Data Processing Agreement (DPA)
Between Snakk Teknologi AS and Customer
Last Updated: December 9, 2025
1. Parties and Background
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between:
Data Processor:
Snakk Teknologi AS ("Snakk," "Processor," "we," "us")
Organization No: 835 505 812
Email: rd@snakk.ai
Data Controller:
The entity identified in the account registration ("Customer," "Controller," "you")
This DPA applies whenever Snakk processes Personal Data on behalf of the Customer in connection with the Services provided under the Agreement. It is governed by Norwegian law and complies with the GDPR (EU 2016/679) and the Norwegian Personal Data Act (Personopplysningsloven).
2. Definitions
- Applicable Data Protection Law: GDPR, the Norwegian Personal Data Act, and any other relevant data protection legislation.
- Personal Data: Any information relating to an identified or identifiable natural person processed by Snakk on behalf of Customer.
- Processing: Any operation on Personal Data, including collection, storage, use, disclosure, erasure, or destruction.
- Data Subject: An identified or identifiable natural person whose Personal Data is processed (e.g., your customers).
- Sub-processor: Any third party engaged by Snakk to process Personal Data on behalf of Customer.
- Personal Data Breach: A breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
3. Scope and Purpose of Processing
3.1 Subject Matter
Snakk provides a cloud-based platform for creating and deploying AI-powered voice agents. In delivering these Services, Snakk processes Personal Data on behalf of the Customer.
3.2 Purpose
Processing is performed solely to provide the Services, including:
- Operating AI voice agents (inbound/outbound calls).
- Transcribing and logging conversations (as configured by Customer).
- Storing conversation history and analytics.
- Executing Customer-configured integrations (APIs, webhooks).
- User authentication and platform management.
3.3 Duration
Processing continues for the duration of the Agreement and thereafter only as required by law or for a limited period to allow data export/deletion (Section 8).
3.4 Types of Personal Data
May include, but is not limited to:
- Phone numbers and technical identifiers.
- Voice recordings and audio data.
- Text transcriptions of conversations.
- Metadata (timestamps, call duration, routing data).
- Any other data voluntarily provided by Data Subjects during calls.
3.5 Categories of Data Subjects
- End Users interacting with Customer's AI agents.
- Customer employees using the Platform.
4. Customer Obligations (Data Controller)
The Customer acknowledges and agrees that they are the Data Controller and are solely responsible for:
- Lawful Basis: Ensuring a valid legal basis for Processing (e.g., consent or contract) under Applicable Data Protection Law.
- Notices and Consent: Providing necessary privacy notices to End Users and obtaining any required consents for voice recording and data processing before sending data to Snakk.
- Instructions: Ensuring that instructions given to Snakk comply with Applicable Data Protection Law.
- Data Minimization: Not using the Services to process Special Categories of Personal Data (sensitive data like health or biometric ID data) unless explicitly agreed in writing and supported by the technical setup.
5. Processor Obligations (Snakk)
5.1 Processing Limitations
Snakk will process Personal Data only according to Customer's documented instructions (including this DPA and Platform configurations), unless required otherwise by law. Snakk will not sell, rent, or use Personal Data for its own marketing purposes.
5.2 Confidentiality
Snakk ensures that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.3 Security Measures
Snakk implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
- Since Snakk utilizes a cloud-native architecture, security relies heavily on the robust measures of our Sub-processors (see Annex B).
- Internal measures include access controls, encryption in transit, and multi-factor authentication for administrative access.
5.4 Sub-processors
Customer grants Snakk a general authorization to engage Sub-processors (listed in Annex A) to provide the Services.
- Snakk ensures that Sub-processors are bound by written agreements requiring at least the same level of data protection as this DPA.
- Snakk remains fully liable to the Customer for the performance of the Sub-processors' data protection obligations.
- Changes: Snakk will notify Customer of any intended changes to Sub-processors. Customer may object within 14 days for justifiable reasons related to data protection.
5.5 Data Subject Rights
Snakk will utilize the technical capabilities of the Platform to assist Customer in responding to requests from Data Subjects (e.g., deletion or access). If Snakk receives a request directly, we will notify the Customer.
5.6 Personal Data Breach
Snakk will notify Customer without undue delay (and no later than 72 hours) after becoming aware of a Personal Data Breach affecting Customer’s data. The notification will describe the nature of the breach, likely consequences, and measures taken.
6. International Data Transfers
The Customer acknowledges that Snakk’s primary infrastructure (including OpenAI and Telnyx) is located in the United States and/or the EU.
- Transfers of Personal Data to third countries (outside EEA) are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, or other valid transfer mechanisms (e.g., EU-U.S. Data Privacy Framework where applicable).
- By using the Services, Customer explicitly consents to the transfer of data to the Sub-processors listed in Annex A for the purpose of fulfilling the Service.
7. Audit Rights
Customer may request information necessary to demonstrate compliance with this DPA up to once per year.
- If Customer requires a physical audit or a dedicated report beyond standard compliance documentation, this shall be performed at Customer’s expense and must not unreasonably interfere with Snakk’s business operations.
- Certifications or audit reports provided by Snakk’s Sub-processors (e.g., SOC 2 reports from OpenAI or AWS) shall generally be deemed sufficient to demonstrate compliance for the relevant parts of the infrastructure.
8. Data Retention and Deletion
- During Term: Data is retained according to the configuration of the Services (e.g., logs are kept until deleted by Customer or defined retention periods expire).
- Termination: Upon termination of the Agreement, Customer may request the return or deletion of Personal Data within 30 days. After this period, Snakk will delete all Customer data, except where storage is required by law.
9. Liability
Each party’s liability for any breach of this DPA shall be subject to the limitations and exclusions of liability set forth in the Agreement (Terms of Service), except where such limitation is prohibited by Applicable Data Protection Law.
10. Final Provisions
- Governing Law: This DPA is governed by the laws of Norway.
- Precedence: In the event of a conflict between this DPA and the Agreement regarding data protection, this DPA shall prevail.
Annex A – List of Sub-processors
Snakk utilizes the following third-party service providers to deliver the Platform. By agreeing to this DPA, Customer authorizes the use of these Sub-processors:
| Category | Sub-processor | Location | Function |
| --- | --- | --- | --- |
| AI / LLM | Microsoft Azure (OpenAI) | Sweden (EU) | Standard & Realtime AI processing (Default). |
| AI / LLM | Anthropic, PBC | USA | LLM processing (Optional - Customer selected). |
| AI / LLM | Google LLC | USA / EU | LLM processing (Optional - Customer selected). |
| AI / LLM | Mistral AI | EU (France) | LLM processing (Optional - Customer selected). |
| AI / LLM | Meta Platforms, Inc. | USA / EU | Llama models (Optional - Customer selected). |
| Telephony | Telnyx LLC | EU / Global | SIP trunking & call routing (EU Pinned). |
| Real-Time | LiveKit | EU (Germany) | Voice infrastructure (EU Region Pinned). |
| Database | Supabase | EU (Ireland) | Database hosting & Storage (AWS). |
| Auth | Clerk | USA | User authentication (Covered by EU-U.S. DPF). |
| Hosting | Railway | EU (Netherlands) | Application hosting. |
| Monitoring | Sentry | EU (Germany) | Error tracking & System monitoring. |
|  | Lettermint | EU (Netherlands) | Transactional emails (System notifications). |
| Analytics | PostHog | EU (Germany) | Product analytics (Optional). |
| Payments | Stripe | USA / EU | Payment processing. |
| Payments | Dintero / Vipps | Norway | Payment processing (if applicable). |
Annex B – Security Measures
Snakk Teknologi AS is a cloud-native software provider. We do not own or operate our own physical data centers. Instead, we leverage industry-leading infrastructure providers.
1. Infrastructure Security (Sub-processors)
Our Platform runs on infrastructure provided by Sub-processors (listed in Annex A) who maintain rigorous security standards. We verify that our critical infrastructure providers hold valid certifications, including:
- SOC 2 Type II (OpenAI, Supabase, Clerk, Railway, Telnyx)
- ISO 27001 (Telnyx, Stripe, Clerk)
- PCI DSS Level 1 (Stripe, Telnyx)
2. Technical Measures (Implemented by Snakk)
- Encryption: All data in transit is encrypted via TLS (Transport Layer Security). Data at rest is encrypted using the capabilities of our underlying storage providers (e.g., Supabase/AWS AES-256).
- Access Control: Access to production data is restricted to necessary personnel only. We utilize Multi-Factor Authentication (MFA) for all administrative access to our infrastructure.
- Isolation: Customer data is logically separated within our database architecture.
- Backups: Automated backups are performed regularly by our infrastructure providers to ensure data availability.
3. Organizational Measures
- Confidentiality: All employees and contractors are subject to strict non-disclosure agreements (NDAs).
- Least Privilege: We follow the principle of least privilege, granting access only to those who need it to maintain the Service.
- Vendor Management: We review the security posture of new Sub-processors before integration.
Annex C – Standard Contractual Clauses (SCCs)
For data transfers from the EEA to countries not recognized as providing an adequate level of protection (e.g., the United States), the EU Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914), specifically Module 2 (Controller to Processor), are hereby incorporated by reference.
- Data Exporter: Customer
- Data Importer: Snakk Teknologi AS (and its US-based Sub-processors)
- Governing Law: The laws of Norway.
- Competent Supervisory Authority: The Norwegian Data Protection Authority (Datatilsynet).