Data Processing Agreement
(Updated: June 3, 2025)
This Data Processing Agreement (“DPA”) is incorporated into and supplemental to the Social Snowball order form and agreement (“Agreement”) entered into between Social Snowball, Inc. (“Service Provider”) and the merchant company (“Company”) for the provision of Services by Service Provider to Company. This DPA governs the Processing of Personal Data as required under Applicable Data Protection Law. Except as modified below, the terms of the Agreement shall remain in full force and effect.
Definitions
Unless otherwise defined in the Agreement, capitalized terms used in this DPA shall have the meanings given below:
“Applicable Data Protection Law” means all privacy and data protection laws applicable to the Processing of Personal Data under the Agreement, including the EU GDPR, UK GDPR, and CPRA.
“Business” shall have the meaning set forth under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (together, the “CPRA”).
“Company Data” means Personal Data provided or made available by Company to Service Provider in connection with the Services.
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Processor” means the entity which Processes Personal Data on behalf of the Controller.
“Service Provider Processing” means any Processing of Company Data by Service Provider as a Processor on behalf of Company in connection with the Services.
“Personal Data” means any information relating to an identified or identifiable natural person.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
“Sub-Processor” means a third party engaged by Service Provider to Process Personal Data on behalf of the Company.
Relationship of the parties
Company is the Controller of Company Data. Service Provider acts only as a Processor of Company Data and shall Process Company Data solely on behalf of and under the documented instructions of Company. Nothing in this DPA shall be construed as granting Service Provider the right to Process Company Data for any purpose other than for the provision of Services.
Compliance with Laws
3.1 Each party shall comply with its respective obligations under Applicable Data Protection Law.
3.2 Company shall ensure it has all necessary consents and notices in place to enable lawful transfer of Company Data to Service Provider for the duration and purposes of the Agreement.
3.3 Service Provider shall not retain, use, or disclose Personal Data:
for any purpose other than the specific purpose of performing the Services;
outside the direct business relationship with Company;
for commercial purposes not permitted under the Agreement.
Instructions and Limitations on Use
Service Provider shall only Process Company Data in accordance with Company’s documented instructions, including this DPA and the Agreement. Service Provider shall not Process Personal Data other than on the documented instructions of Company, unless required to do so by applicable law.
Details of the Processing activities, including the subject matter, duration, nature and purpose of Processing, the types of Personal Data, and categories of Data Subjects are set forth in Schedule D (Details of Processing Activities).
Service Provider shall immediately notify Company if it believes any instruction infringes Applicable Data Protection Law.
Security
Service Provider shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including those listed in Schedule A.
Sub-Processing
6.1 Company authorizes Service Provider to engage Sub-Processors as necessary to perform the Services, provided that:
Service Provider enters into a written agreement with each Sub-Processor with data protection obligations equivalent to this DPA;
a current list of Sub-Processors is maintained at: https://help.socialsnowball.io/en/articles/11452398-social-snowball-sub-processors-page
6.2 Company may object to a new Sub-Processor within ten (10) business days of notice. If the objection is reasonable, the parties shall work in good faith toward a resolution.
International Transfers
Transfers of Personal Data outside the EEA, UK, or Switzerland will be conducted in accordance with Module 2 of the Standard Contractual Clauses in Schedule B and, if applicable, Schedule C. Company acknowledges that Service Provider is located in the United States and consents to such transfer under the safeguards provided in the Schedules.
Personal Data Breach
In the event of a Personal Data Breach affecting Company Data, Service Provider shall:
notify Company without undue delay and, in any event, within 72 hours;
provide sufficient information for Company to comply with any obligations;
cooperate with Company in breach remediation.
Deletion or Return of Data
Upon termination or expiration of the Agreement, at Company’s choice, Service Provider shall delete or return all Company Data, unless retention is required by law.
Data Subject Rights
Service Provider shall assist Company in responding to Data Subject requests, including access, correction, deletion, and data portability, where applicable and to the extent required by law. Service Provider shall assist Company, to the extent reasonably possible and at Company’s cost, with its obligations under Articles 32 to 36 of the GDPR, including data protection impact assessments and prior consultations with supervisory authorities.
Audits and Records
Service Provider shall provide Company with documentation or reports necessary to demonstrate compliance with this DPA and allow for audits as specified in Schedule A.
Miscellaneous
12.1 This DPA shall prevail in the event of any conflict with the Agreement regarding the Processing of Personal Data.
12.2 This DPA, including its Schedules, constitutes the entire agreement between the parties on this subject.
SCHEDULE A
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Hosting and Physical Security
Social Snowball servers are hosted on AWS. As such, Social Snowball inherits the control environment which Amazon maintains and demonstrates via SSAE16 SOC 1, 2 and 3, ISO 27001 and FedRAMP/FISMA reports and certifications. Web servers and databases run on servers in secure data centers. Physical access is restricted to authorized personnel. Premises are monitored and access is logged.
You can read further about AWS here:
aws.amazon.com/security/
Isolation of Services
Social Snowball servers run in Linux virtual machines which are isolated from one another and from the underlying hardware layer. Server processes are restricted to a particular directory and do not have access to the local filesystem.
Network Security
Social Snowball’s services are accessible only over HTTPS. Traffic over HTTPS is encrypted and is protected from interception by unauthorized third parties. Social Snowball uses only strong encryption algorithms with a key length of at least 128 bits.
All network access, both within the datacenter and between the datacenter and outside services, is restricted by firewall and routing rules. Network access is logged and logs are retained for a minimum of 30 days.
Social Snowball servers are only accessible through HTTPS and deny access to other ports, except that SSH access (protected by TLS and private key authentication) is enabled for administration. Administrative access is granted only to select employees of Social Snowball, based on role and business need.
Access to databases used in the Social Snowball service is over an encrypted link (TLS).
Authentication
Clients log in to Social Snowball using a password which is known only to them, and only over secure (HTTPS) connections. Clients are required to have reasonably strong passwords. Passwords are not stored unencrypted; instead, as is standard practice, only a secure hash of the password is stored in the database. Because the hash is relatively expensive to compute, and because a “salting” method is used, brute-force guessing attempts are relatively ineffective, and password reverse-engineering is difficult even if the hash value were to be obtained by a malicious party.
Development Process
Social Snowball developers have been trained in secure coding practices. Social Snowball application architecture includes mitigation measures for common security flaws such as the OWASP Top 10. The Social Snowball application uses industry standard, high-strength algorithms including AES and bcrypt. Periodic security tests are conducted, including using scanning and fuzzing tools to check for vulnerabilities.
Employee Screening and Policies
As a condition of employment all Social Snowball employees undergo pre-employment background checks and agree to company policies including security and acceptable use policies.
Security Issues
At Social Snowball, we consider the security of our systems a top priority. We have implemented a responsible disclosure policy to ensure that problems are addressed quickly and safely.
We currently observe the Security Measures described in this Annex II. For more information on these security measures, please refer to https://social-snowball.trustshare.com/home.
We maintain and adhere to an internal, written Information Security Policy. You can visit the Social Snowball Trust Center, which provides an overview of our security standards.
Authentication: We implement a uniform password policy for our customer products. Customers who interact with the products via the user interface must authenticate before accessing Customer Personal Data in their Social Snowball account.
Authorization: Customer Data is stored in multi-tenant storage systems accessible to customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of our products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.
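The Authorization paragraph describes two separate checks: tenant isolation in multi-tenant storage, and validating a user’s permissions against attributes carried by each data set. The following is an added example of that pattern, not Social Snowball’s authorization code; the roles, classifications, sample users and data sets are all constructed for illustration. The tenant boundary is evaluated before any role is consulted, so an administrator of one tenant never sees another tenant’s data, and list views are filtered by the same decision function rather than by the user interface.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Role ranking within a tenant (assumption for the example).
ROLE_RANK = {"viewer": 1, "editor": 2, "admin": 3}


@dataclass(frozen=True)
class User:
    user_id: str
    tenant_id: str
    role: str                   # "viewer", "editor" or "admin" within the tenant
    sensitive_clearance: bool   # may read data sets classified "sensitive"


@dataclass(frozen=True)
class DataSet:
    dataset_id: str
    tenant_id: str              # owning tenant; never visible across tenants
    classification: str         # "general" or "sensitive"
    owner_user_id: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str                 # suitable for an audit log line


def authorize(user: User, ds: DataSet, action: str) -> Decision:
    """Decide whether `user` may perform `action` ("read", "write", "delete") on `ds`."""
    # 1. Tenant boundary first: no role, however high, crosses it.
    if user.tenant_id != ds.tenant_id:
        return Decision(False, "tenant mismatch")
    rank = ROLE_RANK.get(user.role, 0)
    if rank == 0:
        return Decision(False, "unknown role")
    is_owner = user.user_id == ds.owner_user_id
    # 2. Validate the user's permissions against the data set's attributes.
    if action == "read":
        if ds.classification == "sensitive" and not (user.sensitive_clearance or is_owner):
            return Decision(False, "sensitive data requires clearance or ownership")
        return Decision(True, "read permitted")
    if action == "write":
        if rank >= ROLE_RANK["editor"] or is_owner:
            return Decision(True, "write permitted")
        return Decision(False, "write requires editor role or ownership")
    if action == "delete":
        if rank >= ROLE_RANK["admin"] or is_owner:
            return Decision(True, "delete permitted")
        return Decision(False, "delete requires admin role or ownership")
    # 3. Anything not explicitly modelled is denied.
    return Decision(False, f"unknown action {action!r}")


def visible_datasets(user: User, datasets: Iterable[DataSet]) -> List[str]:
    """Filter a listing with the same decision function used for direct access."""
    return [ds.dataset_id for ds in datasets if authorize(user, ds, "read").allowed]


# Constructed sample principals and data sets (not real accounts).
TENANT_A_ADMIN = User("alice", "tenant-a", "admin", sensitive_clearance=True)
TENANT_A_VIEWER = User("bob", "tenant-a", "viewer", sensitive_clearance=False)
TENANT_B_ADMIN = User("carol", "tenant-b", "admin", sensitive_clearance=True)
DATASETS = [
    DataSet("a-orders", "tenant-a", "general", owner_user_id="alice"),
    DataSet("a-payouts", "tenant-a", "sensitive", owner_user_id="alice"),
    DataSet("b-orders", "tenant-b", "general", owner_user_id="carol"),
]

if __name__ == "__main__":
    for user in (TENANT_A_ADMIN, TENANT_A_VIEWER, TENANT_B_ADMIN):
        print(user.user_id, "can read:", visible_datasets(user, DATASETS))
    print(authorize(TENANT_B_ADMIN, DATASETS[0], "read"))
    print(authorize(TENANT_A_VIEWER, DATASETS[1], "read"))
```

Because every access path (direct fetch, list view, API) routes through `authorize`, a client that bypasses the user interface and calls the API directly gets exactly the same answer, which is the property the paragraph relies on when it says customers reach data only through the application interfaces.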
Data encryption In-transit: We require HTTPS encryption (also referred to as SSL or TLS) on all login interfaces and for free on every customer site hosted on the Social Snowball products. Our HTTPS implementation uses industry standard algorithms and certificates.
Data encryption At-rest: We store user passwords following policies that follow industry standard practices for security. We take a layered approach of at-rest encryption technologies to ensure Customer Data and Customer-identified Permitted Sensitive Data are appropriately encrypted.
Vulnerability Remediation Schedule: We maintain a vulnerability remediation schedule aligned with industry standards. We take a risk-based approach to determining a vulnerability’s applicability, likelihood, and impact in our environment.
SCHEDULE B
EU STANDARD CONTRACTUAL CLAUSES 2021/914/EU
Located at: Standard Contractual Clauses (SCC)
SCHEDULE C
UK Agreement to the EU Commission Standard Contractual Clauses
Located at: UK Addendum to the EU SCCs
SCHEDULE D
Details of Processing Activities
LIST OF PARTIES
1. Exporter
Name: Company [customer] Name
Address: Address stated in the Agreement
Contact person’s name, position and contact details: Stated in the Agreement
Activities relevant to the data transferred under these Clauses: Use of Service Provider’s Services
Signature and date: Incorporated into Agreement
Role (controller/processor): Controller
DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Company’s clients (Affiliates) under a written services Agreement who are designated by Company to use the services under the Agreement
Potential Company clients (Affiliates)
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)
Continuous during the term of the Agreement
Nature of the processing
Service Provider will provide services to Company under the Agreement
Purpose(s) of the data transfer and further processing
To enable Service Provider to provide the Services to Company under the terms of the Agreement
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Data retained until instructed by Company to remove, or until the Agreement or DPA is terminated, whichever is earliest.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
See above