Last Updated: March 10, 2025
This Vendor Data Protection Addendum (the “DPA”) forms part of, and is subject to, the Agreement by and between the party identified as ‘Vendor’ (or as otherwise named in the Agreement) along with its Affiliates (collectively, “Vendor”) and the member of the Snowflake Group that is a party to the Agreement with Vendor for Vendor’s services (“Snowflake”). All capitalized terms not otherwise defined herein shall have the meanings set forth in the Agreement.
Vendor will provide services as described in the Agreement that will involve the Processing of Personal Data (the “Services”). In delivering the Services under the Agreement, Vendor may Process Personal Data controlled by Snowflake, Snowflake Affiliate and/or their respective representatives, customers, or business partners.
1. DEFINITIONS
“Agreement” means collectively the written agreement under which Snowflake licenses, or is provided access to, or receives the Services, which may include one or more purchase orders, contracts and/or agreements, including any evaluation or pre-release agreements.
“Applicable Privacy Law(s)” means all data protection and privacy laws and regulations worldwide applicable to the Personal Data in question, including, where applicable, European Data Protection Law and U.S. state data protection laws, including, but not limited to, the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020, together with all implementing regulations (the “CCPA”).
“Authorized Person(s)” means any person who Processes Personal Data on Vendor’s behalf, including Vendor’s and its Sub-processors’ employees, officers, partners, principals and contractors.
“Data Privacy Framework” or “DPF” means (as applicable) the EU-U.S. Data Privacy Framework, the U.K. Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework self-certification programs as operated by the U.S. Department of Commerce, and their respective successors.
“DPF Principles” means the Principles and Supplemental Principles contained in the relevant Data Privacy Framework, as may be amended, superseded, or replaced from time to time.
“European Data Protection Law” means all data protection and privacy laws and regulations of Europe, including, where applicable, (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) the GDPR as it forms part of United Kingdom law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (“U.K. GDPR”); (iii) the U.K. Data Protection Act 2018; (iv) the Swiss Federal Act on Data Protection (“FADP”); and (v) any national data protection laws made under or pursuant to the GDPR.
“Personal Data” means any information Snowflake and/or its Affiliate provides to Vendor pursuant to the Agreement that relates to an identified or identifiable natural person (“data subject”) and information that is deemed personal data, personal information, or personally identifiable information under Applicable Privacy Laws.
“Personal Data Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
“Restricted Transfer” means a transfer of Personal Data that is subject to Applicable Privacy Laws of the originating country to a country that does not provide an adequate level of protection for Personal Data according to the Applicable Privacy Laws of the originating country.
“SCCs” or “Standard Contractual Clauses” means together (i) the “EU SCCs”, found at https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en, or a successor website designated by the EU Commission, and (ii) the “U.K. SCCs” means the International Data Transfer Addendum issued by the Information Commissioner’s Office under s.119(A) of the U.K. Data Protection Act 2018, currently available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.
“Sub-processor” means any third party (including any Vendor Affiliate) engaged directly or indirectly by Vendor to Process any Personal Data relating to this DPA and/or the Agreement.
“Vendor Security Agreement” means the applicable security agreement entered into between the Parties setting forth Vendor’s technical and organizational measures for the protection of Personal Data.
The terms “Controller”, “Processor”, and “Processing” (including Process, Processed, and Processes), shall have the respective meanings ascribed to them in Applicable Privacy Laws. If and to the extent that Applicable Privacy Laws do not define such terms, then the definitions given in European Data Protection Law will apply.
2. ROLE AND SCOPE OF PROCESSING
2.1 Roles of the Parties and Details of Processing. Vendor shall Process Personal Data solely as a Processor (or Sub-Processor) acting on behalf of Snowflake. Each party shall comply with its respective obligations under Applicable Privacy Laws.
2.2 Vendor’s Processing of Personal Data. Vendor shall at all times: (i) only Process Personal Data as described in Annex IB (the “Permitted Purpose”) and in accordance with Snowflake’s documented instructions.
2.3 Vendor’s Notification Obligations Regarding Snowflake Instructions. Vendor shall promptly notify Snowflake in writing, unless prohibited under Applicable Privacy Law, if:
(a) it becomes aware of or believes that any data Processing instruction(s) from Snowflake violates Applicable Privacy Law;
(b) it is unable to comply with Snowflake’s Processing instructions for any reason; and/or
(c) it is unable to comply with the terms of the Agreement (including this DPA) as they relate to, or govern the Processing or security of Personal Data for any reason.
3. SUB-PROCESSING
3.1 Appointment of Sub-processors. Vendor shall not subcontract any Processing of Personal Data to a Sub-processor without the prior written consent of Snowflake. Upon execution of the Agreement, Vendor shall provide Snowflake with an up-to-date list of its then current Sub-processors. Notwithstanding the foregoing, Snowflake consents to Vendor’s engagement of additional Sub-processors provided that:
(a) Vendor provides at least twenty-one (21) days prior written notice to Snowflake of a change to existing Sub-processors or the engagement of any new Sub-processor, including legal name, address, contact person (name, position, contact details) of the Sub-processor, the description and location of the Processing, as well as other relevant details (the “Objection Period”) and, if Snowflake has not objected to the new Sub-processor pursuant to Section 3.2 below, Vendor shall update the list of Sub-processors authorized to Process Personal Data and send such updated list to Snowflake at [email protected];
(b) Vendor enters into a written agreement with each Sub-processor imposing data protection obligations no less protective of Personal Data than Vendor’s obligations under this DPA (including the SCCs and/or other data transfer provisions) to the extent applicable to the nature of the services provided by each Sub-processor;
(c) Vendor remains fully liable to Snowflake for any breach of this DPA, the Agreement, and/or Applicable Privacy Laws, that is caused by an act, error or omission of each Sub-processor; and
(d) Upon Snowflake’s request, Vendor will provide an up-to-date list of Vendor’s current Sub-processors.
3.2 Objection Right for New Sub-processors. Snowflake may object to appointments, or replacements of a Sub-processor, or changes in the scope or location of Processing to existing Sub-processors, as described in Section 3.1 above during the Objection Period provided such objection is based on reasonable grounds. In such an event, the parties shall discuss the objection in good faith with a view to achieving resolution. If the parties cannot reach a resolution within a reasonable period of time, which shall not exceed thirty (30) days, Vendor will either replace or not appoint the Sub-processor, or Snowflake may terminate the Agreement (in whole or in part) by providing written notice to Vendor. Vendor will refund Snowflake any prepaid unused fees under the Agreement following the effective date of termination. For the avoidance of doubt, Snowflake’s objection rights do not extend to where Vendor is updating contact details, including legal name, address, contact person (name, position, contact details).
4. DATA SUBJECT RIGHTS AND COOPERATION
4.1 Data Subject Request. Vendor shall reasonably cooperate with Snowflake and, if feasible, provide Snowflake with a mechanism to enable Snowflake to respond to any requests, complaints or other communications from a data subject, supervisory authority, and regulatory or judicial body relating to the Processing of Personal Data under the Agreement, including requests from data subjects seeking to exercise their rights under Applicable Privacy Laws. If any such request or complaint or communication is made directly to Vendor, Vendor shall promptly forward it to Snowflake and shall not respond to such communication without Snowflake’s express authorization.
4.2 Subpoenas and Court Orders. If Vendor receives a subpoena, court order, warrant or other legal demand from a third party (including law enforcement or other public or judicial authorities) seeking the disclosure of Personal Data, Vendor shall not disclose any information but shall immediately notify Snowflake in writing of such request, and reasonably cooperate with Snowflake if it wishes to limit, challenge or protect against such disclosure, to the extent permitted by applicable laws.
4.3 Data Protection Impact Assessments (“DPIAs”) and Consultation. Vendor shall provide reasonable assistance to Snowflake to conduct a data protection impact assessment and/or consult with applicable data protection authorities in respect of any proposed Processing activity under this DPA.
5. DATA ACCESS & SECURITY MEASURES
5.1 Confidentiality and Limitation of Access. Vendor shall ensure that any Authorized Person is subject to a strict duty of confidentiality (whether a contractual or statutory duty) and that they Process the Personal Data only for the purpose of delivering the Services under the Agreement to Snowflake.
5.2 Security Measures. Vendor will implement and maintain all appropriate technical and organizational security measures to protect Personal Data from Personal Data Breaches and to preserve the security, integrity and confidentiality of such data (“Security Measures”). Any Security Measures shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons as described in the Vendor Security Agreement which shall be incorporated by reference.
6. PERSONAL DATA BREACHES
6.1 Notification of Personal Data Breaches. In the event of a Personal Data Breach, Vendor shall notify Snowflake without undue delay, and in any case, within forty-eight (48) hours after becoming aware. The notification shall be sent to [email protected] with written details of the Personal Data Breach, including all information necessary for Snowflake to fulfill its obligations under Applicable Privacy Laws, including data breach reporting and risk assessment obligations.
6.2 Vendor’s Obligations Following Personal Data Breach. Furthermore, in the event of a Personal Data Breach, Vendor shall:
(a) provide timely information and cooperation as Snowflake may reasonably require, including without limitation, collecting and preserving all information and evidence pertaining to the Personal Data Breach and the investigation conducted by Vendor;
(b) take such measures and actions as are appropriate to remedy or mitigate the effects of the Personal Data Breach and keep Snowflake up-to-date about all material developments in connection with the Personal Data Breach; and
(c) to the extent that a Personal Data Breach is caused by an act, error or omission of Vendor or a Sub-processor which includes a failure to comply with their obligations under this DPA and/or Applicable Privacy Laws, reimburse Snowflake, subject to any applicable limitations under the Agreement, for the reasonable costs for Snowflake to prepare and send all notifications that are legally required. At the written request of Snowflake and to the extent legally required, Vendor agrees to provide, at its sole expense, credit monitoring and identity theft protection services to individuals affected by a Personal Data Breach.
6.3 Communications. Any notification, public/regulatory communication, or press release concerning the Personal Data Breach that identifies Snowflake shall be solely at Snowflake’s discretion, except as otherwise required by Applicable Privacy Laws.
7. SECURITY REPORTS & INSPECTIONS
7.1 Vendor Security Standards. Vendor shall maintain relevant records of its information security management system. Upon request, Vendor shall provide copies of any existing relevant external information security certifications, audit report summaries and/or other documentation reasonably required by Snowflake to verify Vendor’s compliance with this DPA.
7.2 Right of Inspection. With reasonable prior notice, Snowflake (or its appointed independent third-party auditor) may carry out an inspection of the Vendor’s applicable controls, including an inspection of its facilities for the purposes of verifying Vendor’s compliance with this DPA, or, where Snowflake has reasonable concerns about Vendor’s data protection compliance following i) a Personal Data Breach, ii) a request from a regulator or data protection authority, or iii) a material gap or deficiency identified in Vendor’s answers to Snowflake’s security questionnaire.
8. INTERNATIONAL TRANSFERS
8.1 International Transfers. Vendor shall not Process or transfer any Personal Data in or to a territory other than the territory in which the Personal Data was first collected or provided to Vendor unless it takes all measures necessary to ensure such Processing or transfer is in compliance with Applicable Privacy Laws.
8.2 Transfer Mechanism. To the extent that the transfer of Personal Data from Snowflake to Vendor is a Restricted Transfer, the following shall apply:
(a) DPF. If Vendor is self-certified to the Data Privacy Framework and the Personal Data transferred is within the scope of such certification, the DPF shall apply. Where the DPF does not apply to the Restricted Transfer, or the Vendor determines that it can no longer provide at least the same level of protection for such Personal Data as is required by the DPF Principles, then the Standard Contractual Clauses (SCCs) shall apply and be automatically incorporated into this DPA.
(b) SCCs. The parties agree that the SCCs (including Annexes I and II) shall be incorporated by reference where applicable and form an integral part of this DPA. Each party is deemed to have executed the SCCs by executing the Agreement incorporating this DPA. With respect to the SCCs, the following shall apply:
(i) Snowflake (acting on behalf of itself and its Affiliate) shall be the “data exporter” and Vendor shall be the “data importer”;
(ii) Module Two shall apply to the extent that Snowflake is a Data Controller and Module Three shall apply to the extent that Snowflake is a Data Processor. The same shall apply with respect to Table 2 of the U.K. SCCs;
(iii) The optional Clause 7 shall apply and Affiliate(s) of both Snowflake and Vendor may accede to the SCCs under the same terms, where applicable. The foregoing shall apply with respect to Table 2 of the U.K. SCCs;
(iv) For purposes of Clause 9 of the SCCs, Option 2 (“General written authorization”) shall apply and the time period for the addition or replacement of Sub-processors shall be described in Section 3.1 (Appointment of Sub-processors), and the same shall apply with respect to Table 2 of the U.K. SCCs;
(v) The optional language in Clause 11 shall not apply;
(vi) For purposes of Clause 17 and Clause 18 of the EU SCCs, the Member State for purposes of governing law and jurisdiction shall be the Netherlands. Part 2, Section 15(m) and Part 2, Section 15(n) of the U.K. SCCs regarding Clause 17 and Clause 18 of the EU SCCs shall apply;
(vii) Table 3 of the U.K. SCCs shall be populated with the relevant information set out at Annex I, Annex II and Section 3 (Sub-Processing) to this DPA;
(viii) With respect to Table 4 of the U.K. SCCs, either the data exporter or data importer may terminate the U.K. SCCs prior to termination of the Agreement and this DPA;
(ix) For transfers from Switzerland or other countries that have adopted and/or have determined the EU SCCs are adequate for Restricted Transfers, references in the EU SCCs shall be interpreted to include applicable terminology for those territories (e.g. ‘Member State’ shall be interpreted to mean ‘Switzerland’ for transfers from Switzerland); and
(c) Where Vendor determines that it can no longer comply with its obligations under the DPF and the SCCs or use another valid transfer mechanism to safeguard the Restricted Transfer, Vendor shall notify Snowflake immediately and work with Snowflake to take reasonable and appropriate steps to remediate the non-compliance.
8.3 Required Disclosures. Vendor acknowledges that Snowflake may disclose this DPA and any relevant privacy provisions in the Agreement to the U.S. Department of Commerce, the Federal Trade Commission, European supervisory authorities or any other U.S., EU, Swiss or U.K. judicial or regulatory body upon their request.
9. DELETION & RETURN
Upon Snowflake’s request, or upon termination or expiration of this DPA, Vendor shall, at Snowflake’s choice, securely and permanently destroy or return to Snowflake all Personal Data (including copies) in its possession or control (including any Personal Data Processed by its Sub-processors). Until the Personal Data is destroyed or returned, Vendor shall continue to ensure compliance with this DPA.
10. CCPA OBLIGATIONS
10.1 To the extent that Vendor’s Processing of Personal Data is governed by the CCPA in Vendor’s role as a “service provider” or “processor” to Snowflake, then the following clauses shall apply. For purposes of this Section 10, the terms “business(es),” “process,” “processor,” “sell,” “service provider,” and “share” shall have the meanings ascribed to them under the CCPA.
(a) Vendor shall not sell or share Personal Data.
(b) Vendor shall not combine Personal Data with any other personal data, unless expressly instructed by Snowflake for a specific purpose, and for the sole benefit of Snowflake, in providing the Services.
(c) Vendor shall not retain, use, or disclose Personal Data (i) for any purpose (including any commercial purpose) other than for the specific purpose of Vendor’s performance of the Services under the Agreement; or (ii) outside the direct business relationship between the parties, unless, in each case, expressly permitted by Snowflake or the CCPA.
(d) Vendor shall comply with all applicable sections of the CCPA, including, with respect to Personal Data, providing the same level of privacy protection as required of businesses by the CCPA.
10.2 Notwithstanding the foregoing, Vendor shall notify Snowflake no later than five business days that it can no longer meet its obligations under the CCPA or this DPA. Upon notice from Vendor, Snowflake may provide written notice to Vendor to terminate the Agreement.
11. GENERAL
11.1 The obligations placed upon Vendor under this DPA shall survive so long as Vendor and/or its Sub-processors Process Personal Data on behalf of Snowflake. This DPA may not be modified except by a subsequent written instrument signed by both parties. If any part of this DPA is held unenforceable, the validity of all remaining parts will not be affected. In the event of any conflict or inconsistency between this DPA and the Agreement, the parties agree that the terms of this DPA shall prevail solely to the extent of such conflict or inconsistency.
11.2 This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions set forth in the Agreement, unless otherwise required by Applicable Privacy Laws or as set forth in the SCCs (if applicable) pursuant to Section 8.2(b)(vi) above.