Data Processing Addendum
This Data Processing Addendum (the “DPA”) is incorporated into and forms part of the Master Subscription Agreement or other agreement (the “Agreement”) between SnapLogic and the party identified in the Agreement as the “Customer” (together the “Parties”). Capitalized terms used in this DPA but not defined herein shall have the meanings set forth in the Agreement.
1. Subject Matter and Duration.
- Subject Matter. This DPA reflects the Parties’ commitment to abide by Applicable Data Protection Laws concerning the Processing of Personal Data in the provision of SnapLogic’s Services pursuant to the Agreement. To the extent that language in this DPA or any of its Exhibits conflicts with the Agreement, this DPA shall control.
- Duration and Survival. This DPA is effective on the date that it has been duly executed by both Parties and forms a part of the Agreement by and between the Parties. SnapLogic will Process Personal Data until the Agreement terminates. SnapLogic’s obligations and Customer’s rights under this DPA will continue in effect so long as SnapLogic Processes Personal Data.
2. Definitions.
For the purposes of this DPA, the following terms apply.
- “Applicable Data Protection Law(s)” means all worldwide data protection and privacy laws and regulations applicable to the Personal Data in question (as they may be amended, superseded, or replaced from time to time), including, where applicable:
- “EU Data Protection Law”: Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”) and the EU e-Privacy Directive (Directive 2002/58/EC), each as implemented and transposed into local law by any EU member states.
- “Swiss DPA”: the Swiss Federal Act on Data Protection 1992.
- “UK Data Protection Law”: the UK Data Protection Act and GDPR as incorporated into UK law by the Data Protection Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.
- “US Data Protection Law”: all applicable comprehensive state data protection laws and regulations in each case as may be amended or superseded from time to time, including the California Privacy Rights Act (“CPRA”); Colorado Privacy Act; Connecticut Personal Data Privacy and Online Monitoring Act; Delaware Personal Data Privacy Act; Indiana Consumer Data Protection Act; Iowa Consumer Data Protection Act; Montana Consumer Data Privacy Act; Oregon Consumer Privacy Act; Tennessee Information Protection Act; Texas Data Privacy and Security Act; Utah Consumer Privacy Act; Virginia Consumer Data Protection Act.
- “Controller”, “Processor”, “Data Subject” and “Process” (whether or not capitalized) have the meanings ascribed to them by GDPR and include equivalent terms in other Applicable Data Protection Laws, in each case as applicable to the Services.
- “Personal Data” means any Customer Data: (a) relating to an identified or identifiable individual, within the meaning of GDPR (regardless of whether GDPR applies), (b) constituting “personal information” as such term is defined in US Data Protection Law, and (c) equivalent terms in other Applicable Data Protection Laws.
- “SCCs” or “Standard Contractual Clauses” means the Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries under GDPR, as approved by European Commission Implementing Decision 2021/914. Exhibit A to this DPA contains certain interpretive and supplementary provisions regarding application of the Standard Contractual Clauses.
- “Security Measures” means the security measures applicable to the specific Services purchased by Customer, as updated from time to time, including at minimum the measures set forth in Annex II.
- “Security Incident(s)” means a breach of security leading to the accidental or unlawful loss, unauthorized disclosure of or unauthorized access to Customer Personal Data Processed by SnapLogic.
- “Services” means any and all services that SnapLogic performs under the Agreement.
- “Sub-processor” means SnapLogic’s authorized contractors, agents, vendors and third party service providers (i.e., sub-processors) that Process Personal Data.
3. Data Use and Processing.
- Compliance with Laws. Personal Data shall be Processed in compliance with the terms of this DPA and all Applicable Data Protection Law(s).
- Documented Instructions. SnapLogic and its Sub-processors shall Process Personal Data only in accordance with the documented instructions of Customer or as specifically authorized by this DPA, the Agreement, or any applicable Statement of Work. SnapLogic will, unless legally prohibited from doing so, inform Customer in writing if it reasonably believes that there is a conflict between Customer’s instructions and applicable law or if it otherwise seeks to Process Personal Data in a manner that is inconsistent with Customer’s instructions.
- Authorization to Use Sub-processors. To the extent necessary to fulfill SnapLogic’s contractual obligations under the Agreement or any Statement of Work, Customer hereby authorizes SnapLogic to engage Sub-processors. Any Sub-processor Processing of Personal Data shall be consistent with Customer’s documented instructions and comply with all Applicable Data Protection Law(s).
- SnapLogic and Sub-processor Compliance. SnapLogic agrees to (i) enter into a written agreement with each Sub-processor regarding its Processing of Personal Data that imposes on such Sub-processor data protection and security requirements for Personal Data that are compliant with Applicable Data Protection Law(s); and (ii) remain responsible to Customer for SnapLogic’s Sub-processors’ failure to perform their obligations with respect to the Processing of Personal Data in accordance with such instructions, the Agreement and this DPA.
- Right to Object to Sub-processors. SnapLogic shall make available to Customer the current list of Sub-processors for the Services who process Customer-supplied Personal Data at https://www.snaplogic.com/privacy-subprocessors (“Sub-processor List”). SnapLogic shall make available to Customer a subscription mechanism to receive notification of new Sub-processors. SnapLogic shall provide at least thirty (30) days’ advance notification to subscribing Customers of a new Sub-processor(s) before authorizing the new Sub-processor(s) to process Personal Data via the Services. If Customer has legitimate objections to the appointment of any new Sub-processor, the parties will work together in good faith to resolve the grounds for the objection for up to thirty (30) days, and failing any such resolution, Customer may terminate the part of the Service performed under the Agreement that cannot be performed by SnapLogic without use of the objectionable Sub-processor. SnapLogic shall refund any pre-paid fees to Customer prorated in respect of the terminated part of the Service.
- Confidentiality. Any person or Sub-processor authorized to Process Personal Data must agree to maintain the confidentiality of such information or be under an appropriate ethical, statutory or contractual obligation of confidentiality.
- Personal Data Inquiries and Requests. SnapLogic agrees to comply with all reasonable instructions from Customer related to any requests from individuals/data subjects exercising their rights in Personal Data granted to them under Applicable Data Protection Law(s) (“Privacy Request”). At Customer’s request and without undue delay, SnapLogic agrees to assist Customer in answering or complying with any Privacy Request in so far as it is possible.
- Data Protection Impact Assessment and Prior Consultation. SnapLogic agrees to provide reasonable assistance at Customer’s expense to Customer when, in Customer’s judgment, the type of Processing performed by SnapLogic is likely to result in a high risk to the rights and freedoms of natural persons (e.g., systematic and extensive profiling, Processing sensitive Personal Data on a large scale or systematic monitoring on a large scale, or where the Processing uses new technologies) and thus requires a data protection impact assessment and/or prior consultation with the relevant data protection authorities.
- Demonstrable Compliance. SnapLogic agrees to keep records of its Processing in compliance with Applicable Data Protection Law(s) and provide any necessary records to Customer to demonstrate compliance upon reasonable request.
- CPRA Requirements. With respect to Personal Data to which the CPRA applies (capitalized terms used in this section having the meanings provided in CPRA):
- SnapLogic shall act as a Service Provider to Customer and shall collect, access, maintain, use, process, and transfer Personal Data solely to provide the Service and for no other commercial purpose.
- SnapLogic shall not Sell or Share, disclose, release, transfer, make available or otherwise communicate any Personal Data to another business or third party without Customer’s prior written consent unless and to the extent that such disclosure is made to a Subcontractor for a business purpose, subject to the obligations above to enter written agreements with Sub-processors. Notwithstanding the foregoing, nothing in this DPA shall restrict SnapLogic’s ability to disclose Personal Data to comply with applicable laws; provided that if such disclosure is required, SnapLogic will promptly notify Customer of the request for disclosure unless such notification is prohibited by applicable law or a legally binding order.
4. Cross-Border Transfers of Personal Data.
- Consent. SnapLogic may not transfer Personal Data to, or process such data in, a location outside of the European Economic Area or the UK without Customer’s prior written consent, except in compliance with Section 6.2 below (in each case a “Transfer”).
- Compliant Transfer Mechanisms. Without prejudice to the foregoing, Customer consents to Transfers where SnapLogic has implemented a Transfer solution compliant with Applicable Data Protection Laws, which for example may include: (a) where such transfer is subject to an adequacy decision by the European Commission; (b) the Standard Contractual Clauses; (c) the Data Privacy Framework administered by the US Department of Commerce (and its successor(s), if any); (d) another appropriate safeguard pursuant to Article 46 of GDPR or equivalent safeguard under GDPR, the Swiss DPA or UK Data Protection Law; or (e) a derogation pursuant to Article 49 of GDPR or its equivalent under the Swiss DPA or UK Data Protection Law.
5. Security
- SnapLogic agrees to implement appropriate technical and organizational measures designed to protect Personal Data as required by Applicable Data Protection Law(s), as set forth in the Security Measures. Such measures shall include:
- Pseudonymization of Personal Data where appropriate, and encryption of Personal Data in transit and at rest;
- The ability to ensure the ongoing confidentiality, integrity and availability of SnapLogic’s Processing and Personal Data;
- The ability to restore the availability and access to Personal Data in the event of a physical or technical incident;
- A process for regularly evaluating and testing the effectiveness of SnapLogic’s Information Security Program to ensure the security of Personal Data from reasonably suspected or actual accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.
6. Security incidents.
- Security Incident Procedure. SnapLogic will follow policies and procedures to detect, respond to, and otherwise address Security Incidents including procedures to (i) identify and respond to reasonably suspected or known Security Incidents, mitigate harmful effects of Security Incidents, document Security Incidents and their outcomes, and (ii) restore the availability of or access to Personal Data in a timely manner.
- Notice. SnapLogic agrees to provide prompt written notice without undue delay and within the time frame required under Applicable Data Protection Law(s) (but in no event longer than seventy-two (72) hours) to Customer’s Designated POC (as defined in Section 9) if it knows that a Security Incident has taken place. Such notice will include all available details required under Applicable Data Protection Law(s) for Customer to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident.
7. Audits
- Right to Audit; Permitted Audits. In addition to any other audit rights described in the Agreement, Customer and its regulators shall have the right to an on-site audit of SnapLogic’s architecture, systems, policies and procedures relevant to the security and integrity of Personal Data, or as otherwise required by a governmental regulator:
- Following any notice from SnapLogic to Customer of a Security Incident involving Personal Data for which SnapLogic was at fault;
- As required by governmental regulators; and
- For any reason, or no reason, once in any calendar year.
- Audit Terms. Any audits described in this Section shall be:
- Conducted by Customer or its regulator, or through a third-party independent contractor selected by one of these parties;
- Conducted during SnapLogic’s customary business hours;
- Conducted upon reasonable advance notice to SnapLogic; and
- Of reasonable duration and shall not unreasonably interfere with SnapLogic’s day-to-day operations.
- Third Parties. In the event that Customer conducts an audit through a third-party independent auditor or a third party accompanies Customer or participates in such audit, such third party shall be required to enter into a nondisclosure agreement containing confidentiality provisions substantially similar to those set forth in the Agreement to protect SnapLogic’s and SnapLogic’s customers’ confidential and proprietary information. In any event, SnapLogic shall be entitled to a copy of any audit report. Regulators shall not be required to enter into a nondisclosure agreement.
8. Data Storage and Deletion.
- Data Storage. SnapLogic does not store or persist any Personal Data except as necessary to perform the Services under the Agreement.
- Post-Termination Data Access and Deletion. Upon expiration or termination of the Agreement, at Customer’s written request made within 30 days after such termination or expiration, SnapLogic will allow Customer to retrieve any Customer Data or transaction log data left in SnapLogic’s system.
9. Contact Information.
- SnapLogic and the Customer agree to designate a point of contact for urgent privacy and security issues (a “Designated POC”). SnapLogic has appointed a data protection officer. The appointed person may be reached at [email protected]. Customer’s Designated POC is identified in the Order Form.
10. General Terms.
- This DPA is part of the Agreement and is governed by its terms and conditions including limitations of liability.
- This DPA will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement except as otherwise described in Exhibit B.
IN WITNESS WHEREOF, each party’s authorized signatory has read, understands, and agrees to the terms and conditions set forth in this Agreement.
Exhibit A
| Subject Matter of Processing | The subject matter of Processing is the Services pursuant to the Master Subscription Agreement. |
| Duration of Processing | The Processing will continue until the expiration or termination of the Master Subscription Agreement. |
| Categories of Data Subjects | Includes the following: prospects, customers, business partners and vendors of Customer (who are natural persons); employees or contact persons of Customer’s prospects, customers, business partners and vendors; employees, agents, advisors and freelancers of Customer (who are natural persons); Customer’s users authorized by Customer to use the Services. |
| Nature and Purpose of Processing | Includes the following: The purpose of Processing of Personal Data by SnapLogic is the performance of the Services pursuant to the Master Subscription Agreement. |
| Types of Personal Information | Includes the following: a name and surname; a home address; an email address such as [email protected]; an identification card number; location data (for example the location data function on a mobile phone); an Internet Protocol (IP) address; a cookie ID; the advertising identifier of your phone. |
| Sensitive data transferred (if applicable) and applied restrictions or safeguards | The types of Personal Data processed are determined by Customer and may include Personal Health Information. Other limited sensitive data types may be Processed via the Services with SnapLogic’s prior written approval as appropriate. |
Exhibit B
[Incorporating MODULE TWO: Transfer controller to processor and MODULE THREE: Transfer processor to processor]
- By entering into this DPA, the Parties are deemed to sign the Standard Contractual Clauses and their applicable Annexes.
- For cross border data transfers that are subject to Standard Contractual Clauses, the Standard Contractual Clauses will be deemed entered into, and incorporated into this DPA by this reference, and completed as follows:
- Customer is the “exporter”, whose contact information is set forth below.
- SnapLogic is the “importer”, whose contact information is set forth below.
- Module Two will apply to the extent that Customer is a controller of the Personal Data, and Module Three will apply to the extent that Customer is a processor of the Personal Data on behalf of a third-party controller;
- in Clause 7, the optional docking clause will not apply;
- in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes will be as set out in Clause 9 of this DPA;
- in Clause 11, the optional language will not apply;
- Annexes I – III will be deemed completed with the information set out in Annexes I – III to this DPA.
- EU SCCs. Personal Data from the European Union will be governed by the SCCs in accordance with the provisions above and completed as follows:
- in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
- in Clause 18(b), disputes will be resolved before the courts of the Republic of Ireland.
- UK SCCs. Personal Data transfers from the United Kingdom will be governed by the SCCs in accordance with the provisions above and the UK International Data Transfer Addendum (the “IDTA”), completed as follows.
- In Part 1 of the IDTA, the information required by Tables 1 – 3 is provided in the Agreement and this DPA;
- The IDTA’s Mandatory Clauses are incorporated by reference into this DPA in accordance with Alternative Part 2 of the template IDTA;
- References to the EU, member states and GDPR are amended mutatis mutandis to refer to the United Kingdom and UK Data Protection Law;
- In Clause 17 of the Standard Contractual Clauses (Governing Law), the laws of England and Wales shall govern, and in Clause 18 (Choice of forum and jurisdiction), the courts in London, England shall have jurisdiction. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts in the UK.
- Swiss SCCs. Personal Data transfers from Switzerland will be governed by the SCCs in accordance with the provisions above and completed as follows:
- references to ‘Regulation (EU) 2016/679’ in the EU SCCs will be deemed to refer to the Swiss DPA;
- references to specific articles of ‘Regulation (EU) 2016/679’ will be deemed replaced with the equivalent article or section of the Swiss DPA;
- references to ‘EU’, ‘Union’, and ‘Member State’ will be deemed replaced with ‘Switzerland’;
- references to the ‘competent supervisory authority’ and ‘competent courts’ are replaced with the ‘Swiss Federal Data Protection Information Commissioner’ and ‘applicable courts of Switzerland’ (as applicable);
- in Clause 17, the EU SCCs will be governed by the laws of Switzerland; and
- in Clause 18(b), disputes will be resolved before the competent courts of Switzerland.
- If any provision of the Agreement (including this DPA) contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses will prevail.
ANNEX I
A. LIST OF PARTIES
Controller(s) / Data exporter(s): Identity and contact details of the controller(s)/data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union
| Name: | As set forth in the Agreement |
| Address: | As set forth in the Agreement |
| Contact person’s name, position and contact details: | As set forth in the Agreement or as separately provided in writing to Processor/Sub-processor |
| Activities relevant to the data transferred under these Clauses: | As described in the Agreement |
| Role (controller/processor): | Controller/processor |
Processor(s) / Data importer(s): Identity and contact details of the processor(s)/data importer(s), including any contact person with responsibility for data protection
| Name: | SnapLogic, Inc. |
| Address: | 1825 S. Grant Street, 5th Floor, San Mateo, California 94402, USA |
| Contact person’s contact details: | SnapLogic has appointed a data protection officer. The appointed person may be reached at [email protected]. |
| Activities relevant to the data transferred under these Clauses: | Provision of the Services described in the Agreement |
| Role (controller/processor): | Processor/Sub-processor |
B. DESCRIPTION OF TRANSFER
As described in Exhibit A
C. COMPETENT SUPERVISORY AUTHORITY
As described in Exhibit B
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
The security measures SnapLogic implements to protect Customer Personal Data are set out in SnapLogic’s Security Policy. This policy is subject to change as industry standards and best practices are updated. The latest version of this policy is available upon request. A current version of the Security Policy as of the Effective Date of this DPA is set forth below:
SNAPLOGIC SECURITY POLICY
This SnapLogic Security Policy (the “Security Policy”) outlines the technical and procedural measures that SnapLogic undertakes to protect Customer Data from unauthorized access or disclosure. SnapLogic maintains these security measures in a manner consistent with SOC 2 Type 2. SnapLogic follows OWASP coding practices for product development and follows guidelines from ISO 27001, NIST and other industry-standard practices. This Security Policy is referenced in and made a part of your customer agreement with SnapLogic (the “Agreement”). In the event of any conflict between the terms of the Agreement and this Security Policy, this Security Policy shall govern. Capitalized terms used but not defined in this Security Policy have the meanings set forth in the Agreement or in the Documentation.
1. CUSTOMER DATA ACCESS AND MANAGEMENT
1.1. Customer controls access to its Account in the Service via User IDs and passwords.
1.2. Access to SnapLogic production systems and production data, including Personal Data, is restricted according to the principle of least privilege, unless Customer grants SnapLogic Personnel access to its SnapLogic account. “SnapLogic Personnel” means SnapLogic employees and individual subcontractors engaged in the Processing of Personal Data. SnapLogic uses Customer Data only as necessary to provide the Service to Customer, as provided in the Agreement.
1.3. Customer Data is stored only in the Service production environment.
1.4. The Service does not persist data, including Personal Data. By design any temporary storage used by the Service is ephemeral storage, only used while the Service is running, and does not persist after the Service is no longer running. Ephemeral storage is used as a non-billable resource included in the operation of a Service. Ephemeral storage is suited for the temporary storage of information that changes frequently, such as buffers, caches, scratch data, and other temporary content during the execution of the application. If Customer does not configure storage options, the Services may default to SnapLogic’s built-in temporary storage.
1.5. SnapLogic shall create and maintain flow diagram(s) indicating how Customer Data flows through the Service. SnapLogic shall provide such flow diagram(s) upon Customer’s reasonable request.
1.6. After termination of all subscriptions associated with a customer, Customer Data contained within the Service is retained in an inactive status for 30 days, after which it is securely removed from all production environments, and fully removed from our virtual backup system within 180 days. This process is subject to applicable legal requirements.
2. ENCRYPTION AND LOGICAL SEPARATION OF CUSTOMER DATA
2.1. The Service in the production storage environment encrypts Customer Data while at rest with AES 256-bit encryption.
2.2. The Service encrypts Customer Data in transit using TLS 1.2 or higher when communicating across untrusted networks such as the Public Internet.
2.3. The Service assigns a unique Client ID to each client tenant on the Service. All end customer data is stored with this Client ID as a direct or chained foreign key in our database. The Service application’s data model is designed with multi-tenancy as a requirement.
2.4. The Service uses a key management system (“KMS”) that is FIPS 140-2 compliant (or better) for the management and storage of encryption keys. Encryption keys and key encrypting keys are separate from the Customer Data by database table or location on file system. The Service safeguards top level encryption keys by tightly managing key access and utilizing split knowledge and dual control along with regular rotation as described by our Security Policies and Procedures.
3. SNAPLOGIC SERVICE INFRASTRUCTURE ACCESS MANAGEMENT
3.1. Access to the systems and infrastructure that support the Service is restricted to SnapLogic Personnel who require such access as part of their job responsibilities.
3.2. Unique User IDs are assigned to SnapLogic Personnel requiring access to the SnapLogic servers that support the Service.
3.3. Server password policy for the Service in the production environment adheres to the policies consistent with SOC 2 Type 2 password requirements.
3.4. Access privileges of separated SnapLogic Personnel are disabled immediately. Access privileges of persons transferring to jobs requiring reduced privileges are adjusted accordingly.
3.5. User access to the systems and infrastructure that support the Service is reviewed quarterly.
3.6. Access attempts to the systems and infrastructure that support the Service are logged and monitored.
3.7. AWS Security Groups have deny-all default policies and only enable business required network protocols for egress and ingress network traffic.
4. RISK MANAGEMENT
4.1. SnapLogic System’s Risk Management process is modeled on CIS and NIST risk management guidelines.
4.2. SnapLogic conducts risk assessments of various types throughout the annual attestation cycle, including self- and third-party assessments and tests, automated scans, and manual reviews.
4.3. Results of assessments, including formal reports as relevant, are reported to the Director of Security and Compliance. A Security Committee meets at least quarterly to review reports, identify control deficiencies and material changes in the threat environment, and make recommendations for new or improved controls and threat mitigation strategies to senior management.
4.4. Changes to controls and threat mitigation strategies are evaluated and prioritized for implementation on a risk-adjusted basis.
4.5. Threats are monitored through various means, including threat intelligence services, vendor notifications, and trusted public sources.
5. VULNERABILITY SCANNING AND PENETRATION TESTING
5.1. Static and dynamic code scans are executed to look for OWASP Top 10 and SANS Top 25 vulnerabilities before new code is released into our production environments.
5.2. Internal and external vulnerability scans are performed monthly, and independent third-party penetration testing is performed quarterly on systems required to operate and manage the Service. The vulnerability database is updated regularly.
5.3. The potential impact of vulnerabilities that trigger alerts is evaluated by staff.
5.4. Vulnerabilities that trigger alerts and have published exploits are reported to the Security Committee, which determines and supervises appropriate remediation action.
5.5. Security management monitors or subscribes to trusted sources of vulnerability reports and threat intelligence.
6. REMOTE ACCESS NETWORK
6.1. All access to the SnapLogic client-facing environments requires authentication through a secure connection via approved methods such as VPNs and MFA.
6.2. VPN access is further enforced by mutual Transport Layer Security (TLS) authentication.
6.3. SnapLogic corporate office networks do not have access to customer services networks. A VPN connection is required to gain access to customer services networks.
6.4. No wireless networks are used to operate or manage the Service; in particular, corporate wireless networks do not have access to customer services networks.
6.5. Customer Data is logically segregated from that of other customers.
6.6. Development/test and production environments are segregated.
6.7. SnapLogic maintains a policy of not storing Customer Data on local desktops, laptops, mobile devices, shared drives or removable media, or on public-facing systems that do not fall under the administrative control or compliance monitoring processes of SnapLogic Operations.
7. SNAPLOGIC SERVICE LOCATION
7.1. Customer Data is stored in the available Service Region for the account requested by Customer.
8. SYSTEM EVENT LOGGING
8.1. Monitoring tools and services are used to monitor systems including network, server events, and AWS security events, availability events, and resource utilization.
8.2. SnapLogic infrastructure Security Event Logs are collected in a central system and protected from tampering. Logs are stored for 90 days.
8.3. All application logs for the last 30 days are immediately available online to our customers through our UI (web portal).
8.4. All security logs are written to a central logging service with write-once technology in place.
9. SYSTEM ADMINISTRATION AND PATCH MANAGEMENT
9.1. SnapLogic shall create, implement and maintain system administration procedures for systems that access Customer Data that meet or exceed industry standards, including without limitation, system hardening, system and device patching (operating system and applications) and proper installation of threat detection software as well as daily signature updates.
9.2. SnapLogic Security reviews new vulnerability announcements and assesses their impact on SnapLogic based on SnapLogic-defined risk criteria, including applicability and severity.
9.3. Applicable security updates rated as “high” or “critical” are addressed in the production environment in adherence to the policies consistent with SOC 2 Type 2 patch management requirements.
9.4. Patch management is conducted via IaC and manual patching based on severity to ensure all software vulnerabilities are patched in accordance with SOC 2 Type 2 requirements.
10. SNAPLOGIC SECURITY TRAINING AND SNAPLOGIC PERSONNEL
10.1. SnapLogic maintains a security awareness program for SnapLogic Personnel, which provides initial education, ongoing awareness and individual SnapLogic Personnel acknowledgment of intent to comply with SnapLogic System’s corporate security policies. New hires complete initial training on topics which include but are not limited to general security awareness, communication, Smishing/Phishing, cloud services, AI services, PCI-DSS, HIPAA, and GDPR. They also sign a proprietary information agreement, and digitally sign the information security policies that cover key aspects of the SnapLogic Information Security Policy and personnel policies.
10.2. SnapLogic Personnel acknowledge they are responsible for reporting actual or suspected security incidents or concerns, thefts, breaches, losses, and unauthorized disclosures of or access to Customer Data.
10.3. SnapLogic Personnel are required to satisfactorily complete annual security training.
10.4. SnapLogic developers are required to complete initial and annual training on secure coding topics, including the OWASP Top 10 and developer best practices.
10.5. SnapLogic performs criminal background screening as part of the SnapLogic hiring process, to the extent legally permissible.
10.6. SnapLogic will ensure that its subcontractors, vendors, and other third parties that have direct access to the Customer Data in connection with the Services adhere to the same security standards in place for SnapLogic employees.
11. PHYSICAL SECURITY
11.1. The Service is hosted in AWS, leveraging AWS’s security and compliance capabilities. All physical security controls are managed by AWS. SnapLogic reviews the AWS SOC 1 Type 2 and SOC 2 Type 2 reports annually to confirm that appropriate physical security controls are in place, including:
11.1.1. AWS data centers that store or process sensitive information are Tier-3 data centers that maintain SSAE 18 attestation.
11.1.2. Visitor management, including tracking and monitoring of physical access.
11.1.3. Physical access to servers is managed by electronic access control devices.
11.1.4. Monitoring and alarm response procedures.
11.1.5. Use of CCTV cameras at facilities.
11.1.6. Video capture devices in data centers with 90 days of image retention.
12. NOTIFICATION OF PERSONAL DATA INCIDENT
12.1. SnapLogic will notify Customer in writing within seventy-two (72) hours of a confirmed Personal Data Incident.
12.2. Such notification will describe the Personal Data Incident and the status of SnapLogic’s investigation.
12.3. SnapLogic will take appropriate actions to contain, investigate, and mitigate the Personal Data Incident.
13. DISASTER RECOVERY AND BUSINESS CONTINUITY
13.1. SnapLogic maintains a Disaster Recovery Plan (DRP) for the Services. The DRP is tested at least annually.
13.2. The Service is deployed within different AWS availability zones and AWS regions to ensure application availability.
13.3. SnapLogic has defined RTO and RPO objectives for recovery purposes.
13.4. DR services are part of our standard product offering for clients residing in our multi-tenant Services.
14. SNAPLOGIC SECURITY, CERTIFICATIONS, AND THIRD-PARTY ATTESTATIONS
14.1. SnapLogic hires accredited third parties to perform audits and to attest to various compliance and certifications annually including:
14.1.1. SOC 1 Type 2
14.1.2. SOC 2 Type 2
14.1.3. SSAE 22 Type 2
14.1.4. ISAE 3402 Type 2
14.1.5. HIPAA (HITECH)
14.1.6. EU-U.S. Data Privacy Framework
14.1.7. Swiss-U.S. Data Privacy Framework
14.1.8. UK Extension to the EU-U.S. Data Privacy Framework
15. CUSTOMER RESPONSIBILITIES
15.1. Customer is responsible for managing its own user accounts and roles within the Service and for protecting its own account and user credentials. Customer will comply with the terms of its Agreement with SnapLogic as well as all applicable laws.
15.2. Customer will promptly notify SnapLogic if a user credential has been compromised or if Customer suspects activity that could negatively impact the security of the Service or Customer’s account. Customer may not perform any security penetration tests or security assessment activities without the express advance written consent of SnapLogic.
15.3. Customer is responsible for maintaining the relationship with, and ensuring that all necessary agreements (e.g., Data Processing Agreements) are in place with, other Processors that Customer engages and transmits Personal Data to through its use of SnapLogic’s Services.
15.4. Customer is solely responsible for implementing proper security controls on its endpoint applications and devices, including defining the encryption settings. SnapLogic recommends that Customer follows the following best practices whenever possible:
15.4.1. Customer enabling session connection encryption using the then most current version of TLS for any connection between the Customer applications and the Services (all versions of SSL, and TLS 1.0 and 1.1, are deprecated and should not be used).
15.4.2. Where session connection encryption is not available for a particular Customer application, Customer encrypting the data payload using strong encryption (128-bit key or better).
15.4.3. Customer utilizing industry best-practice authentication controls for user access to the Services.
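The following is an added illustration of the recommendation in 15.4.1, not SnapLogic code or part of the DPA: a client-side TLS configuration that refuses protocol versions below TLS 1.2 and verifies the server certificate and hostname, beside the kind of permissive configuration an integration often ends up with, and an audit function that flags the weak settings. It uses only the Python standard library; the host name and port in `verified_connect` are placeholders and that function is the only part that needs network access.

```python
import ssl

# Lowest protocol version a client should accept when talking to the Services.
MIN_ACCEPTABLE = ssl.TLSVersion.TLSv1_2


def hardened_client_context() -> ssl.SSLContext:
    """Client context matching 15.4.1: TLS 1.2 or newer, peer certificate and
    hostname verified against the system CA store."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = MIN_ACCEPTABLE  # explicit, independent of interpreter defaults
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """Deliberately permissive context used here only to show what the audit
    catches: no peer verification, no hostname check, and whatever old
    protocol versions the underlying OpenSSL build still permits."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can drop
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return a list of findings; an empty list means the context satisfies
    the three checks a practitioner would apply to a client configuration."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("server hostname is not checked against the certificate")
    if ctx.minimum_version < MIN_ACCEPTABLE:
        findings.append(
            f"minimum protocol version {ctx.minimum_version.name} is below TLS 1.2"
        )
    return findings


def verified_connect(host: str = "example.invalid", port: int = 443) -> str:
    """Open a verified connection with the hardened context and return the
    negotiated protocol version (e.g. 'TLSv1.3'). Placeholder host; requires
    network access, so it is not exercised offline."""
    import socket

    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "no findings")
    print("weak:", audit_context(weak_client_context()))
```

Running the audit against both contexts shows the hardened one producing no findings and the weak one producing three; the same three checks (peer verification, hostname verification, minimum protocol version) are what to look for in any HTTP client or integration library setting that connects to the Services.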
LIST OF SUB-PROCESSORS
Customer has authorized the use of the following Sub-processors: https://www.snaplogic.com/privacy-subprocessors