Data Processing Agreement (SKELETON — counsel review required)

NOT legal advice — highest counsel priority for regulated clients. Clause checklist. Must cover the Azure sub-processor relationship + data residency (the DoD), and align with the client's framework (GDPR/HIPAA/etc.).

Clauses to include

  1. Roles — client = controller; SnowOps = processor (clarify per scenario; for the read-only audit SnowOps may be a limited processor of metadata, not client end-user data).
  2. Subject-matter & duration — scope of processing = the engagement; duration = the SOW term.
  3. Nature & purpose — platform engineering + (Advanced) evidence collection; processing is largely metadata/posture, not client end-user PII where possible — state this (SnowOps's read-only audit reads resource metadata, not data-plane content).
  4. Categories of data & data subjects — define precisely; minimize.
  5. Sub-processors — Microsoft Azure is a named sub-processor; list region(s); client consent/notification for changes. (This is the DoD's "Azure sub-processor" requirement.)
  6. Data residency — processing/storage region(s) named; data stays in the client-chosen Azure region(s); ties to M6 (the data-residency policy), which SnowOps can enforce technically.
  7. Security measures — reference the technical controls SnowOps deploys (encryption, least-privilege, logging — the Y7 set) + the cloud-access authorization.
  8. Confidentiality of personnel — bound; named-personnel only.
  9. Data-subject rights assistance — how SnowOps assists the controller (DSAR support; ties to M7 roadmap).
  10. Breach notification — timeline + process to notify the controller.
  11. Audit rights — client's right to audit SnowOps's processing (SnowOps's own evidence-as-code helps here).
  12. Return/deletion on termination — state archive/handover (W4) + credential revocation; no residual access.
  13. International transfer — India-based delivery / global clients → SCCs or equivalent per counsel.

The DoD: DPA covers Azure sub-processor + data-residency, and references read-only/PIM-scoped grants consistent with G0/B-series.