The terms and conditions below (“DPA”) supplement and amend the Terms of Service (“ToS”), to the extent that Ideanote processes any personal data originating from the European Economic Area, the United Kingdom and Switzerland (“EU Data”) for You as a Customer.

Capitalized expressions not defined in the DPA have the meaning set out in the ToS. Words and expressions used in this DPA but not defined in the DPA or in the ToS have the meanings given to such words and expressions in the EU Directive 95/46/EC or, from 25 May 2018, the General Data Protection Regulation (2016/679) (“GDPR”), including any subordinate or implementing legislation, and, for transfers of Data to Ideanote ApS, the Commission implementing Decision 2016/1250 (“Privacy Shield”) (“Applicable Data Protection Law”).

Ideanote as Data Processor

Ideanote should be considered only as a Processor on behalf of its Customer and Users as to any Customer Data containing Personal Data that is subject to the requirements of the GDPR. Except as provided in this DPA, Ideanote does not independently cause Customer Data containing Personal Data stored in connection with the Services to be transferred or otherwise made available to third parties, except to third party Sub-Contractors who may process such data on behalf of Ideanote in connection with Ideanote’s provision of Service to Customers.

Such actions are performed or authorized only by the applicable Customer. The Customer is the data controller under the Regulation for any Customer Data containing Personal Data, meaning that such party controls the manner such Personal Data is collected and used as well as the determination of the purposes and means of the processing of such Personal Data.

Ideanote is not responsible for the content of the Personal Data contained in the Customer Data or other information stored on its servers (or its Sub-Contractors’ servers) at the discretion of the Customer nor is Ideanote responsible for the manner in which the Customer or User collects, handles disclosure, distributes or otherwise processes such information.

In the course of providing the Services to Customer pursuant to the ToS, Ideanote may process Personal Data on behalf of Customer. Ideanote agrees to comply with the following provisions with respect to any Personal Data submitted by or for Customer to the Service or collected and processed by or for Customer through the Service.

2. General

1. You confirm that You are accepting this DPA in Your capacity as either a Personal Customer or Business Customer.
2. If You are accepting this DPA as a Business Customer, You confirm that You have the authority to bind the entity you represent as a Customer to this DPA.
3. This Data Processing Agreement sets out the rights and obligations that apply to Ideanote’s handling of personal data on behalf of Customer.
4. This Agreement has been designed to ensure the Parties’ compliance with Article 28, sub-section 3 of Regulation 2016/679 of the European Parliament and of the Council (with, including but not limited to, Article 28) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), which sets out specific requirements for the content of data processing agreements.
5. Ideanote’s processing of personal data shall take place for the purposes of fulfilment of the ToS, commencing on the date on which You, as a Customer, electronically accept or otherwise agree to Our ToS.
6. The duration of this Order or Contract corresponds to the duration of the ToS. This does not prejudice the right to termination of the contract for cause without notice. Such a cause exists in particular, if an obligation under this agreement or provisions of the GDPR are intentionally or grossly negligently violated.
7. This Data Processing Agreement shall take priority over any similar provisions contained in other agreements between the Parties, including the ToS. EU Standard Contractual Clauses, if applicable, must prevail.
8. Three appendices are attached to this Data Processing Agreement. The Appendices form an integral part of this Data Processing Agreement.
9. Appendix A of the Data Processing Agreement contains details about the processing as well as the purpose and nature of the processing, type of personal data, categories of data subject and duration of the processing.
10. Appendix B of the Data Processing Agreement contains the terms and conditions that apply to Ideanote’s use of Sub-Processors and a list of approved Sub-Processors.
11. Appendix C of the Data Processing Agreement contains instructions on the processing that Ideanote is to perform on behalf of Customer (the subject of the processing), the minimum security measures and how inspection with Ideanote and any Sub-Processors is to be performed.
12. This Data Processing Agreement shall not exempt Ideanote from obligations to which Ideanote is subject pursuant to the General Data Protection Regulation or other legislation.

3. Customer Rights and Obligations as Data Controller

1. Customer shall be responsible to the outside world (including the data subject) for ensuring that the processing of personal data takes place within the framework of the General Data Protection Regulation and, further, the Danish Data Protection Act.
2. Customer shall therefore have both the right and obligation to make decisions about the purposes and means of the processing of personal data.
3. Customer shall be responsible for ensuring that the processing that Ideanote is instructed to perform is authorised in law. 

4. Ideanote acts according to instructions

1. Ideanote shall solely be permitted to process personal data on documented instructions from Customer unless processing is required under EU or Member State law to which Ideanote is subject; in this case, Ideanote shall inform Customer of this legal requirement prior to processing unless that law prohibits such information on important grounds of public interest, cf. Article 28, sub-section 3, para a.
2. Ideanote shall immediately inform Customer if instructions in the opinion of Ideanote contravene the General Data Protection Regulation or data protection provisions contained in other EU or Member State law. 

5. Confidentiality

1. Ideanote shall ensure that only those persons who are currently authorised to do so are able to access the personal data being processed on behalf of Customer. Access to the data shall therefore without delay be denied if such authorisation is removed or expires.   
2. Only persons who require access to the personal data in order to fulfil the obligations of Ideanote to Customer shall be provided with authorisation. 
3. Ideanote shall ensure that persons authorised to process personal data on behalf of Customer have undertaken to observe confidentiality or are subject to suitable statutory obligation of confidentiality. 

6. Security of processing

1. Ideanote shall take all the measures required pursuant to Article 32 of the General Data Protection Regulation which stipulates that with consideration for the current level, implementation costs and the nature, scope, context and purposes of processing and the risk of varying likelihood and severity for the rights and freedoms of natural persons, Customer and Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
2. Depending on their relevance, the measures may include the following:
3. Pseudonymisation and encryption of personal data
4. The ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services.
5. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
6. A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
7. Ideanote shall in ensuring the above – in all cases – at a minimum implement the level of security and the measures specified in Appendix C to this Data Processing Agreement.

7. Assistance to Customer

1. Ideanote, taking into account the nature of the processing, shall reasonably assist Customer with appropriate technical and organisational measures, in the fulfilment of Customer obligations to respond to requests for the exercise of the data subjects’ rights pursuant to Chapter 3 of the General Data Protection Regulation.   

This entails that Ideanote should reasonably assist Customer in Customer compliance with:

1. notification obligation when collecting personal data from the data subject
2. notification obligation if personal data have not been obtained from the data subject
3. right of access by the data subject
4. the right to rectification
5. the right to erasure (‘the right to be forgotten’)
6. the right to restrict processing
7. notification obligation regarding rectification or erasure of personal data or restriction of processing
8. the right to data portability
9. the right to object 
10. the right to object to the result of automated individual decision-making, including profiling

2. Ideanote shall assist Customer in ensuring compliance with Customer obligations pursuant to Articles 32-36 of the General Data Protection Regulation taking into account the nature of the processing and the data made available to Ideanote, cf. Article 28, sub-section 3, para f.

This entails that Ideanote should, taking into account the nature of the processing shall reasonably assist Customer in Customer compliance with:

1. the obligation to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the processing
2. the obligation to report personal data breaches to the supervisory authority (Danish Data Protection Agency) without undue delay and, if possible, within 72 hours of Customer discovering such breach unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons
3. the obligation – without undue delay - to communicate the personal data breach to the data subject when such breach is likely to result in a high risk to the rights and freedoms of natural persons
4. the obligation to carry out a data protection impact assessment if a type of processing is likely to result in a high risk to the rights and freedoms of natural persons
5. the obligation to consult with the supervisory authority (Danish Data Protection Agency) prior to processing if a data protection impact assessment shows that the processing will lead to high risk in the lack of measures taken by Customer to limit risk 

8. Notification of personal data breach

1. On discovery of personal data breach at Ideanote’s facilities or a sub-processor’s facilities, Ideanote shall without undue delay notify Customer.  Ideanote’s notification to Customer shall, if possible, take place within 72 hours after Ideanote has discovered the breach to enable Customer to comply with his obligation, if applicable, to report the breach to the supervisory authority within 72 hours immediately and in any case.

This may mean that Ideanote is required to assist in obtaining the information listed below which, pursuant to Article 33, sub-section 3, of the General Data Protection Regulation, shall be stated in Customer report to the supervisory authority:

1. The nature of the personal data breach, including, if possible, the categories and the approximate number of affected data subjects and the categories and the approximate number of affected personal data records
2. Probable consequences of a personal data breach
3. Measures which have been taken or are proposed to manage the personal data breach, including, if applicable, measures to limit its possible damage

9. Erasure and return of data

On termination of the processing services, Ideanote shall be under obligation, at Customer discretion, to erase or return all the personal data to Customer and to erase existing copies unless EU law or Member State law requires storage of the personal data.

10. Commencement and termination

1. This Data Processing Agreement shall become effective on the date on which Customer electronically accepts or otherwise agrees to Our ToS. 
2. This Data Processing Agreement may be terminated according to the terms and conditions of termination, incl. notice of termination, specified in the ToS subject to Section 2.6 (see above).
3. This Data Processing Agreement shall apply as long as the processing is performed. Irrespective of the termination of the ToS and/or this Data Processing Agreement, the Data Processing Agreement shall remain in force until the termination of the processing and the erasure of the data by Ideanote and any sub-processors.
   

Data Controller and Data Processor Contact

1. Customer may contact Ideanote at legal@ideanote.io 
2. Ideanote may contact Customer using the contact information stored on their Account.

Appendix A: Information about the processing 

DATA EXPORTER

The data exporter is a Customer of data importer’s communication and productivity software, services, systems and / or technologies.

DATA IMPORTER

The data importer is Ideanote ApS, as a provider of communication and productivity software, services, systems and / or technologies.

‍

DATA SUBJECTS

The personal data transferred concern the following categories of data subjects:

Users of the Service

CATEGORIES OF DATA

The personal data transferred concern the following categories of data:

Personal Data subject to Data Protection Laws.Any personal data comprised in Customer Data. “Customer Data” means all data and information submitted by Users to the Services and includes message text, files, comments and links, but does not include third-party products or the Service.

SPECIAL CATEGORIES OF DATA (IF APPROPRIATE)

The personal data transferred concern the following special categories of data:

Data Exporter may submit personal data to the Data Importer through the Services, the extent of which is determined and controlled by the Data Exporter in compliance with Applicable Data Protection Law and which may concern the following special categories of data, if any:

• racial or ethnic origin;
• political opinions;
• religious or philosophical beliefs;
• trade-union membership;
• genetic or biometric data;
• health; and
• sex life

PROCESSING OPERATIONS

The personal data transferred will be subject to the following basic processing activities:

• As necessary to complete a contract for the Service.
  

In more detail, Ideanote makes available its Service to Customer and hereby stores and processes Personal Data about Customer on our Service infrastructure to facilitate speedy authentication, communication and a measure of security to Users of the Service.

Ideanote will send mails to people invited to the platform, allow people to become Members of the Space at the discretion of the Customer and allow Members to share Content on the Space with the goal to further innovation and idea sharing for Customer.

The purpose of Ideanote’s processing of personal data on behalf of Customer is:

Customer is able to use Our Service, owned, developed and managed by Ideanote to facilitate idea sharing, collecting, commenting, rating, prioritizing, assigning and tracking. In this, Customer and any personal data and Content submitted by Customer is processed by Ideanote. 

The Personal Data transferred will be processed in accordance with the ToS and may be subject to the following processing activities:

• storage and other processing necessary to provide, maintain and update the Services provided to the Data Exporter;
• to provide customer and technical support to the Data Exporter; and
• disclosures in accordance with the Agreement, as compelled by law
  

The processing includes the following types of personal data about data subjects:

For membership purposes:

• Name
• Email address
• Telephone number (optional)
• Short biographical description (optional)
• Personal profile picture (optional)
• Member ID
• Submitted Content (optional)
• Customer subdomain
• Customer company name
• Type of subscription
  

For analytics and customer support purposes:

• IP address
• Time zone
• Browser
• Browser version
• Device
• Current URL
• Initial referrer
• Initial referring domain
• Operating system
• Referrer
• Referring domain
• Screen height and screen width
• Search engine and search keyword
• UTM parameters
• Time on site
• Last seen time
• Approximate geolocation
  

For billing purposes:

• Customer ID
• VAT ID (optional)
• Full address (optional)
• Payment details (optional)
• Credit card transaction data (optional)
• Credit card user credentials (optional)

Appendix B: Terms of Ideanote’s use of Sub-Processors

1. Terms of Ideanote’s use of Sub-Processors

Ideanote has Customer’s general consent for the engagement of Sub-Processors. Customer acknowledges that in connection with the performance of the Services, Ideanote employs the use of cookies, unique identifiers, web beacons and similar analytics and tracking technologies. Ideanote shall maintain appropriate notice, consent and opt­in mechanisms as are required by Data Protection Laws.

2. Sub-Processors

As Data Processor Ideanote ensures that the Sub-Processors are subject to data protection obligations not less protective as those specified in this Data Processing Agreement on the basis of a contract or other legal document under EU law or the national law of the Member States, in particular providing the necessary guarantees that the Sub-Processor will implement the appropriate technical and organisational measures in such a way that the processing meets the requirements of the General Data Protection Regulation. 

Customer acknowledges and agrees that (i) Ideanote’s Affiliates may be retained as Sub­-Processors; and (ii) Ideanote and Ideanote’s Affiliates respectively may engage third­party Sub­-Processors in connection with the provision of the Services. Ideanote or an Ideanote Affiliate has entered into a written agreement with each Sub­processor containing data protection obligations not less protective than those in this Agreement and applicable law with respect to the protection of Customer Data to the extent applicable to the nature of the Services provided by such Sub­processor. If, in the performance of this DPA, Ideanote transfers any Personal Data to a sub-Processor located outside of the EEA, Ideanote shall, in advance of any such transfer, ensure that a legal mechanism to achieve adequacy in respect of that processing is in place.

For the avoidance of doubt, the above authorization constitutes Controller’s prior written consent to the Sub-Processing by Ideanote for purposes of Clause 11 of the Standard Contractual Clauses.

3. List of Sub-Processors

Ideanote shall make available to Customer the current list of Sub­-Processors for the Services. Such Sub­-Processor lists shall include a specification of the legal entity of those Sub­-Processors and the location of Customer Data. This list is available online at https://ideanote.io/legal/sub-processors.

4. Changes in Sub-Processors

If Customer would like to be informed of changes in Subprocessors they can reach out to legal@ideanote.io to subscribe. Ideanote shall then provide notification of a new Sub­processor(s) before authorizing any new Sub­processor(s) to process personal data in connection with the provision of the Service.

5. Right to Object

Ideanote will give the Customer the opportunity to object to the engagement of the new Sub-Processors within 7 days after being notified. The objection must be based on reasonable grounds. If Ideanote and Customer are unable to resolve such objection, either party may terminate the Agreement by providing written notice to the other party. Customer shall receive a refund of any prepaid but unused fees for the period following the effective date of termination. 

6. International Transfers

Ideanote may transfer and process Customer Data anywhere in the world where Ideanote, its Affiliates or its Sub­processors maintain data processing operations. Ideanote shall at all times provide an adequate level of protection for the Customer Data processed, in accordance with the requirements of Data Protection Laws. Specifically, Ideanote shall ensure a valid legal basis for any such transfer, as outlined in Chapter 5 GDPR and Articles 45­49 thereof.

Instruction pertaining to the use of personal data 

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c): Firewalls, SSL certificates, web application firewalls, secure development lifecycle management, secure coding practices, 2FA access, SOC 2 Type II audit, internal vulnerability assessments, continuous employee education, virus/malware scanning, and more.

Storage Limits and Erasure

Processing shall not be time-limited and shall be performed until this Data Processing Agreement is terminated or cancelled by one of the Parties.

Personal data are stored with Ideanote until Customer or a Member requests that their data are erased or returned. Ideanote allows Customers to export their raw data at any time in the industry standard JSON format. Additionally, customer data  can  be  deleted  upon  request  at  termination  or  will  be  deleted  in  accordance  with  Ideanote’s  internal  data retention policies.

Inspection and Audit Reports

Ideanote shall provide written responses (on a confidential basis) to reasonable requests for information made by Customer, including responses to information security and audit questionnaires that are necessary to confirm Ideanote's compliance with this DPA, provided that Customer shall not exercise this right more than once per year.

Upon Customer’s request, and subject to the confidentiality obligations set forth in the data processing addendum, Ideanote shall make available to Customer that is not a competitor of Ideanote (or Customer’s independent, third­party auditor that is not a competitor of Ideanote) information regarding Ideanote’s compliance with the obligations set forth in the DPA. 

Customer is entitled to contact Ideanote to request an a remote or on­site audit of the architecture, systems and procedures relevant to the protection of Personal Data at locations where Personal Data is stored. Customer shall reimburse Ideanote for any time expended by Ideanote or its third party Sub­processors for any such on­site audit at Ideanote’s then­ current professional services rates, which shall be made available to Customer upon request. 

Before the commencement of any such on­site audit, Customer and Ideanote shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible. All costs will be documented, and reimbursement rates shall be reasonable, taking into account the resources expended by Ideanote, or its third­party Sub­processors. Customer shall promptly notify Ideanote with information regarding any non­compliance discovered during the course of an audit. This procedure may be instigated a maximum of once per year and with a minimum of ninety (60) days notice to Ideanote

Encryption of Customer Content

In the database, We encrypt non-searchable content such as passwords, but do not encrypt your content otherwise so you can search across members and content whenever you need to find that one specific idea.

When a User uses the Ideanote Service, the details of their interactions are captured and  sent  to  Ideanote  through  API  calls  over  HTTPS.  All  of  our other  APIs and  websites also  use  HTTPS  exclusively. Everything Customer and User send to Ideanote, and everything Ideanote sends to Customer and User is sent through fully encrypted channels. Ideanote employs the Transport Layer Security protocol with RSA-2048 encryption to keep our communication private.

The Google Cloud Platform encrypts customer data stored at rest by default. Data in Google Cloud Platform is broken into subfile chunks for storage, and each chunk is encrypted at the storage level with an individual encryption key. The key used to encrypt the data in a chunk is called a data encryption key (DEK). Because of the high volume of keys at Google, and the need for low latency and high availability, these keys are stored near the data that they encrypt. The DEKs  are  encrypted  with  (or  “wrapped” by)  a  key  encryption  key  (KEK).  For  more  information, please  see https://cloud.google.com/security/#dataencryption.

Customer Data separation

Access is granted through sending along an authentication token in requests. This token then holds a set of allowances based on the User's rank and the Space(s), Missions, and all other Content the User has access to.

This  provides  logical separation  between  data  belonging  to  multiple  Users.  Ideanote  is  the  sole  tenant  on  our infrastructure. A Customer's data may reside on database systems which house data belonging to other customers, but our logical controls (token, key and secret) separates one User from another User's data. 

Single-sign on and multifactor authentication

Ideanote supports SAML single sign-on. Depending on what single sign-on provider Customer has, multi-factor authentication is an option Customer can enable with their single sign-on provider.  Details  on  how  to  enable  single  sign-on  can be found in access settings.

Location and Storage of Customer Data

GDPR does not require that Personal Data must stay in the EU as long as there is a legal framework in place to validate the data transfer; the GDPR recognizes several frameworks including the Privacy Shield and DPAs. 

Ideanote’s application and database servers are located within the European Union, specifically in Frankfurt, Germany on Google Inc. servers. This means, at rest, your Content will never leave the EU. As a company, Google Inc. has certified with the US Department of Commerce that it adheres to the Privacy Shield Principles under the EU-U.S. and Swiss-U.S. Privacy Shield frameworks.

The Service itself may be provided using equipment or facilities located in the European Union or the United States. The US Sub-Processors are either Privacy Shield compliant or have executed Standard Contractual Clauses (as approved by the European Commission) that provide legal grounds for assuring that, when processed in the United States, the personal data of EU citizens that are processed when using the Service will receive an adequate level of protection within the meaning of Article 46 of Regulation (EU) 2016/679 (General Data Protection Regulation). Personal Data is partly stored and processed by these Sub-Processors.

Google is our production hosting provider. Google hard drives leverage technologies like FDE (full disk encryption) and drive locking, to protect data at rest. When a hard drive is retired, authorized individuals verify that the disk is erased by writing zeros to the drive and performing a multiple-step verification process to ensure the drive contains no data. If the drive cannot be erased for any reason, it is stored securely until it can be physically destroyed. Physical destruction of disks is a multistage process beginning with a crusher that deforms the drive, followed by a shredder that breaks the drive into small pieces, which are then recycled at a secure facility. Each data center adheres to a strict disposal policy and any variances are immediately addressed.

Security checks and Scans

Ideanote runs regular security scans via a third-party service, and our source code is automatically checked as it is committed. Every time Ideanote update any of the external code dependencies, Ideanote performs a full security audit to verify that no vulnerabilities have entered the Ideanote code base. Ideanote also subscribe to various security mailing lists for the software Ideanote uses. The latter ensures Ideanote is always aware of recently discovered vulnerabilities and can either put workarounds or available patches in place.

Handling of Customer Data by Personnel

Access to the datastore is restricted to a very small number of people, and there is no way for Ideanote to “impersonate” or view Content via an account switcher interface or see it through the admin user interface. 

In cases where Ideanote needs to troubleshoot errors, Ideanote will either test it in a development environment or get explicit Customer permission for account access (generally by having you manually invite our support account as a member of your account, which can be removed at any time) or by requesting screen sharing. Access and access requests to Ideanote databases and server infrastructure and all code change commits are logged for security purposes.

As outlined in our Terms of Service, support personnel have access to certain contact information and activity logs by default to be able to service Customer as best as possible. Access to this kind of data is restricted with two-factor authentication at all times and Personal Data is not sold to third parties.

Replication of Customer Data

Ideanote creates back-ups of Customer Data three times a day and retains these back-ups for up to a month. In case of a security, technical, physical or data-loss incident, roll-backs of Customer Data can be initiated in a timely manner.