Data Processing Addendum

This Snovio Data Processing Addendum (hereinafter ‘DPA’) supplements the Snovio Terms and Conditions (hereinafter ‘Terms’), the agreement between you (hereinafter ‘User’ ‘Customer’, ‘you’, ‘your’) and Snovio Inc. (hereinafter ‘Company’, ‘Snov.io’, ‘Snovio’, ‘we’, ‘us’ or ‘our’) which is governing the processing of personal data that you upload or otherwise provide Snovio in connection with the Services or of any personal data that Snovio obtains in connection with the performance of the Services, hereinafter referred to individually as a ‘Party’ or together as the ‘Parties’.

Unless otherwise defined in this DPA, all capitalised terms used in this DPA will have the meanings set forth in Snovio’s Terms and Conditions. This DPA shall remain in force until the termination of the Terms between you and us governing your use of the Services.

“Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, the United Kingdom, the United States and its states, Brazil, applicable to the processing of personal data under the Terms as amended from time to time, such as GDPR, UK Data Protection Laws, or other applicable laws and regulations.

“General Data Protection Regulation (GDPR)” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

“UK Data Protection Laws” means the Data Protection Act 2018 and the UK GDPR (retained version of the EU GDPR).

“EU Standard Contractual Clauses (EU SCCs)” means Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj.

“UK Addendum” means International Data Transfer Addendum to the EU Standard Contractual Clauses that has been issued by the Information Commissioner for Parties making Restricted Transfers in the meaning of the UK Data Protection Laws, as currently set out at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.

“controller”, “processor”, “data subject”, “personal data”, “processing” have the meanings given in Data Protection Laws and Regulations.

“Customer Data” means personal data that you upload or otherwise provide Snovio in connection with the Services or of any personal data that Snovio obtains in connection with the performance of the Services.

“Sub-processor” means any entity which provides processing services to Snovio in furtherance of Snovio’s processing on behalf of Customer.

“Public Authority” means a government agency or law enforcement authority, including judicial authorities.

“Supervisory Authority” means an independent public authority to be responsible for monitoring the application of the data protection legislation.

Where Snovio processes Customer Data on your behalf in connection with Services, you acknowledge and agree that with regard to the processing of Customer Data, you are a controller or processor and we are a processor or sub-processor (as defined by the Applicable Data Protection Law) acting on your behalf. A description of such processing is set out in Schedule 1 of this DPA. This DPA shall apply accordingly to established roles and not apply to situations where we act as a controller in accordance with Snovio’s Privacy Policy.

The Parties agree that this DPA and the Terms (including the provision of instructions via browser extensions) constitute your complete and final documented instructions regarding our processing of Customer Data on your behalf (hereinafter ‘Instructions’). Any additional or alternate instructions must be consistent with the terms and conditions of this DPA and the Terms.

The processing of Customer Data on your behalf in connection with Services is described in Schedule 1 of this DPA. We reserve the right to update the description of processing from time to time to reflect new functionality which is part of the Services.

Within the scope of the DPA and Terms and your use of the Services, including our integration with HubSpot and/or Pipedrive, you will be solely responsible for complying with all requirements that apply to you under the Data Protection Laws and Regulations. You represent and warrant that you will be solely responsible for:

(i) the accuracy, quality, integrity, confidentiality and security of collected Customer Data;

(ii) complying with all necessary transparency, lawfulness, fairness and other requirements under Data Protection Laws and Regulations for the collection and use of the personal data by: establishing and maintaining the procedure for the exercise of the rights of the data subjects whose personal data are processed on behalf of Customer; providing us only with data that has been lawfully and validly obtained and ensuring that such data will be relevant and proportionate to the respective uses; ensuring compliance with the provisions of this DPA and Terms by your personnel or by any third-party accessing or using Customer Data on your behalf; and

(iii) ensuring that your Instructions to us regarding the processing of Customer Data comply with the Data Protection Laws and Regulations, including complying with principles of data minimisation, purpose and storage limitation.

6.1. General Obligations

With regard to the processing of Customer Data we shall:

(i) process Customer Data using appropriate technical and organisational security measures, and in compliance with the Instructions received from Customer subject to Section 3 of this DPA;

(ii) inform Customer if, in our opinion, a Customer’s Instructions may be in violation of the provisions of the Data Protection Laws and Regulations;

(iii) follow Customer’s instructions regarding the collection of Customer Data, in case we are obtaining Customer Data from data subjects on behalf of Customer under Terms;

(iv) take reasonable steps to ensure that any employee/contractor to whom we authorise access to Customer Data on our behalf comply with respective provisions of the Terms and this DPA.

6.2. Notices to Customer

Upon becoming aware, we shall inform you of any legally binding request for disclosure of Customer Data by a Public Authority, unless we are otherwise forbidden by law to inform Customer, for instance, to preserve the confidentiality of investigation by a Public Authority. We will inform the Customer if it becomes aware of any notice, inquiry, or investigation by a Supervisory Authority with respect to the processing of Customer Data under this DPA conducted between you and us.

6.3. Security measures

We shall implement and maintain appropriate technical and organisational measures to protect Customer Data from personal data breaches (hereinafter ‘Security Incidents’), in accordance with our security standards set out in Schedule 2 of this DPA. You acknowledge that security measures are subject to technical progress so that we may modify or update Schedule 2 of this DPA at our sole discretion provided that such modification or update does not result in a material degradation in the security measures offered by Schedule 2 of this DPA.

6.4. Security Incident

Upon becoming aware of a Security Incident, we shall:

(i) notify you without undue delay after we become aware of the Security Incident;

(ii) provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by you; and

(iii) promptly take reasonable steps to contain and investigate any Security Incident so that you can notify competent authorities and/or affected Data Subjects of the Security Incident. Our notification of or response to a Security Incident shall not be construed as an acknowledgement by us of any fault or liability regarding the Security Incident.

6.5. Confidentiality

We will not access or use, or disclose to any third party, any Customer Data, except, in each case, as necessary to maintain or provide the Services, or as necessary to comply with contractual and legal obligations or binding order of a public body (such as a subpoena or court order). We shall ensure that any employee/contractor whom we authorize to access Customer Data on our behalf is subject to appropriate confidentiality contractual or statutory duty obligations with respect to Customer Data.

6.6. Return or deletion of Customer Data

Upon termination or expiration of the Terms concluded between you and us, we shall delete all Customer Data in our possession or control; except that this requirement shall not apply to the extent, we are required by applicable law or respective contractual obligations to retain some or all of the Customer Data.

6.7. Reasonable Assistance

We agree to provide reasonable assistance to Customer regarding:

(i) any request from a data subject in respect of access to or the rectification, erasure, restriction, portability, blocking or deletion of Customer Data that we process on behalf of Customer. In the event that a data subject sends such a request directly to us, Section 7 of this DPA shall apply;

(ii) the investigation of Security Incident and communication of necessary notifications regarding such Security Incidents subject to Section 6.4 of this DPA;

(iii) preparation of data protection impact assessments and, where necessary, consultation of Customer with the Supervisory Authority under Articles 35 and 36 of the GDPR.

6.8. Audit and Certification

If a Supervisory Authority requires an audit of the data processing facilities from which we process Customer Data to ascertain or monitor Customer's compliance with Data Protection Laws and Regulations, we will cooperate with such audit. The Customer is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time we expend for any such audit, in addition to the rates for services performed by us.

Customer may, prior to the commencement of processing, and at regular intervals, thereafter, audit the technical and organisational measures taken by us. If Customer is the controller with respect to the personal data processed by us on its behalf, upon reasonable and timely advance agreement, during regular business hours and without interruption to our business operations, we may provide Customer with all information necessary to demonstrate compliance with its obligations laid down in the Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer with respect to such processing.

We shall, upon Customer’s written request and within a reasonable period, provide Customer with all information necessary for such audit, to the extent that such information is within our control and we are not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party.

In the event that a data subject contacts us with regard to the exercise of their rights under Data Protection Laws and Regulations (in particular, requests for access to, rectification or deletion of Customer Data), we will use all reasonable efforts to forward such requests to you. If we are legally required to respond to such a request, we shall immediately notify you and provide you with a copy of the request unless we are legally prohibited from doing so.

You agree that we may engage Sub-processors to assist in fulfilling our obligations with respect to the provision of the Services under the Terms. Agreed list of Sub-processors are set out in Schedule 3 of this DPA.

9.1. General

Parties agree that when the processing of Customer Data on behalf of Customer in connection with Services constitutes a transfer under Data Protection Laws and Regulations and appropriate safeguards are required, such processing will be subject to the Standard Contractual Clauses and/or UK Addendum which are deemed to incorporated into and form part of this DPA as further described in subsections 9.2 and 9.3 of this DPA. If and to the extent the EU SCCs and/or UK Addendum, as applicable, conflict with any provision of the DPA, the EU SCCs and UK Addendum shall prevail to the extent of such conflict

9.2. Transfers under GDPR

When the processing of Customer Data on behalf of Customer in connection with Services constitutes a “transfer” under GDPR, Standard Contractual Clauses shall apply. When you are a controller and we are a processor, Module Two of the EU SCCs shall apply, and when you are a processor and we are a sub-processor, Module Three of the EU SCCs shall apply.

For the purpose of the EU SCCs, we are a “data importer” and you are a “data exporter”. The relevant provisions contained in the EU SCCs are incorporated by reference and are an integral part of this DPA. Clauses and annexes of the EU SCCs deemed to be completed as follows:

(i) in Clause 7, the optional docking clause shall not apply;

(ii) in Clause 9, Option 2 (General written authorisation) shall apply. For the purpose of Clause 9(a), the time period for informing of data exporter shall be 10 days;

(iii) in Clause 11, the optional provision shall not apply;

(iv) in Clause 13, a particular option shall apply depending on the specific case;

(v) in Clause 17, Option 1 shall apply. The EU SCCs shall be governed by the law of the Federal Republic of Germany;

(vi) in Clause 18(b), disputes shall be resolved by the courts of the Federal Republic of Germany;

(vii) Annex I of the EU SCCs is deemed completed with the information set out in Schedule 1 of this DPA;

(viii) Annex II of the EU SCCs is deemed completed with the information set out in Schedule 2 of this DPA.

9.3. Transfers under UK Data Protection Laws

When the processing of Customer Data on behalf of Customer in connection with Services constitutes a “restricted transfer” under UK Data Protection Laws, UK Addendum shall apply. When you are a controller and we are a processor, Module Two of the EU SCCs shall apply, and when you are a processor and we are a sub-processor, Module Three of the EU SCCs shall apply, as completed in subsection 9.2 of this DPA.

For the purpose of the UK Addendum, we are an “Importer” and you are a “Exporter”. The relevant provisions contained in the UK Addendum are incorporated by reference and are an integral part of this DPA. Tables in the UK Addendum deemed to be completed as follows:

(i) Table 1 in Part 1 is deemed completed with information set out in Schedule 1 of this DPA, and official registration number of Importer is 6896854 and official registration number of Exporter is contained in the Customer’s account, if any;

(ii) Table 2 in Part 1 is deemed completed accordingly with information set out in subsection 9.2 of this DPA;

(iii) Table 3 in Part 1 is deemed completed with information set out in Schedules 1, 2 and 3 of this DPA;

(iv) in Table 4 in Part 1, neither party may end this Addendum as set out in Section 19 of the UK Addendum.

SCHEDULE 1 - DESCRIPTION OF PROCESSING

A. LIST OF PARTIES

Name: You, «Customer», «User»

Address: the relevant information is contained in the Customer’s account.

Contact person’s name, position and contact details: the relevant information is contained in the Customer’s account.

• Activities relevant to the data transferred under these Clauses: provision of Snovio Inc.’s services (e.g., CRM, verification, integration of information with other services)

Signature and date: By entering into the Terms, data exporter is deemed to have signed the EU SCCs incorporated herein, including their Annexes, as of the effective date of the Terms.

Role: controller

Name: Snovio Inc.

Address: 220 East 23rd Street, №401, New York, NY, USA 10010

Contact person’s name, position and contact details: the Director Eugene Medvednikov, admin@snov.io

Activities relevant to the data transferred under these Clauses: provision of Snovio Inc.’s services (e.g., CRM, verification, integration of information with other services).

Signature and date: By entering into the Terms, data importer is deemed to have signed the EU SCCs incorporated herein, including their Annexes, as of the effective date of the Terms.

Role: processor

B. DESCRIPTION OF TRANSFER

1. Categories of data subjects whose personal data is transferred:

• Users’ customers;
• Users’ prospects;
• Other third parties.

2. Categories of personal data transferred:

• personal data of prospects that can include the following information:
• email address;
• first name;
• last name;
• corporate email;
• location (not precise);
• industry;
• current and previous position;
• place of work;
• links to social media;
• сlient’s notes about a particular prospect;
• personal data provided to us within the Snovio CRM service, including information used in ‘Deals’ and ‘Tasks’ features of CRM;
• business information such as company name, location, website, HQ phone, year of foundation, industry, company size, and company social media that may include personal data;
• synchronized data provided by the Customer during the integration of their HubSpot and/or Pipedrive account with the data importer’s platform.
• any other personal data, which is uploaded to the data importer’s platform by the data exporter.

3. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved:

The data importer does not obtain access to the special categories of data (sensitive data).

4. The frequency of the transfer:

The personal data is transferred on a continuous basis.

5. Nature of the processing:

Personal data processing consists of the following: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, alignment or combination, restriction, erasure or destruction.

6. Purpose(s) of the data transfer and further processing:

The purpose of the data processing under these Clauses is the performance of the services for data exporter by the data importer under the Terms concluded between the data importer and the data exporter.

7. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

The personal data shall be stored for the duration of this DPA concluded between the data importer and the data exporter, unless otherwise agreed in writing or the data importer is required by applicable law to retain some or all of the transferred personal data.

8. For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

subject matter: the performance of services

nature: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, alignment or combination, restriction, erasure or destruction.

duration: the performance of the services for data importer by the (sub-) processor under the service agreement concluded between the data importer and (sub-) processor.

C. COMPETENT SUPERVISORY AUTHORITY

In accordance with Clause 13, competent supervisory authority under these Clauses is determined depending on what version of Clause 13(a) applies to the data exporter.

SCHEDULE 2 - TECHNICAL AND ORGANISATIONAL MEASURES

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organisational measures implemented by the data importer(s) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons:

• The data importer is committed to preserving the confidentiality, integrity, availability and resilience of all the personal data in question throughout the data importer processing activities and ensuring that personal data are protected against loss and destruction by implementing appropriate internal information security policies and procedures.
• The data importer has adopted data encryption and anonymisation and pseudonymisation policies that are designed to protect the privacy of data subjects by ensuring the security of personal data processing.
• The data importer has implemented measures designed to ensure that personal data, in the event of a physical or technical incident, may be restored in a timely manner.
• The data importer maintains a regular schedule of operating system and software updates to its equipment and other devices. Also, all servers of the data importer are protected by firewalls that are maintained and supplied with updates and patches.
• The data importer has implemented measures designed to deny unauthorised persons access to processing equipment used for processing of personal data and prevent the use of automated processing systems by unauthorised persons. All data importer’s staff members have a randomly generated password in accordance with data importer’s password policy. The personal data is subject to a strictly need-to-know principle of access and can be displayed to the authorised users only.
• The data importer has implemented measures designed to ensure that the confidentiality and integrity of personal data are protected during transfers of personal data.
• The data importer has implemented measures designed to prevent the unauthorised input of personal data and the unauthorised inspection, modification or deletion of stored personal data.
• The data importer has implemented the following measures for ensuring physical security of locations at which personal data are processed:
• all staff members must work only using the data importer’s equipment;
• equipment is accounted for and has an identified owner;
• anytime when staff member stops performing its work, they must block access to their equipment;
• the data importer has a security alarm system;
• access to the data importer’s facilities is strictly regulated;
• the data importer has adopted the clear desk and clear screen and brought your own device policies.
• The data importer has implemented measures designed to ensure that it is subsequently possible to verify and establish which personal data have been input into automated processing systems and when and by whom the personal data were input.
• The data importer’s staff shall comply with data importer’s internal information security policies, procedures and other applicable documents. It is required to read the current version of such documents to any staff member before undertaking any of their responsibilities regarding personal data processing. All staff members shall receive appropriate security training or instructions concerning processing of personal data.
• The data importer always checks whether its hosting providers are SOC 2 certified in order to ensure the hosting provider securely manages personal data. In addition, the data importer engages an independent security code auditor who conducts source code review to discover if there are any potential security weaknesses, bugs, exploits or violations of programming standards.
• The data importer has adopted information security policies, procedures and other documents for ensuring the fulfillment of data minimization, data quality, limited data retention and accountability principles and ensuring system configuration.
• The data importer has implemented a user data detection policy that ensures that data subjects can enjoy their rights under the GDPR, including right to erasure for deletion of their accounts and related personal data.

SCHEDULE 3 - SUB-PROCESSORS

The controller has authorised the use of the following sub-processors:

Name: Amazon.com, Inc.

Address: 410 Terry Avenue North, Seattle, WA 98109-5210, ATTN: AWS Legal

Contact person’s name, position and contact details: https://console.aws.amazon.com/support/home

Description of processing: storage of personal data on the servers of Amazon.com, Inc.