to Customer Personal Data, providing the same level of privacy protection as required of businesses by CCPA and its regulations.
5. Snowflake’s commitments related to security and safeguards for Customer Personal Data, audits, use of its own service providers, and Snowflake’s cooperation in connection with data subject requests are all as set forth in the Agreement.
6. Snowflake shall notify Customer no later than five business days after Snowflake makes a determination that it can no longer meet its obligations under the CCPA and its regulations. Upon such notice from Snowflake, Customer may direct Snowflake to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data by deleting all or the relevant portion of Customer Personal Data from the Service or by such other means as agreed between the parties.