See the steps we ensure your privacy and protection with Ideanote
The terms and conditions below (“DPA”) supplement and amend the Terms of Service (“ToS”), to the extent that Ideanote processes any personal data originating from the European Economic Area, the United Kingdom and Switzerland (“EU Data”) for You as a Customer.
Capitalized expressions not defined in the DPA have the meaning set out in the ToS. Words and expressions used in this DPA but not defined in the DPA or in the ToS have the meanings given to such words and expressions in the EU Directive 95/46/EC or, from 25 May 2018, the General Data Protection Regulation (2016/679) (“GDPR”), including any subordinate or implementing legislation, and, for transfers of Data to Ideanote ApS, the Commission implementing Decision 2016/1250 (“Privacy Shield”) (“Applicable Data Protection Law”).
Ideanote should be considered only as a Processor on behalf of its Customer and Users as to any Customer Data containing Personal Data that is subject to the requirements of the GDPR. Except as provided in this DPA, Ideanote does not independently cause Customer Data containing Personal Data stored in connection with the Services to be transferred or otherwise made available to third parties, except to third party Sub-Contractors who may process such data on behalf of Ideanote in connection with Ideanote’s provision of Service to Customers.
Such actions are performed or authorized only by the applicable Customer. The Customer is the data controller under the Regulation for any Customer Data containing Personal Data, meaning that such party controls the manner such Personal Data is collected and used as well as the determination of the purposes and means of the processing of such Personal Data.
Ideanote is not responsible for the content of the Personal Data contained in the Customer Data or other information stored on its servers (or its Sub-Contractors’ servers) at the discretion of the Customer nor is Ideanote responsible for the manner in which the Customer or User collects, handles disclosure, distributes or otherwise processes such information.
In the course of providing the Services to Customer pursuant to the ToS, Ideanote may process Personal Data on behalf of Customer. Ideanote agrees to comply with the following provisions with respect to any Personal Data submitted by or for Customer to the Service or collected and processed by or for Customer through the Service.
1. Ideanote, taking into account the nature of the processing, shall reasonably assist Customer with appropriate technical and organisational measures, in the fulfilment of Customer obligations to respond to requests for the exercise of the data subjects’ rights pursuant to Chapter 3 of the General Data Protection Regulation.
This entails that Ideanote should reasonably assist Customer in Customer compliance with:
2. Ideanote shall assist Customer in ensuring compliance with Customer obligations pursuant to Articles 32-36 of the General Data Protection Regulation taking into account the nature of the processing and the data made available to Ideanote, cf. Article 28, sub-section 3, para f.
This entails that Ideanote should, taking into account the nature of the processing shall reasonably assist Customer in Customer compliance with:
This may mean that Ideanote is required to assist in obtaining the information listed below which, pursuant to Article 33, sub-section 3, of the General Data Protection Regulation, shall be stated in Customer report to the supervisory authority:
On termination of the processing services, Ideanote shall be under obligation, at Customer discretion, to erase or return all the personal data to Customer and to erase existing copies unless EU law or Member State law requires storage of the personal data.
The data exporter is a Customer of data importer’s communication and productivity software, services, systems and / or technologies.
The data importer is Ideanote ApS, as a provider of communication and productivity software, services, systems and / or technologies.
The personal data transferred concern the following categories of data subjects:
Users of the Service
CATEGORIES OF DATA
The personal data transferred concern the following categories of data:
Personal Data subject to Data Protection Laws.Any personal data comprised in Customer Data. “Customer Data” means all data and information submitted by Users to the Services and includes message text, files, comments and links, but does not include third-party products or the Service.
SPECIAL CATEGORIES OF DATA (IF APPROPRIATE)
The personal data transferred concern the following special categories of data:
Data Exporter may submit personal data to the Data Importer through the Services, the extent of which is determined and controlled by the Data Exporter in compliance with Applicable Data Protection Law and which may concern the following special categories of data, if any:
The personal data transferred will be subject to the following basic processing activities:
In more detail, Ideanote makes available its Service to Customer and hereby stores and processes Personal Data about Customer on our Service infrastructure to facilitate speedy authentication, communication and a measure of security to Users of the Service.
Ideanote will send mails to people invited to the platform, allow people to become Members of the Space at the discretion of the Customer and allow Members to share Content on the Space with the goal to further innovation and idea sharing for Customer.
Customer is able to use Our Service, owned, developed and managed by Ideanote to facilitate idea sharing, collecting, commenting, rating, prioritizing, assigning and tracking. In this, Customer and any personal data and Content submitted by Customer is processed by Ideanote.
The Personal Data transferred will be processed in accordance with the ToS and may be subject to the following processing activities:
For membership purposes:
For analytics and customer support purposes:
For billing purposes:
As Data Processor Ideanote ensures that the Sub-Processors are subject to data protection obligations not less protective as those specified in this Data Processing Agreement on the basis of a contract or other legal document under EU law or the national law of the Member States, in particular providing the necessary guarantees that the Sub-Processor will implement the appropriate technical and organisational measures in such a way that the processing meets the requirements of the General Data Protection Regulation.
Customer acknowledges and agrees that (i) Ideanote’s Affiliates may be retained as Sub-Processors; and (ii) Ideanote and Ideanote’s Affiliates respectively may engage thirdparty Sub-Processors in connection with the provision of the Services. Ideanote or an Ideanote Affiliate has entered into a written agreement with each Subprocessor containing data protection obligations not less protective than those in this Agreement and applicable law with respect to the protection of Customer Data to the extent applicable to the nature of the Services provided by such Subprocessor. If, in the performance of this DPA, Ideanote transfers any Personal Data to a sub-Processor located outside of the EEA, Ideanote shall, in advance of any such transfer, ensure that a legal mechanism to achieve adequacy in respect of that processing is in place.
For the avoidance of doubt, the above authorization constitutes Controller’s prior written consent to the Sub-Processing by Ideanote for purposes of Clause 11 of the Standard Contractual Clauses.
Ideanote shall make available to Customer the current list of Sub-Processors for the Services. Such Sub-Processor lists shall include a specification of the legal entity of those Sub-Processors and the location of Customer Data. This list is available online at https://ideanote.io/legal/sub-processors.
If Customer would like to be informed of changes in Subprocessors they can reach out to firstname.lastname@example.org to subscribe. Ideanote shall then provide notification of a new Subprocessor(s) before authorizing any new Subprocessor(s) to process personal data in connection with the provision of the Service.
Ideanote will give the Customer the opportunity to object to the engagement of the new Sub-Processors within 7 days after being notified. The objection must be based on reasonable grounds. If Ideanote and Customer are unable to resolve such objection, either party may terminate the Agreement by providing written notice to the other party. Customer shall receive a refund of any prepaid but unused fees for the period following the effective date of termination.
Ideanote may transfer and process Customer Data anywhere in the world where Ideanote, its Affiliates or its Subprocessors maintain data processing operations. Ideanote shall at all times provide an adequate level of protection for the Customer Data processed, in accordance with the requirements of Data Protection Laws. Specifically, Ideanote shall ensure a valid legal basis for any such transfer, as outlined in Chapter 5 GDPR and Articles 4549 thereof.
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c): Firewalls, SSL certificates, web application firewalls, secure development lifecycle management, secure coding practices, 2FA access, SOC 2 Type II audit, internal vulnerability assessments, continuous employee education, virus/malware scanning, and more.
Storage Limits and Erasure
Processing shall not be time-limited and shall be performed until this Data Processing Agreement is terminated or cancelled by one of the Parties.
Personal data are stored with Ideanote until Customer or a Member requests that their data are erased or returned. Ideanote allows Customers to export their raw data at any time in the industry standard JSON format. Additionally, customer data can be deleted upon request at termination or will be deleted in accordance with Ideanote’s internal data retention policies.
Inspection and Audit Reports
Ideanote shall provide written responses (on a confidential basis) to reasonable requests for information made by Customer, including responses to information security and audit questionnaires that are necessary to confirm Ideanote's compliance with this DPA, provided that Customer shall not exercise this right more than once per year.
Upon Customer’s request, and subject to the confidentiality obligations set forth in the data processing addendum, Ideanote shall make available to Customer that is not a competitor of Ideanote (or Customer’s independent, thirdparty auditor that is not a competitor of Ideanote) information regarding Ideanote’s compliance with the obligations set forth in the DPA.
Customer is entitled to contact Ideanote to request an a remote or onsite audit of the architecture, systems and procedures relevant to the protection of Personal Data at locations where Personal Data is stored. Customer shall reimburse Ideanote for any time expended by Ideanote or its third party Subprocessors for any such onsite audit at Ideanote’s then current professional services rates, which shall be made available to Customer upon request.
Before the commencement of any such onsite audit, Customer and Ideanote shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible. All costs will be documented, and reimbursement rates shall be reasonable, taking into account the resources expended by Ideanote, or its thirdparty Subprocessors. Customer shall promptly notify Ideanote with information regarding any noncompliance discovered during the course of an audit. This procedure may be instigated a maximum of once per year and with a minimum of ninety (60) days notice to Ideanote
Encryption of Customer Content
In the database, We encrypt non-searchable content such as passwords, but do not encrypt your content otherwise so you can search across members and content whenever you need to find that one specific idea.
When a User uses the Ideanote Service, the details of their interactions are captured and sent to Ideanote through API calls over HTTPS. All of our other APIs and websites also use HTTPS exclusively. Everything Customer and User send to Ideanote, and everything Ideanote sends to Customer and User is sent through fully encrypted channels. Ideanote employs the Transport Layer Security protocol with RSA-2048 encryption to keep our communication private.
The Google Cloud Platform encrypts customer data stored at rest by default. Data in Google Cloud Platform is broken into subfile chunks for storage, and each chunk is encrypted at the storage level with an individual encryption key. The key used to encrypt the data in a chunk is called a data encryption key (DEK). Because of the high volume of keys at Google, and the need for low latency and high availability, these keys are stored near the data that they encrypt. The DEKs are encrypted with (or “wrapped” by) a key encryption key (KEK). For more information, please see https://cloud.google.com/security/#dataencryption.
Customer Data separation
Access is granted through sending along an authentication token in requests. This token then holds a set of allowances based on the User's rank and the Space(s), Missions, and all other Content the User has access to.
This provides logical separation between data belonging to multiple Users. Ideanote is the sole tenant on our infrastructure. A Customer's data may reside on database systems which house data belonging to other customers, but our logical controls (token, key and secret) separates one User from another User's data.
Single-sign on and multifactor authentication
Ideanote supports SAML single sign-on. Depending on what single sign-on provider Customer has, multi-factor authentication is an option Customer can enable with their single sign-on provider. Details on how to enable single sign-on can be found in access settings.
Location and Storage of Customer Data
GDPR does not require that Personal Data must stay in the EU as long as there is a legal framework in place to validate the data transfer; the GDPR recognizes several frameworks including the Privacy Shield and DPAs.
Ideanote’s application and database servers are located within the European Union, specifically in Frankfurt, Germany on Google Inc. servers. This means, at rest, your Content will never leave the EU. As a company, Google Inc. has certified with the US Department of Commerce that it adheres to the Privacy Shield Principles under the EU-U.S. and Swiss-U.S. Privacy Shield frameworks.
The Service itself may be provided using equipment or facilities located in the European Union or the United States. The US Sub-Processors are either Privacy Shield compliant or have executed Standard Contractual Clauses (as approved by the European Commission) that provide legal grounds for assuring that, when processed in the United States, the personal data of EU citizens that are processed when using the Service will receive an adequate level of protection within the meaning of Article 46 of Regulation (EU) 2016/679 (General Data Protection Regulation). Personal Data is partly stored and processed by these Sub-Processors.
Google is our production hosting provider. Google hard drives leverage technologies like FDE (full disk encryption) and drive locking, to protect data at rest. When a hard drive is retired, authorized individuals verify that the disk is erased by writing zeros to the drive and performing a multiple-step verification process to ensure the drive contains no data. If the drive cannot be erased for any reason, it is stored securely until it can be physically destroyed. Physical destruction of disks is a multistage process beginning with a crusher that deforms the drive, followed by a shredder that breaks the drive into small pieces, which are then recycled at a secure facility. Each data center adheres to a strict disposal policy and any variances are immediately addressed.
Security checks and Scans
Ideanote runs regular security scans via a third-party service, and our source code is automatically checked as it is committed. Every time Ideanote update any of the external code dependencies, Ideanote performs a full security audit to verify that no vulnerabilities have entered the Ideanote code base. Ideanote also subscribe to various security mailing lists for the software Ideanote uses. The latter ensures Ideanote is always aware of recently discovered vulnerabilities and can either put workarounds or available patches in place.
Handling of Customer Data by Personnel
Access to the datastore is restricted to a very small number of people, and there is no way for Ideanote to “impersonate” or view Content via an account switcher interface or see it through the admin user interface.
In cases where Ideanote needs to troubleshoot errors, Ideanote will either test it in a development environment or get explicit Customer permission for account access (generally by having you manually invite our support account as a member of your account, which can be removed at any time) or by requesting screen sharing. Access and access requests to Ideanote databases and server infrastructure and all code change commits are logged for security purposes.
As outlined in our Terms of Service, support personnel have access to certain contact information and activity logs by default to be able to service Customer as best as possible. Access to this kind of data is restricted with two-factor authentication at all times and Personal Data is not sold to third parties.
Replication of Customer Data
Ideanote creates back-ups of Customer Data three times a day and retains these back-ups for up to a month. In case of a security, technical, physical or data-loss incident, roll-backs of Customer Data can be initiated in a timely manner.