Data Processing Agreement

Last Updated: January 8, 2025

Introduction

This Data Processing Agreement ("DPA") forms part of the agreement between SnapConsent ("Processor") and the Customer ("Controller") for the provision of consent management services.

This DPA reflects the parties' agreement with regard to the processing of personal data in accordance with the requirements of Data Protection Laws including GDPR and CCPA.

Definitions

Controller: The entity that determines the purposes and means of processing personal data

Processor: SnapConsent, who processes personal data on behalf of the Controller

Data Subject: An identified or identifiable natural person

Personal Data: Any information relating to a Data Subject

Processing: Any operation performed on personal data

Processing of Personal Data

Subject Matter

The processing of personal data in connection with the provision of cookie consent management services.

Duration

The duration of the processing shall be for the term of the agreement between the parties.

Nature and Purpose

Collection, recording, storage, and analysis of website visitor consent preferences for cookies and data processing.

Types of Personal Data

  • IP addresses (anonymized)
  • Consent preferences
  • Browser and device information
  • Timestamps
  • Geographic location (country/region level)

Categories of Data Subjects

Website visitors and users of Controller's websites where SnapConsent services are implemented.

Processor Obligations

SnapConsent shall:

  • Process personal data only on documented instructions from the Controller
  • Ensure persons authorized to process personal data are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Assist the Controller in responding to data subject requests
  • Delete or return all personal data at the end of the service provision
  • Make available all information necessary to demonstrate compliance
  • Immediately inform the Controller if an instruction infringes data protection laws

Security Measures

SnapConsent implements and maintains the following security measures:

  • Encryption of data in transit and at rest
  • Regular security assessments and penetration testing
  • Access controls and authentication mechanisms
  • Regular backups and disaster recovery procedures
  • Employee training on data protection
  • Incident response and breach notification procedures
  • Physical security of data centers

Sub-processors

The Controller authorizes the use of the following sub-processors:

Amazon Web Services (AWS)

Infrastructure and hosting services

Location: United States / Europe

Stripe

Payment processing (Controller data only)

Location: United States

Supabase

Database services

Location: United States / Europe

The Processor shall notify the Controller of any intended changes concerning sub-processors with 30 days' notice.

Data Breach Notification

In the event of a personal data breach, SnapConsent will:

  • Notify the Controller without undue delay and within 72 hours
  • Provide details about the nature and scope of the breach
  • Describe the likely consequences of the breach
  • Detail measures taken or proposed to address the breach
  • Cooperate fully with the Controller in investigating and remediating the breach

Data Subject Rights

SnapConsent shall assist the Controller in fulfilling data subject requests including:

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Rights related to automated decision-making

International Data Transfers

For transfers of personal data outside the EEA, SnapConsent will ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission
  • Adequacy decisions where applicable
  • Additional technical and organizational measures as required

Audits and Inspections

SnapConsent shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

Audits shall be conducted with reasonable notice and during regular business hours, minimizing disruption to SnapConsent's operations.

Liability and Indemnification

Each party shall be liable for damages caused by its processing that infringes Data Protection Laws. The Processor shall be liable for damages caused by processing only where it has not complied with obligations specifically directed to processors or where it has acted outside or contrary to lawful instructions of the Controller.

Term and Termination

This DPA shall remain in effect for the duration of the main service agreement. Upon termination, SnapConsent shall, at the choice of the Controller:

  • Return all personal data to the Controller
  • Delete all personal data and certify such deletion
  • Retain data only as required by applicable law

Contact Information

For questions regarding this Data Processing Agreement or data protection matters:

Data Protection Officer: dpo@snapconsent.com

Legal Department: legal@snapconsent.com