See the steps we take to ensure your privacy and protection with Ideanote
The terms and conditions below (“DPA”) supplement and amend the Terms of Service (“ToS”), to the extent that Ideanote processes any personal data originating from the European Economic Area, the United Kingdom and Switzerland (“EU Data”) for You as a Customer.
Capitalized expressions not defined in the DPA have the meaning set out in the ToS. Words and expressions used in this DPA but not defined in the DPA or in the ToS have the meanings given to such words and expressions in the EU Directive 95/46/EC or, from 25 May 2018, the General Data Protection Regulation (2016/679) (“GDPR”), including any subordinate or implementing legislation, and, for transfers of Data to Ideanote ApS (“Applicable Data Protection Law”).
Ideanote should be considered only as a Processor on behalf of its Customer and Users as to any Customer Data containing Personal Data that is subject to the requirements of the GDPR. Except as provided in this DPA, Ideanote does not independently cause Customer Data containing Personal Data stored in connection with the Services to be transferred or otherwise made available to third parties, except to third party Sub-Contractors who may process such data on behalf of Ideanote in connection with Ideanote’s provision of Service to Customers.
Such actions are performed or authorized only by the applicable Customer. The Customer is the data controller under the Regulation for any Customer Data containing Personal Data, meaning that such party controls the manner such Personal Data is collected and used as well as the determination of the purposes and means of the processing of such Personal Data.
Ideanote is not responsible for the content of the Personal Data contained in the Customer Data or other information stored on its servers (or its Sub-Contractors’ servers) at the discretion of the Customer, nor is Ideanote responsible for the manner in which the Customer or User collects, handles, discloses, distributes or otherwise processes such information.
In the course of providing the Services to Customer pursuant to the ToS, Ideanote may process Personal Data on behalf of Customer. Ideanote agrees to comply with the following provisions with respect to any Personal Data submitted by or for Customer to the Service or collected and processed by or for Customer through the Service.
1. Ideanote, taking into account the nature of the processing, shall reasonably assist Customer with appropriate technical and organisational measures, in the fulfilment of Customer obligations to respond to requests for the exercise of the data subjects’ rights pursuant to Chapter 3 of the General Data Protection Regulation.
This entails that Ideanote should reasonably assist Customer in Customer compliance with:
For the avoidance of doubt, Ideanote shall promptly notify Customer and shall subsequently supply Customer with all information pertinent thereto, in case of: (i) any third party (including organisations or associations) requests or complaints regarding the processing of personal data by Ideanote on behalf of Customer; or (ii) any supervisory authority or government requests for access to, information about, audit concerning, or any other regulatory action (including only notice of intent) concerning the processing of personal data undertaken by Ideanote in the context of the Services Agreement. In the event Ideanote directly receives such a request or complaint, Ideanote shall immediately notify Customer and shall in no event respond directly, unless with Customer's prior written instruction.
2. Ideanote shall assist Customer in ensuring compliance with Customer obligations pursuant to Articles 32-36 of the General Data Protection Regulation taking into account the nature of the processing and the data made available to Ideanote, cf. Article 28, sub-section 3, para f.
This entails that Ideanote should, taking into account the nature of the processing reasonably assist Customer in Customer compliance with:
This may mean that Ideanote is required to assist in obtaining the information listed below which, pursuant to Article 33, sub-section 3, of the General Data Protection Regulation, shall be stated in Customer report to the supervisory authority:
On termination of the processing services, Ideanote shall be under obligation, at Customer discretion, to erase or return all the personal data to Customer and to erase existing copies unless EU law or Member State law requires storage of the personal data.
Appendix A of the Data Processing Agreement contains details about the processing as well as the purpose and nature of the processing, type of personal data, categories of data subject and duration of the processing.
The data controller is a Customer of Ideanote’s communication and productivity software, services, systems and / or technologies.
The data processor is Ideanote ApS, as a provider of communication and productivity software, services, systems and / or technologies.
The personal data processed for the purposes of the Services Agreement concern the following categories of data subjects:
Users of the Service
The personal data transferred concern the following categories of data:
We may collect the following personal data for end-users of Customers
all data and information submitted by End-users to the Services and includes message text, files, comments and links, but does not include third-party products or the Service.
We may collect the following personal data from Customers.
The personal data transferred concern the following special categories of data:
Data Exporter may submit personal data to the Data Importer through the Services, the extent of which is determined and controlled by the Data Exporter in compliance with Applicable Data Protection Law and which may concern the following special categories of data, if any:
The personal data transferred will be subject to the following basic processing activities:
In more detail, Ideanote makes available its Service to Customer and hereby stores and processes Personal Data about Customer on our Service infrastructure to facilitate speedy authentication, communication and a measure of security to Users of the Service.
Ideanote will send mails to people invited to the platform, allow people to become Members of the Space at the discretion of the Customer and allow Members to share Content on the Space with the goal to further innovation and idea sharing for Customer.
Customer is able to use Our Service, owned, developed and managed by Ideanote to facilitate idea sharing, collecting, commenting, rating, prioritizing, assigning and tracking. In this, Customer and any personal data and Content submitted by Customer is processed by Ideanote on behalf of the Customer.
The Personal Data transferred will be processed in accordance with the ToS and may be subject to the following processing activities:
You consent that Ideanote employees can use aggregate findings about activities and Content on the Service to continuously optimize the performance and presentation of the Service. We reserve the right to publish our findings on an anonymized aggregate level. An example of an anonymized finding would be a study of how many people, in general, comment on an idea they have also liked. We also retain the right, but not the obligation, to directly access Your account data or a Workspace on invitation by a Member of a Workspace for purposes of technical maintenance, content oversight or investigation as well as general Customer support. Any feedback or circumstantial analytical evidence knowingly given or unknowingly resulting from usage of our Service can freely be exploited and shared by Us to improve Our Service or technology without this resulting in You having or receiving any rights or ownership of them.
Ideanote has Customer’s general consent for the engagement of the already engaged Sub-Processors, as at the date of this Addendum and as listed in this Appendix B.
As Data Processor, Ideanote ensures that the Sub-Processors are subject to data protection obligations not less protective than those specified in this Data Processing Agreement on the basis of a contract or other legal document under EU law or the national law of the Member States, in particular providing the necessary guarantees that the Sub-Processor will implement the appropriate technical and organisational measures in such a way that the processing meets the requirements of the General Data Protection Regulation.
Customer acknowledges and agrees that (i) Ideanote’s Affiliates may be retained as Sub-Processors; and (ii) Ideanote and Ideanote’s Affiliates respectively may engage third-party Sub-Processors in connection with the provision of the Services. Ideanote or an Ideanote Affiliate has entered into a written agreement with each Subprocessor containing data protection obligations not less protective than those in this Agreement and applicable law with respect to the protection of Customer Data to the extent applicable to the nature of the Services provided by such Subprocessor. If, in the performance of this DPA, Ideanote transfers any Personal Data to a sub-Processor located outside of the EEA, Ideanote shall, in advance of any such transfer, ensure that a legal mechanism to achieve adequacy in respect of that processing is in place.
Ideanote shall make available to Customer the current list of Sub-Processors for the Services. Such Sub-Processor lists shall include a specification of the legal entity of those Sub-Processors and the location of Customer Data. This list is available online at https://ideanote.io/legal/sub-processors.
Ideanote shall inform Customer in writing of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance.
Ideanote will give the Customer the opportunity to object to the engagement of the new Sub-Processors within 30 days after being notified. The objection must be based on reasonable grounds. If Ideanote and Customer are unable to resolve such objection, either party may terminate the Agreement by providing written notice to the other party. Customer shall receive a refund of any prepaid but unused fees for the period following the effective date of termination.
Where Ideanote engages a sub-processor for carrying out specific processing activities on behalf of Customer, Ideanote shall ensure that the same data protection obligations as set out in this Addendum are imposed on that sub-processor, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Addendum and the Applicable Data Protection Law.
Upon request, a copy of such a sub-processor agreement and subsequent amendments shall be made available to Customer, with the exception of clauses on business related issues that do not affect the legal data protection content of the sub-processor agreement.
Ideanote shall at all times keep an up-to-date list of all sub-processors used, including in each case the details required under this Appendix B, and shall make this list available to Customer upon request.
Ideanote shall be liable for the acts and omissions of any such sub-processor to the same extent as if the acts or omissions were performed by Ideanote. This does not affect the rights of the data subjects under the Applicable Data Protection Law.
Ideanote may transfer and process Customer Data anywhere in the world where Ideanote, its Affiliates or its Subprocessors maintain data processing operations, after having previously informed and obtained Customer's consent. Ideanote shall at all times provide an adequate level of protection for the Customer Data processed, in accordance with the requirements of Data Protection Laws. Specifically, Ideanote shall ensure a valid legal basis for any such transfer, as outlined in Chapter 5 GDPR and Articles 45-49 thereof.
Without prejudice to the aforementioned notification and approval process, Ideanote may transfer the data to third countries which are located outside of the European Economic Area ("EEA"), if Ideanote has implemented a transfer solution compliant with the Applicable Data Protection Law.
Where such transfer solution is based on the EU Commission Model Clauses, Ideanote shall provide Customer with a transfer impact assessment, including details as to locations of processing, the processing activities that will be carried out, the types of data, any additional safeguards and measures (technical, organisational and contractual) to be implemented, as well as Ideanote's risk assessment on the intended sub-processor and/or transfer. Such notification shall be performed prior to implementation of the transfer, and Customer shall be given at least 90 days to review it. Customer may reject the transfer, partially or entirely, in which case Ideanote shall not engage nor perform the envisaged transfer. If the contracted services cannot be performed without the said transfer, Customer shall have the option to terminate the Services Agreement and the Addendum, entirely or partially as required, without any penalty.
Appendix C of the Data Processing Agreement contains instructions on the processing that Ideanote is to perform on behalf of Customer (the subject of the processing), the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c), and how inspection with Ideanote and any Sub-Processors is to be performed.
Ideanote has implemented an internal Information Security Program that covers Data and Network Security, Access and Site Controls, Personnel and Sub-Processor Security.
Processing shall not be time-limited and shall be performed until this Data Processing Agreement is terminated or cancelled by one of the Parties.
Personal data are stored with Ideanote until Customer or a Member requests that their data are erased or returned. Ideanote allows Customers to export their raw data at any time in the industry standard JSON format. Additionally, customer data can be deleted upon request at termination or will be deleted in accordance with Ideanote’s internal data retention policies.
Ideanote shall provide written responses (on a confidential basis) to requests for information made by Customer, including responses to information security and audit questionnaires that are necessary to confirm Ideanote's compliance with this DPA, provided that Customer shall not exercise this right more than once per year, unless Ideanote had a security incident, in which case Customer is entitled to perform an audit without undue delay.
Upon Customer’s request, and subject to the confidentiality obligations set forth in the data processing addendum, Ideanote shall make available to Customer that is not a competitor of Ideanote (or Customer’s independent, third-party auditor that is not a competitor of Ideanote) information regarding Ideanote’s compliance with the obligations set forth in the DPA.
Customer is entitled to contact Ideanote to request a remote or onsite audit of the architecture, facilities, data and records (including tools), systems and procedures relevant to the processing activities carried out by Ideanote on behalf of Customer’s Personal Data. Customer shall be responsible for the costs associated with carrying out such an audit.
Before the commencement of any such onsite audit, Customer and Ideanote shall mutually agree upon the scope, timing, and duration of the audit. Customer shall promptly notify Ideanote with information regarding any noncompliance discovered during the course of an audit. This procedure may be instigated a maximum of once per year and with a minimum of thirty (30) days' notice to Ideanote, unless Ideanote had a security incident, in which case Customer is entitled to perform an audit without undue delay.
When a User uses the Ideanote Service, the details of their interactions are captured and sent to Ideanote through API calls over HTTPS. All of our other APIs and websites also use HTTPS exclusively. Everything Customer and User send to Ideanote, and everything Ideanote sends to Customer and User is sent through fully encrypted channels. Ideanote employs the Transport Layer Security (TLS 1.2) protocol with RSA-2048 encryption to keep our communication private.
The Google Cloud Platform encrypts customer data stored at rest by default. Data in Google Cloud Platform is broken into subfile chunks for storage, and each chunk is encrypted at the storage level with an individual encryption key. The key used to encrypt the data in a chunk is called a data encryption key (DEK). Because of the high volume of keys at Google, and the need for low latency and high availability, these keys are stored near the data that they encrypt. The DEKs are encrypted with (or “wrapped” by) a key encryption key (KEK). For more information, please see https://cloud.google.com/security/#dataencryption.
Access is granted through sending along an authentication token in requests. This token then holds a set of allowances based on the User's rank and the Space(s), Missions, and all other Content the User has access to.
This provides logical separation between data belonging to multiple Users. Ideanote is the sole tenant on our infrastructure. A Customer's data may reside on database systems which house data belonging to other customers, but our logical controls (token, key and secret) separate one User's data from another User's data.
Ideanote supports SAML single sign-on. Depending on what single sign-on provider Customer has, multi-factor authentication is an option Customer can enable with their single sign-on provider. Details on how to enable single sign-on can be found in access settings.
GDPR does not require that Personal Data must stay in the EU as long as there is a legal framework in place to validate the data transfer; the GDPR recognizes several frameworks including the EU Standard Contractual Clauses.
Ideanote’s application and database servers are located within the European Union, specifically in Frankfurt, Germany on Google Inc. servers. This means, at rest, your Content will never leave the EU.
The Service itself may be provided using equipment or facilities located in the European Union or the United States. The US Sub-Processors have executed Standard Contractual Clauses (as approved by the European Commission) that provide legal grounds for assuring that, when processed in the United States, the personal data of EU citizens that are processed when using the Service will receive an adequate level of protection within the meaning of Article 46 of Regulation (EU) 2016/679 (General Data Protection Regulation). Personal Data is partly stored and processed by these Sub-Processors.
Google is our production hosting provider. Google hard drives leverage technologies like FDE (full disk encryption) and drive locking, to protect data at rest. When a hard drive is retired, authorized individuals verify that the disk is erased by writing zeros to the drive and performing a multiple-step verification process to ensure the drive contains no data. If the drive cannot be erased for any reason, it is stored securely until it can be physically destroyed. Physical destruction of disks is a multistage process beginning with a crusher that deforms the drive, followed by a shredder that breaks the drive into small pieces, which are then recycled at a secure facility. Each data center adheres to a strict disposal policy and any variances are immediately addressed.
Ideanote runs regular security scans via a third-party service, and our source code is automatically checked as it is committed. Every time Ideanote updates any of the external code dependencies, Ideanote performs a full security audit to verify that no vulnerabilities have entered the Ideanote code base. Ideanote also subscribes to various security mailing lists for the software Ideanote uses. The latter ensures Ideanote is always aware of recently discovered vulnerabilities and can put either workarounds or available patches in place.
Access to the datastore is restricted to a very small number of people, and there is no way for Ideanote to “impersonate” or view Content via an account switcher interface or see it through the admin user interface.
In cases where Ideanote needs to troubleshoot errors, Ideanote will either test it in a development environment or get explicit Customer permission for account access (generally by having you manually invite our support account as a member of your account, which can be removed at any time) or by requesting screen sharing. Access and access requests to Ideanote databases and server infrastructure and all code change commits are logged for security purposes.
As outlined in our Terms of Service, support personnel have access to certain contact information and activity logs by default to be able to service Customer as best as possible. Access to this kind of data is restricted with two-factor authentication at all times and Personal Data is not sold to third parties.
Ideanote creates back-ups of Customer Data three times a day and retains these back-ups for up to a month. In case of a security, technical, physical or data-loss incident, roll-backs of Customer Data can be initiated in a timely manner.