April 29, 2026

Data Processing Agreement

This Data Processing Agreement (the “DPA”) forms part of the agreement between you (“Customer”) and SNAP2DEPLOY L.L.C. (“Snap2Deploy,” “we,” or “us”) under our Terms of Service (the “Agreement”) and governs how Snap2Deploy processes Personal Data on Customer’s behalf in connection with Snap2Deploy’s app packaging and deployment service (the “Service”).

By using the Service, Customer accepts this DPA as binding. Customers who require a counter-signed copy on letterhead may request one by emailing legal@snap2deploy.com.

1. Definitions

Capitalized terms used but not defined in this DPA have the meanings given in the Agreement. The following definitions apply:

  • “Personal Data” means any information relating to an identified or identifiable natural person that is processed by Snap2Deploy on Customer’s behalf under the Agreement.
  • “Data Protection Laws” means all laws and regulations applicable to the processing of Personal Data under the Agreement, including, where applicable, the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR and Data Protection Act 2018, the California Consumer Privacy Act as amended (“CCPA/CPRA”), and other applicable U.S. state privacy laws.
  • “Controller,” “Processor,” “Data Subject,” and “Processing” have the meanings given in the GDPR.
  • “Subprocessor” means a third party engaged by Snap2Deploy to process Personal Data on Customer’s behalf under this DPA.
  • “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

2. Roles of the parties

With respect to Personal Data processed under this DPA, Customer is the Controller and Snap2Deploy is the Processor. Each party will comply with its respective obligations under applicable Data Protection Laws.

3. Scope & instructions

Snap2Deploy will process Personal Data only on Customer’s documented instructions. Customer’s use of the Service in accordance with the Agreement, including configuration of integrations with Microsoft Intune and Jamf Pro, constitutes such documented instructions. Snap2Deploy will inform Customer if, in Snap2Deploy’s opinion, an instruction infringes Data Protection Laws.

4. Categories of data & data subjects

The categories of Personal Data and Data Subjects processed by the Service are described in Annex I below.

5. Confidentiality

Snap2Deploy will ensure that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations, whether by written contract, statutory duty, or both, that survive termination of their engagement.

6. Security measures

Snap2Deploy will implement and maintain the technical and organizational measures described in Annex II below, designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. The measures will be reviewed and updated as appropriate to reflect evolving security practices and risks.

7. Subprocessors

Customer authorizes Snap2Deploy to engage Subprocessors to process Personal Data, subject to the requirements of this Section 7.

  • The current list of Subprocessors is published at snap2deploy.com/subprocessors and is incorporated into this DPA by reference.
  • Snap2Deploy will impose data-protection terms on each Subprocessor that are no less protective than the relevant terms of this DPA.
  • Snap2Deploy will give Customer at least thirty (30) days’ prior notice of the addition or replacement of a Subprocessor by updating the Subprocessors page and notifying the Customer’s organization owner by email at the address on file. If Customer reasonably objects to the addition on data-protection grounds, the parties will discuss in good faith; if no resolution is reached, Customer may terminate the affected portion of the Service for convenience.
  • Snap2Deploy remains liable to Customer for the acts and omissions of its Subprocessors that cause Snap2Deploy to breach this DPA.

8. International transfers

Snap2Deploy and its Subprocessors are located in the United States. Where Personal Data originating in the European Economic Area, the United Kingdom, or Switzerland is transferred to a country that has not been deemed adequate by the relevant supervisory authority, the parties agree that the Standard Contractual Clauses (Module 2: Controller-to-Processor) are incorporated into this DPA by reference and will apply to that transfer, with Customer as data exporter and Snap2Deploy as data importer. The UK International Data Transfer Addendum and the Swiss equivalent apply where relevant. Annex I and Annex II of this DPA serve as the corresponding annexes to the SCCs.

9. Data subject requests

Snap2Deploy will, taking into account the nature of the processing, provide reasonable assistance to Customer in responding to data subject requests under applicable Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection. Owners and admins can self-service most requests via the Service’s built-in settings; for anything that cannot be self-served, contact privacy@snap2deploy.com.

10. Personal data breaches

Snap2Deploy will notify Customer without undue delay, and in any case within seventy-two (72) hours of becoming aware, of any Personal Data Breach affecting Customer’s data. The notification will include, to the extent known: the nature of the breach, categories and approximate number of Data Subjects and records concerned, likely consequences, and measures taken or proposed to address the breach. Snap2Deploy will provide reasonable assistance to Customer in fulfilling Customer’s breach notification obligations to supervisory authorities and Data Subjects.

11. Audits

Snap2Deploy will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA, including (where available) third-party audit reports such as SOC 2. Customer may, no more than once per twelve-month period and on at least thirty (30) days’ prior written notice, conduct a remote audit limited in scope and duration as agreed in writing. Customer will bear its own costs and any reasonable costs charged by Snap2Deploy for engineering time. The parties may agree to substitute the audit with a written security questionnaire response.

12. Return & deletion of personal data

Upon termination or expiry of the Agreement, Snap2Deploy will, at Customer’s choice, delete or return all Personal Data within thirty (30) days, except where retention is required by law. Owners can also delete their organization’s data at any time via the Service’s settings; deletion proceeds on the schedule described in our data handling policy.

13. Liability & precedence

This DPA is subject to the limitations of liability set forth in the Agreement. To the extent of any conflict between this DPA and the Agreement, this DPA controls with respect to the processing of Personal Data.

14. Governing law

This DPA is governed by the laws of the State of New Jersey, USA, without regard to its conflict-of-laws principles, except where the Standard Contractual Clauses apply, in which case the SCCs are governed by the law of the EU member state designated in the SCCs themselves.

15. Changes

Snap2Deploy may update this DPA from time to time. If we make material changes, we will notify Customer at least thirty (30) days in advance via email to the organization owner’s address on file or via the Service. Continued use of the Service after the effective date of an update constitutes acceptance of the updated DPA.

16. Contact

For matters relating to this DPA, contact legal@snap2deploy.com. For data subject requests, contact privacy@snap2deploy.com.


Annex I — Description of processing

A. List of parties

  • Data exporter (Controller): the Customer identified in the Agreement.
  • Data importer (Processor): SNAP2DEPLOY L.L.C., 9 Pinewood Road, Milford, NJ 08848, United States. Contact: legal@snap2deploy.com.

B. Categories of data subjects

  • Customer’s authorized users (employees, contractors).
  • End users of devices managed via Customer’s Intune or Jamf Pro tenant, to the limited extent device or app metadata is reflected in Auto-Pilot scan results.

C. Categories of personal data

  • Account data: name, work email address, hashed password, organization role.
  • Authentication metadata: session tokens (JWT), IP address, user agent, login timestamps.
  • Tenant credentials: Microsoft Entra app credentials and Jamf Pro API credentials supplied by Customer (encrypted at rest).
  • Audit log entries: actor, action, timestamp, target resource, IP address.
  • Billing identifiers: Stripe customer and subscription IDs (no card numbers).

Snap2Deploy does not knowingly process special categories of personal data (Article 9 GDPR) and Customer agrees not to upload such data to the Service.

D. Frequency & nature of processing

Continuous, for the duration of the Agreement. Processing operations include: storage, retrieval, transmission to Customer’s designated MDM tenant, generation of derived package metadata, encryption/decryption of credentials, and deletion on Customer instruction.

E. Purpose

Provision of the Service to Customer in accordance with the Agreement: app packaging, deployment to Customer’s Intune / Jamf tenant, Auto-Pilot patch monitoring, billing, support, and audit.

F. Retention period

For the duration of the Agreement, plus the deletion windows set out in our data handling policy (typically 30 days post-deletion, expiring out of encrypted backup windows thereafter).

G. Subject matter, nature, and duration of processing by subprocessors

See /subprocessors for current subprocessor list, processing activities, and locations.


Annex II — Security measures

Snap2Deploy implements appropriate technical and organizational measures to protect Personal Data, including those summarized below and described in greater detail in our Security & Trust Center:

  • Encryption in transit: TLS 1.2 or higher for all connections; HTTP automatically redirected to HTTPS.
  • Encryption at rest: AES-256-GCM for sensitive customer-supplied secrets (e.g. integration credentials), plus provider-level disk encryption for the database and object storage.
  • Access controls: role-based access control with three roles (owner, admin, member), enforced server-side at the API layer; bcrypt-hashed passwords (work factor 12); least-privilege access for engineering personnel.
  • Tenant isolation: every record scoped to its owning organization; no cross-organization access path through the API.
  • Audit logging: sensitive actions logged per organization and retained for the life of the organization.
  • Resilience: point-in-time database recovery (Neon) within a rolling window; documented rollback playbook; stated RPO < 5 minutes and RTO < 30 minutes.
  • Secure development: all changes deployed via managed CI from a single main branch; environment secrets managed in the hosting provider’s secret store; rotation on personnel changes.
  • Vulnerability disclosure: public process at snap2deploy.com/security; two-business-day acknowledgement; safe harbor for good-faith researchers.
  • Incident response: 72-hour breach notification to affected customers as set out in Section 10 above.

Annex III — Subprocessors

The current list of Subprocessors authorized under this DPA is published at /subprocessors.