Version: 1.0
Last Updated: January 15, 2026
Effective Date: January 15, 2026
PARTIES
This Data Processing Agreement ("DPA") is entered into between:
Data Controller ("Customer"):
The entity that has agreed to SnowCoder's Terms of Service and is identified in the account registration.
Data Processor ("SnowCoder," "Processor," "we," "us"):
SnowCoder, the provider of the Services.
This DPA supplements and forms part of the Terms of Service ("Agreement") between Customer and SnowCoder.
1. DEFINITIONS
1.1 "Applicable Data Protection Laws" means all laws and regulations applicable to the processing of Personal Data under this DPA, including:
- The General Data Protection Regulation (EU) 2016/679 ("GDPR")
- The UK General Data Protection Regulation and Data Protection Act 2018 ("UK GDPR")
- The California Consumer Privacy Act as amended ("CCPA")
- The Lei Geral de Proteção de Dados ("LGPD")
- Other applicable privacy and data protection laws
1.2 "Controller" means the entity that determines the purposes and means of the processing of Personal Data.
1.3 "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
1.4 "Personal Data" means any information relating to an identified or identifiable natural person.
1.5 "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
1.6 "Processor" means an entity that processes Personal Data on behalf of the Controller.
1.7 "Security Incident" means any unauthorized access to, or acquisition, use, or disclosure of Personal Data.
1.8 "Services" means the SnowCoder platform and related services provided under the Agreement.
1.9 "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
1.10 "Standard Contractual Clauses" ("SCCs") means the standard contractual clauses for international data transfers approved by the European Commission.
2. SCOPE AND APPLICATION
2.1 Scope
This DPA applies to the processing of Personal Data by SnowCoder on behalf of Customer in connection with the Services.
2.2 Roles
- Customer acts as Controller of Personal Data uploaded to or processed by the Services
- SnowCoder acts as Processor when processing Personal Data on Customer's behalf
- SnowCoder may also act as Controller for certain operational data (e.g., account management)
2.3 Duration
This DPA remains in effect for as long as SnowCoder processes Personal Data on Customer's behalf.
3. CUSTOMER OBLIGATIONS
3.1 Lawful Processing
Customer warrants that:
- It has a lawful basis for processing Personal Data through the Services
- It has obtained all necessary consents or authorizations
- Its processing instructions comply with Applicable Data Protection Laws
- It has provided appropriate privacy notices to Data Subjects
3.2 Data Minimization
Customer agrees to:
- Only submit Personal Data necessary for the intended purpose
- Avoid submitting sensitive or special category data unless necessary
- Implement appropriate access controls within its organization
- Respond to Data Subject requests promptly
3.3 Instructions
Customer's instructions for data processing are documented in:
- This DPA
- The Terms of Service
- The Privacy Policy
- Documented requests through support channels
4. SNOWCODER OBLIGATIONS
4.1 Processing Limitations
SnowCoder shall:
- Process Personal Data only on Customer's documented instructions
- Not process Personal Data for any purpose other than providing the Services
- Not sell, rent, or disclose Personal Data except as permitted by this DPA
- Inform Customer if legal requirements prevent compliance with instructions
4.2 Confidentiality
SnowCoder shall:
- Ensure personnel processing Personal Data are bound by confidentiality obligations
- Limit access to Personal Data to personnel who need it
- Maintain appropriate access controls and authentication
4.3 Security Measures
SnowCoder implements appropriate technical and organizational measures including:
Encryption:
- Data at rest: AES-256-GCM encryption
- Data in transit: TLS 1.3 minimum
- Key management through AWS SSM Parameter Store
Access Control:
- Role-based access control (RBAC)
- Multi-factor authentication for administrative access
- Principle of least privilege
Network Security:
- VPC with private subnets
- Web Application Firewall (WAF)
- DDoS protection
Monitoring:
- Security event logging
- Intrusion detection
- Regular security assessments
See our Security Assurance Pack for detailed security controls.
4.4 Sub-processors
Current Sub-processors:
| Sub-processor | Location | Purpose | Data Processed |
|---|---|---|---|
| Amazon Web Services | EU/US | Infrastructure hosting | All customer data |
| Anthropic | US | AI model provider | Prompts, conversations |
| Cloudflare | Global | CDN, security | IP addresses, requests |
| Stripe | US | Payment processing | Billing information |
| SendGrid | US | Email delivery | Email addresses |
Sub-processor Management:
- Customer authorizes the current list of Sub-processors
- SnowCoder will notify Customer of new Sub-processors via email
- Customer has 30 days to object to new Sub-processors
- If Customer objects and no resolution is reached, Customer may terminate
4.5 Data Subject Rights
SnowCoder shall assist Customer in responding to Data Subject requests for:
- Access to Personal Data
- Rectification of inaccurate data
- Erasure of Personal Data
- Restriction of processing
- Data portability
- Objection to processing
Process:
- Data Subject contacts Customer
- Customer submits request to SnowCoder via [email protected]
- SnowCoder responds within 10 business days
- Additional time may be required for complex requests
4.6 Data Protection Impact Assessments
SnowCoder shall provide reasonable assistance to Customer for:
- Data Protection Impact Assessments (DPIAs)
- Prior consultations with supervisory authorities
- Providing information about processing activities
5. SECURITY INCIDENTS
5.1 Notification
In the event of a Security Incident affecting Customer's Personal Data, SnowCoder shall:
- Notify Customer without undue delay (within 72 hours of becoming aware)
- Provide information about the nature and scope of the incident
- Describe measures taken or proposed to address the incident
- Designate a contact point for further information
5.2 Incident Response
SnowCoder shall:
- Take immediate steps to contain and mitigate the incident
- Investigate the root cause
- Implement measures to prevent recurrence
- Cooperate with Customer's incident response
- Assist Customer with regulatory notifications as required
5.3 Notification Content
Incident notifications will include (to the extent known):
- Nature of the incident
- Categories and approximate number of Data Subjects affected
- Categories and approximate number of records affected
- Likely consequences of the incident
- Measures taken or proposed to address the incident
6. INTERNATIONAL DATA TRANSFERS
6.1 Transfer Mechanisms
Personal Data may be transferred outside the European Economic Area (EEA) to:
- Countries with EU adequacy decisions
- Recipients covered by Standard Contractual Clauses
- Recipients certified under approved frameworks
6.2 Standard Contractual Clauses
For transfers to third countries without adequacy decisions:
- The EU SCCs (Module Two: Controller to Processor) are incorporated by reference
- Customer acts as "data exporter"
- SnowCoder acts as "data importer"
SCC Options Selected:
- Clause 7 (Docking Clause): Included
- Clause 9 (Use of Sub-processors): Option 2 (General written authorization)
- Clause 11 (Redress): Option not included
- Clause 17 (Governing Law): Laws of Ireland
- Clause 18 (Choice of Forum): Courts of Ireland
6.3 UK Transfers
For transfers from the UK:
- The UK International Data Transfer Addendum is incorporated
- Where the EU SCCs apply, they are modified per the UK Addendum
6.4 Supplementary Measures
SnowCoder implements supplementary technical and organizational measures:
- Encryption in transit and at rest
- Access controls and authentication
- Security monitoring and logging
- Data minimization practices
7. AUDITS AND COMPLIANCE
7.1 Audit Rights
Customer has the right to:
- Request compliance documentation
- Review security certifications and reports
- Request third-party audit reports
- Conduct audits with reasonable notice (30 days)
7.2 Audit Process
Documentation Audits:
- Available upon request via [email protected]
- Response within 15 business days
- No additional charge
On-site Audits:
- Maximum one per year (unless incident occurs)
- 30 days' advance notice required
- Customer bears audit costs
- Confidentiality agreement required
- Must not interfere with operations
7.3 Certifications
SnowCoder maintains:
- SOC 2 Type II (planned)
- Security Assurance Pack documentation
- Regular third-party penetration testing
- Vulnerability assessments
8. DATA RETENTION AND DELETION
8.1 Retention
SnowCoder retains Personal Data:
- For the duration of the Agreement
- As necessary to provide the Services
- As required by applicable law
8.2 Deletion Upon Termination
Upon termination of the Agreement:
- Customer data is deleted within 30 days
- Backup copies are deleted within 90 days
- Customer may request data export before termination
- Retention may continue where required by law
8.3 Return of Data
Upon request, SnowCoder will provide:
- Export of Customer data in standard format (JSON/CSV)
- Reasonable assistance with data migration
- Confirmation of deletion upon completion
9. LIABILITY
9.1 Limitations
Liability under this DPA is subject to the limitations in the Terms of Service, except where Applicable Data Protection Laws prohibit such limitations.
9.2 Indemnification
Each party shall indemnify the other for damages arising from:
- Breach of this DPA
- Non-compliance with Applicable Data Protection Laws
- Processing outside the scope of instructions (for Processor)
10. GENERAL PROVISIONS
10.1 Conflict
In case of conflict between this DPA and the Agreement:
- This DPA prevails for data protection matters
- The Agreement prevails for other matters
10.2 Amendments
This DPA may be amended:
- In writing signed by both parties
- By SnowCoder with 30 days' notice for regulatory compliance
10.3 Severability
If any provision is found invalid, the remaining provisions continue in effect.
10.4 Governing Law
This DPA is governed by:
- The laws specified in the Agreement
- The laws referenced in the SCCs for international transfers
11. ANNEXES
Annex I: Processing Details
A. List of Parties
Data Exporter: Customer (as identified in account registration)
- Activities: ServiceNow development using AI-assisted code generation
- Role: Controller
Data Importer: SnowCoder
- Activities: Providing AI-powered code generation services
- Role: Processor
B. Description of Processing
| Element | Description |
|---|---|
| Categories of Data Subjects | Customer's employees, contractors, end users |
| Categories of Personal Data | Names, email addresses, user identifiers, usage data, ServiceNow credentials (encrypted) |
| Sensitive Data | None routinely processed; Customer may submit at own risk |
| Frequency of Transfer | Continuous during service usage |
| Nature of Processing | Collection, storage, organization, retrieval, use, transmission, deletion |
| Purpose | Providing AI-powered code generation for ServiceNow development |
| Retention Period | Duration of Agreement + 30 days |
C. Competent Supervisory Authority
The supervisory authority of the EU Member State where the data exporter is established, or if not established in the EU, the Irish Data Protection Commission.
Annex II: Technical and Organizational Measures
See Security Assurance Pack for detailed technical and organizational measures.
Summary:
- Encryption: AES-256-GCM at rest, TLS 1.3 in transit
- Access Control: RBAC, MFA, least privilege
- Network Security: VPC, WAF, DDoS protection
- Monitoring: Audit logging, intrusion detection
- Incident Response: Documented procedures, 72-hour notification
- Business Continuity: Multi-AZ deployment, automated backups
- Personnel: Confidentiality agreements, security training
Annex III: Sub-processors
Current list maintained at: https://snowcoder.ai/legal/sub-processors
12. CONTACT
Data Protection Inquiries:
- Email: [email protected]
- Response time: 10 business days
Data Protection Officer (EU):
Security Incidents:
Registered Address:
Kumoco Limited (trading as SnowCoder)
180 Strand
London, WC2R 1EA
United Kingdom
Document Status: Production Ready
Classification: Customer-Facing (Enterprise)
Review Cycle: Annual