Data Processing Agreement

(Updated: July 29, 2025)


Parties to this DPA
This Data Processing Agreement (“DPA”) is incorporated into and supplemental to the Social Snowball order form and agreement (“Agreement”) entered into between Social Snowball Holdings, Inc. (“Service Provider”) and the merchant company (“Company”) for the provision of Services by Service Provider to Company. This DPA governs the Processing of Personal Data as required under Applicable Data Protection Law. Except as modified below, the terms of the Agreement shall remain in full force and effect.

Definitions
All capitalised terms in this DPA shall have the meaning prescribed by the Social Snowball Merchant Terms of Service located at https://socialsnowball.io/terms-of-service (“Terms”) or as otherwise agreed between the parties, unless otherwise specified below.
“Applicable Law” means, as applicable and binding on the Company, the Service Provider and/or the Services:
(a) any law, statute, regulation, byelaw or subordinate legislation in force from time to time to which a party is subject and/or in any jurisdiction in which the Services are provided to or in respect of;
(b) the common law and laws of equity as applicable to the parties from time to time;
(c) any binding court order, judgement or decree; or
(d) any applicable direction, policy, rule or order that is binding on a party and that is made or given by any regulatory body having jurisdiction over a party or any of that party’s assets, resources or business.

“Applicable Data Protection Law” (also referred to in this DPA as “Data Protection Laws”) means all privacy and data protection laws applicable to the Processing of Personal Data under the Agreement, including the EU GDPR, UK GDPR, and CPRA.
“Associated Company” means a company belonging to the same group as either party;

“Business” shall have the meaning set forth under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (together, the “CPRA”).
“Company Data” means Personal Data provided or made available by Company to Service Provider in connection with the Services.
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Processor” means the entity which Processes Personal Data on behalf of the Controller.
“Service Provider Processing” means any Processing of Company Data by Service Provider as a Processor on behalf of Company in connection with the Services.
“Personal Data” means any information relating to an identified or identifiable natural person.
“Personal Data Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any Personal Data transmitted, stored, or otherwise processed.
“Sub-Processor” means another Processor engaged by the Service Provider for carrying out processing activities in respect of the Personal Data on behalf of the Company.
1 Interaction with the Agreement
1.1 This DPA will take effect from the date on which the Company accepts the terms of this DPA (or signs an order form incorporating the Terms and the terms of this DPA) and shall continue until the end of the Service Provider’s provision of the Services (including any period of suspension, where relevant) (“Term”).
1.2 Except for the changes made by this DPA, the Terms and the order form remain in full force and effect.
2 Relationship of the parties
The parties agree that in relation to Company Data (as it may be applicable to the parties under Data Protection Laws), the Company is the Controller and the Service Provider shall be the Processor.
Service Provider acts only as a Processor of Company Data and shall Process Company Data solely on behalf of and under the documented instructions of Company. Nothing in this DPA shall be construed as granting Service Provider the right to Process Company Data for any purpose other than for the provision of Services.
3 Compliance with Laws
3.1 The Service Provider shall process Company Data in compliance with:
3.1.1 the obligation of Processors under Data Protection Laws in respect of the performance of its obligations herein; and
3.1.2 the terms of this DPA, the Terms and the order form which sets out the Company’s instructions in relation to such processing activities.
3.2 The Company shall comply with:
3.2.1 all Data Protection Laws in connection with the processing of Company Data, use of the Services and the exercise and performance of its respective rights and obligations under this DPA, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and
3.2.2 the terms of this DPA.
3.3 The Company warrants, represents and undertakes that:
3.3.1 all data sourced by the Company for use in connection with the Services shall comply in all respects, including in terms of its collection, storage and processing (which shall include the Company providing all of the required fair processing information to, and obtaining all necessary consents from, Data Subjects), with Data Protection Laws; and
3.3.2 all instructions given by it to the Service Provider in respect of Company Data shall at all times be in accordance with Data Protection Laws.
3.4 The Company shall not unreasonably withhold, delay or condition its agreement to any change or amendment requested by the Service Provider in order to ensure the Services and the Service Provider (and each Sub-Processor) can comply with Data Protection Laws.


4 Instructions and Limitations on Use
4.1 By entering into this DPA, the Company instructs the Service Provider to Process Company Data only in accordance with Applicable Law:
4.1.1 To provide the Services;
4.1.2 As further specified by the Company’s use of the Services;
4.1.3 As documented in the form of the Terms and this DPA; and
4.1.4 As further documented in any other written instructions provided by the Company and acknowledged by the Service Provider as being instructions for the purposes of this DPA.
Details of the Processing activities, including the subject matter, duration, nature and purpose of Processing, the types of Personal Data, and categories of Data Subjects are set forth in Schedule D (Details of Processing Activities).
4.2 Insofar as the Service Provider processes Company Data on behalf of the Company, the Service Provider:
4.2.1 unless required to do otherwise by Applicable Law, shall (and shall take steps to ensure each person acting under its authority shall) process the Company Data only on and in accordance with the Company’s documented instructions as set out in this clause, as updated from time to time as agreed between the parties;
4.2.2 if Applicable Law requires it to process Company Data other than in accordance with the processing instructions, shall notify the Company of any such requirement before processing the Company Data (unless Applicable Law prohibits such notification on important grounds of public interest); and
4.2.3 shall inform the Company if the Service Provider becomes aware of a processing instruction that, in the Service Provider’s opinion, infringes Data Protection Laws, provided that:
(a) this shall be without prejudice to clauses 4 and 3.3; and
(b) to the maximum extent permitted by mandatory law, the Service Provider shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities (including any Data Protection Losses) arising from or in connection with any processing in accordance with the Company's processing instructions following the Company’s receipt of that information.
4.3 The Service Provider confirms that it has appointed a data protection officer where such appointment is required by Data Protection Laws. The appointed data protection officer may be contacted by email at Privacy@socialsnowball.io.
4.4 Further to the above, the Service Provider acknowledges that its processing of Company Data is limited to that set out in this DPA in order to supply the Services to the Company and in accordance with the Terms.

5 Security

The Service Provider shall implement and maintain appropriate technical and organizational measures in relation to the processing of Company Data by the Service Provider. These measures are outlined in Schedule A.

6 Sub-Processing

6.1 The Company specifically authorizes the engagement of Social Snowball’s existing and future Associated Companies as Sub-Processors and also authorizes the appointment of any of the Sub-Processors listed at: https://help.socialsnowball.io/en/articles/11452398-social-snowball-sub-processors-page

6.2 The Company may object (on reasonable grounds and only relating to data protection laws) to the use of any new or replacement Sub-Processor appointed under clause 6.1 within ten (10) business days of the Service Provider’s notice. If the Company notifies the Service Provider in writing of any objections to the proposed appointment, both parties shall work in good faith toward a resolution. If a solution cannot be found, the Company may by written notice to the Service Provider with immediate effect terminate the order form to the extent that it relates to the Services which require the use of the proposed Sub-Processor. This termination right is the Company’s sole and exclusive remedy for the Company’s objection to any Sub-Processor appointed by the Service Provider during the Term.
6.3 The Service Provider shall:
6.3.1 ensure, via a written contract enforceable by the Service Provider, that the Sub-Processor only accesses and processes Company Data to perform the obligations subcontracted to it and does so in accordance with the measures contained in this DPA; and
6.3.2 remain fully liable for all the acts and omissions of each Sub-Processor as if they were its own.

7 International Transfers
Transfers of Personal Data outside the EEA, UK, or Switzerland will be conducted in accordance with Module 2 of the Standard Contractual Clauses in Schedule B and, if applicable, Schedule C. Company acknowledges that Service Provider is located in the United States and consents to such transfer under the safeguards provided in the Schedules.

8 Personal Data Breach
8.1 In the event of a Personal Data Breach affecting Company Data, the Service Provider shall, without undue delay and in any event within 24 hours of becoming aware of it:
8.1.1 notify the Company of the Personal Data Breach; and
8.1.2 provide the Company, where possible, with details of the Personal Data Breach.
8.2 Notice of a Personal Data Breach as contemplated under 8.1.1 above shall include:
8.2.1 the nature of the Personal Data Breach (including, where possible, the categories and approximate number of data subjects and data records concerned);
8.2.2 the likely consequences of the Personal Data Breach;
8.2.3 the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects; and
8.2.4 such other information as may be required by Data Protection Laws.

9 Deletion or Return of Data
Upon termination or expiration of the Agreement, at the Company’s choice, the Service Provider shall delete or return all Company Data, unless retention is required by Applicable Law, in which case the Service Provider shall inform the Company of any such requirement.

10 Data Subject Rights
10.1 The Service Provider shall refer all Data Subject Requests it receives to the Company within three Business Days of receipt of the request.
10.2 Further to the above and notwithstanding anything to the contrary in the Terms, the Service Provider reserves the right to disclose the identity of the Company to any relevant Data Subject following any such request.
10.3 The Service Provider shall provide such reasonable assistance as the Company reasonably requires (taking into account the nature of processing and the information available to the Service Provider) in ensuring compliance with the Company’s obligations under Data Protection Laws with respect to:
10.3.1 security of processing;
10.3.2 data protection impact assessment (as such term is defined in Data Protection Laws);
10.3.3 prior consultation with a supervisory authority regarding high-risk processing; and
10.3.4 notifications to the supervisory authority and /or communications to Data Subjects by the Company in response to any Personal Data Breach.

11 Audits and Records
11.1 The Service Provider shall maintain, in accordance with Data Protection Laws binding on the Service Provider, written records of all categories of processing activities carried out on behalf of the Company.
11.2 The Service Provider shall, in accordance with Data Protection Laws, make available to the Company such information as is reasonably necessary to demonstrate the Service Provider’s compliance with the obligations of Processors under Data Protection Laws, and allow for and contribute to audits, including inspections, by the Company (or another auditor mandated by the Company) for this purpose, subject to the Company:
11.2.1 giving the Service Provider reasonable prior notice of such information request, audit and/or inspection being required by the Company;
11.2.2 ensuring that all information obtained or generated by the Company or its auditor(s) in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure to the supervisory authority or as otherwise required by Applicable Law);
11.2.3 ensuring that such audit or inspection is undertaken during normal business hours, with minimal disruption to the Service Provider’s business and the business of other clients of the Service Provider; and
11.2.4 paying the Service Provider’s reasonable costs for assisting with the provision of information and allowing for and contributing to inspections and audits on-site, calculated on a time & materials basis.

12 Miscellaneous
12.1 This DPA shall prevail in the event of any conflict with the Agreement regarding the Processing of Personal Data.
12.2 This DPA, including its Schedules, constitutes the entire agreement between the parties on this subject.





SCHEDULE A
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Hosting and Physical Security
Social Snowball servers are hosted on AWS. As such, Social Snowball inherits the control environment which Amazon maintains and demonstrates via SOC 1, 2 and 3 reports (issued under the SSAE 16 attestation standard and its successor, SSAE 18), ISO 27001 certification and FedRAMP/FISMA reports and certifications. Web servers and databases run on servers in secure data centers. Physical access is restricted to authorized personnel. Premises are monitored and access is logged.
You can read further about AWS security at aws.amazon.com/security/.
Isolation of Services
Social Snowball servers run in Linux virtual machines which are isolated from one another and from the underlying hardware layer. Server processes are confined to a particular directory and do not have access to the rest of the local filesystem.
Network Security
Social Snowball’s services are accessible only over HTTPS. Traffic over HTTPS is encrypted and is protected from interception by unauthorized third parties. Social Snowball uses only strong encryption algorithms with symmetric key lengths of at least 128 bits.
All network access, both within the data center and between the data center and outside services, is restricted by firewall and routing rules. Network access is logged and logs are retained for a minimum of 30 days.
Social Snowball servers are only accessible through HTTPS and deny access to other ports, except that SSH access (encrypted by the SSH protocol itself, with public-key authentication required) is enabled for administration. Administrative access is granted only to select employees of Social Snowball, based on role and business need.
Access to databases used in the Social Snowball service is over an encrypted link (TLS).
Authentication
Clients log in to Social Snowball using a password which is known only to them, and only over secure (HTTPS) connections. Clients are required to have reasonably strong passwords. Passwords are never stored in plaintext; instead, as is standard practice, only a salted, deliberately slow cryptographic hash of the password is stored in the database. Because the hash is expensive to compute, and because each password is hashed with its own random salt, brute-force guessing attempts are relatively ineffective and password recovery remains difficult even if the hash values were to be obtained by a malicious party.
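The following is an added illustration of the password-storage scheme described above; it is not Social Snowball’s code, which this page does not publish. The page names bcrypt as the hash in use; this example uses Python’s standard-library scrypt as a stand-in so that it runs without third-party packages (the salting, cost factor and verification logic are the same in kind). The work-factor parameters and the `scrypt$N$r$p$salt$hash` record format are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import os

# Work-factor parameters (assumed for this example). Raising N makes every guess
# proportionally more expensive for an attacker who has stolen the hash table.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16   # a fresh random salt per password defeats precomputed tables
DKLEN = 32        # length of the derived hash in bytes


def hash_password(password: str, n: int = SCRYPT_N, r: int = SCRYPT_R, p: int = SCRYPT_P) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt_b64$hash_b64.

    Storing the parameters alongside the hash lets the cost be raised later
    without invalidating existing records (see needs_rehash below).
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=DKLEN)
    return "$".join([
        "scrypt", str(n), str(r), str(p),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and parameters, compare in constant time."""
    try:
        alg, n, r, p, salt_b64, hash_b64 = stored.split("$")
        if alg != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        digest = hashlib.scrypt(
            password.encode("utf-8"), salt=salt, n=int(n), r=int(r), p=int(p), dklen=len(expected)
        )
    except (ValueError, TypeError):
        # Malformed record: treat as a failed login rather than raising.
        return False
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(digest, expected)


def needs_rehash(stored: str, n: int = SCRYPT_N, r: int = SCRYPT_R, p: int = SCRYPT_P) -> bool:
    """True when a record was produced with parameters weaker than the current policy.

    Call this after a successful verify_password and re-hash the (now known)
    plaintext so that old records are upgraded transparently at next login.
    """
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return True
    return (int(parts[1]), int(parts[2]), int(parts[3])) < (n, r, p)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")   # constructed sample input
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                # False
```

Two records for the same password differ because each carries its own salt, so an attacker cannot recognise shared passwords across accounts or reuse work between them; and because every guess costs one full scrypt evaluation, offline guessing is slowed by the same factor that the legitimate login pays once.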
Development Process
Social Snowball developers have been trained in secure coding practices. Social Snowball application architecture includes mitigation measures for common security flaws such as the OWASP Top 10. The Social Snowball application uses industry standard, high-strength algorithms including AES and bcrypt. Periodic security tests are conducted, including using scanning and fuzzing tools to check for vulnerabilities.
Employee Screening and Policies
As a condition of employment all Social Snowball employees undergo pre-employment background checks and agree to company policies including security and acceptable use policies.
Security Issues
At Social Snowball, we consider the security of our systems a top priority. We have implemented a responsible disclosure policy to ensure that problems are addressed quickly and safely.
We currently observe the Security Measures described in this Schedule A. For more information on these security measures, please refer to https://social-snowball.trustshare.com/home.
We maintain and adhere to an internal, written Information Security Policy. You can visit the Social Snowball Trust Center, which provides an overview of our security standards.
Authentication: We implement a uniform password policy for our customer products. Customers who interact with the products via the user interface must authenticate before accessing Customer Personal Data in their Social Snowball account.
Authorization: Customer Data is stored in multi-tenant storage systems accessible to customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of our products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.
Data encryption in transit: We require HTTPS (TLS; the older protocol name SSL is sometimes still used for it) on all login interfaces and, at no additional charge, on every customer site hosted on the Social Snowball products. Our HTTPS implementation uses industry standard algorithms and certificates.
Data encryption at rest: We store user passwords in accordance with industry standard security practices (see Authentication above). We take a layered approach to at-rest encryption technologies to ensure Customer Data and Customer-identified Permitted Sensitive Data are appropriately encrypted.
Vulnerability Remediation Schedule: We maintain a vulnerability remediation schedule aligned with industry standards. We take a risk-based approach to determining a vulnerability’s applicability, likelihood, and impact in our environment.


SCHEDULE B
EU STANDARD CONTRACTUAL CLAUSES 2021/914/EU

Located at: Standard Contractual Clauses (SCC)


SCHEDULE C
UK Agreement to the EU Commission Standard Contractual Clauses Located at: UK Addendum to the EU SCCs

SCHEDULE D
Details of Processing Activities

LIST OF PARTIES
1. Exporter
Name: Company [customer] name
Address: Address stated in the Agreement
Contact person’s name, position and contact details: Stated in the Agreement
Activities relevant to the data transferred under these Clauses: Use of Service Provider’s Services
Signature and date: Incorporated into Agreement
Role (controller/processor): Controller

DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Company’s clients (Affiliates) under a written services Agreement who are designated by Company to use the services under the Agreement
Potential Company clients (Affiliates)

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous during the term of the Agreement
Nature of the processing: Service Provider will provide services to Company under the Agreement
Purpose(s) of the data transfer and further processing: To enable Service Provider to provide the Services to Company under the terms of the Agreement
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Data retained until instructed by Company to remove, or until the Agreement or DPA is terminated, whichever is earlier.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

See above.

Sensitive Data (if applicable)
Social Snowball does not expect clients to upload or collect Sensitive Data in the service. The Client should be aware that uploading sensitive information, including but not limited to special category data, health information, and financial information, may be prohibited, or require additional controls depending on the region the Client operates in or the location of a Data Subject.
It is the sole responsibility of the Client to ensure that they inform Social Snowball when any Sensitive Data is uploaded to the service by sending an email to privacy@socialsnowball.io and to comply with all applicable laws and regulations in the region the Client operates in or the location of Data Subjects. This includes, but is not limited to, data protection laws, privacy regulations, and any other relevant legal requirements.