Goodnotes Limited Data Processing Addendum

This data processing addendum ("DPA") shall govern the Processing of Licensee Personal Data in connection with the Software licensed under the Enterprise Software Licence Agreement ("Licence Agreement") entered into between you (the "Licensee") and Goodnotes Limited, a company incorporated in England and Wales with a registered office at 1 Bartholomew Lane, London, United Kingdom, EC2N 2AX (the "Licensor"). 

In consideration of the mutual obligations set out in this DPA, the Parties agree that the provisions set out in this DPA are supplemental to the relevant Licence Agreement and shall form part of the Licence Agreement. In the event of any conflict or inconsistency between the provisions of this DPA and the provisions of the Licence Agreement in connection with the Processing of Licensee Personal Data, the provisions of this DPA shall take precedence. 

Except where the context requires otherwise, references in this DPA to the Licence Agreement are to the Licence Agreement as amended by, and including, this DPA.

Table of contents
  1. 1. Definitions and Interpretation

    1. In this DPA, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
      Applicable Data Protection Laws
      means all applicable laws relating to the protection of Personal Data as amended, updated or replaced from time and time and which apply to the Licensor or Licensee  in the processing of Licensee Personal Data in the circumstances governed by this DPA, including but not limited to: (a) the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council ("GDPR"); (b) the UK version of the GDPR which is part of UK law by virtue of the European Union (Withdrawal) Act 2018 ("UK GDPR") and the Data Protection Act 2018, in each case together with all laws and regulations supplementing, amending or replacing the same in any EU Member State or the UK; and (d) the data protection or privacy laws of any other country;"Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Process", "Processor" and "Special Categories of Personal Data" have the meanings described in the Applicable Data Protection Laws and cognate terms shall be construed accordingly;
      Authorised Licensees
      has the meaning given to that term in the Licence Agreement;
      Licensee Data
      has the meaning given to that term in the Licence Agreement;
      Licensee Personal Data
      means Personal Data contained in the Licensee Data and Processed by the Licensor under this DPA;
      Licensor Privacy Notice
      means the Licensor's privacy notice found at https://www.goodnotes.com/privacy-policy;
      Party
      means a party to this DPA; and
      Software
      has the meaning given to that term in the Licence Agreement.
  2. 2. Compliance

    1. Each Party shall comply with Applicable Data Protection Laws when Processing Licensee Personal Data in connection with this DPA.
    2. The Licensee shall:
      1. ensure that all Licensee Personal Data has been collected and provided to the Licensor in compliance with Applicable Data Protection Laws and, where required by the Applicable Data Protection Laws, shall obtain Data Subjects’ consent prior to providing their Personal Data to the Licensor; 
      2. notify Data Subjects that their Personal Data may be provided to the Licensor; 
      3. ensure that all Licensee Personal Data is accurate, and where appropriate kept up to date; and 
      4. notify the Licensor if it becomes aware that any Licensee Personal Data is inaccurate.
    3. If during the term of this DPA, Applicable Data Protection Laws change in a way that this DPA is no longer adequate for the purpose of governing lawful sharing and Processing of Licensee Personal Data, the Parties agree that the Licensor may make such amendments to this DPA which it reasonably considers to be necessary to address the relevant change in Applicable Data Protection Laws and such amended DPA shall take effect between the Parties upon being published on this page https://goodnotes.com/data-processing-addendum
    4. This DPA shall terminate upon expiration or termination of the Licence Agreement.
    5. Where the Licensee Personal Data is provided to the Licensor by an Authorised Licensee or generated as a result of an Authorised Licensee's use of the Software, the Licensee shall procure that the relevant Authorised Licensee shall agree to, and comply with, the provisions set out in this DPA and that:
      1. references in the provisions of this DPA to "Party" or "Parties" shall be deemed to include "the relevant Authorised Licensee" as appropriate; and
      2. references in the provisions of this DPA to "the Licensee" shall be replaced with "the relevant Authorised Licensee".
  3. 3. Obligations when Processing Licensee Personal Data as a Controller

    1. The Parties acknowledge and agree that the Licensor shall in certain circumstances Process Licensee Personal Data as an independent Controller, and the circumstances under which it Processes Licensee Personal Data as an independent Controller are set out in the Licensor Privacy Notice.
    2. To the extent that the Licensor is acting as an independent Controller of Licensee Personal Data under this DPA: 
      1. the Licensee agrees to bring the Licensor Privacy Notice to the attention of Data Subjects whose Personal Data may be Processed by the Licensor in connection with this DPA;
      2. each Party shall, at the other Party's sole expense, provide the other Party with such co-operation as reasonably requested to assist the other Party’s compliance with its obligations under Applicable Data Protection Laws in relation to the Licensee Personal Data; and
      3. the Licensor shall notify the Licensee upon becoming aware of any Personal Data Breach affecting the Licensee Personal Data.
  4. 4. Obligations when Processing Licensee Personal Data as a Processor

    1. Except to the extent that the Licensor Processes Licensee Personal Data as an independent Controller pursuant to Clause 3, the Parties acknowledge and agree that the Licensor will Process Licensee Personal Data as a Processor on behalf of the Licensee. The details of this Processing activity are set out in Appendix 1 (Data Processing Details).
    2. To the extent that the Licensor is acting as a Processor of Licensee Personal Data under this DPA, the Licensor shall:
      1. process Licensee Personal Data on the documented instructions of the Licensee, in order to supply its services and the Software, and as otherwise necessary to perform its obligations under the Licence Agreement unless required to do otherwise by applicable law, in which case the Licensor, if permitted by such law, shall inform the Licensee of that legal requirement before such Processing;
      2. ensure that persons authorised to process the Licensee Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
      3. implement and maintain appropriate technical and organisational measures to protect against unauthorised or unlawful Processing of the Licensee Personal Data and against accidental loss or destruction of, or damage to, the Licensee Personal Data, appropriate to the harm that might result and the nature of the Licensee Personal Data to be protected, having regard to the state of technological development and the cost of implementing any measures;
      4. be generally authorised by the Licensee to engage another Processor to Process the Licensee Personal Data ("Subprocessor"), provided that the Licensor maintains a list of such Subprocessors (which can be found below in Appendix 2) and subject to (i) the Licensor ensuring that the Subprocessor enters into binding contractual obligations which are substantially similar to those set out in Clause 4.2 of this DPA and (ii) the Licensor remaining fully liable to the Licensee for the performance by such Subprocessor of such obligations. The Licensor will provide notice of the addition or replacement of Subprocessors at least fourteen (14) calendar days in advance of the change becoming effective upon which the Licensee may object to the change in Subprocessor. If such an objection is raised within this 30-day period, the Parties shall discuss in good faith a resolution to this objection;
      5. taking into account the nature of the Processing, assist the Licensee by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Licensee's obligation to respond to requests from Data Subjects to exercise their rights laid down in Applicable Data Protection Laws in relation to the Licensee Personal Data;
      6. notify the Licensee without undue delay of any Personal Data Breach in relation to the Licensee Personal Data upon becoming aware of the same, and provide all information reasonably required by the Licensee to comply with its obligations under Applicable Data Protection Laws in relation to such Personal Data Breach, and assist the Licensee with its obligations pursuant to Applicable Data Protection Laws in relation to data protection impact assessments and prior consultations with relevant data protection authorities (and with any similar obligations under other Applicable Data Protection Laws) taking into account the nature of the Processing and information available to the Licensor;
      7. not transfer the Licensee Personal Data outside of the EU, UK or a jurisdiction in respect of which there has been a finding of adequacy by the European Commission pursuant to Article 45 of the GDPR or by the Secretary of State pursuant to Article 45 of the UK GDPR (as applicable) (Relevant Jurisdictions) unless it ensures that any such transfer of Licensee Personal Data outside the Relevant Jurisdictions is subject to appropriate safeguards as recognised by Applicable Data Protection Laws;
      8. upon the termination or expiry of the relevant Licence Agreement and at the Licensee's option, either return or delete all copies of the Licensee Personal Data Processed by the Licensor applicable law requires storage of such Licensee Personal Data; and
      9. make available to the Licensee on request all information necessary to demonstrate compliance with Article 28 of the UK GDPR and GDPR (and with any similar requirements under other Applicable Data Protection Laws) in relation to its Processing of Licensee Personal Data and shall, no more than once per calendar year, during the Licensor's normal business hours and subject to reasonable prior written notice and upon agreeing appropriate confidentiality provisions, allow for and contribute to audits, including inspections, by the Licensee or an auditor mandated by the Licensee.
  5. 5. General Terms

    1. No variation of this DPA will be effective unless it is in writing and signed by the Parties.

APPENDIX 1 – DATA PROCESSING DETAILS

This Appendix 1 forms part of the DPA and describes the Processing of Licensee Personal Data that the Licensor will perform on behalf of Licensee.
  1. A. Subject matter and duration of the Processing of the Personal Data:

    1. The subject matter of the Processing of the Licensee Personal Data is set out in the Licence Agreement.
    2. The duration of the Processing of the Licensee Personal Data is for the term of the Licence Agreement.
  2. B. The nature and purpose of the Processing of the Personal Data:

    1. The nature and purpose of the Processing of the Licensee Personal Data are set out in the Licence Agreement.
  3. C. The type of Personal Data:

    1. The Licensee Personal Data Processed may include some or all of the following attributes: (i) personal identifiers and contact information (including email address); (ii) organisation/education institution details; (iii) diagnostic data (which includes information necessary to diagnose and resolve issues which a user might experience with the Software); (iv) information automatically collected or generated about a user's use of the Software; (v) any information/selections that a user chooses to upload or share through the Software or that a user chooses to tell the Licensor.
  4. D. Special Categories of Personal Data:

    1. None
  5. E. The categories of Data Subject to whom the Licensee Personal Data relates:

    The categories of Data Subject may include some or all of the following: the Licensee's or Authorised Licensee's users of the Software.
  6. F. The obligations and rights of the Licensee:

    The obligations and rights of the Licensee are set out in the Licence Agreement.

APPENDIX 2 – SUBPROCESSORS

The Licensor uses the following Subprocessors:

  • Amazon Web Services
  • Amplitude 
  • Braze 
  • Data Dog
  • Google 
  • GoTeleport
  • HubSpot
  • Lyssna 
  • Mail Chimp
  • Markany
  • Paddle
  • Sprig
  • UserInterviews
  • UserTesting
  • UserVoice
  • Zendesk Inc