Data Processing Addendum For Goodnotes Education

Last Updated: March 2026

This data processing addendum ("DPA") shall govern the Processing of Licensee Personal Data in connection with the Software licensed under the Goodnotes Education Licence Agreement ("Licence Agreement") entered into between you (the "Licensee") and Goodnotes Limited, a company incorporated in England and Wales with a registered office at 1 Bartholomew Lane, London, United Kingdom, EC2N 2AX (the "Licensor").

In consideration of the mutual obligations set out in this DPA, the Parties agree that the provisions set out in this DPA are supplemental to the relevant Licence Agreement and shall form part of the Licence Agreement. In the event of any conflict or inconsistency between the provisions of this DPA and the provisions of the Licence Agreement in connection with the Processing of Licensee Personal Data, the provisions of this DPA shall take precedence. 

Except where the context requires otherwise, references in this DPA to the Licence Agreement are to the Licence Agreement as amended by, and including, this DPA.

Table of contents

  1. 1. Definitions and Interpretation

    1. In this DPA, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
      Applicable Data Protection Laws
      means all applicable laws relating to the protection of Personal Data as amended, updated or replaced from time and time and which apply to the Licensor or Licensee  in the processing of Licensee Personal Data in the circumstances governed by this DPA, including but not limited to: (a) the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council ("GDPR"); (b) the UK version of the GDPR which is part of UK law by virtue of the European Union (Withdrawal) Act 2018 ("UK GDPR") and the Data Protection Act 2018, in each case together with all laws and regulations supplementing, amending or replacing the same in any EU Member State or the UK; and (d) the data protection or privacy laws of any other country;"Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Process", "Processor" and "Special Categories of Personal Data" have the meanings described in the Applicable Data Protection Laws and cognate terms shall be construed accordingly;
      Authorised Licensees
      has the meaning given to that term in the Licence Agreement;
      EU Restricted Transfer
      means a transfer of Licensee Personal Data from the Licensee to the Licensor (or vice versa) or an onward transfer of Licensee Personal Data made by the Licensor, where such transfer would at the time of the transfer be prohibited by the GDPR (or by the terms of data transfer agreements put in place to address the data transfer restrictions of the GDPR) in the absence of the EU Standard Contractual Clauses to be established under clause 5 of this DPA (Data Transfers).
      EU Standard Contractual Clauses
      means the Standard Contractual Clauses forming part of Decision 2021/914/EC (as amended or replaced from time to time), including their appendices and with the relevant Modules and Options set out in clause 5 of this DPA (Data Transfers) incorporated;
      Goodnotes Cloud
      has the meaning given to that term in the Licence Agreement;
      Licensee Data
      has the meaning given to that term in the Licence Agreement;
      Licensee Personal Data
      means Personal Data contained in the Licensee Data and Processed by the Licensor under this DPA;
      Licensor Privacy Notice
      means the Licensor's privacy notice found at https://www.goodnotes.com/privacy-policy;
      Party
      means a party to this DPA;
      Software
      has the meaning given to that term in the Licence Agreement.
      Subscription Services
      has the meaning given to that term in the Licence Agreement;
      UK Addendum
      has the meaning set out in clause 5.5 of this DPA (Data Transfers); and
      UK Restricted Transfer
      means a transfer of personal data from the Licensee to the Licensor (or vice versa) or an onward transfer of Licensee Personal Data made by the Licensor, where such transfer would at the time of the transfer be prohibited by the UK GDPR (or by the terms of data transfer agreements put in place to address the data transfer restrictions of the UK GDPR) in the absence of the relevant UK Addendum established under clause 5 of this DPA (Data Transfers).

  2. 2. Compliance

    1. Each Party shall comply with Applicable Data Protection Laws when Processing Licensee Personal Data in connection with this DPA.
    2. The Licensee shall:
      1. ensure that all Licensee Personal Data has been collected and provided to the Licensor in compliance with Applicable Data Protection Laws and, where required by the Applicable Data Protection Laws, shall obtain Data Subjects’ consent (including consents of the parents or guardians of minors in accordance with paragraph 2.3 below) prior to providing their Personal Data to the Licensor;
      2. notify Data Subjects that their Personal Data may be provided to the Licensor; 
      3. ensure that all Licensee Personal Data is accurate, and where appropriate kept up to date; and 
      4. notify the Licensor if it becomes aware that any Licensee Personal Data is inaccurate.
    3. If a Data Subject is a minor (i.e. under the age of 16) and the Licensee is required to obtain the Data Subject's consent prior to providing their Personal Data to the Licensor, the Licensee shall obtain such consent from the holder of parental responsibility over the minor (i.e. their parent or guardian). The Licensee is solely responsible for obtaining such consent of the Personal Data from such Data Subjects.
    4. If during the term of this DPA, Applicable Data Protection Laws change in a way that this DPA is no longer adequate for the purpose of governing lawful sharing and Processing of Licensee Personal Data, the Parties agree that the Licensor may make such amendments to this DPA which it reasonably considers to be necessary to address the relevant change in Applicable Data Protection Laws and such amended DPA shall take effect between the Parties upon being published on this page https://goodnotes.com/data-processing-addendum
    5. This DPA shall terminate upon expiration or termination of the Licence Agreement.

  3. 3. Obligations when Processing Licensee Personal Data as a Controller

    1. The Parties acknowledge and agree that the Licensor shall in certain circumstances Process Licensee Personal Data as an independent Controller, and the circumstances under which it Processes Licensee Personal Data as an independent Controller are set out in the Licensor Privacy Notice.
    2. To the extent that the Licensor is acting as an independent Controller of Licensee Personal Data under this DPA: 
      1. the Licensee agrees to bring the Licensor Privacy Notice to the attention of Data Subjects whose Personal Data may be Processed by the Licensor in connection with this DPA;
      2. each Party shall, at the other Party's sole expense, provide the other Party with such co-operation as reasonably requested to assist the other Party’s compliance with its obligations under Applicable Data Protection Laws in relation to the Licensee Personal Data; and
      3. the Licensor shall notify the Licensee upon becoming aware of any Personal Data Breach affecting the Licensee Personal Data.

  4. 4. Obligations when Processing Licensee Personal Data as a Processor

    1. Except to the extent that the Licensor Processes Licensee Personal Data as an independent Controller pursuant to Clause 3, the Parties acknowledge and agree that the Licensor will Process Licensee Personal Data as a Processor on behalf of the Licensee, in the capacity of Controller. The details of this Processing activity are set out in Appendix 1 (Data Processing Details).
    2. To the extent that the Licensor is acting as a Processor of Licensee Personal Data under this DPA, the Licensor shall:
      1. process Licensee Personal Data on the documented instructions of the Licensee, in order to supply its services and the Software, and as otherwise necessary to perform its obligations under the Licence Agreement unless required to do otherwise by applicable law, in which case the Licensor, if permitted by such law, shall inform the Licensee of that legal requirement before such Processing;
      2. ensure that persons authorised to process the Licensee Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
      3. implement and maintain appropriate technical and organisational measures including those set out inj Appendix 3, to protect against unauthorised or unlawful Processing of the Licensee Personal Data and against accidental loss or destruction of, or damage to, the Licensee Personal Data, appropriate to the harm that might result and the nature of the Licensee Personal Data to be protected, having regard to the state of technological development and the cost of implementing any measures;
      4. be generally authorised by the Licensee to engage another Processor to Process the Licensee Personal Data ("Subprocessor"), provided that the Licensor maintains a list of such Subprocessors (which can be found below in Appendix 2) and subject to (i) the Licensor ensuring that the Subprocessor enters into binding contractual obligations which are substantially similar to those set out in Clause 4.2 of this DPA and (ii) the Licensor remaining fully liable to the Licensee for the performance by such Subprocessor of such obligations. The Licensor will provide notice of the addition or replacement of Subprocessors at least fourteen (14) calendar days in advance of the change becoming effective upon which the Licensee may object to the change in Subprocessor. If such an objection is raised within this 30-day period, the Parties shall discuss in good faith a resolution to this objection;
      5. taking into account the nature of the Processing, assist the Licensee by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Licensee's obligation to respond to requests from Data Subjects to exercise their rights laid down in Applicable Data Protection Laws in relation to the Licensee Personal Data;
      6. notify the Licensee without undue delay of any Personal Data Breach in relation to the Licensee Personal Data upon becoming aware of the same, and provide all information reasonably required by the Licensee to comply with its obligations under Applicable Data Protection Laws in relation to such Personal Data Breach, and assist the Licensee with its obligations pursuant to Applicable Data Protection Laws in relation to data protection impact assessments and prior consultations with relevant data protection authorities (and with any similar obligations under other Applicable Data Protection Laws) taking into account the nature of the Processing and information available to the Licensor;
      7. not transfer the Licensee Personal Data outside of the EU, UK or a jurisdiction in respect of which there has been a finding of adequacy by the European Commission pursuant to Article 45 of the GDPR or by the Secretary of State pursuant to Article 45 of the UK GDPR (as applicable) (Relevant Jurisdictions) unless it ensures that any such transfer of Licensee Personal Data outside the Relevant Jurisdictions is subject to appropriate safeguards as recognised by Applicable Data Protection Laws;
      8. upon the termination or expiry of the relevant Licence Agreement and at the Licensee's option, either return or securely destroy all copies of the Licensee Personal Data Processed by the Licensor and in the Licensor's possession unless applicable law requires storage of such Licensee Personal Data; and
      9. make available to the Licensee on request all information necessary to demonstrate compliance with Article 28 of the UK GDPR and GDPR (and with any similar requirements under other Applicable Data Protection Laws) in relation to its Processing of Licensee Personal Data and shall, no more than once per calendar year, during the Licensor's normal business hours and subject to reasonable prior written notice and upon agreeing appropriate confidentiality provisions, allow for and contribute to audits, including inspections, by the Licensee or an auditor mandated by the Licensee.

  5. 5. Data Transfers


               EU Restricted Transfers
    1. With respect to any EU Restricted Transfers, Licensee and Licensor hereby enter into the EU Standard Contractual Clauses incorporating: (i) the general clauses (Clauses 1-6); (ii) Modules One (Transfer Controller to Controller), Two (Transfer Controller to Processor) and Four (Transfer Processor to Controller) as applicable in accordance with ‎Part A of ‎Appendix 4 to this DPA; (iii) the relevant options set out in ‎Part A of Appendix 4 to this DPA; and (iv) with the Annexes populated as set out below:
      1. Annex I of the EU Standard Contractual Clauses shall be pre-populated with the details set out in ‎Part B of ‎Appendix 4 to this DPA;
      2. Annex II of the EU Standard Contractual Clauses shall be pre-populated with the details set out in ‎Appendix 3 (Technical and Organizational Measures) to this ‎DPA; and
      3. Annex III of the EU Standard Contractual Clauses shall be pre-populated with the details set out in ‎Appendix 2 (Subprocessors) to this DPA.
    2. For the purposes of clause ‎5.1, the EU Standard Contractual Clauses shall come into effect upon commencement of an EU Restricted Transfer.
    3. Prior to the commencement of any EU Restricted Transfer to or from a Sub-processor, Licensor will enter into the EU Standard Contractual Clauses with such Sub-processor, incorporating the general Clauses (Clauses 1-6) and Module 3 (Transfer Processor to Processor).

      UK Restricted Transfers
    4. With respect to any UK Restricted Transfers, Licensee and Licensor hereby enter into the EU Standard Contractual Clauses in accordance with clause ‎5.1 and the UK Addendum in respect of any such UK Restricted Transfer.
    5. For the purposes of this DPA, “UK Addendum” means the Addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner's Office in accordance with S119A of the UK Data Protection Act 2018 and incorporating:
      1. the party details as set out in Part B of Appendix 4 to this DPA, inserted in Table 1 (Parties) of such UK Addendum;
      2. the first option in Table 2 to clarify that the UK Addendum incorporates the Approved EU SCCs as incorporated into this DPA;
      3. the list of parties and the description of the transfer of Personal Data, each as set out in ‎Part B of ‎Appendix 4 to this DPA, inserted in Table 3 (Appendix Information) of such UK Addendum;
      4. the description of the technical and organizational security measures as set out in ‎ Appendix 3 (Technical and Organizational Measures) to this ‎DPA, inserted in Table 3 (Appendix Information) of such UK Addendum;
      5. the list of Sub-processors as set out in ‎Appendix 2 (Subprocessors) to this DPA, inserted in Table 3 (Appendix Information) of such UK Addendum; and
      6. the option exporter set out in Table 4 of such UK Addendum;
    6. Licensee and Licensor agree that:
      1. the UK Addendum shall be deemed incorporated into the EU Standard Contractual Clauses entered into in accordance with clause ‎5.1 above;
      2. they shall be bound by the UK Addendum as incorporated into the EU Standard Contractual Clauses; and
      3. such UK Addendum and the EU Standard Contractual Clauses into which it is incorporated shall come into effect upon commencement of any UK Restricted Transfer.
    7. Prior to the commencement of any UK Restricted Transfer to or from a sub-processor, Licensor will enter into the EU Standard Contractual Clauses with such sub-processor, incorporating the general Clauses (Clauses 1-6), Module 3 (Transfer Processor to Processor) and the UK Addendum.

  6. 6. General Terms

    1. No variation of this DPA will be effective unless it is in writing and signed by the Parties.

APPENDIX 1 – DATA PROCESSING DETAILS

This Appendix 1 forms part of the DPA and describes the Processing of Licensee Personal Data that the Licensor will perform on behalf of Licensee.

  1. The subject matter of the Processing of the Licensee Personal Data is as follows:

    1. Licensor's provision of Goodnotes Cloud to the Licensee: in the event that Licensee and its Authorised Licensees are users of Goodnotes Cloud, Licensor hosts Licensee Personal Data stored in the Goodnotes Cloud in the capacity of a Processor on behalf of the Licensee
    2. Licensor's provision of the Subscription Services and the Software to the Licensee: Licensor processes Licensee Personal Data to set up, administer and otherwise provide the Subscription Services to the Licensee and its Authorised Licensees in the capacity of a Processor on behalf of the Licensee
    The duration of the Processing of the Licensee Personal Data is for the term of the Licence Agreement.

  2. B. The nature and purpose of the Processing of the Personal Data:

    1. The nature and purpose of the Processing of the Licensee Personal Data is to enable the Licensor to provide Goodnotes Cloud, the Subscription Services and the Software to the Licensee.

  3. C. The type of Personal Data:

    1. The Licensee Personal Data Processed may include some or all of the following attributes: (i) personal identifiers and contact information (including email address); (ii)education institution details; (iii) diagnostic data (which includes information necessary to diagnose and resolve issues which an Authorised Licensee might experience with the Software); (iv) information automatically collected or generated about an Authorised Licensee use of the Software; (v) any information/selections that an Authorised Licensee chooses to upload onto or share through Goodnotes Cloud, the Subscription Services and/or the Software or that an Authorised Licensee chooses to tell the Licensor.

  4. D. Special Categories of Personal Data:

    None.

  5. E. The categories of Data Subject to whom the Licensee Personal Data relates:

    The categories of Data Subject may include some or all of the following: the Licensee's users of the Subscription Services and Goodnotes Cloud (including the Authorised Licensees).

  6. F. The obligations and rights of the Licensee:

    The obligations and rights of the Licensee are set out in the Licence Agreement.

APPENDIX 2 – SUBPROCESSORS

The Licensor uses the following Subprocessors:

  • Amazon Web Services
  • Amplitude 
  • Braze 
  • Data Dog
  • Google 
  • Google Forms
  • HubSpot
  • Lyssna 
  • Mail Chimp
  • Markany
  • Mixpanel
  • Paddle (or other similar third party merchant of record)
  • Sprig
  • UserInterviews
  • UserTesting
  • UserVoice
  • Zendesk Inc
  • Summize
  • StreamNative
  • Snowflake
  • Statsig
  • Hex.Technologies

APPENDIX 3 – TECHNICAL AND ORGANISATIONAL MEASURES

  • Data stored on AWS servers is encrypted at rest;
  • Access to the network is heavily restricted and logged using Teleport;
  • Data is protected against DDoS attacks using AWS Shield; and
  • Intrusion detection is in place using AWS GuardDuty
  • Database servers are in a private network, and access is restricted.
  • Access is logged using a zero-trust solution called Teleport, authenticated through Okta.
  • The data is encrypted in transit via TLS v1.2.

APPENDIX 4 - CONTENT OF EU STANDARD CONTRACTUAL CLAUSES


PART 1: SELECTED MODULES AND OPTIONS OF THE EU STANDARD CONTRACTUAL CLAUSES

For the purposes of Clause 5 of the DPA, Licensee and Licensor agree that the following Modules and Options of the EU Standard Contractual Clauses shall be deemed to be incorporated:

Clause 7 (Docking clause)
Clause 7 shall not be incorporated;
Clause 8 (Data protection safeguards)
Modules One, Two and Four;
Clause 9 (Use of sub-processors)
Module Two, Option 1 and the specific time period referred to shall be 14 days;
Clause 10 (Data subject rights)
Modules One, Two and Four;
Clause 11 (Redress)
Modules One and Two and the Option in Clause 11(a) shall not be incorporated;
Clause 12 (Liability)
Modules One, Two and Four;
Clause 13 (Supervision)
Modules One and Two incorporating all paragraphs of Clause 13(a) as applicable;
Clause 14 (Local laws and practices affecting compliance with the Clauses)
Modules One, Two and Four;
Clause 15 (Obligations of the data importer in case of access by public authorities)
Modules One, Two and Four;
Clause 16 (Non-compliance with the Clauses and termination)
For Clause 16(d) the relevant parts for Modules One, Two and Four;
Clause 17 (Governing law)
Modules One and Two, Options 1 and 2 as applicable and the law inserted shall be the laws of the EU Member State in which the data exporter is established, save that: (i) where such laws do not allow for third-party beneficiary rights; or (ii) the data exporter is not established in an EU Member State, the law inserted shall be the laws of England and Wales;

Module Four and the law inserted shall be the laws of the country stated in the governing law clause of the License Agreement, save that where such law does not allow for third-party beneficiary rights, the law inserted shall be the laws of England and Wales;
Clause 18 (Choice of forum and jurisdiction)
Modules One and Two and the courts inserted shall be the courts in the Member State referred to in Clause 17 (Governing law); and

Module Four and the country inserted shall be the country stated to have jurisdiction in the Licence Agreement, save that where the laws of that country do not allow for third-party beneficiary rights, the country inserted shall be England.


PART 2: CONTENT OF ANNEX I TO THE EU STANDARD CONTRACTUAL CLAUSES

List of Parties

Data Exporter

Name: Licensee, as set out in the Licence Agreement.

Address: as set out in the Licence Agreement.

Contact person's name, position and contact details: as set out in the notice provisions in the Licence Agreement, unless the data importer notifies the data exporter otherwise.

Activities relevant to the data transferred under these Clauses: as set out in the Licence Agreement.

Role (controller/processor): controller (as applicable)

Data Importer(s)

Name: Licensor, as set out in the Licence Agreement.

Address: as set out in the Licence Agreement.

Contact person's name, position and contact details: as set out in the notice provisions in the Licence Agreement, unless the data importer notifies the data exporter otherwise.

Activities relevant to the data transferred under these Clauses: as set out in the Licence Agreement.

Role (controller/processor): controller/processor (as applicable)

Description of Transfer

Categories of data subjects whose personal data is transferred: as per the categories of data subject to whom the personal data relates set out in Appendix 1.

Categories of personal data transferred: as per the types of personal data to be processed set out in Appendix 1.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: N/A

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): continuous unless otherwise specified in the Licence Agreement.

Nature of the processing: as per the nature of the processing set out in Appendix 1.

Purpose(s) of the data transfer and further processing: as per the purpose(s) set out Appendix 1

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: as per Clause 4.2.8 of the DPA

For transfers to (sub-) processors, also specify the subject matter, nature and duration of the processing: as per the subject matter, nature and duration set out in Appendix 1.

Competent Supervisory Authority

Identify the competent supervisory authority/ies in accordance with Clause 13: The competent supervisory authority in the EU Member State in which the data exporter is established and, in the event that the data exporter is not established in an EU Member State, the data protection authority of England and Wales.


PART 3: CONTENT OF ANNEX III TO THE EU STANDARD CONTRACTUAL CLAUSES

The controller has authorised the use of the following subprocessors:
The entities set out in Appendix 2

Legal

Terms and Conditions
Privacy Policy
California Privacy Policy
Virginia Privacy Notice
China Addendum Privacy Policy
Hong Kong Addendum Privacy Policy
Cookie Policy
Take Down Requests Notice
Terms of Use for Marketplace
Goodnotes Education License Agreement and Data Processing Agreement for Schools
Data Processing Addendum
Goodnotes for Business End User License Agreement (EULA)
Supplementary Terms and Conditions for AI Beta Features
Supplementary Privacy Notice for AI Beta Features