Safeguard
Security

Who Is Snyk's General Counsel, and Why Vendor Legal Governance Matters

The Snyk general counsel runs legal, privacy, and regulatory affairs for a developer security vendor. Here's what that role tells you about evaluating any security supplier.

Safeguard Research Team
Research
6 min read

The Snyk general counsel leads legal, privacy, regulatory, and government affairs for the developer security company, and understanding that function is a useful lens for anyone assessing a security vendor before signing. People searching for the Snyk general counsel are usually doing one of two things: due diligence on a supplier, or benchmarking how a security company structures its own legal and compliance operation. Both are legitimate, and both matter more than the org chart itself.

This post is not gossip about a job title. It uses the role as a starting point to explain what legal governance at a security vendor covers, and how a procurement or security team should read those signals during a vendor risk review.

Who holds the role

Snyk appointed David Morris as General Counsel in 2023, overseeing the company's legal, regulatory, and government affairs work. He previously served as General Counsel at Vivid Seats, where he built the legal function through the company's 2021 IPO, and earlier held an associate general counsel role at TripAdvisor. Leadership at fast-growing security companies rotates, so treat any named individual as a point-in-time fact and confirm the current holder on the vendor's own leadership page before you cite it in a contract or report.

The specific person is less important than the shape of the function. A general counsel at a security vendor typically owns commercial contracts, data protection, intellectual property, corporate governance, and increasingly, the legal side of how the product handles customer code and telemetry.

Why the legal function signals product maturity

When a security tool scans your source code, it touches some of your most sensitive intellectual property. The terms under which that happens are set by the vendor's legal team, not its engineers. A mature general counsel operation shows up in a few concrete places:

  • A clear, standalone Data Processing Agreement (DPA) rather than a paragraph buried in the terms of service.
  • Named subprocessors with a change-notification process.
  • Explicit statements about whether your code is used to train models, retained after scanning, or shared across tenants.
  • A published vulnerability disclosure policy and a security contact that is not a generic sales inbox.

If a vendor cannot produce these quickly, the gap is rarely a legal oversight. It usually reflects a product that was built before anyone thought hard about data handling, which is exactly the risk you are trying to avoid.

What to ask during a vendor risk review

Treat the legal review as part of your threat model, not a separate compliance chore. The questions that consistently surface real risk are narrow and specific:

  1. Where is scan data stored, and can we pin a region? Data residency drives GDPR and, for public-sector buyers, FedRAMP-style requirements.
  2. Is customer code ever used to train or fine-tune models? Get this in writing, not in a marketing FAQ.
  3. What is the breach notification window, and does it meet our regulatory obligations?
  4. Which subprocessors have access to scan results, and how are we notified when that list changes?
  5. What happens to our data on termination, and how is deletion verified?

A vendor's willingness to answer these plainly, and to put the answers in the contract, tells you more than any certification badge. Certifications like SOC 2 confirm that controls exist and were tested; the DPA tells you what the controls actually protect.

How this connects to your own posture

The same discipline you demand from a vendor should apply to how you evaluate the tools themselves. When you adopt a scanner, you are extending your software supply chain to include that vendor's infrastructure. Reading the DPA is part of the same exercise as reviewing a dependency's maintenance status before you pull it into a build. Our write-up on software supply chain security walks through that broader chain if you want the full picture.

Legal governance also intersects with how findings are handled. If a scanner surfaces a critical vulnerability in your codebase, the report itself becomes sensitive. Who can see it, where it is stored, and how long it is retained are questions the vendor's legal function should have already answered. A tool such as Snyk's SCA product or a platform like Safeguard both generate this kind of sensitive output, so the handling terms deserve the same scrutiny as the detection quality.

Reading between the lines of leadership changes

Security companies scale their legal teams in response to enterprise and public-sector demand. Hiring a general counsel with IPO and public-company experience is often a signal that a vendor is preparing for enterprise contracts, regulated-industry customers, or its own liquidity event. None of that is inherently good or bad for you as a customer, but it does shape priorities.

An enterprise-focused legal team usually means stronger contracting rigor and clearer data terms, which benefits large buyers. It can also mean less flexibility on custom terms for smaller teams. Knowing which way a vendor is leaning helps you set realistic expectations before you enter a negotiation. Pricing structure is a related tell; comparing published pricing tiers across vendors often reveals whether a company is optimizing for self-serve developers or enterprise procurement.

Practical takeaways

The Snyk general counsel role is a reminder that a security vendor is not just its scanner. It is a company that processes your intellectual property under a set of legal terms, and those terms are the real interface between your risk and theirs. When you evaluate any security supplier:

  • Read the DPA and subprocessor list before the feature comparison.
  • Confirm data residency and model-training terms in writing.
  • Treat scan output as sensitive data governed by the same contract.
  • Verify the current legal leadership on the vendor's own site rather than a third-party org chart.

Do that, and the legal function stops being a procurement afterthought and becomes a genuine input into your vendor risk decision.

FAQ

Who is Snyk's general counsel?

Snyk appointed David Morris as General Counsel in 2023, overseeing legal, regulatory, and government affairs. Leadership can change, so confirm the current holder on Snyk's official leadership page before citing it formally.

Why would a security team research a vendor's general counsel?

Usually for vendor due diligence. The strength and focus of a vendor's legal function is a practical signal of how carefully it handles customer data, contracts, and disclosure, all of which affect your own risk.

What legal documents should I request from a security vendor?

At minimum, the Data Processing Agreement, the subprocessor list, the security and vulnerability disclosure policy, and clear terms on data retention, model training, and deletion on termination.

Does a general counsel handle product security?

Not directly, but the legal function sets the terms under which the product processes your data, including breach notification, data residency, and what the vendor may do with your code and scan results.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.