Data Processing Addendum (DPA)

Terms under which SchneeAI processes personal data on behalf of its customers. Draft for counsel review — finalized before general availability.

1. Purpose and scope

This Data Processing Addendum (“DPA”) forms part of the SchneeAI Terms of Service and any other agreement governing a customer’s use of SchneeAI (“Agreement”). It applies where SchneeAI processes personal data on behalf of the customer in the provision of the services.

Capitalized terms not defined in this DPA have the meanings given in the Agreement, the Privacy Policy, or applicable data protection law.

2. Roles

The parties agree that:

  • Customer is the controller (or, where Customer has agreed to act as processor on behalf of a third-party controller, the processor) of personal data submitted to the services.
  • SchneeAI is the processor (or subprocessor) acting on Customer’s documented instructions.

SchneeAI processes personal data only on Customer’s documented instructions, including with regard to transfers of personal data to a third country, unless required to do so by applicable law. SchneeAI will not engage a sub-processor without Customer’s authorization (Section 6).

3. Details of processing

  • Categories of data subjects: Customer’s end users, employees, contractors, and other individuals whose personal data Customer submits to the services.
  • Categories of personal data: Account identifiers, usage metadata, prompt and output content (which may contain personal data), billing references, operational logs. See Privacy Policy — What SchneeAI processes.
  • Special categories (Art. 9 GDPR): SchneeAI does not intentionally process special categories of personal data. Customer is responsible for assessing whether prompts or outputs contain such data and configuring PII handling accordingly.
  • Purposes of processing: Operating the services for Customer: routing AI requests, recording audit events, billing for usage, preventing abuse, and providing observability — as described in the Privacy Policy — Purposes.
  • Duration of processing: For the term of the Agreement, subject to Customer’s retention configuration and applicable legal retention obligations.
  • Retention post-termination: Per Privacy Policy — Data retention. Customer may request earlier deletion as described in Section 11.

4. SchneeAI’s obligations

SchneeAI shall:

  1. Process personal data only on Customer’s documented instructions, including with regard to international transfers, unless required by applicable law.
  2. Ensure that persons authorized to process personal data are bound by confidentiality obligations.
  3. Implement appropriate technical and organizational security measures as described in Section 5 and on the Security page.
  4. Assist Customer, by appropriate technical and organizational means, in fulfilling Customer’s obligations to respond to requests from data subjects — including access, rectification, erasure, restriction, portability, and objection.
  5. Assist Customer in meeting Customer’s obligations regarding data protection impact assessments and prior consultation, taking into account the nature of processing and the information available.
  6. Notify Customer without undue delay after becoming aware of a personal data breach affecting Customer’s data. Provide reasonable cooperation and information to assist Customer in meeting its breach notification obligations.
  7. At Customer’s choice, delete or return personal data after the end of the provision of services, and delete existing copies — unless applicable law requires storage.

5. Security measures

SchneeAI maintains the technical and organizational measures described on the Security page and in the Privacy Policy — Security. The current control set includes:

  • Identity and access — authenticated requests only; service / tenant / user identity enforced per request.
  • Tenant isolation — data separated by tenant; cross-tenant access refused by default.
  • Encryption — TLS for data in transit; provider-managed encryption at rest supplemented by application-layer controls for sensitive artifacts (raw prompts and outputs in the Vault).
  • Audit — structured records of governance-relevant actions.
  • PII handling — configurable detection and masking across 17 categories of sensitive content.
  • Operational controls — access on need-to-know basis; change management; incident response practice.

Specific certifications (e.g., SOC 2, ISO 27001) will be added to this DPA by amendment once obtained. Until then, the controls listed above and on the Security page are the operative measures.

6. Sub-processors

Customer grants SchneeAI general authorization to engage sub-processors, subject to the conditions in this Section. The current list of sub-processors is published at /legal/sub-processors/.

SchneeAI shall:

  • Enter into a written agreement with each sub-processor imposing data protection obligations substantially equivalent to those in this DPA.
  • Remain responsible for the sub-processor’s performance of those obligations.
  • Provide Customer with prior notice of intended changes to the sub-processor list. Customer may object to a new sub-processor on reasonable data-protection grounds by notifying SchneeAI in writing within 30 days of the notice.

7. International data transfers

Where personal data is transferred out of the European Economic Area, the United Kingdom, or other regulated regions, SchneeAI relies on appropriate safeguards — including the EU Standard Contractual Clauses (Modules Two and Three, as applicable), the UK Addendum, or another lawful transfer mechanism.

The list of transfer destinations and the safeguard relied upon for each sub-processor is published at /legal/sub-processors/. Customer is responsible for any onward transfer to its own infrastructure or downstream processors.

8. Audit rights

SchneeAI shall make available to Customer information necessary to demonstrate compliance with this DPA and shall contribute to audits — including inspections — conducted by Customer or another auditor mandated by Customer, where:

  1. Customer has a specific, documented reason to believe SchneeAI is in breach of this DPA; and
  2. Customer provides at least 30 days’ prior written notice.

Audits shall be conducted during business hours, with minimal disruption to SchneeAI’s operations, and shall not interfere with confidentiality obligations to other customers. Information made available shall be limited to what is relevant to Customer’s data.

9. Personal data breach notification

SchneeAI shall notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer’s data. The notification shall, to the extent known:

  • Describe the nature of the breach, including categories and approximate number of data subjects and records concerned
  • Communicate the name and contact details of SchneeAI’s contact point
  • Describe the likely consequences
  • Describe the measures taken or proposed to address the breach and mitigate its adverse effects

SchneeAI shall take reasonable steps to investigate, contain, and remediate the breach, and shall provide reasonable cooperation to Customer.

10. Deletion and return

Upon termination of the Agreement, SchneeAI shall, at Customer’s choice and within a reasonable period (not to exceed 90 days), delete or return personal data processed under this DPA — except where applicable law requires retention. Where SchneeAI retains data for legal compliance, it shall continue to protect the data in accordance with this DPA and shall not actively process it.

11. Customer’s obligations

Customer acknowledges that Customer is responsible for:

  • The lawfulness of the personal data submitted to the services.
  • Providing appropriate notices to, and obtaining any necessary consents from, data subjects.
  • Configuring retention, access control, and PII handling in line with Customer’s compliance posture.
  • Any instruction given to SchneeAI that affects the lawfulness of processing.

Customer shall not instruct SchneeAI to process personal data in violation of applicable law or this DPA.

12. Changes

SchneeAI may update this DPA from time to time. Material changes will be posted at least 30 days before taking effect, as described in the Privacy Policy — Changes to this policy. The most recent version is always available at this URL.

13. Contact

Questions about this DPA: [email protected]. SchneeAI will designate a legal entity, registered address, and (where required) an EU representative before general availability.

Effective date: to be set before general availability.