Sub-processor List

Ideanote uses certain sub-processors to assist in providing Ideanote’s services. A sub-processor is a third-party data processor engaged by Ideanote who agrees to receive personal data from Ideanote intended for processing activities to be carried out (i) on behalf of Ideanote Customers; (ii) in accordance with Customer instructions as communicated by Ideanote; and (iii) in accordance with the terms of a written contract between Ideanote and the sub-processor.

Ideanote imposes data protection terms on each sub-processor regarding their security controls and applicable laws for the protection of personal data. Further information relating to sub-processor security measures can be found via the external links below.

Where the engagement of a sub-processor requires the cross-border transfer of personal data, Ideanote has performed Transfer Impact Assessments for such data transfer.

Ideanote maintains an up-to-date list of the names and locations of all sub-processors below.

Duration of processing: For each sub-processor below, processing of personal data will be for the duration that the Customer uses and continues to use Ideanote and for the retention periods as set out in the Customer’s agreement with Ideanote.

Data Processing Agreements

We have in place written Data Processing Agreements (“DPA”) with all of our sub-processors. The DPA is a contract between a data controller and a data processor, and covers the items required under Art. 28 of the GDPR. This includes the roles and responsibilities of the parties when personal data is processed.

According to the General Data Protection Regulation (GDPR), contractual clauses ensuring appropriate data protection safeguards can be used as a ground for data transfers from the EU to third countries. This includes model contract clauses – so-called standard contractual clauses ("SCC") – that have been “pre-approved” by the European Commission. All of our sub-processors outside of the EU have SCC in place.

Third-Party Sub-processors

Ideanote works with other third parties to provide specific functions or features within the Service. These providers will have access to relevant personal information (in both an identifiable and anonymous manner) in order to provide their relevant functions. The use of information is limited to those specific purposes.

Relevant for End-users

The following sub-processors are used to provide the Ideanote Service and are part of the chain of processing of sensitive, personal and other data of end-users.

Google Cloud

Versions: Standard, Dedicated, Data Residency

Function: Server infrastructure

Personal data: End-user IP, End-user URL, End-user Referrer, End-user Browser, End-user Device, End-user Events, End-user Settings

Sensitive data: Customer Content

Pseudonymized data: End-user ID

Other Data: Customer Subdomain, Customer Company Email, Customer Name, Customer Email, Customer Settings, Events

Vendor measures: Secure Infrastructure, Encryption at Rest, Encryption in Transit, Compliance and Certifications, Privacy, Blog

Certifications: ISO27001/17/18, SOC1/2/3, PCI DSS, HIPAA

Additional measures: Ideanote exclusively hosts its Service on Google Cloud servers (in the EU or other locations, depending on Data Residency Settings), where it is encrypted at rest. Backups are also performed on Google Cloud servers in that same location, so your Data remains stored in that location.

Retention: Ideanote retains data on customer workspaces until prompted to delete it or if a workspace is inactive for more than a year. Customer has the option to delete Content and End-users individually and in bulk as well as delete all data on their Workspace (per GDPR compliance).

Entity: Google Inc.

Data location: EU (or other locations, depending on workspace Data Residency Settings)

Legal basis: DPA (SCC)

SendGrid

Versions: Standard, Dedicated, Data Residency (EU, US, but not CA, AE)

Function: Email Infrastructure

Personal data: End-user Email Addresses, End-user Names

Sensitive data: None

Other Data: Email Content

Vendor measures: Security Measures, GDPR

Certifications: SOC2 Type II

Additional measures: Ideanote enforces full TLS 1.1 end-to-end encryption in transit for all emails.

Retention: SendGrid email providers retain email message activity (such as opens and clicks) for up to 90 days. Aggregated sending stats and suppression lists (bounces, unsubscribes) and spam reports are stored indefinitely.

Entity: Twilio Inc.

Data location: EU or United States (depending on workspace Data Residency Settings)

Legal basis: DPA (SCC)


Microsoft Azure OpenAI

Versions: Standard, Dedicated, Data Residency

Function: Generative AI

Personal data: None

Sensitive data: None

Other Data: Idea Content

Vendor measures: Security Measures

Certifications: SOC2 Type II

Additional measures: Ideanote enforces a no-log flag and no human review. Content is not used to train their AI (source). You can choose not to make use of Ideanote's AI functionalities if you would like to avoid any data being sent to OpenAI.

Retention: None. Flag is set to disable log retention.

Entity: Microsoft Inc.

Data location: EU, CA or US (depending on workspace Data Residency Settings)

Legal basis: No Personal Data

Relevant for Customers

The following sub-processors are only used in connection with data related directly to the Customer that signed up for an Ideanote Workspace and Workspace Owners invited for billing purposes - and not with other End-users invited to collaborate on the platform.

Stripe

Function: Payment and credit card processing

Sensitive data: Customer Credit Card Details

Personal data: Customer Contact Email, Customer Contact Name, Customer Contact IP, Customer Address

Other Data: Customer Company Name, Customer Subdomain, Customer Subscription

Vendor measures: Security Hub

Certifications: PCI Service Provider Level 1, PCI DSS

Additional measures: Ideanote uses Stripe for services related to payment processing for our subscription and billing. The use of information is limited to that specific purpose. Stripe is PCI compliant and Ideanote does not handle or store credit card information.

Retention: Ideanote keeps records of billing data for up to 10 years for compliance reasons; this does not include personal data. Credit card data can be deleted by the Customer in the Ideanote interface.

Entity: Stripe Inc.

Data location: United States

Legal basis: DPA (SCC)

G-Suite

Function: Business suite for communication.

Sensitive data: None, unless shared with Ideanote by Customer in connection with a Customer Request (e.g. Data Export).

Personal data: None, unless shared with Ideanote by Customer in connection with a Customer Request (e.g. Data Export).

Other Data: Company Name, Customer Requests

Vendor measures: Secure Infrastructure, Encryption at Rest, Encryption in Transit, Compliance and Certifications, Privacy

Certifications: ISO27001/17/18, SOC1/2/3, PCI DSS, HIPAA

Additional measures: Internal communication does not contain personal data apart from support requested by Customer in relation to a support request. Traces of Customer Data are deleted as soon as possible. Access is secured via SSO and restricted on a need-to-know basis.

Retention: Sensitive and personal data pertaining to Customer support requests is deleted within 72 hours after completion of Customer requests.

Entity: Google Inc.

Data location: United States

Legal basis: DPA (SCC)

Slack

Function: Internal communication

Sensitive data: None, unless shared with Ideanote by Customer in connection with a Customer Request (e.g. Data Export)

Personal data: None, unless shared with Ideanote by Customer in connection with a Customer Request (e.g. Data Export)

Other Data: Company Name, Customer Requests

Vendor measures: Secure Infrastructure, Encryption at Rest, Encryption in Transit, Compliance and Certifications, Privacy

Certifications: ISO27001/17/18, SOC2 Type II, SOC3, CSA, FedRAMP, HIPAA

Additional measures: Internal communication does not contain personal data apart from support requested by Customer in relation to a support request. Traces of Customer Data are deleted as soon as possible. Access is secured via SSO and restricted on a need-to-know basis.

Retention: Sensitive and personal data pertaining to Customer support requests is deleted within 72 hours after completion of Customer requests.

Entity: Slack Inc.

Data location: United States

Legal basis: DPA (SCC)

Intercom

Function: Customer onboarding, support and outreach.

Sensitive data: None

Personal data: Customer Contact Email, Customer Contact Name

Pseudonymized data: Customer ID

Other Data: Customer Subdomain, Customer Company Name, Aggregated Activity Counts

Vendor measures: Privacy and Security

Certifications: SOC2 Certified

Additional measures: None

Retention: Data from inactive contacts is deleted after 3 years.

Entity: Intercom Inc.

Data location: EU, US

Legal basis: DPA (SCC)

Zapier

Function: Workflow Automation

Sensitive data: None

Personal data: Customer Contact Email, Customer Contact Name

Pseudonymized data: Customer ID

Other Data: Customer Subdomain, Customer Company Name, Aggregated Activity Counts

Vendor measures: Security, Privacy

Certifications: SOC2 Certified

Additional measures: None

Retention: Logs are deleted after 70 days.

Entity: Zapier Inc.

Data location: US

Legal basis: DPA (SCC)

Pipedrive

Function: Sales CRM and Outreach

Sensitive data: None

Personal data: Customer Contact Email, Customer Contact Name

Pseudonymized data: Customer ID

Other Data: Customer Subdomain, Customer Company Name, Aggregated Activity Counts

Vendor measures: Privacy and Security

Certifications: SOC2 Certified

Additional measures: Only used for a select few leads and customers.

Retention: Data from inactive contacts is deleted after 3 years.

Entity: Pipedrive Inc.

Data location: EU, US

Legal basis: DPA (SCC)

Dock

Function: Customer Onboarding

Sensitive data: None

Personal data: Customer Contact Email, Customer Contact Name

Pseudonymized data: Customer ID

Other Data: Customer Subdomain, Customer Company Name, Aggregated Activity Counts

Vendor measures: Privacy and Security

Certifications: SOC2 Compliant

Additional measures: Only used for a select few leads and customers.

Retention: Data from inactive contacts is deleted after 3 years.

Entity: Dock Labs, Inc.

Data location: US

Legal basis: DPA (SCC)


Clearbit

Ideanote uses Clearbit for the purposes of legitimate business interest to guess company names based on their IP Addresses during the initial workspace creation process. The data handled is not personal information but business information.

Clearbit has developed a business intelligence API to aid businesses in acquiring more information about their clients in order to increase turnover and reduce fraud. Clearbit collects your IP address so that we may improve our website. For more information and to have yourself removed from the Clearbit database, please click here.

Changes in Sub-processors

Our business needs may change from time to time. For example, we may deprecate a sub-processor to consolidate and minimize our use of sub-processors. Similarly, we may add a sub-processor if we believe that doing so will enhance our ability to deliver our Services. Before engaging sub-processors, we perform due diligence, including a security and legal analysis. We do not engage a sub-processor unless our quality and security standards and the standard of the GDPR are met.

Changes in sub-processors are regulated by the DPA we have in place with you.