The document includes Snowflake's own affiliated group entities alongside third-party sub-processors, disclosing that Snowflake affiliates may also process customer data as part of service delivery.
This analysis describes what Snowflake's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes that intra-group data transfers within the Snowflake corporate family are subject to the same sub-processor framework as third-party vendor transfers, which is a GDPR Article 28 compliance requirement and creates separate due diligence obligations for customers assessing the full scope of entities handling their data.
Interpretive note: The specific affiliates listed and their processing locations were not fully extractable from the truncated document source.
The document establishes that Snowflake affiliates, in addition to third-party vendors, are authorized to process customer data, meaning enterprise customers must account for intra-group transfers as part of their data mapping and transfer mechanism assessments.
Cross-platform context
See how other platforms handle Snowflake Affiliate Inclusion as Sub-processors and similar clauses.
Compare across platforms →Monitoring
Snowflake has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
(1) REGULATORY LANDSCAPE: Inclusion of group affiliates as sub-processors engages GDPR Article 28 obligations, which apply equally to intra-group and third-party processing relationships. Where affiliates are located in non-EEA countries, intra-group transfers must be covered by Standard Contractual Clauses, Binding Corporate Rules, or another approved mechanism. The UK GDPR applies equivalent requirements for transfers involving UK personal data. Enforcement authority rests with the relevant EU supervisory authority and the UK ICO. (2) GOVERNANCE EXPOSURE: Medium. Customers may assume that intra-Snowflake processing is limited to the contracting entity, but affiliate inclusion establishes a broader processing footprint. Compliance teams should verify that Snowflake's DPA covers affiliate processing and that any intra-group international transfers are supported by adequate transfer mechanisms, including assessment of whether Snowflake's Binding Corporate Rules or SCCs cover the affiliate entities listed. (3) JURISDICTION FLAGS: EU and UK customers face the primary exposure where affiliates are located in non-adequate jurisdictions such as the United States. Customers in sectors with strict data localization requirements should assess whether affiliate processing locations are consistent with their contractual and regulatory obligations. (4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers should confirm that their DPA with Snowflake explicitly covers affiliate processing and specifies the transfer mechanisms applicable to intra-group data flows. Where affiliates are added or removed from the list, customers with objection rights under their DPA should assess whether the change triggers a review obligation. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should map each listed affiliate against the jurisdictions in which it operates and verify the applicable transfer mechanism. Records of Processing Activities maintained under GDPR Article 30 should reflect the full scope of Snowflake affiliates listed as authorized processors, not solely the contracting Snowflake entity.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 3 platforms + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes that intra-group data transfers within the Snowflake corporate family are subject to the same sub-processor framework as third-party vendor transfers, which is a GDPR Article 28 compliance requirement and creates separate due diligence obligations for customers assessing the full scope of entities handling their data.
The document establishes that Snowflake affiliates, in addition to third-party vendors, are authorized to process customer data, meaning enterprise customers must account for intra-group transfers as part of their data mapping and transfer mechanism assessments.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Snowflake.