Data Processing Addendum

The terms and conditions below (“DPA”) supplement and amend the Terms of Service (“ToS”), to the extent that Ideanote processes any personal data originating from the European Economic Area, the United Kingdom and Switzerland (“EU Data”) for You as a Customer.

Capitalized expressions not defined in the DPA have the meaning set out in the ToS. Words and expressions used in this DPA but not defined in the DPA or in the ToS have the meanings given to such words and expressions in the EU Directive 95/46/EC or, from 25 May 2018, the General Data Protection Regulation (2016/679) (“GDPR”), including any subordinate or implementing legislation, and, for transfers of Data to Ideanote ApS (“Applicable Data Protection Law”).

1. Ideanote as Data Processor

Ideanote should be considered only as a Processor on behalf of its Customer and Users as to any Customer Data containing Personal Data that is subject to the requirements of the GDPR. Except as provided in this DPA, Ideanote does not independently cause Customer Data containing Personal Data stored in connection with the Services to be transferred or otherwise made available to third parties, except to third party Sub-Contractors who may process such data on behalf of Ideanote in connection with Ideanote’s provision of Service to Customers.

Such actions are performed or authorized only by the applicable Customer. The Customer is the data controller under the Regulation for any Customer Data containing Personal Data, meaning that such party controls the manner such Personal Data is collected and used as well as the determination of the purposes and means of the processing of such Personal Data.

Ideanote is not responsible for the content of the Personal Data contained in the Customer Data or other information stored on its servers (or its Sub-Contractors’ servers) at the discretion of the Customer nor is Ideanote responsible for the manner in which the Customer or User collects, handles disclosure, distributes or otherwise processes such information.

In the course of providing the Services to Customer pursuant to the ToS, Ideanote may process Personal Data on behalf of Customer. Ideanote agrees to comply with the following provisions with respect to any Personal Data submitted by or for Customer to the Service or collected and processed by or for Customer through the Service.

2. General

1. You confirm that You are accepting this DPA in Your capacity as either a Personal Customer or Business Customer.
2. If You are accepting this DPA as a Business Customer, You confirm that You have the authority to bind the entity you represent as a Customer to this DPA.
3. This Data Processing Agreement sets out the rights and obligations that apply to Ideanote’s handling of personal data on behalf of Customer.
4. This Agreement has been designed to ensure the Parties’ compliance with Article 28, sub-section 3 of Regulation 2016/679 of the European Parliament and of the Council (with, including but not limited to, Article 28) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), which sets out specific requirements for the content of data processing agreements.
5. Ideanote’s processing of personal data shall take place for the purposes of fulfilment of the ToS, commencing on the date on which You, as a Customer, electronically accept or otherwise agree to Our ToS.
6. The duration of this Order or Contract corresponds to the duration of the ToS. This does not prejudice the right to termination of the contract for cause without notice. Such a cause exists in particular, if an obligation under this agreement or provisions of the GDPR are intentionally or grossly negligently violated.
7. This Data Processing Agreement shall take priority over any similar provisions contained in other agreements between the Parties, including the ToS. EU Standard Contractual Clauses, if applicable, must prevail.
8. Three appendices are attached to this Data Processing Agreement. The Appendices form an integral part of this Data Processing Agreement.
9. Appendix A of the Data Processing Agreement contains details about the processing as well as the purpose and nature of the processing, type of personal data, categories of data subject and duration of the processing.
10. Appendix B of the Data Processing Agreement contains the terms and conditions that apply to Ideanote’s use of Sub-Processors and a list of approved Sub-Processors.
11. Appendix C of the Data Processing Agreement contains instructions on the processing that Ideanote is to perform on behalf of Customer (the subject of the processing), the minimum security measures and how inspection with Ideanote and any Sub-Processors is to be performed.
12. This Data Processing Agreement shall not exempt Ideanote from obligations to which Ideanote is subject pursuant to the General Data Protection Regulation or other legislation.

3. Customer Rights and Obligations as Data Controller

1. Customer shall be responsible to the outside world (including the data subject) for ensuring that the processing of personal data takes place within the framework of the General Data Protection Regulation and, further, the Applicable Data Protection Law.
2. Customer shall therefore have both the right and obligation to make decisions about the purposes and means of the processing of personal data.
3. Customer shall be responsible for ensuring that the processing that Ideanote is instructed to perform is authorised in law. 
   

4. Ideanote acts according to instructions

1. Ideanote shall solely be permitted to process personal data on documented instructions from Customer unless processing is required under EU or Member State law to which Ideanote is subject; in this case, Ideanote shall inform Customer of this legal requirement prior to processing unless that law prohibits such information on important grounds of public interest, cf. Article 28, sub-section 3, para a.
2. Ideanote shall immediately inform Customer if instructions in the opinion of Ideanote contravene the General Data Protection Regulation or data protection provisions contained in other EU or Member State law. 
3. Ideanote shall make available to Customer all information necessary to demonstrate compliance with the obligations laid down in this Addendum and in Art. 28 GDPR and shall allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, in accordance with Appendix B, Section "Inspection and Audit Reports".

5. Confidentiality

1. Ideanote shall ensure that only those persons who are currently authorised to do so are able to access the personal data being processed on behalf of Customer. Access to the data shall therefore without delay be denied if such authorisation is removed or expires.   
2. Only persons who require access to the personal data in order to fulfil the obligations of Ideanote to Customer shall be provided with authorisation. For the avoidance of doubt, the access shall be based on the “need to know” and “least privileged access” principles, and that such persons have received appropriate training and instructions regarding processing of personal data. Ideanote shall provide Customer, upon request, with proof of execution of the confidentiality agreements with personnel that may have access to Customer Personal Data, as well as proof of periodic training in the field of personal data protection.
3. Ideanote shall ensure that persons authorised to process personal data on behalf of Customer have undertaken to observe confidentiality or are subject to suitable statutory obligation of confidentiality. 

6. Security of processing

1. Ideanote shall take all the measures required pursuant to Article 32 of the General Data Protection Regulation which stipulates that with consideration for the current level, implementation costs and the nature, scope, context and purposes of processing and the risk of varying likelihood and severity for the rights and freedoms of natural persons, Customer and Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
2. Depending on their relevance, the measures may include the following:
3. Pseudonymisation and encryption of personal data
4. The ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services.
5. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
6. A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
7. Ideanote shall in ensuring the above – in all cases – at a minimum implement the level of security and the measures specified in Appendix C to this Data Processing Agreement.

7. Assistance to Customer

1. Ideanote, taking into account the nature of the processing, shall reasonably assist Customer with appropriate technical and organisational measures, in the fulfilment of Customer obligations to respond to requests for the exercise of the data subjects’ rights pursuant to Chapter 3 of the General Data Protection Regulation.   

This entails that Ideanote should reasonably assist Customer in Customer compliance with:

1. notification obligation when collecting personal data from the data subject
2. notification obligation if personal data have not been obtained from the data subject
3. right of access by the data subject
4. the right to rectification
5. the right to erasure (‘the right to be forgotten’)
6. the right to restrict processing
7. notification obligation regarding rectification or erasure of personal data or restriction of processing
8. the right to data portability
9. the right to object 
10. the right to object to the result of automated individual decision-making, including profiling

For the avoidance of doubt, Ideanote shall promptly notify Customer and shall subsequently supply Customer with all information pertinent thereto, in case of: (i) any third party (including organisations or associations) requests or complaints regarding the processing of personal data by Ideanote on behalf of Customer; or (ii) any supervisory authority or government requests for access to, information about, audit concerning, or any other regulatory action (including only notice of intent) concerning the processing of personal data undertaken by Ideanote in the context of the Services Agreement. In the event Ideanote directly receives such a request or complaint, Ideanote shall immediately notify Customer and shall in no event respond directly, unless with Customer's prior written instruction.

2. Ideanote shall assist Customer in ensuring compliance with Customer obligations pursuant to Articles 32-36 of the General Data Protection Regulation taking into account the nature of the processing and the data made available to Ideanote, cf. Article 28, sub-section 3, para f.

This entails that Ideanote should, taking into account the nature of the processing reasonably assist Customer in Customer compliance with:

1. the obligation to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the processing
2. the obligation to report personal data breaches to the supervisory authority  without undue delay and, if possible, within 72 hours of Customer discovering such breach unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons
3. the obligation – without undue delay - to communicate the personal data breach to the data subject when such breach is likely to result in a high risk to the rights and freedoms of natural persons
4. the obligation to carry out a data protection impact assessment if a type of processing is likely to result in a high risk to the rights and freedoms of natural persons
5. the obligation to consult with the supervisory authority  prior to processing if a data protection impact assessment shows that the processing will lead to high risk in the lack of measures taken by Customer to limit risk 

8. Notification of personal data breach

1. On discovery of personal data breach at Ideanote’s facilities or a sub-processor’s facilities, Ideanote shall without undue delay notify Customer.  Ideanote’s notification to Customer shall, if possible, take place within 48 hours after Ideanote has discovered the breach to enable Customer to comply with his obligation, if applicable, to report the breach to the supervisory authority within 72 hours immediately and in any case.
   

This may mean that Ideanote is required to assist in obtaining the information listed below which, pursuant to Article 33, sub-section 3, of the General Data Protection Regulation, shall be stated in Customer report to the supervisory authority:

1. The nature of the personal data breach, including, if possible, the categories and the approximate number of affected data subjects and the categories and the approximate number of affected personal data records
2. Probable consequences of a personal data breach
3. Measures which have been taken or are proposed to manage the personal data breach, including, if applicable, measures to limit its possible damage

9. Erasure and return of data

On termination of the processing services, Ideanote shall be under obligation, at Customer discretion, to erase or return all the personal data to Customer and to erase existing copies unless EU law or Member State law requires storage of the personal data.

10. Commencement and termination

1. This Data Processing Agreement shall become effective on the date on which Customer electronically accepts or otherwise agrees to Our ToS. 
2. This Data Processing Agreement may be terminated according to the terms and conditions of termination, incl. notice of termination, specified in the ToS subject to Section 2.6 (see above).
3. This Data Processing Agreement shall apply as long as the processing is performed. Irrespective of the termination of the ToS and/or this Data Processing Agreement, the Data Processing Agreement shall remain in force until the termination of the processing and the erasure of the data by Ideanote and any sub-processors.
4. Breaches of this Addendum shall be treated as breaches of the Services Agreement. Each Party shall be liable for its own breaches of applicable data protection law and shall indemnify the other accordingly in case the other party suffers a damage following such breach. 

Data Controller and Data Processor Contact

1. Customer may contact Ideanote at legal@ideanote.io 
2. Ideanote may contact Customer using the contact information stored on their Account.

Appendix A

Appendix A of the Data Processing Agreement contains details about the processing as well as the purpose and nature of the processing, type of personal data, categories of data subject and duration of the processing.

1. Data Controller

The data controller is a Customer of Ideanote’s communication and productivity software, services, systems and / or technologies.

2. Data Processor

The data processor is Ideanote ApS, as a provider of communication and productivity software, services, systems and / or technologies.

3. Data Subjects

The personal data processed for the purposes of the Services Agreement concern the following categories of data subjects:

Users of the Service

4. Categories of Data

The personal data transferred concern the following categories of data:

For End-users

We may collect the following personal data for end-users of Customers

End-user Registration and Contact Information

• End-user Name
• End-user Email

End-user Service Data

• End-user IP
• End-user URL
• End-user Referrer
• End-user Browser
• End-user Device
• End-user Events
• End-user Settings

End-user Content

all data and information submitted by End-users to the Services and includes message text, files, comments and links, but does not include third-party products or the Service.

For Customers

We may collect the following personal data from Customers.

Customer Personal Information

• Customer Contact Name
• Customer Contact Email

Customer Payment Information:

• Credit Card Details
• Customer Contact IP
• Customer Address
  

5. Special Categories of Data

The personal data transferred concern the following special categories of data:

• none

Data Exporter may submit personal data to the Data Importer through the Services, the extent of which is determined and controlled by the Data Exporter in compliance with Applicable Data Protection Law and which may concern the following special categories of data, if any:

• racial or ethnic origin;
• political opinions;
• religious or philosophical beliefs;
• trade-union membership;
• genetic or biometric data;
• health; and
• sex life
  

6. Processing Operations

The personal data transferred will be subject to the following basic processing activities:

• As necessary to complete a contract for the Service

7. Nature and Purpose of the Processing

In more detail, Ideanote makes available its Service to Customer and hereby stores and processes Personal Data about Customer on our Service infrastructure to facilitate speedy authentication, communication and a measure of security to Users of the Service.

Ideanote will send mails to people invited to the platform, allow people to become Members of the Space at the discretion of the Customer and allow Members to share Content on the Space with the goal to further innovation and idea sharing for Customer.

Customer is able to use Our Service, owned, developed and managed by Ideanote to facilitate idea sharing, collecting, commenting, rating, prioritizing, assigning and tracking. In this, Customer and any personal data and Content submitted by Customer is processed by Ideanote on behalf of the Customer. 

The Personal Data transferred will be processed in accordance with the ToS and may be subject to the following processing activities:

• storage, encryption, decryption, backup, restoring and caching necessary to provide, improve and maintain and update the Services provided to the Data Exporter;
• to provide customer and technical support to the Data Exporter; and
• disclosures in accordance with the Agreement, as compelled by law
• the data processing will continue until Customer requests deletion

You consent that Ideanote employees can use aggregate findings about activities and Content on the Service to continuously optimize the performance and presentation of the Service. We reserve the right to publish our findings on an anonymized aggregate level. An example of an anonymized finding would be study of how many people, in general, comment on an idea they have also liked. We also retain the right, but not the obligation, to directly access Your account data or a Workspace on invitation by a Member of a Workspace for purposes of technical maintenance, content oversight or investigation as well as general Customer support. Any feedback or circumstantial analytical evidence knowingly given or unknowingly resulting from usage of using our Service can freely be exploited and shared by Us to improve Our Service or technology without this resulting in You having or receiving any rights or ownership of them.

Appendix B

1. Terms of Ideanote’s use of Sub-Processors

Ideanote has Customer’s general consent for the engagement of the already engaged Sub-Processors, as at the date of this Addendum and as listed in this Appendix B. 

2. Sub-Processors

As Data Processor Ideanote ensures that the Sub-Processors are subject to data protection obligations not less protective as those specified in this Data Processing Agreement on the basis of a contract or other legal document under EU law or the national law of the Member States, in particular providing the necessary guarantees that the Sub-Processor will implement the appropriate technical and organisational measures in such a way that the processing meets the requirements of the General Data Protection Regulation. 

Customer acknowledges and agrees that (i) Ideanote’s Affiliates may be retained as Sub­-Processors; and (ii) Ideanote and Ideanote’s Affiliates respectively may engage third­party Sub­-Processors in connection with the provision of the Services. Ideanote or an Ideanote Affiliate has entered into a written agreement with each Sub­processor containing data protection obligations not less protective than those in this Agreement and applicable law with respect to the protection of Customer Data to the extent applicable to the nature of the Services provided by such Sub­processor. If, in the performance of this DPA, Ideanote transfers any Personal Data to a sub-Processor located outside of the EEA, Ideanote shall, in advance of any such transfer, ensure that a legal mechanism to achieve adequacy in respect of that processing is in place.

3. List of Sub-Processors

Ideanote shall make available to Customer the current list of Sub­-Processors for the Services. Such Sub­-Processor lists shall include a specification of the legal entity of those Sub­-Processors and the location of Customer Data. This list is available online at https://ideanote.io/legal/sub-processors.

4. Changes in Sub-Processors

Ideanote shall inform Customer in writing of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance. 

5. Right to Object

Ideanote will give the Customer the opportunity to object to the engagement of the new Sub-Processors within 30 days after being notified. The objection must be based on reasonable grounds. If Ideanote and Customer are unable to resolve such objection, either party may terminate the Agreement by providing written notice to the other party. Customer shall receive a refund of any prepaid but unused fees for the period following the effective date of termination. 

Where Ideanote engages a sub-processor for carrying out specific processing  activities  on  behalf  of  Customer, Ideanote shall ensure that the same data  protection obligations as set out in this Addendum are imposed on that sub-processor, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Addendum and the Applicable Data Protection Law. 

Upon request, a copy of such a sub-processor agreement and subsequent amendments shall be made available to Customer, with the exception of clauses on business related issues that  do  not  affect  the  legal  data  protection  content  of  the  sub-processor agreement. 

Ideanote shall at all times keep an up-to-date list of all sub-processors used, including in each case the details required under this Appendix B, and shall make this list available to Customer upon request. 

Ideanote shall be liable for the acts and omissions of any such sub-processor to the same extent as if the acts or omissions were performed by Ideanote. This does not affect the rights of the data subjects under the Applicable Data Protection Law. 

6. International Transfers

Ideanote may transfer and process Customer Data anywhere in the world where Ideanote, its Affiliates or its Sub­processors maintain data processing operations, after having previously informed and obtained Customer's consent. Ideanote shall at all times provide an adequate level of protection for the Customer Data processed, in accordance with the requirements of Data Protection Laws. Specifically, Ideanote shall ensure a valid legal basis for any such transfer, as outlined in Chapter 5 GDPR and Articles 45­49 thereof.

Without prejudice to the afore mentioned notification and approval process, Ideanote may introduce transfer the data to third countries which are located outside of the European Economic Area ("EEA"), if Ideanote has implemented a transfer solution compliant with the Applicable Data Protection Law.

Where such  transfer solution is based on the EU Commission Model Clauses, Ideanote shall provide Customer with a transfer impact assessment, including details as to locations of processing, the processing activities that will be carried out, the types of data, any additional safeguards and measures (technical, organisational and contractual) to be implemented, as well as Ideanote's risk assessment on the intended sub-processor and/or transfer. Such notification shall be performed prior to implementation of the transfer, and Customer shall be given at least 90 days to review it. Customer may reject the transfer, partially or entirely, in which case Ideanote shall not engage nor perform the envisaged transfer. If the contracted services cannot be performed without the said transfer, Customer shall have the option to terminate the Services Agreement and the Addendum, entirely or partially as required, without any penalty. 

Appendix C

Appendix C of the Data Processing Agreement contains instructions on the processing that Ideanote is to perform on behalf of Customer (the subject of the processing), the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) how inspection with Ideanote and any Sub-Processors is to be performed.

Ideanote has implemented an internal Information Security Program that covers Data and Network Security, Access and Site Controls, Personnel and Sub-Processor Security.

1. Ideanote Security Controls

• Physical Security -  Ideanote uses physically secure data centers. All data centers comply with or exceed the security requirements of SOC2. All data centers are equipped with CCTV, 24/7 on-site security personnel and key card access system. Ideanote uses geographically distributed data centers for backups.
• Redundancy - Ideanote’s infrastructure allows for maintenance and improvements with minimal downtime.
• Power Supply - Ideanote’s data centers are equipped with backup power and uninterrupted power supplies that can last for days.
• Patches - Ideanote has established a policy to keep systems up to date with necessary security updates.
• Business Continuity - data is replicated and backed up across multiple systems to help protect against unwanted destruction or loss of data. Backup restore procedures and business continuity plans are tested on an annual basis.
• Data in Transit - Ideanote uses industry standard encryption schemes and protocols to encrypt data transmissions between the data centers.
• Intrusion Detection - Ideanote employs an intrusion detection system to provide insights into ongoing attack activities and to help remediate the attack faster.
• Incident Response - Ideanote has established protocols for handling security incidents and breaches and will inform the involved parties.
• Encryption - Ideanote uses industry standard encryption methods to encrypt data in transit and at rest.
• Access Control - Ideanote personnel must authenticate themselves via a central authentication system or via a single sign-on system in order to administer the Services.
• Password Security - Ideanote requires the use of unique IDs, strong passwords and two factor authentication. 
• Access Review - Access is guided by an internal policy of least privilege and access reviews.
• Audit Trail - Ideanote logs access to its systems via an immutable audit trail.
• Data Separation - Ideanote separates customer’s data on a multi-tenant environment via separate encryption keys.
• Disk Erasure - Decommissioned disks are securely erased after their intended use or securely destroyed in the event of a malfunction.
• Personnel - Ideanote personnel adheres to company policies regarding privacy, security, ethics and a professional code of conduct. 
• Background Checks - Ideanote conducts background checks with new hires.
• Data Access - Ideanote personnel will not access or process Customer Content without explicit authorization by the Customer unless required by law.
• Sub-processor Security - Ideanote conducts reviews of security and privacy practices of Sub-processors prior to onboarding the Sub-processors in order to ensure adequate level of security and privacy to data and scope of services they are engaged to provide. Once the Sub-processor review is performed and associated risk is evaluated, the Subprocessor enters into appropriate privacy, confidentiality and security contract terms.

2. Storage Limits and Erasure

Processing shall not be time-limited and shall be performed until this Data Processing Agreement is terminated or cancelled by one of the Parties.

Personal data are stored with Ideanote until Customer or a Member requests that their data are erased or returned. Ideanote allows Customers to export their raw data at any time in the industry standard JSON format. Additionally, customer data  can  be  deleted  upon  request  at  termination  or  will  be  deleted  in  accordance  with  Ideanote’s  internal  data retention policies.

3. Inspection and Audit Reports

Ideanote shall provide written responses (on a confidential basis) to requests for information made by Customer, including responses to information security and audit questionnaires that are necessary to confirm Ideanote's compliance with this DPA, provided that Customer shall not exercise this right more than once per year, unless Ideanote had a security incident, in which case Customer is entitled to perform an audit without undue delay.

Upon Customer’s request, and subject to the confidentiality obligations set forth in the data processing addendum, Ideanote shall make available to Customer that is not a competitor of Ideanote (or Customer’s independent, third­party auditor that is not a competitor of Ideanote) information regarding Ideanote’s compliance with the obligations set forth in the DPA. 

Customer is entitled to contact Ideanote to request a remote or on­site audit of the architecture, facilities, data and records (including tools), systems and procedures relevant to the processing activities carried out by Ideanote on behalf of Customer’s Personal Data. Customer shall be responsible for the costs associated with carrying out such an audit.

Before the commencement of any such on­site audit, Customer and Ideanote shall mutually agree upon the scope, timing, and duration of the audit. Customer shall promptly notify Ideanote with information regarding any non­compliance discovered during the course of an audit. This procedure may be instigated a maximum of once per year and with a minimum of thirty (30) days notice to Ideanote, unless Ideanote had a security incident, in which case Customer is entitled to perform an audit without undue delay. 

4. Encryption of Customer Content

When a User uses the Ideanote Service, the details of their interactions are captured and sent to Ideanote through API calls over HTTPS.  All  of  our other APIs and websites also use HTTPS  exclusively. Everything Customer and User send to Ideanote, and everything Ideanote sends to Customer and User is sent through fully encrypted channels. Ideanote employs the Transport Layer Security (TLS 1.2) protocol with RSA-2048 encryption to keep our communication private.

The Google Cloud Platform encrypts customer data stored at rest by default. Data in Google Cloud Platform is broken into subfile chunks for storage, and each chunk is encrypted at the storage level with an individual encryption key. The key used to encrypt the data in a chunk is called a data encryption key (DEK). Because of the high volume of keys at Google, and the need for low latency and high availability, these keys are stored near the data that they encrypt. The DEKs  are  encrypted  with  (or  “wrapped” by)  a  key  encryption  key  (KEK).  For  more  information, please  see https://cloud.google.com/security/#dataencryption.

5. Customer Data separation

Access is granted through sending along an authentication token in requests. This token then holds a set of allowances based on the User's rank and the Space(s), Missions, and all other Content the User has access to.

This  provides  logical separation  between  data  belonging  to  multiple  Users.  Ideanote  is  the  sole  tenant  on  our infrastructure. A Customer's data may reside on database systems which house data belonging to other customers, but our logical controls (token, key and secret) separates one User from another User's data. 

6. Single-sign on and multifactor authentication

Ideanote supports SAML single sign-on. Depending on what single sign-on provider Customer has, multi-factor authentication is an option Customer can enable with their single sign-on provider.  Details  on  how  to  enable  single  sign-on  can be found in access settings.

7. Location and Storage of Customer Data

GDPR does not require that Personal Data must stay in the EU as long as there is a legal framework in place to validate the data transfer; the GDPR recognizes several frameworks including the EU Standard Contractual Clauses.  

Ideanote’s application and database servers are located within the European Union, specifically in Frankfurt, Germany on Google Inc. servers. This means, at rest, your Content will never leave the EU. 

The Service itself may be provided using equipment or facilities located in the European Union or the United States. The US Sub-Processors have executed Standard Contractual Clauses (as approved by the European Commission) that provide legal grounds for assuring that, when processed in the United States, the personal data of EU citizens that are processed when using the Service will receive an adequate level of protection within the meaning of Article 46 of Regulation (EU) 2016/679 (General Data Protection Regulation). Personal Data is partly stored and processed by these Sub-Processors.

Google is our production hosting provider. Google hard drives leverage technologies like FDE (full disk encryption) and drive locking, to protect data at rest. When a hard drive is retired, authorized individuals verify that the disk is erased by writing zeros to the drive and performing a multiple-step verification process to ensure the drive contains no data. If the drive cannot be erased for any reason, it is stored securely until it can be physically destroyed. Physical destruction of disks is a multistage process beginning with a crusher that deforms the drive, followed by a shredder that breaks the drive into small pieces, which are then recycled at a secure facility. Each data center adheres to a strict disposal policy and any variances are immediately addressed.

8. Security Checks and Scans

Ideanote runs regular security scans via a third-party service, and our source code is automatically checked as it is committed. Every time Ideanote updates any of the external code dependencies, Ideanote performs a full security audit to verify that no vulnerabilities have entered the Ideanote code base. Ideanote also subscribes to various security mailing lists for the software Ideanote uses. The latter ensures Ideanote is always aware of recently discovered vulnerabilities and can either put workarounds or available patches in place.

9. Handling of Customer Data by Personnel

Access to the datastore is restricted to a very small number of people, and there is no way for Ideanote to “impersonate” or view Content via an account switcher interface or see it through the admin user interface. 

In cases where Ideanote needs to troubleshoot errors, Ideanote will either test it in a development environment or get explicit Customer permission for account access (generally by having you manually invite our support account as a member of your account, which can be removed at any time) or by requesting screen sharing. Access and access requests to Ideanote databases and server infrastructure and all code change commits are logged for security purposes.

As outlined in our Terms of Service, support personnel have access to certain contact information and activity logs by default to be able to service Customer as best as possible. Access to this kind of data is restricted with two-factor authentication at all times and Personal Data is not sold to third parties.

10. Replication of Customer Data

Ideanote creates back-ups of Customer Data three times a day and retains these back-ups for up to a month. In case of a security, technical, physical or data-loss incident, roll-backs of Customer Data can be initiated in a timely manner.