Terms of Service
Effective Date: Jul 31, 2017 | Revised Date: Nov 6, 2024
GENERAL TERMS
This Agreement is entered into by and between the person accepting these Terms and, if applicable, the organization you represent as further detailed below (“you” or “your”) and either SNYK, INC., a company incorporated in Delaware, having an office at 100 Summer Street, 7th Floor, Boston, MA 02110 if you are located in the United States; or SNYK LIMITED, a company incorporated in England and Wales (No. 09677925), having its registered office at Suite 4, 7th Floor, 50 Broadway, London, SW1H 0DB United Kingdom if you are located in any other country (email address for legal notices: [email protected]) (“Snyk”, “we”, “us”, or “our”).
These Terms govern your access and use of the Web Application Vulnerability Scanner cloud-based solution provided by us, or any subcontracted entity (the “Probely Scanner”), as well as related applications that integrate with or otherwise support the Probely Scanner, and the Site (collectively, the “Probely Service(s)”).
By registering for or using any of the Probely Services, you agree to be bound by these Terms. If you are accepting these Terms or using the Probely Services on behalf of an organization, you are agreeing to these Terms for that organization and representing to us that you have the authority to bind that organization to these Terms (in which event, “you” and “your” will refer to that organization) unless that organization has a separate paid contract in effect with us, in which event the terms of that contract will govern your use of the Probely Services. You may use the Probely Services only in compliance with these Terms and applicable law, and only if you have the power to form a valid contract with us pursuant to these terms. IF YOU DO NOT AGREE TO BE BOUND BY THESE TERMS, YOU MAY NOT ACCESS OR OTHERWISE USE THE PROBELY SERVICES. Should you have any questions concerning these Terms, please contact [email protected].
CHANGES TO THESE TERMS
- We reserve the right to revise these Terms from time to time. We will date and post the most current version of these Terms on https://probely.com/terms-of-service/ or any successor websites (the “Site”). Any changes will be effective on the date indicated at the top of the revised Terms.
ACCESS TO THE PROBELY SERVICES
You may use the Probely Service, on a non-exclusive basis, solely in strict compliance with these Terms and all applicable laws.
We reserve the right, in our sole discretion, to make necessary unscheduled deployments of changes, updates, or enhancements to the Probely Service at any time. We may add or remove functionalities or features, and we may suspend or stop a Probely Service altogether.
The Probely Service has been designed to operate on recent versions of most web browsers, namely Chrome and Firefox. The Probely Scanner is intended for and has been designed to operate against any web application, as long as there’s connectivity between the Probely Scanner’s servers and the server that hosts the web application being tested.
YOUR ACCOUNT
To obtain access to the Probely Services you are required to obtain an account with us (become a “Registered User”), by completing a registration form and designating a user ID and password. Until you apply for an account, your access to the Probely Services will be limited to the areas, if any, that we make available to the general public. When registering to become a Registered User or otherwise submitting information to us in connection with account creation, you must: (a) provide true, accurate, current and complete information about yourself as requested by the Probely Service’s registration form (such information being the “Registration Data”); and (b) maintain and promptly update the Registration Data to keep it true, accurate, current and complete at all times. We may cancel, suspend, or delete, temporarily or permanently, your account at any time if you:
- fail to comply with these Terms,
- assign your contractual position to a third party without our prior consent, and/or
- act in such a way as to present risk or cause losses to us or other users.

If it is necessary to deactivate your login, we will endeavor to inform you by e-mail.
If a third party such as an employer created an account for you, that party has rights to your account and may manage and cancel your account. If you are an individual Registered User of the Probely Services, and the domain of the primary email address associated with your account is owned by an organization and was assigned to you as an employee, contractor or member of such organization, and that organization wishes to establish a commercial relationship with us and add your account to such relationship, then, if you do not change the email address associated with your account, your account may become subject to the commercial relationship between us and such organization and controlled by such organization.
Only you may use your Probely Services account. You must keep your account and passwords confidential and not authorize any third party to access or use the Probely Service on your behalf, unless we provide an approved mechanism for such use. You bear sole responsibility for any loss or damage arising from any unauthorized use of your accounts. If you know or suspect that someone has access to your login and password, you must inform us immediately at [email protected].
You may request, at any time, the cancellation of your Probely Services account. However, with the exception of the situations expressly required under applicable law and these Terms, cancellation does not confer any right to reimbursement of amounts already paid for the use of the Probely Service.
YOUR TARGETS
When you add a Target on the Probely Services, you are asked to enter the base URL of the target.
A “Target” is a web application, website or API you wish to scan. The Target defines the scope of the scan. The Probely Scanner is designed to stay within the Target’s scope, i.e., it is designed to solely scan pages that are prefixed with the Target’s base URL.
You can choose to have more than one Target with the same URL or base URL, should you wish to have different scanning settings or organize your security testing that way. For illustrative purposes, the following URLs could represent 4 different Targets: https://app1.example.com, https://example.com/app1, https://example.com/app2, https://example.com.
CONTRACTING THE PROBELY SERVICE
Unless otherwise agreed in writing, the use of the paid Probely Service is dependent on the up-front payment of the fees set forth on an applicable Order Form (“Subscription Fees”). The Subscription Fees are generally determined in accordance with the number of sites to be scanned and the term of the applicable Order Form (the “Subscription Term”). Payment obligations are non-cancelable, fees paid are non-refundable, and quantities purchased cannot be decreased during the applicable Subscription Term. You will pay all fees without any set-off, counterclaim, deduction or withholding of any kind, except as may be required by law. If any withholding or deduction is required by law, you will, when making the payment to which the withholding or deduction relates, pay to us such additional amount as will ensure that we receive the same total amount that we would have received if no such withholding or deduction had been required.
Except where otherwise specified in writing between the parties, Order Forms shall automatically renew for additional periods of the same duration as the initial Subscription Term.
All prices are exclusive of taxes and you will bear any sales, use, value, goods or services, withholding or similar duties, whether domestic or foreign, related to the transactions under these Terms, other than taxes based on the income of Snyk.
The amount due may be paid by credit card (e.g., Visa, American Express, MasterCard) or bank transfer following the receipt of our invoice. Bank transfers are only available for annual subscriptions.
The invoice for the Probely Service will be issued electronically with the information you provide us and sent to the e-mail address that you indicate.
Once payment has been confirmed, you will typically receive an e-mail confirming the payment and the commencement of, or continued access to, as applicable, the Probely Service.
If you are on a historical plan that contemplates different fee structures or payment methods, you will continue to operate under that plan unless and until notified by us.
SUSPENSION AND TERMINATION OF USE OF THE SERVICE
- We reserve the right to temporarily suspend or terminate your access to the Probely Service at any time in our sole discretion, with or without notice, and without incurring liability of any kind, for any one or more of the following reasons: (a) the actual or suspected violation of these Terms; (b) the use of the Probely Services in a manner that may cause us to have legal liability or may disrupt others’ use of the Probely Services; (c) the detection of suspicious behavior in your account; (d) scheduled downtime and recurring downtime; (e) use of excessive storage capacity or bandwidth; or (f) unplanned technical problems and outages or other emergency situation, as determined in our discretion. If, in our sole discretion, the suspension is indefinite and/or we have elected to terminate your access to the Probely Service, we will use commercially reasonable efforts to notify you through the Probely Service and/or by email to the email address associated with your account. You acknowledge that if your access to the Probely Service is suspended or terminated, you may no longer have access to the Content that is stored with the Probely Service.
ACCEPTABLE USE
You must not use the Probely Service to harm others or the Probely Service. For example, you must not use the Probely Service to harm, threaten, or harass another person, organization, or Snyk and/or to build a similar service or website. You must not: damage, disable, overburden, or impair the Probely Service (or any network connected to the Probely Service); resell or redistribute the Probely Service or any part of it; use any unauthorized means to modify, reroute, or gain access to the Probely Service or attempt to carry out these activities; or use any automated process or Probely Service (such as a bot, a spider, or periodic caching of information stored by Snyk) to access or use the Probely Service. In addition, you undertake that you will not and will not encourage or assist any third party to:
(a) use the Probely Service in connection with any Targets that are not owned by you or your affiliates, or that you do not have a right to scan, access or use; (b) upload or input to the Probely Service: (i) any virus; or, (ii) any material that is illegal or infringes any third-party intellectual property right; (c) upload to the Probely Service, or otherwise make accessible to the Probely Scanner or Snyk, any sensitive data or regulated data (except pursuant to the DPA with respect to non-sensitive Personal Data), such as health or financial information; (d) license, sell, rent, lease, distribute, display, commercially exploit, or otherwise make the Probely Services available to any third party; (e) copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of the Probely Service; (f) reverse compile, disassemble, reverse engineer, or otherwise reduce to human-perceivable form, all or any part of the Probely Service; (g) circumvent or disable any security or other technological features of the Probely Service; (h) perform any actions that would interfere with the proper working of the Probely Service or prevent access to or use of the Probely Service by Snyk’s other customers; (i) use the Probely Service to perform any benchmarking activities on the applications or any third-party applications; (j) use the Probely Service to provide business process outsourcing services to third parties (e.g., as a service bureau); (k) remove any proprietary notices or labels from the Probely Service; (l) use or input any data into the Probely Service in breach of: (i) applicable law; or, (ii) license terms or other contractual obligations owing to a third party; (m) access or use the Probely Service to develop or sell a competing product or service, or for purposes that are competitive with Snyk; or, (n) access or use the Probely Service from any country or region subject to a comprehensive U.S. embargo. A breach of any of the foregoing restrictions is deemed to be a material breach of these Terms.
access or use the Probely Service in any way intended to improperly avoid incurring fees, or exceeding usage limits or quotas. As such, you are entitled to no more than 2 concurrent scans of the same Target or 60 scans of the same Target on a monthly basis.
SERVICE LEVEL TERMS
We use reasonable endeavours designed to ensure that the Probely Services are always available. Snyk commits to availability of 99.9% for paid access to the Probely Scanner, calculated on a 90-day period, excluding holidays and weekends and scheduled maintenance. If Customer requests maintenance during these hours, any uptime or downtime calculation will exclude periods affected by such maintenance. Further, any Downtime resulting from the following will also be excluded from any such calculation: (a) third party connections or utilities or other reasons beyond Company’s control; (b) your acts or omissions; (c) the failure or malfunction of equipment, applications or systems not owned or controlled by Snyk; (d) any inconsistencies or changes in your source environment, including either intentional or accidental connections or disconnections to the environment; (e) force majeure events; (f) any suspension of the Probely Services in accordance with these Terms; (g) your use of the Probely Services in a manner inconsistent with our documentation; (h) scheduled downtime; or, (i) emergency downtime.
If Snyk fails to meet the guaranteed availability (“Downtime”) in any calendar month, except as otherwise provided herein you will be eligible for a credit as described below.
Downtime shall begin to accrue as soon as you (with notice to Snyk) recognize that downtime is taking place and continues until the availability of the Probely Scanner is restored. In order to receive Downtime Credit, you must notify Snyk in writing within 24 hours from the initial Downtime, and failure to provide such notice will forfeit the right to receive Downtime Credit. Downtime Credits shall be your sole and exclusive remedy in the event of any failure to meet these availability commitments. Downtime Credits will be applied to the next invoice following your request and Snyk’s confirmation that credits are applicable. If availability is less than 95% for (a) three consecutive months, or, (b) any three months during any twelve-month period, you may terminate these Terms upon written notice to Snyk.
Snyk’s blocking of data communications or other portions of the Probely Services in accordance with its policies shall not be deemed to be a failure of Snyk to provide adequate service levels under these Terms.
SNYK PROPRIETARY RIGHTS
When using the Probely Services, you may have access to certain software stored at a data center, owned, leased, rented or used by us to provide the Probely Service (the “Software”). During the applicable Subscription Term you have the limited, non-exclusive, non-transferable, non-sublicenseable right to access and use the Software exclusively for your internal business purposes and solely in furtherance of your use of the Probely Services as expressly permitted under these Terms. We reserve all other rights to the Software. Any Software access is provided on a subscription basis, and is licensed and not sold. Unless we notify you otherwise, your right to access and use the Software ends when the applicable Subscription Term ends. The Software is subject to applicable export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the Software. These laws include restrictions on destinations, end users, and end use.
As between Snyk and you, Snyk or its licensors own and reserve all right, title and interest in and to the Probely Services, Software, and all other hardware, software and other items used to provide the Probely Services, other than the rights explicitly granted to you to use the Probely Services in accordance with these Terms. No title to or ownership of any proprietary rights related to the Probely Services is transferred to you pursuant to these Terms. All rights not explicitly granted to you are reserved by us. In the event that you provide comments, suggestions and recommendations to us with respect to the Probely Service (including, without limitation, with respect to modifications, enhancements, improvements and other changes to the Probely Service) (collectively, “Feedback”), you hereby grant to Snyk a world-wide, royalty free, irrevocable, perpetual, and freely transferable and sublicensable (through multiple tiers) license to use and otherwise incorporate any Feedback in connection with the Probely Service, without any payment or attribution.
We may (a) collect, analyse and otherwise process Usage Data internally for its business purposes, including for the purposes of security and analytics, to improve and enhance the Probely Services, or for other development, diagnostic and corrective purposes in connection with the Probely Services or other Snyk products or services, and (b) publicly disclose Usage Data only in an aggregated and/or de-identified form in connection with its business in a manner that does not identify you. “Usage Data” means information relating to the provision, use and performance of various aspects of the Probely Services and related systems and technologies (including information concerning your and, if these Terms are being agreed on behalf of an organization, your associated users’ use of the various features and functionality of the Probely Services and analytics and statistical data derived therefrom).
NO WARRANTY
SNYK PROVIDES THE PROBELY SERVICES “AS IS” AND “AS AVAILABLE”. WE DO NOT GUARANTEE THAT THE PROBELY SERVICES ARE FREE FROM ERRORS, BUGS, OR VIRUSES OR THAT THEY WILL PERFORM AS INTENDED. WE STRONGLY RECOMMEND THAT YOU USE THE PROBELY SERVICES SOLELY IN STAGING AND TESTING TARGETS. SNYK WILL INCUR NO LIABILITY FOR ANY USE OF THE PROBELY SERVICES IN CONNECTION WITH A PRODUCTION TARGET. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, SNYK MAKES NO (AND SPECIFICALLY DISCLAIMS ALL) REPRESENTATIONS OR WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, ANY WARRANTY THAT THE PROBELY SERVICE WILL BE UNINTERRUPTED, ERROR-FREE OR FREE OF HARMFUL COMPONENTS, THAT THE CONTENT WILL BE SECURE OR NOT OTHERWISE LOST OR DAMAGED, OR ANY IMPLIED WARRANTY OF MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, AND ANY WARRANTY ARISING OUT OF ANY COURSE OF PERFORMANCE, COURSE OF DEALING OR USAGE OF TRADE. THE PROBELY SERVICES ARE DESIGNED TO IDENTIFY VULNERABILITIES IN TARGETS, BUT WE DO NOT WARRANT OR REPRESENT THAT IT WILL DETECT ALL VULNERABILITIES NOR SHALL WE BE LIABLE IF SOME VULNERABILITY IS UNDETECTED. SNYK WILL NOT BE LIABLE TO YOU FOR ANY ‘FALSE POSITIVE’ OR ‘FALSE NEGATIVE’ VULNERABILITIES INCORRECTLY IDENTIFIED BY THE PROBELY SERVICES OR FOR ANY DAMAGE OR LOSS ARISING FROM ACTIONS TAKEN BY YOU BASED ON SUCH IDENTIFICATION. SOME JURISDICTIONS DO NOT ALLOW THE FOREGOING EXCLUSIONS. IN SUCH AN EVENT SUCH EXCLUSION WILL NOT APPLY SOLELY TO THE EXTENT PROHIBITED BY APPLICABLE LAW.
LIMITATION OF LIABILITY
TO THE FULLEST EXTENT PERMITTED BY LAW, IN NO EVENT WILL SNYK, ITS AFFILIATES, OFFICERS, EMPLOYEES, AGENTS, SUPPLIERS OR LICENSORS BE LIABLE FOR (A): ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, COVER OR CONSEQUENTIAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOST PROFITS, REVENUE, GOODWILL, USE OR CONTENT) HOWEVER CAUSED, EVEN IF SNYK HAS BEEN ADVISED AS TO THE POSSIBILITY OF SUCH DAMAGES, WHERE APPLICABLE.
EXCEPT AS OTHERWISE PROVIDED IN SECTION 11.3, IN NO EVENT WILL SNYK’S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THESE TERMS AND/OR YOUR ACCESS TO OR USE OF THE PROBELY SERVICES, WHETHER ARISING UNDER OR RELATED TO BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, OR ANY OTHER LEGAL OR EQUITABLE THEORY, EXCEED THE GREATER OF THE TOTAL SUBSCRIPTION FEES PAID OR PAYABLE TO SNYK UNDER THESE TERMS FOR THE 12 MONTH PERIOD PRECEDING THE EVENT GIVING RISE TO THE CLAIM; OR $100. THE FOREGOING LIMITATIONS APPLY EVEN IF ANY REMEDY FAILS OF ITS ESSENTIAL PURPOSE.
THE EXCLUSION OF DAMAGES AND LIMITATION ON MONETARY LIABILITY SET FORTH ABOVE SHALL NOT APPLY TO: (A) A PARTY’S FRAUD, GROSS NEGLIGENCE OR WILFUL MISCONDUCT; (B) LOSSES FOR DEATH OR BODILY INJURY; OR (C) LIABILITY WHICH CANNOT BE EXCLUDED OR LIMITED BY APPLICABLE LAW. EACH PROVISION OF THESE TERMS THAT PROVIDES FOR A LIMITATION OF LIABILITY, DISCLAIMER OF WARRANTIES, OR EXCLUSION OF DAMAGES IS TO ALLOCATE THE RISKS OF THESE TERMS BETWEEN THE PARTIES. THIS ALLOCATION IS REFLECTED IN THE PRICING OFFERED BY SNYK TO YOU AND IS AN ESSENTIAL ELEMENT OF THE BASIS OF THE BARGAIN BETWEEN THE PARTIES. THE LIMITATIONS IN THIS SECTION 11 (LIMITATION OF LIABILITY) WILL APPLY NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY IN THESE TERMS.
NOTICES
We may send you, in electronic form, information about the Probely Service, additional information, and information the law requires us to provide. We may provide required information to you by email at the address you specified when you signed up for the Probely Service or by access to a website that we identify. Notices emailed to you will be deemed given and received when the email is sent. If you don’t consent to receive notices electronically, you must stop using the Probely Service. Any legal notices or other notices required by these Terms must be sent to us via email to [email protected], or via post to Snyk’s registered address. Any such notice, in either case, must specifically reference that it is a notice given under these Terms.
CONFIDENTIALITY
“Confidential Information” means all information disclosed by a party (“Disclosing Party”) to the other party (“Receiving Party”), that would be considered confidential by a reasonable party given the nature of the information and the circumstances of disclosure. Snyk’s Confidential Information includes the Probely Services. The Confidential Information of each party includes such party’s business and marketing plans, technology and technical information, product plans and designs, and business processes disclosed by such party. However, Confidential Information does not include any information that:
- is or becomes generally known to the public without breach of any obligation owed to the Disclosing Party,
- was known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation owed to the Disclosing Party,
- is received from a third party without breach of any obligation owed to the Disclosing Party, or
- was independently developed by the Receiving Party.
The Receiving Party will use the same degree of care that it uses to protect the confidentiality of its own confidential information of like kind (but not less than reasonable care) and
- not use any Confidential Information of the Disclosing Party for any purpose outside the scope of these Terms, and
- except as otherwise authorized by the Disclosing Party in writing, disclose Confidential Information of the Disclosing Party only to those of its and its affiliates’ employees and contractors who need that access for purposes consistent with these Terms and who are subject to confidentiality obligations no less stringent than those herein.
The Receiving Party may disclose Confidential Information of the Disclosing Party to the extent compelled by law or by the order of a court or similar judicial or administrative body to do so, provided the Receiving Party gives the Disclosing Party prior notice of the compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party’s cost, if the Disclosing Party wishes to contest the disclosure.
If you are accessing and using the Probely Services on behalf of an organization, to the extent that Snyk processes Personal Data on your behalf when performing its obligations under these Terms, the Data Processing Addendum (the “DPA”) included below as Schedule 1 will apply and form part of these Terms. If you are accessing and using the Probely Services on an individual basis, a description of our personal data processing is accessible at https://probely.com/privacy-policy/.
CONSENT TO ELECTRONIC COMMUNICATIONS AND SOLICITATION
By registering for the Probely Services, you understand that we may send you communications or data regarding the Probely Services, including but not limited to: (a) notices about your use of the Probely Services, including any notices concerning violations of use; (b) updates, via electronic mail. Please also see our Privacy Policy that may apply in this respect.
GOVERNING LAW AND DISPUTE RESOLUTION
If you are located in the United States, these Terms will be governed by and construed in accordance with the law of the State of Delaware, excluding its conflicts of laws rules and each party irrevocably agrees that the courts located in Dover, Delaware shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with these Terms. If you are located outside of the United States, these Terms will be governed by and construed in accordance with the laws of England and Wales, excluding its conflicts of law rules and each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with these Terms.
MISCELLANEOUS
- These Terms apply to the maximum extent permitted by relevant law. If a court holds that we cannot enforce a part of these Terms as written, you and we will replace those terms with similar terms to the extent enforceable under the relevant law, but the rest of these Terms will remain in effect.
- This is the entire contract between you and us regarding the Probely Service. It supersedes any prior contract or oral or written statements regarding your use of the Probely Service.
- We may assign, transfer, or otherwise dispose of our rights and obligations under this contract, in whole or in part, at any time without notice. You may not assign this contract or transfer any rights to use the Probely Service.
- The non-exercise, or late or partial exercise, of any right which we have under these Terms cannot under any circumstance imply the waiver of such a right, or the expiry of the same and, therefore, any such right will remain valid and effective despite not being exercised.
TRADEMARKS
“Probely” and “Snyk” are trademarks owned by us. The use of our trademarks without our express written approval is prohibited.
DATA PROCESSING ADDENDUM
This Data Processing Addendum, including all annexes attached hereto, (the “DPA”) is incorporated into and subject to the Probely Terms of Service (the “Agreement”) entered into by and between Customer and Snyk. All capitalized terms used, but not defined in this DPA shall have the meanings set forth in the Agreement. In the event of an express conflict between the Agreement and the DPA, the terms of the DPA shall prevail.
DEFINITIONS
Data Protection Laws means all national, federal, and state data protection laws and regulations, as may be amended or updated from time to time, applicable to Snyk’s processing of Personal Data to provide the Probely Services as described in the Agreement. Such Data Protection Laws shall include, as applicable:
- The California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations (“CCPA”);
- The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”) or the “UK GDPR” which means the UK General Data Protection Regulation, as it forms part of the law of the UK by virtue of section 3 of the European Union (Withdrawal) Act 2018; and
- The Swiss Federal Act on Data Protection of 25 September 2020 (“FADP”).
- EU SCCs means the standard contractual clauses attached to the European Commission’s Implementing Decision (EU) 2021/914 found at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
- Personal Data means any information relating to an identified or identifiable natural person, which is processed by Snyk in its role as a data processor for the purposes of providing the Probely Services under the Agreement.
- Restricted Transfer means any cross-border transfer of Personal Data that would be restricted by the Data Protection Laws in the absence of the EU SCCs or UK SCCs, as applicable, including appropriate addenda.
- Swiss SCCs means the EU SCCs as amended in terms of Section 6.3 of this DPA.
- UK Addendum means the International Data Transfer Addendum to EU SCCs, issued by the ICO under s119A(1) of the Data Protection Act 2018, version B1.0 and any updates or replacements as may be issued by the ICO from time to time in accordance with S119A(1).
- UK SCCs means the UK Addendum, as amended or replaced from time to time, pursuant to Article 46 of the UK GDPR.
- The terms "controller", "processor", "data subject", "process" and "supervisory authority" and their derivatives and analogous terms shall have the same meaning as set out in applicable Data Protection Laws.
RIGHTS AND OBLIGATIONS
- The parties acknowledge and agree that with respect to the processing of Personal Data, Customer is the controller and Snyk is the processor. The parties agree that the Agreement and this DPA, as well as Customer’s configuration of the Probely Services, shall constitute the Customer's instructions for the processing of Personal Data. Each Party shall comply with its respective obligations under the Data Protection Laws. Customer will not instruct Snyk to process Personal Data in violation of applicable law. To the extent required by Data Protection Laws, Snyk shall assist Customer in complying with Customer’s obligations under the Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data it provides or otherwise makes available to Snyk, and the means by which Customer acquired and transferred such Personal Data to Snyk, and the legal basis to permit Snyk’s processing of such Personal Data under the Agreement and this DPA. Snyk will cooperate with reasonable requests by Customer for documentary audits of Snyk's security and privacy practices. The time, duration, place, scope, and manner of the audit must be mutually agreed by the parties, but in no event will an audit be conducted more frequently than once per year. Taking into account the nature of the request and to the extent reasonably feasible from a technical and operational perspective, Snyk will provide Customer with any information necessary to enable Customer to comply with applicable law or request from a regulatory body, provided that Snyk will not release any proprietary or confidential information. If a regulator wishes to carry out an audit of Snyk or its activities under this Agreement, Customer will provide Snyk with no less than 30 days’ notice, unless the regulator has given less notice to Customer. 
In the event of a breach of security resulting in an unauthorized or unlawful destruction, loss, alteration, disclosure of, or access to, Customer Data (including Personal Data, as defined in the DPA) (a “Security Incident”), upon becoming aware of the Security Incident, Snyk will (i) promptly take reasonable action to mitigate the Security Incident, and (ii) without undue delay, notify Customer of the Security Incident. Any such notification is not an acknowledgement of fault or responsibility. In addition, Snyk will provide reasonable assistance to Customer (and any law enforcement or regulatory official with proper jurisdiction) to fulfil Customer’s obligations under applicable law to investigate and respond to the Security Incident.
- As required by Data Protection Law, Snyk shall keep a written record of its processing activities with respect to the Personal Data. Customer’s audit rights with respect to Personal Data are specified in this DPA.
SUB-PROCESSORS
- Customer grants Snyk general authorization to engage third parties to process the Personal Data ("Sub-processors"). Snyk shall maintain an up-to-date list of Sub-processors at https://snyk.io/policies/subprocessors/ and https://probely.com/privacy-policy.
- Snyk will provide Customer with thirty (30) days’ notice (the “Notice Period”) prior to adding or replacing any Sub-processor by posting details at https://snyk.io/policies/subprocessors/ or https://probely.com/privacy-policy. In the event Customer reasonably objects to the addition or replacement of such Sub-processor, Customer will provide Snyk written notice of its objection and its reasonable grounds for objection within the Notice Period and the parties will discuss in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Snyk will either not appoint the new Sub-processor with respect to Customer’s use of the Probely Services, or permit Customer to suspend or terminate the affected Probely Services without liability to either party. Notwithstanding the foregoing, Snyk may replace a Sub-processor if the need for the change is urgent and necessary to provide the Probely Services. In such instance, Snyk shall notify Customer of the replacement as soon as reasonably practicable, and Customer shall retain the right to object to the replacement Sub-processor.
- Snyk shall ensure each Sub-processor is appointed pursuant to a written contract conferring materially the same obligations with respect to Personal Data as this DPA and shall be responsible for ensuring each such Sub-processor complies with all such obligations.
DATA REQUESTS
- Snyk shall, to the extent required by applicable Data Protection Law, notify Customer if Snyk receives any valid requests from a data subject identified in connection with Customer’s subscription to the Probely Services to exercise his or her individual rights under Data Protection Law. Snyk shall, to the extent permitted by law and taking into account the nature of the processing, provide reasonable assistance to Customer in responding to valid requests from data subjects under the Data Protection Laws.
- In the event Snyk becomes subject to a request from a public authority, Snyk shall review the legality of such a request prior to acceding to it. To the extent permitted by law, Snyk shall promptly notify Customer in writing of any such request. Snyk shall in respect of any such request only disclose the minimum amount of Personal Data it assesses is reasonably required.
GDPR
- This Section shall apply only to the extent that Personal Data contains personal information subject to the GDPR, UK GDPR, or FADP and shall apply in addition to the other requirements of the Agreement and the other provisions of this DPA. The parties agree that Snyk may process Personal Data as part of providing the Probely Services pursuant to the Agreement. Snyk shall inform Customer if it becomes aware that Customer’s instructions infringe GDPR, UK GDPR or FADP (as applicable) but without obligation to actively monitor Customer's compliance therewith.
INTERNATIONAL DATA TRANSFERS
- Customer acknowledges and agrees that Snyk may transfer, access and process Personal Data on a global basis as necessary to provide the Probely Services in accordance with the Agreement. Snyk will make any such transfers in compliance with the Data Protection Laws.
The parties agree that the terms of the EU SCCs Module Two (Controller to Processor) apply to any Restricted Transfer under GDPR from Customer (as data exporter) to Snyk (as data importer). The parties agree that for the purposes of the EU SCCs:
- Clause 7 (Docking Clause) shall not apply;
- In Clause 9 (Use of Sub-processors), Option 2, General Written Authorisation, shall apply and the “time period” shall be 30 days;
- In Clause 11 (Redress) the optional language shall not apply;
- Annex I.A (List of Parties) shall be deemed to be Customer as data exporter and Snyk as data importer;
- Annex I.B (Description of Transfer) shall be deemed to incorporate the information in Annex 1;
- Annex I.C (Competent Supervisory Authority) shall be deemed to refer to the supervisory authority of Ireland; and
- Annex 2 (Technical and Organisational Measures) shall be deemed to refer to Annex 2 of this DPA.
The parties agree that the terms of the EU SCCs Module Two (Controller to Processor) apply to any Restricted Transfer under FADP from Customer (as data exporter) to Snyk (as data importer) to the same extent recorded in Section 6.2, subject to the following amendments:
- References to “Regulation (EU) 2016/679” or to “GDPR” shall be interpreted as references to FADP;
- References to “EU”, “Union”, or “European Union”, “EU Member State” or “Member State”: (a) shall be interpreted to include “Switzerland”; and (b) shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of seeking to exercise their rights in Switzerland;
- Annex I.C (Competent Supervisory Authority) shall be deemed to refer to the Swiss Federal Data Protection and Information Commissioner; and
- Clause 17 (Option 1) and Clause 18(b) shall be deemed to refer to the applicable governing law and courts in Section 8.1 below, save to the extent otherwise required by FADP, or to give effect to Section 6.3.2(b) above, in which case, the governing law shall be Swiss Law and disputes will be resolved before the courts of Switzerland (“Swiss SCCs”).
The parties agree that the terms of the UK SCCs apply to any Restricted Transfer under the UK GDPR from Customer (as data exporter) to Snyk (as data importer). The parties agree that for the purposes of the UK SCCs:
- Table 1 shall be deemed populated with Customer as data exporter and Snyk as data importer;
- Table 2 is deemed populated with the corresponding details and selections described in Section 6.2 above;
- Table 3 is deemed populated with the corresponding details and selections described in Section 6.2.4, 6.2.5, and 6.2.7 above, and Schedule 1; and
- Table 4 to the UK Transfer Addendum is completed by only ‘Importer’ being selected.
To the extent that Snyk makes an onward transfer which is a Restricted Transfer, it shall take such measures as may be necessary to ensure that the transfer is made in compliance with the Data Protection Laws.
CCPA
- This Section shall apply only to the extent that Personal Data contains personal information subject to the CCPA and shall apply in addition to the other requirements of the Agreement and the other provisions of this DPA.
- Snyk will promptly notify Customer if it determines that it can no longer meet its obligations under this DPA or the CCPA.
- Customer may, upon providing Snyk prior written notice, take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data by Snyk.
- Snyk processes the Personal Data subject to CCPA for or on behalf of Customer for the business purposes specified in the Agreement. Snyk shall not retain, use, or disclose Personal Data for any purposes other than pursuant to the business relationship of the parties and performing the Probely Services under the Agreement or as otherwise permitted for Service Providers by the CCPA.
- Snyk shall not sell the Personal Data within the meaning of the CCPA. To the extent the CCPA is applicable, the parties acknowledge that Customer's transfer of Personal Data to Snyk is not a "sale" and Snyk provides no monetary or other valuable consideration to Customer in exchange for the Personal Data.
- To the extent any Personal Data hereunder is deidentified by Snyk or Customer, Snyk shall take reasonable measures to ensure the deidentified Personal Data cannot be associated with a consumer or household and shall not attempt to reidentify such deidentified Personal Data.
- Snyk certifies that it understands the obligations and restrictions contained in this Section 7 and will comply with them.
GENERAL
Governing Law. Unless otherwise required, the parties agree that:
- If the Agreement is between Customer and Snyk, Inc., this DPA shall be governed by and construed in accordance with the laws of the jurisdiction set forth in the Agreement and the parties agree to submit to the jurisdiction of the courts specified in the Agreement.
- If the Agreement is between Customer and Snyk Limited, this DPA shall be governed by and construed in accordance with the laws of Ireland and the parties agree to submit to the jurisdiction of the courts located in Ireland.
Updates. Snyk may modify this DPA as required as a result of (a) changes in Data Protection Laws; (b) a merger, acquisition, corporate reorganization or other similar occurrence; or (c) the release of new features, functions, products or services or material changes to any of the existing Probely Services. Snyk may make such modifications by posting a revised version of this DPA at https://probely.com/terms-of-service/ or by otherwise notifying Customer. Snyk will provide at least seven (7) days’ advance notice of any modifications. Subject to the seven (7) day advance notice requirement, the modified version of the DPA will become effective upon posting. By continuing to use the Probely Services after the effective date of any modifications to this DPA, the Customer agrees to be bound by the modified DPA.
Annex 1 - DATA PROCESSING DETAILS
Categories of data subjects:
Developers and other employees of Customer who are users of the Probely Scanner or otherwise contribute to Customer’s code base and data subjects whose personal data may be incidentally processed in the course of Customer's use of the Probely Scanner.
Categories of personal data:
- First and last name, employer, title, and position
- Email Addresses
- User IDs or tags related to source code repositories or other services integrated with Snyk by the Customer’s users
- Connection and/or localization data
- Personal data may be incidentally processed in the course of Customer's use of the Probely Service.
Sensitive data transferred (if applicable):
None.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
Ongoing.
Nature of the processing:
The processing of certain personal data by Snyk on behalf of the Customer in relation to allowing access of the Customer’s users to Snyk’s platform for the purposes of reviewing software projects submitted to the platform.
Purpose(s) of the data transfer:
Providing the Probely Scanner pursuant to the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
As set forth in the Agreement.
For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing:
See https://snyk.io/policies/subprocessors/ and https://probely.com/privacy-policy for details.
Annex 2 - TECHNICAL AND ORGANISATIONAL MEASURES
The following list is a non-exhaustive list of security controls we implement with respect to our Probely Scanner:
- We employ industry-standard encryption technology.
- All of our infrastructure is hosted in a top-tier cloud provider, where security has been scrutinized. Our cloud provider’s security features and controls are configured to segregate and monitor our service networks, for audit logs, and for security event management. The frontend, backend, and database servers use private and segregated networks controlled by security groups.
Where appropriate we implement the following security practices, including (but not limited to):
- Principle of the least privilege (to access our systems and data),
- Server hardening and security updates,
- Requiring 2-factor authentication,
- Central logging,
- Secure Software Development Life cycle, including periodic security assessments.
Notwithstanding the outlined security measures, it is important to remember that the transmission of data via the internet may not be completely secure and that you are advised to take suitable precautions when transmitting data via the internet.