Snowflake Transfer Mechanism Site

Last Updated: January 12, 2024

The below Transfer Mechanisms and U.S. State Specific Contract Clauses are made available by Snowflake under the written agreement or electronic terms of service or subscription agreement between Snowflake and Customer that expressly references this site (the “Agreement”), and, where applicable, are incorporated into the Agreement by reference. All capitalized terms not defined herein shall have the meanings set forth in the Agreement.

1. Definitions

• “CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act.
• “Data Privacy Framework” means (as applicable) the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework self-certification programs operated by the U.S. Department of Commerce, and their respective successors.
• “Data Privacy Framework Principles” means the Principles and Supplemental Principles contained in the relevant Data Privacy Framework, as may be amended, superseded, or replaced from time to time.
• “European Transfer” means a transfer (directly from Customer to Snowflake or via onward transfer by Snowflake) of Customer Personal Data that is subject to EU & UK Data Protection Law or Data Protection Laws of Switzerland to a country outside the European Economic Area, the United Kingdom, and Switzerland.
• “Standard Contractual Clauses” means the standard contractual clauses approved pursuant to Commission Decision (EU) 2021/91 of 4 June 2021 located here. 
• “UK Addendum” means the International Data Transfer Addendum issued by the Information Commissioner’s Office under s.119(A) of the UK Data Protection Act 2018 located here.

2. European Transfers

If the Data Privacy Framework applies to the European Transfer, Snowflake shall ensure that it provides at least the same level of protection to such Customer Personal Data as is required by the Data Privacy Framework Principles. 

If Data Protection Laws applicable to the European Transfer require the European Transfer to be subject to appropriate safeguards, the Standard Contractual Clauses will apply to such European Transfer, and Snowflake and Customer shall enter the Standard Contractual Clauses (with respect to Customer’s transfer of Customer Personal Data from the European Economic Area or Switzerland) and the UK Addendum (with respect to Customer’s transfer of Customer Personal Data from the United Kingdom), and the respective European Transfer shall be governed by such terms. The Standard Contractual Clauses and UK Addendum (as applicable) shall be incorporated into the Agreement and deemed signed by the Parties. For clarity, for transfers from Switzerland, references in the Standard Contractual Clauses shall be interpreted to include applicable terminology for Switzerland (e.g., “Member State” shall be interpreted to mean “Switzerland”). 

If the Data Privacy Framework or Standard Contractual Clauses apply and Snowflake makes a determination that (i) it can no longer comply with its obligations under the Data Privacy Framework or Standard Contractual Clauses respectively, and (ii) use of another Transfer Mechanisms is not possible, Snowflake shall promptly notify Customer and work with Customer to take reasonable and appropriate steps to remediate such non-compliance.

3. U.S. State-Specific Contract Clauses Prescribed by Data Protection Laws

California: If Customer uploads Customer Personal Data to the Service, which includes personal information governed by the CCPA, then the below clauses shall additionally apply in relation to Snowflake’s role as a ‘Service Provider’ for such Customer Personal Data. Terms used below that are defined by the CCPA shall have the definition in the CCPA.

1. Snowflake shall not sell or share Customer Personal Data.
2. Snowflake shall not combine Customer Personal Data with Personal Information obtained from, or on behalf of, sources other than Customer, except as expressly permitted under the CCPA. However, Customer’s use of the Service to combine Customer Personal Data with Personal Information which it receives from or on behalf of another person or persons shall be deemed combining by Customer, and not Snowflake.
3. Snowflake shall process the Customer Personal Data on behalf of Customer only to provide the Snowflake Offerings and acknowledges that Customer is disclosing the Customer Personal Data to Snowflake only for the limited and specified business purpose(s) set forth within the Agreement. For the avoidance of doubt, the specific business purposes include; the Service and Technical Services (both as defined in the Agreement), as well as any support and other ancillary services (including, without limitation, services to prevent or address service or technical problems) provided pursuant to the Agreement.
4. Snowflake shall not retain, use, or disclose the Customer Personal Data (i) for any purposes (including commercial purposes) other than those business purposes specified in the Agreement and as described in section 3 above, or (ii) outside the direct business relationship between Snowflake and Customer, unless, in each case, expressly permitted by the CCPA and its regulations.
5. Snowflake shall comply with all applicable sections of the CCPA and its regulations, including, with respect to Customer Personal Data, providing the same level of privacy protection as required of businesses by the CCPA and its regulations.
6. Snowflake’s commitments related to security and safeguards for Customer Personal Data, audits, use of its own service providers, and Snowflake’s cooperation in connection with data subject requests are all as set forth in the Agreement.
7. Snowflake shall notify Customer no later than five business days after Snowflake makes a determination that it can no longer meet its obligations under the CCPA and its regulations. Upon such notice from Snowflake, Customer may direct Snowflake to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data by deleting all or the relevant portion of Customer Personal Data from the Service or by such other means as agreed between the parties.