Data Processing Agreement
This DATA PROCESSING AGREEMENT (“DPA”) is incorporated into (a) the Services Agreement, if the Customer is using an Enterprise Subscription Plan, or (b) the Terms and Conditions available at www.snaptrude.com/terms if the Customer is using an Organisation Subscription Plan, (collectively, the “Master Agreement”), pursuant to which Snaptrude Inc. (“Snaptrude”) has agreed to provide the Customer with access to the Platform. This DPA sets out the additional terms, requirements, and conditions under which Snaptrude will process Personal Data in connection with the Platform.
In the case of conflict or ambiguity between (a) any provision contained in the body of this DPA and any provision contained in any Schedule, the provision in the body of this DPA will prevail; and (b) notwithstanding anything to the contrary in the Master Agreement, any of the provisions of this DPA and the provisions of the Master Agreement, the provisions of this DPA will prevail.
- DEFINITIONS AND INTERPRETATION
- Definitions:
- “Customer” shall mean a customer who has agreed to the Master Agreement with Snaptrude for using the Platform.
- “Data Protection Legislation” shall mean the GDPR and all other legislation and regulatory requirements in force from time to time which apply to a party with respect to the use of Personal Data.
- “Data Subject” shall mean an individual who is the subject of Personal Data.
- “EEA” means the European Economic Area.
- “Enterprise Subscription Plan” shall mean the enterprise-level Subscription Plan availed by the Customer pursuant to the Services Agreement.
- “GDPR” means the General Data Protection Regulation ((EU) 2016/679).
- “Organisation Subscription Plan” shall mean the organisation-level Subscription Plan availed by the Customer pursuant to the Terms and Conditions.
- “Personal Data” shall mean any information relating to an identified or identifiable natural person that is processed by Snaptrude in connection with the Platform pursuant to the terms of the Master Agreement.
- “Personal Data Breach” shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed on systems managed or controlled by Snaptrude.
- “Platform” shall mean Snaptrude’s platform made available to and accessed by the Customer pursuant to the Master Agreement.
- “Processing” (and the terms “processes” and “process” shall be construed accordingly) means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- “Restricted Transfer” means any transfer of Personal Data to a jurisdiction for which additional safeguards are prescribed under Data Protection Legislation.
- “Standard Contractual Clauses” or “SCCs” shall mean the European Commission’s Standard Contractual Clauses, as provided at www.snaptrude.com/standard-contractual-clauses.
- “Subscription Plan” shall collectively mean the Enterprise Subscription Plan and the Organisation Subscription Plan.
- PERSONAL DATA TYPES AND PROCESSING PURPOSES
- The parties agree that for the purpose of the Data Protection Legislation, the Customer is the controller and Snaptrude is the processor with respect to the processing of Personal Data.
- The Customer retains control of the Personal Data and remains responsible for compliance with its obligations under the Data Protection Legislation. In this regard, the Customer warrants that all Personal Data provided to or otherwise accessed by Snaptrude under this DPA or the Master Agreement shall comply in all respects, including in terms of its collection, storage, and processing (including providing any required notices and obtaining any required consents), with the Data Protection Legislation.
- SNAPTRUDE'S OBLIGATIONS
- Snaptrude shall only process Personal Data with the Customer’s documented instructions as detailed in Schedule A or as otherwise agreed upon between the parties in writing from time to time, and to the extent necessary for the provision of the Platform. Snaptrude will not process the Personal Data and will notify the Customer if, in its opinion, the Customer’s instructions do not comply with the Data Protection Legislation.
- Snaptrude’s Personnel: Snaptrude will ensure that the personnel it authorises to process Personal Data are informed of the confidential nature of the Personal Data and bound by confidentiality obligations in respect of the Personal Data. Access to Personal Data shall be on a need-to-know basis and necessary for the performance of the Master Agreement.
- Snaptrude will extend reasonable assistance to the Customer to meet the Customer’s compliance obligations under the Data Protection Legislation, including in relation to Data Subject rights, data protection impact assessments, and reporting to and consulting with supervisory authorities under the Data Protection Legislation.
- SECURITY
- The Customer acknowledges that in respect of the Personal Data processed, Snaptrude implements appropriate technical and organisational measures detailed in Schedule B to ensure a level of security appropriate to the risk of processing.
- PERSONAL DATA BREACH
- Snaptrude shall, within 48 (Forty Eight) hours, notify the Customer if it becomes aware of any Personal Data Breach.
- The Customer shall, at all times, remain solely responsible under the Data Protection Legislation for reporting Personal Data Breaches to supervisory authorities or Data Subjects, as the case may be.
- The parties will coordinate with each other to investigate any Personal Data Breach. Where necessary, Snaptrude shall use reasonable efforts to provide further information on the Personal Data Breach to the Customer.
- CROSS-BORDER TRANSFERS OF PERSONAL DATA
- The Customer authorises Snaptrude to transfer and process Personal Data outside the EEA solely for the purposes of providing the Platform.
- Where such cross-border transfers occur, Snaptrude may only process, or permit the processing, of the Personal Data outside the EEA under the following conditions:
- Personal Data is transferred to a territory which is deemed to provide an adequate level of protection for the privacy rights of individuals under Data Protection Legislation; or
- if Snaptrude undertakes a Restricted Transfer, the parties shall enter into Standard Contractual Clauses to the extent required by Data Protection Legislation or carry out such other obligations as specified under Data Protection Legislation. The Standard Contractual Clauses apply, and are incorporated by reference into this DPA, where there is a Restricted Transfer.
- If the Customer consents to appointment by Snaptrude of a Sub-processor located outside the EEA in compliance with the provisions of Clause 7, then the Customer authorises Snaptrude to enter into SCCs with the Sub-processor in the Customer’s name and on its behalf.
- SUB-PROCESSORS
- The Customer authorises Snaptrude to appoint third parties to meet obligations under this DPA and the Master Agreement (these third parties are referred to as “Sub-processors”). A list of Sub-processors is provided under Schedule A.
- Snaptrude may at any time appoint a new Sub-processor or replace a Sub-processor on this list, provided that the Customer is given 10 (Ten) working days’ prior written notice and the Customer does not object to such changes within that timeframe. If the Customer objects, Snaptrude shall use reasonable efforts to make available a change in the services rendered by such Sub-processor. If Snaptrude is unable to make available such a change within a reasonable period of time, it may, by providing written notice to the Customer, terminate the DPA or the part of the services which cannot be provided without the use of the objected-to Sub-processor.
- Snaptrude shall enter into written agreements with each Sub-processor, containing data protection obligations that provide a similar level of protection for Personal Data as those covered in this DPA, to the extent applicable with respect to the nature of services provided by such Sub-processor.
- TERM AND TERMINATION
- This DPA will remain in full force and effect so long as:
- the Master Agreement remains in effect; or
- Snaptrude retains any Personal Data related to the Master Agreement in its possession or control (“Term”).
- Termination or expiry of the DPA does not affect the survival of any provisions that are expressly or by implication intended to survive termination or expiry.
- If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its Master Agreement obligations, the parties will suspend the processing of Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Personal Data Processing into compliance with the Data Protection Legislation, they may amend the scope of or otherwise terminate the Master Agreement on written notice to the other party.
- DATA RETURN AND DESTRUCTION
- At the Customer’s request, Snaptrude will provide the Customer with a copy of or access to all or part of the Personal Data in its possession or control.
- On expiry or termination of the Master Agreement and upon the Customer’s request, Snaptrude will delete or destroy, to the extent technically possible, or, if directed in writing by the Customer, return and not retain, all or any Personal Data related to this DPA in its possession or control; provided, however, that this Clause shall not apply to any obligations of Snaptrude to retain any information, documents, or materials in accordance with applicable laws.
- AUDIT
- During the Term, Snaptrude will, in accordance with the Data Protection Legislation, provide the Customer with such information that is reasonably necessary to demonstrate Snaptrude’s compliance with its obligations under Article 28 of the GDPR, and allow the Customer to audit such information, subject to the following:
- the Customer shall provide Snaptrude with at least 30 (Thirty) days’ prior written notice of information requests or audits;
- the Customer and its authorised personnel shall undertake confidentiality obligations in a form and manner acceptable to Snaptrude prior to such audit or their receipt of information; and
- the Customer shall reimburse Snaptrude for any costs that it incurs to give effect to or enable the Customer’s rights under this Clause.
- MISCELLANEOUS
- Any notice or other communication given to a party under or in connection with this DPA must be in accordance with the provisions of the Master Agreement.
- This DPA shall be governed by the governing law and dispute resolution provisions of the Master Agreement.
SCHEDULE A
PERSONAL DATA PROCESSING INDEX
- Subject Matter of Processing: Snaptrude’s provision of the Platform.
- Duration of Processing: Subject to this DPA, Snaptrude shall process Personal Data for the duration of the Subscription Plan.
- Nature of Processing: Snaptrude processes Personal Data on the instructions of the Customer for the purposes of providing access to the Platform.
- Purpose: Snaptrude processes Personal Data to comply with the Customer’s instructions and to provide access to the Platform.
- Personal Data Categories: Profile data, contact data, transaction data, usage data and technical data.
- Data Subject Types: Authorised personnel of the Customer who are permitted to access and use the Platform in accordance with the Master Agreement.
LIST OF SUB-PROCESSORS:
SCHEDULE B
SECURITY MEASURES
Snaptrude implements and maintains the security measures in this Schedule B. Snaptrude may update these measures from time to time, provided that any update does not materially decrease the overall security of the Services.
1. Security Program and Governance
Snaptrude maintains an information security program with documented policies and procedures covering access control, secure development, vulnerability management, incident response, business continuity, and vendor management. Security controls are reviewed and improved periodically based on risk and operational changes.
2. Physical and Environmental Security
Production data is hosted in physically secure third‑party data centers operated by AWS; Snaptrude does not operate its own production data‑center hardware. Physical access to cloud infrastructure is controlled by the cloud providers and restricted to authorized personnel. Snaptrude corporate offices use controlled entry, visitor management, and secure disposal practices.
3. Access Control and Data Isolation
Access is governed by centralized authentication, role‑based access control (RBAC), and least privilege. MFA is required for administrative and production access, including cloud consoles and critical SaaS tools; shared administrative accounts are not permitted. Access is provisioned/deprovisioned through documented approval workflows, logged, and periodically reviewed. Customer data is logically segregated in a multi‑tenant architecture at the application and database layers; workspace/project permissions restrict customer user access. Snaptrude personnel access to production data is limited to authorized support, troubleshooting, or security purposes, with documented justification and logging. Enterprise options may include SSO and SCIM where enabled by the customer.
4. Network and Transmission Security
Snaptrude uses layered network controls such as private subnets, deny‑by‑default security groups, segmentation, and WAF protections for internet‑facing services. Data in transit is encrypted using TLS 1.2+ (HTTPS enforced for user access; TLS for service‑to‑service communications). APIs use authentication (e.g., tokens), encryption, and rate limiting to reduce unauthorized access and abuse.
5. Secure Development, Testing, and Vulnerability Management
Snaptrude follows secure coding practices aligned with industry standards (including OWASP guidance). Code changes require peer review and protected branches prior to deployment. Security testing is integrated into CI/CD (e.g., static analysis on pull requests and dynamic testing in non‑production environments as applicable). Snaptrude maintains vulnerability scanning and periodic third‑party penetration testing; material findings are tracked to remediation and retested as appropriate. Production changes follow documented change management with testing, approvals, and rollback capability; security‑sensitive changes receive additional review. Application inputs are validated to mitigate injection and XSS risks (e.g., parameterized queries and output encoding).
6. Backups, Business Continuity, and Disaster Recovery
Snaptrude performs automated backups of production data. Backups are encrypted and are access-restricted to authorized personnel. Backup integrity is tested periodically. Snaptrude maintains business continuity/disaster recovery documentation, including recovery objectives, and tests plans periodically.
7. Encryption at Rest, Key Management, and Disposal
Customer data is encrypted at rest on supported cloud storage and database services using AES‑256 or equivalent encryption. Encryption keys are managed using AWS KMS, including secure generation, storage, rotation, and access controls; keys are protected using HSMs where supported. When storage media is decommissioned, Snaptrude follows secure destruction processes consistent with applicable cloud‑provider guidelines.
8. Monitoring, Incident Response, and Personnel/Third‑Party Security
Security monitoring (e.g., log aggregation/analysis and anomaly detection) supports detection and investigation of suspicious activity. Snaptrude maintains an incident response plan covering preparation, detection, analysis, containment, eradication, recovery, and post‑incident review; customers are notified of applicable security incidents in accordance with legal and contractual obligations. Company‑managed endpoints used for sensitive access must use full‑disk encryption, automatic screen lock, OS auto‑updates, and EDR controls. Personnel are subject to background checks to the extent permitted by law, confidentiality obligations, and security training at onboarding and at least annually thereafter. Vendors and subprocessors are assessed on a risk‑based schedule and are subject to contractual security and confidentiality requirements.
Last Updated: Feb 17, 2026