Security and Compliance

At Ideanote, we prioritize the protection of your personal data and ensure compliance with data protection regulations. Our commitment to security and compliance is reflected in our rigorous policies and the measures we take to safeguard your information.

Sub-Processors Overview

Ideanote engages certain sub-processors to assist in delivering our services. Sub-processors are third-party data processors who handle personal data on our behalf. They process data in accordance with our customers' instructions, contractual obligations, and data protection laws.

Data Processing Agreements

We have comprehensive Data Processing Agreements (DPA) with all our sub-processors. These agreements include Standard Contractual Clauses (SCC) as per GDPR requirements, ensuring appropriate data protection safeguards for data transfers outside the EU.

List of Sub-Processors

Below is a summary of key sub-processors that Ideanote uses, their functions, and the types of data they handle:

  • Google Cloud: Server infrastructure (EU-based), handles end-user data such as IP, URL, browser details, and events.
  • SendGrid: Email infrastructure (US-based), handles end-user email addresses and names.
  • Stripe: Payment processing (US-based), handles customer payment details and contact information.
  • G-Suite: Business suite (US-based), used for communication and support with minimal personal data.
  • Slack: Internal communication (US-based), used for support and communication without storing customer data long-term.
  • Intercom, Zapier, Pipedrive, Dock: Customer onboarding, support, and outreach (US/EU-based), handle contact and company information.

Security Measures

Ideanote implements robust security measures to protect your data:

  • Encryption: Data is encrypted both in transit and at rest using industry-standard methods (AES-256).
  • DDoS Protection: Utilizes Google Cloud Armor WAF for protection against DDoS attacks.
  • Secure Development: Follows secure development practices and conducts annual vulnerability assessments.
  • Compliance Certifications: Our data centers and sub-processors maintain certifications like ISO27001, SOC2, and PCI DSS.

Data Retention and Deletion

  • Retention Policies: Data is retained for the duration of customer use and specified retention periods. Customers can delete their data as required by GDPR compliance.
  • Deletion Practices: Sensitive data from customer support is deleted within 72 hours after the request is completed. Sub-processors have varying retention policies, often deleting inactive data after a set period (e.g., 3 years for Intercom).

Compliance and Certifications

Ideanote is SOC2 Type II certified, ensuring our information security management aligns with global standards. We host our services on Google Cloud, which also maintains several compliance certifications such as ISO27001 and SOC2.

Customer Responsibilities

We emphasize that security is a shared responsibility. Customers should manage user accounts, maintain strong passwords, designate points of contact for sensitive requests, and ensure the quality of their data pipelines.
