What we're doing as a 'data processor' to comply with GDPR (part 1)
General information:
1. Is Social Snowball GDPR compliant?
Social Snowball complies with its obligations under the GDPR. Specifically, as a processor, we have taken steps to ensure that we comply with the requirements of Article 28 of the GDPR. These are primarily set out in our data processing addendum.
Specifically:
In accordance with our DPA (Data Processing Agreement, we only engage sub-processors with client authorisation and ensure the same obligations are imposed with any sub-processor
The processing we undertake is governed by a written contract, documenting client instructions and ensuring the confidentiality of data, as well as ensuring compliance with Articles 32-36 GDPR (relating to notifications, security and assistance with compliance)
GDPR compliance is an ongoing exercise and we are constantly reviewing and updating our practices.
2. Is Social Snowball a controller or a processor?
For the data provided by our direct clients within the Social Snowball platform, Social Snowball is a data processor (as defined by the GDPR). For the data we hold on clients and prospects, we are a data controller.
3. Can we search for personal data on your systems?
Social Snowball holds the data that our users have uploaded with the platform in a database. Our users have full control and access to their data, including the ability to search, import, export, delete and modify the data as needed.
Deletion of data:
4. How can we request deletion of our data?
When a merchant uninstalls the Social Snowball app, a webhook notification is received which triggers our data deletion process. All associated data will be permanently deleted within 7 days.
Affiliates may request data deletion by contacting our privacy team ([email protected]). Such requests will be handled and actioned by the relevant team in line with our data protection policies.
Data Processing Agreement:
5. Do your standard contract terms include the new GDPR mandatory provisions?
We have updated Terms of Service to incorporate our data processing agreement (available for review here: Data processing). This ensures that the processing that we undertake on your behalf is clearly documented by way of a written contract. Our document has been drafted to reflect the bespoke nature of the processing activities that Social Snowball undertakes on your behalf and at your instruction.
6. Do we sell your data?
Social Snowball prioritizes data privacy and adheres to the General Data Protection Regulation (GDPR). We never sell user data and have a Data Processing Agreement (DPA) in place for our customers. This ensures your data is protected by the strictest global privacy standards.
Social Snowball Data Privacy Framework Policy
7. Do we comply with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”)
Social Snowball complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce and as applicable. Click here to learn more.
Data breach:
8. Do you have a documented breach notification process?
Our process for reporting breaches concerning the data of individuals is addressed in our Data Processing Agreement.
9. What will Social Snowball do in the event of a data breach?
In relation to the data our clients store with us (where we are a data processor), we will notify any affected client (data controller) of a personal data breach as soon as practically possible, and in any event, within 24 hours of discovering the breach.
In the event of data breach of data relating to our direct clients (where we are a data controller), we will report any data breach within 72 hours to the relevant regulator if a breach is likely to result in a high risk to the rights and freedoms of individuals.
Sub-processors:
10. Do any other organisations (including sub-contractors, contractors or consultants) process any of the data provided by our clients on our behalf?
Yes, Social Snowball works with third party providers/sub-processors for providing the services we offer or storing your data (personal data). Social Snowball uses sub-processors to perform various functions as explained in our Trust Centre.
A sub-processor is a third party data processor engaged by Social Snowball , including entities from within the Dotdigital Group, who has or may have access to, or process, client data. Third parties that do not have access to, or process, client data but who are used to provide the services as “subcontractors” are not sub-processors.
Storage of data:
11. How is our data stored?
To safeguard the confidentiality, integrity and availability of data, the core Social Snowball platform is hosted on high security Microsoft Azure data centres. All Azure facilities meet a broad set of compliance standards, details of which can be found here. A map showing the Azure data center locations can be found here.
12. What technical and organisational security measures does Social Snowball have in place?
The Information Security Program institutes technical, physical, and administrative safeguards to protect data and assets from unauthorized access, disclosure, or inappropriate use. The program establishes requirements and standards, and organizes them into Policy documents. Policies encompass, but are not limited to the areas listed below:
Data Backups
Encryption
Change management
Vulnerability management
Access controls
Authentication and Password
Security incident response
Business continuity
Risk management
For more information, please click here.
Contact us
We have a dedicated Privacy team who is responsible for overseeing questions in relation to this page and the handling of data at Social Snowball. If you have any questions about our processing including any requests to exercise your legal rights, please contact the Social Snowball Privacy team using the details set out below:
Social Snowball Privacy Team
