DATA PROCESSING ADDENDUM (DPA)

Last Updated: August 12, 2025

This Data Processing Addendum (“Addendum”) forms part of the Terms of Service, Privacy Policy or other written or electronic agreement or policies available at https://notessa.ai/privacy (“Principal Agreement”) between the Processor and the Controller for the provision of Services that involve the Processing of Personal Data.

1. Definitions

For purposes of this Addendum, the following terms have the meanings set out below. All other capitalized terms not otherwise defined herein have the meaning given to them in Applicable Law and the Principal Agreement.

  • “Applicable Law” means all data protection and privacy laws and regulations applicable to the Processing of Personal Data under this Addendum, including, where applicable, the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK GDPR, the UK Data Protection Act 2018, the California Consumer Privacy Act of 2018 (“CCPA”), as amended, and any other laws implementing or supplementing the foregoing.
  • “Controller” means the entity that determines the purposes and means of Processing Personal Data.
  • “Processor” means the entity that Processes Personal Data on behalf of the Controller.
  • “Personal Data” means any information relating to an identified or identifiable natural person that is Processed under this Addendum.
  • “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means.
  • “Sub-processor” means any third party engaged by the Processor to Process Personal Data on its behalf.
  • “Data Subject” means the individual to whom Personal Data relates.
  • “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

2. Purpose and Scope

2.1 Purpose
The Processor will Process Personal Data solely as necessary to provide the services described in the Principal Agreement, including AI-powered data analysis, note generation, and related customer support.

2.2 Scope
This Addendum governs the Processing of Personal Data by the Processor on behalf of the Controller in connection with the services, and applies to all activities in which Personal Data is handled.

3. Duration of Processing

This Addendum remains in effect for as long as the Processor Processes Personal Data on behalf of the Controller, and shall terminate automatically upon deletion or return of all such data.

4. Obligations of the Controller

The Controller shall:

a. Provide lawful, documented instructions to the Processor for the Processing of Personal Data.
b. Ensure that its Processing instructions comply with Applicable Law.
c. Maintain a lawful basis for the collection, use, and disclosure of Personal Data provided to the Processor.
d. Respond to Data Subject requests in compliance with Applicable Law, with reasonable cooperation from the Processor.

5. Obligations of the Processor

The Processor shall:

a. Process Personal Data only on documented instructions from the Controller.
b. Not retain, use, or disclose Personal Data for any purpose other than those permitted under the Principal Agreement or Applicable Law.
c. Maintain confidentiality of Personal Data, ensuring personnel are bound by appropriate confidentiality obligations.
d. Implement and maintain appropriate technical and organizational measures (“TOMs”) to ensure a level of security appropriate to the risk, including but not limited to:

  • Encryption of Personal Data in transit and at rest.
  • Role-based access controls.
  • Regular vulnerability scanning and security patching.
  • Logging and monitoring of access and data changes.
  • Incident response and breach notification protocols.

e. Assist the Controller in ensuring compliance with its obligations under Applicable Law, including with respect to security, breach notifications, impact assessments, and consultations with authorities.

6. Security Measures

The Processor shall at a minimum implement industry-standard security measures, including:

  1. Physical Security – Data centers and systems hosting Personal Data shall have controlled access, environmental protections, and security personnel as appropriate.
  2. Logical Security – User authentication, password policies, multi-factor authentication for administrative access.
  3. Data Protection – TLS encryption in transit, AES-256 encryption at rest.
  4. Monitoring – Logging, monitoring, and intrusion detection systems to identify and respond to potential threats.
  5. Training – Regular staff training on data protection and security best practices.
  6. Incident Response – Documented and tested incident response plan.

7. Use of Sub-processors

  • List of current Sub-processors:

    Sub-processor Name    Purpose                                               Location
    Amazon Web Services   AI provider, cloud infrastructure and authentication  USA
    OpenAI                AI provider                                           USA

  • The Processor may engage additional Sub-processors only with prior notice to the Controller, ensuring the same data protection obligations apply to the Sub-processor as set forth in this Addendum.
  • The Processor remains fully liable for the performance of each Sub-processor.

8. Data Subject Rights

The Processor shall, to the extent permitted by law and practicable:

a. Promptly notify the Controller of any Data Subject request received.
b. Assist the Controller in fulfilling Data Subject requests (including access, rectification, erasure, restriction, portability, and objection).

9. Data Breach Notification

In the event of a Data Breach, the Processor shall:

a. Notify the Controller without undue delay and in no case later than 24 hours after becoming aware.
b. Provide all information reasonably necessary for the Controller to meet its breach reporting obligations.
c. Take immediate steps to mitigate the impact of the breach.

10. Audit and Compliance

a. Upon reasonable notice, the Controller may conduct audits or receive documentation (e.g., SOC 2 Type II reports, ISO 27001 certifications) demonstrating the Processor’s compliance.
b. Audits must not unreasonably disrupt the Processor’s operations and may be subject to confidentiality requirements.

11. International Transfers

Where the Processing involves the transfer of Personal Data outside the jurisdiction in which it was collected, the Processor shall ensure appropriate safeguards are in place, including execution of Standard Contractual Clauses or other lawful transfer mechanisms.

12. Return or Deletion of Data

Upon termination or expiration of the Principal Agreement, the Processor shall, at the choice of the Controller:

a. Return all Personal Data; or
b. Securely delete all Personal Data, unless retention is required by law.

Such return or deletion shall occur within 30 days of termination.

13. Liability

The Processor shall be liable for breaches of this Addendum, including acts or omissions of Sub-processors. Liability caps and exclusions shall be as set forth in the Principal Agreement unless otherwise agreed.

14. Governing Law

This Addendum shall be governed by and construed in accordance with the laws specified in the Principal Agreement, without regard to conflict of law principles.

15. Miscellaneous

a. In the event of a conflict between this Addendum and the Principal Agreement, this Addendum shall prevail with respect to data protection obligations.
b. Any amendment to this Addendum must be in writing and signed by both parties.
c. If any provision of this Addendum is found invalid or unenforceable, the remaining provisions shall remain in full force and effect.