Last modified: February 12, 2024

This SND Data Processing Agreement and its Annexes (“DPA”) reflects the parties’ agreement with respect to the Processing of Personal Data by us on behalf of you in connection with the SND Subscription Services under the SND Customer Terms of Service available at between you and us (also referred to in this DPA as the “Agreement”). 

1. Definitions.  Capitalized terms that are not specifically defined in this DPA have the same meanings as set forth in the Agreement. Unless the context otherwise requires, the use of the term “Agreement” alone shall be interpreted to include the Agreement, the Order and this DPA, as well as any other agreement between the parties made part of or pursuant to the Agreement. The following definitions shall apply:

“Applicable Data Protection Law” means any applicable data privacy, data protection, and data security law or regulation governing the collection, use and processing of Personal Information, including, but not limited to, where applicable the California Consumer Privacy Act (“CCPA”), the California Privacy Rights Act (“CPRA”), and the Virginia Consumer Data Privacy Act (“VCDPA”).

“Authorized Persons” means SND’s employees, contractors, and agents who have a need to know or otherwise access Personal Information to enable SND to perform its obligations under this Agreement, and who are bound by confidentiality and other obligations sufficient to protect Personal Information in accordance with the terms and conditions of this Agreement.

“Contracted Business Purpose” means the Services described in the Agreement.

“Data Breach” means any unauthorized access to or disclosure or acquisition of Personal Information as defined under Applicable Data Protection Law.

“Personal Information” means information that Customer provides or for which Customer provides access to SND, or information which SND creates or obtains on behalf of Customer, in accordance with this Agreement that: (i) directly or indirectly identifies an individual (including, for example, names, signatures, addresses, telephone numbers, email addresses, and other unique identifiers); or (ii) can be used to identify or authenticate an individual (including, without limitation, employee identification numbers; government-issued identification numbers; passwords or PINs; user identification and account access credentials or passwords; financial account numbers; biometric, genetic, or health data; answers to security questions; an individual’s internet activity or similar interaction history; inferences drawn from other personal information to create consumer profiles; geolocation data; an individual’s commercial, employment, or education history; and other personal characteristics and identifiers). Customer’s business contact information is not by itself Personal Information, unless otherwise required by Applicable Data Protection Law.

2. SND’s Obligations.

2.1 SND will comply with the terms and conditions set forth in this Agreement.

2.2 SND will only collect, use, retain, or disclose Personal Information in furtherance of the Contracted Business Purposes. 

2.3 SND will limit personal information collection, use, retention, and disclosure to activities reasonably necessary and proportionate to achieve the Contracted Business Purposes or another compatible operational purpose.

2.4 SND will not disclose Personal Information to any person other than its Authorized Persons without Customer’s prior written consent unless required by Applicable Data Protection Law, in which case, SND will use reasonable efforts to notify Customer before such disclosure or as soon thereafter as reasonably possible, consistent with the requirements of Applicable Data Protection Law.

2.5 SND will reasonably comply with any Customer request or instruction to SND to provide, amend, transfer, or delete personal information, or to stop, mitigate, or remedy any unauthorized processing of Personal Information. Further, SND will provide reasonable assistance to Customer in responding to data privacy related inquiries, including responding to verifiable consumer requests, taking into account the nature of the SND’s processing and the information available to SND.

2.6 If a Contracted Business Purpose requires the direct or indirect collection of personal information from individuals on the Customer’s behalf, SND will provide a compliant notice under Applicable Data Protection Law at the time of collection.

2.7 SND may aggregate, deidentify, or anonymize personal information collected pursuant to this Agreement so it no longer meets the personal information definition, and may use such aggregated, deidentified, or anonymized data for its own research and development purposes. SND will not attempt to or actually re-identify any previously aggregated, deidentified, or anonymized data and will contractually prohibit downstream data recipients from attempting to or actually re-identifying such data.

2.8 SND will employ reasonable security measures to protect Personal Information in accordance with accepted industry standards.

3. Customer’s Obligations.

3.1 Customer will comply with the terms and conditions set forth in this Agreement.

3.2 Customer is responsible for any unauthorized creation, collection, receipt, transmission, access, storage, disposal, use, or disclosure of Personal Information that is under its control or in its possession.

3.3 Customer will comply with Applicable Data Protection Law and use only secure methods, according to accepted industry standards, when transferring or otherwise making Personal Information available to SND.

3.4 Customer will ensure that only Personal Information that is reasonably necessary and proportionate to achieve the Contracted Business Purposes is provided to SND by Customer or its Authorized Persons.

3.5 Customer will provide written notice to SND if any information Customer directly provides to SND under this Agreement contains Personal Information of end consumers of Customer’s products or services. SND will not be responsible for determining on its own that any such information that Customer directly provides to SND qualifies as Personal Information.

4. Subcontractors.  SND may use subcontractors in connection with the provision of the Contracted Business Purpose, provided that where appropriate, SND contractually obligates each subcontractor to terms at least as protective as those in this Agreement with respect to the processing of Personal Information. Notwithstanding the use of any subcontractor, SND shall remain fully liable to Customer for any failure by any of its subcontractors to fulfill its obligations under this Agreement in relation to the processing of Personal Information. For each subcontractor used, SND will provide Customer an up-to-date list disclosing the subcontractor name, contact information and type of service provided. If no objection is received within ten (10) business days of providing such updated list, SND will deem the subcontractor approved. 

A current list of subcontractors includes:

Name Contact Information Type of Service
Amazon Web Services, Inc. PO BOX 84023 
Seattle, WA 98124-8423
Cloud infrastructure hosting
Heroku, Inc. / SalesForce 415 Mission Street
Suite 300
San Francisco, CA 94105
Cloud infrastructure hosting
MongoDB 1633 Broadway
38th floor
New York, NY 10019
Cloud infrastructure hosting
Redis, Inc. 1 Market St.
Suite 300
San Francisco, CA 94105
Cloud infrastructure hosting

5. Data Breach Procedures.

5.1 SND will notify Customer of a Data Breach involving Customer’s Personal Information as soon as reasonably practicable after SND becomes aware of it.

5.2 Immediately following SND’s notification to Customer of a Data Breach, the parties will coordinate with each other, as necessary, to investigate the Data Breach. 

5.3 SND agrees that it will not inform any third party of any Data Breach without Customer’s prior consent, other than to inform a complainant that the matter has been forwarded to Customer’s attention, unless otherwise required by Applicable Data Protection Law.