Data Sharing Agreement

Valid from: 30 November 2021

ARBITRATION NOTICE: YOU ARE BOUND BY THE ARBITRATION PROVISION SET FORTH IN THE BUSINESS SERVICES TERMS. IF YOU ARE CONTRACTING WITH SNAP INC., THEN YOU AND SNAP INC. WAIVE ANY RIGHT TO PARTICIPATE IN A CLASS-ACTION LAWSUIT OR CLASS-WIDE ARBITRATION.

Introduction

This Data Sharing Agreement (“Agreement”) forms a legally binding contract between you and Snap, applies to the extent you and Snap share Customer Personal Data as described below, and is incorporated into the Business Services Terms. Some terms used in this Agreement are defined in the Business Services Terms. Snap Inc. acts as the data controller under this Agreement regardless of which Snap entity you contract with for the underlying Business Services.

1. Definitions

“Customer Personal Data” means the personal data of EEA, Switzerland, UK, and Brazilian data subjects that is provided to you or Snap (the “Receiving Party”) by or on behalf of the other party (the “Disclosing Party”) when both the Receiving Party and Disclosing Party are each a controller.

“Data Protection Law” means the EEA, Switzerland, UK, and Brazilian data protection laws applicable to the processing of Customer Personal Data under this Agreement, including the GDPR, UK Data Protection Laws and LGPD.

“EEA” means the European Economic Area.

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

“LGPD” means Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais).

“Personal Data Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data on systems managed or controlled by a party.

“UK” means the United Kingdom.

"UK Data Protection Laws" means the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 in the UK ("UK GDPR") and the Data Protection Act 2018.

The terms “personal data,” “data subject,” “processing,” “controller,” “processor,” “representative,” and “supervisory authority,” each as used in this Agreement, have the meanings given in the GDPR, UK Data Protection Laws or LGPD, as applicable, in each case irrespective of whether Data Protection Law applies.

2. Roles and Restrictions

a. Roles of Parties. You and Snap Inc. are each an independent data controller of Customer Personal Data that will, subject to any restrictions set forth in this Agreement and the Business Services Terms, including any Supplemental Terms and Policies, independently determine the purposes and means of the processing of Customer Personal Data under Data Protection Law.

b. Transparency and Data Protection Rights. You and Snap Inc. will individually inform data subjects and allow data subjects to exercise their rights under Data Protection Law.

c. Details of Data Processing. The subject matter and details of processing are described in Schedule 1 of this Agreement.

d. Compliance with Law. Each party agrees it will comply with its obligations under the Data Protection Law relating to any Customer Personal Data it processes under or in relation to this Agreement.

e. Data Security. In accordance with Data Protection Law, each party will implement and maintain all appropriate technical, administrative, and organizational measures required to: (i) ensure a level of confidentiality and security appropriate to the risks represented by the processing and the nature of Customer Personal Data; and (ii) prevent unauthorized or unlawful processing of Customer Personal Data, accidental loss, disclosure or destruction of, or damage to, Customer Personal Data.

f. Confidentiality. Each party will ensure that only personnel who may be required to assist in meeting its obligations under the Business Services Terms or this Agreement will have access to Customer Personal Data and that such personnel are bound by appropriate obligations of confidentiality, and take all reasonable steps in accordance with best industry practice to ensure the confidentiality of the Customer Personal Data.

3. Personal Data Breach

a. Notification. You will notify Snap without undue delay and, where feasible, no more than 72 hours after becoming aware of a Personal Data Breach. You will also provide Snap with a description of the Personal Data Breach, the type of data that was the subject of the Personal Data Breach, (to the extent known) the categories of data subjects affected, and other information required by applicable Data Protection Law, as soon as such information can be collected or otherwise becomes available, and you will cooperate with any reasonable request made by Snap relating to the Personal Data Breach.

b. Investigation. You agree to immediately take action to investigate the Personal Data Breach, to identify, prevent, and mitigate the effects of any such Personal Data Breach, and with Snap’s prior agreement, to carry out any recovery or other action necessary to remedy the Personal Data Breach.

4. Data Transfers

a. If there are any transfers of Customer Personal Data from one party to the other outside the EEA or UK, then the Data Transfer Agreement shall:

(i) apply to such transfers; 

(ii) take precedence over all other terms, including the terms of this Agreement, in respect of such transfers;

(iii) form a legally binding contract between you as the data exporter and Snap as or on behalf of the data importer; and 

(iv) be hereby incorporated into the Business Services Terms.

b. With respect to personal data of EEA, Switzerland, and UK data subjects, you and Snap Inc. agree that each party may process Customer Personal Data outside the EEA, Switzerland, and the UK where the Data Protection Law requirements (including, where applicable, Articles 44 through 47 GDPR) are fulfilled, or an exception (including, where applicable, those listed in Article 49 GDPR) applies.

c. With respect to Personal Data of Brazilian data subjects, you and Snap Inc. agree that each party may process Customer Personal Data outside of Brazil, and represent and warrant that such transfer of Customer Personal Data is in compliance with LGPD.

Schedule 1: Details of Data Sharing
A. List of Parties
Data exporter(s)

You are the data exporter, with the name, address, and contact details as provided to Snap via the Business Services. The activities relevant to the data transferred under these Clauses include the use of the relevant Business Services in accordance with the Business Services Terms and applicable Supplemental Terms and Policies. The data exporter shall be in the controller role.

Data importer(s)

The data importer shall be Snap Inc., with its address at 3000 31st Street, Santa Monica, California 90405. The activities relevant to the data transferred under these Clauses include Snap’s provision of the Services in accordance with the Business Services Terms and applicable Supplemental Terms and Policies. The data importer shall be in the controller role.

B. Description of Transfer

The data sharing activities carried out by Snap under this Agreement are as follows:

Subject matter

Snap's provision of the Services.

Nature and purpose

The data sharing is for the purpose of Snap providing the Services in accordance with and as described in the Business Services Terms and this Agreement.

Data categories

Customer Personal Data relating to individuals provided by the Disclosing Party to the Receiving Party via the Business Services, which may include:

  • email address

  • telephone number

  • mobile ad ID (IDFA/AAID)

  • IP address

  • cookie ID

  • browser user agent

  • demographic data

  • connections between users

  • session, transaction, and user IDs

  • gender, height, weight, age, and other personal characteristics

  • product data such as productID, product category path, product description, sizing information and data, EAN, product color and product fit information

  • transaction data such as purchases and returns information

  • actions and events taken on websites and apps, including pages viewed, purchases, searches, check-out events, wish lists, installs, and user registration methods

  • photos

Sensitive data transferred

Not applicable

Frequency of the transfer 

Continuous

Data subjects

Data subjects include EEA, Swiss, UK, and Brazilian individuals about whom personal data is provided by the Disclosing Party to the Receiving Party via the Business Services.

C. Competent Supervisory Authority

The competent supervisory authority will be the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP).

Schedule 2: Snap Security Measures

1. Implementation of and compliance with a written information security program consistent with established industry standards and including administrative, technical, and physical safeguards appropriate to the nature of the Customer Personal Data and designed to protect such information from: unauthorized access, destruction, use, modification, or disclosure; unauthorized access to or use that could result in substantial harm or inconvenience to the data controller, the data controller's customers, or the data controller's employees; and any anticipated threats or hazards to the security or integrity of such information.

2. Adopting and implementing reasonable policies and standards related to security.

3. Assigning responsibility for information security management.

4. Devoting adequate personnel resources to information security.

5. Carrying out verification checks on permanent staff who will have access to the Customer Personal Data.

6. Conducting appropriate background checks and requiring employees, vendors, and others with access to the Customer Personal Data to enter into written confidentiality agreements.

7. Conducting training to make employees and others with access to the Customer Personal Data aware of information security risks and to enhance compliance with Snap's policies and standards related to data protection.

8. Preventing unauthorized access to the Customer Personal Data through the use, as appropriate, of physical and logical (passwords) entry controls, secure areas for data processing, procedures for monitoring the use of data processing facilities, built-in system audit trails, use of secure passwords, network intrusion detection technology, encryption and authentication technology, secure log-on procedures, and virus protection, monitoring compliance with Snap's policies and standards related to data protection on an ongoing basis. In particular, Snap has implemented and complies with, as appropriate and without limitation:

  • Physical access control measures to prevent unauthorized access to data processing systems (e.g., access ID cards, card readers, desk officers, alarm systems, motion detectors, burglar alarms, video surveillance, and exterior security);

  • Denial-of-use control measures to prevent unauthorized use of data protection systems (e.g., automatically enforced password complexity and change requirements and firewalls);

  • Requirements-driven authorization scheme and access rights, and monitoring and logging of system access to ensure that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that the Customer Personal Data cannot be read, copied, modified, or removed without authorization;

  • Data transmission control measures to ensure that the Customer Personal Data cannot be read, copied, modified, or removed without authorization during electronic transmission, transport, or storage on data media, and transfer and receipt of records. In particular, Snap's information security program will be designed:

    • To encrypt in storage any data sets in Snap's possession, including sensitive personal data, using appropriate encryption levels based on industry-leading encryption standards, including AES-256, and storing user identities on the system using key value pair such as ghost_id to prevent storage of actual user ID; and

    • To ensure that any sensitive personal data transmitted electronically (other than by facsimile) to a person outside Snap's IT system or transmitted over a public network is encrypted using the newest supported versions of TLS 1.2 protocol to protect the security of the transmission;

  • Data entry control measures to ensure Snap can check and establish whether and by whom the Customer Personal Data has been input into data processing systems, modified, or removed;

  • Continuous security testing measures to ensure information security practices remain relevant, effective, and up to date, including annual penetration testings, bug bounty program, use of system scanning tools, tabletop exercises, backup restoration tests, pre-production failovers, and conducting post-mortems on any actual incidents in order to update the relevant disaster recovery plans;

  • Subprocessor supervision measures to ensure that, if Snap is permitted to use subprocessors, the Customer Personal Data is processed strictly in accordance with the data controller's instructions including, as appropriate:

    • Measures to ensure that the Customer Personal Data is protected from accidental destruction or loss including, as appropriate and without limitation, data backup, retention and secure destruction policies; secure offsite storage of data sufficient for disaster recovery; uninterrupted power supply, and disaster recovery programs; and

    • Measures to ensure that data collected for different purposes can be processed separately including, as appropriate, physical or adequate logical separation of Customer Personal Data. 

9. Taking such other steps as may be appropriate under the circumstances.