Goodnotes Classroom License Agreement and Data Processing Agreement for Schools

Last Updated: Aug 2024

PLEASE READ THE TERMS OF THIS LICENCE AGREEMENT CAREFULLY

This is a legally binding agreement (the 'Agreement') between you (the 'Licensee', ‘Institution’) and us Goodnotes Limited and its affiliates (the 'Company', 'we', 'our' or 'us'). We are a company with our registered office at 1 Bartholomew Lane, London, United Kingdom, EC2N 2AX (Owner); (and, 'Licensor', 'we' or 'us'), granting you a licence (the 'Licence') for Goodnotes Classroom, including any free Updates, Upgrades, patches, fixes or workarounds made available by Licensor under this Licence, and any data, media or documents associated with it (together, the 'Software').

For the avoidance of doubt, this Licence shall not be deemed to amount to a sale of the Software. We remain the sole and beneficial owners of the Software at all times.

BY CLICKING ‘ACCEPT’ AT THE END OF THIS AGREEMENT, YOU AGREE TO AND ACCEPT THE FOLLOWING TERMS WHICH WILL BE BINDING ON YOU AND ANY OF AUTHORISED LICENSEES WHEN ACCESSING, DOWNLOADING, OR USING THE SOFTWARE. PLEASE NOTE, IN PARTICULAR, THE LIMITATIONS ON LIABILITY IMPOSED AT CLAUSE 10. THIS IS A BUSINESS-TO-INSTITUTION  LICENCE AND IS NOT TO BE ENTERED INTO BY CONSUMERS OR AN INDIVIDUAL. YOU SHOULD ONLY CHOOSE ‘ACCEPT’ IF YOU ARE AN INSTITUTION. TO THE MAXIMUM EXTENT PERMITTED BY LAW, YOU HEREBY ACKNOWLEDGE AND AGREE THAT CONSUMER LAWS DO NOT APPLY. NOTHING IN THIS AGREEMENT WILL RESTRICT, EXCLUDE OR MODIFY ANY STATUTORY WARRANTIES, GUARANTEES, RIGHTS OR REMEDIES THAT YOU HAVE UNDER CONSUMER LAW THAT CANNOT BE LAWFULLY EXCLUDED. OUR LIABILITY IS LIMITED TO THE REPLACEMENT OR PRO-RATA REFUND OF ANY PREPAID FEES FOR YOUR SUBSCRIPTION COVERING THE REMAINDER OF THE TERM.

WHERE YOU DO NOT AGREE TO ANY OF THE TERMS OF THIS LICENCE, YOU SHALL CLICK ‘REJECT’. DOING SO MEANS THAT YOU ARE NOT ALLOWED TO ACCESS, INSTALL OR USE THE SOFTWARE AND WILL PREVENT YOU FROM ACCESSING THE SOFTWARE BY ANY MEANS.

Table of contents

  1. 1. Definitions and Interpretation

    1. In this Agreement:
      Admin Console
      means the portal to which the Licensee is granted access in order to configure the Subscription Services and allocate the Permitted Usage Rights to the Authorised Licensees.
      Applicable Laws
      means any laws, regulations, regulatory constraints, obligations or rules (including binding codes of conduct and binding statements of principle incorporated and contained in such rules) applicable to the existence or operation of this Agreement or the provision of the Subscription Services in the Territory from time to time;
      Authorised Licensees
      means users being students, teachers, employees, personnel or contractors of Licensee and/or Licensee group companies authorised by you to use the Subscription Services and the Documentation;
      Authorised Resellers
      means third parties which have entered into an agreement with the Licensor to market, promote, and accept orders for the Software on the Licensor’s behalf;
      Business Day
      means a day other than a Saturday, Sunday or bank or public holiday in England;
      Commencement Date
      means the date on which you accept this Agreement;
      Confidential Information
      means all information relating to a party's business which may reasonably be considered to be confidential in nature including information relating to that party's technology, know-how, Intellectual Property Rights, products and customers. All information relating to the Software including any technical or operational specifications or data shall be part of Licensor's Confidential Information;
      Documentation
      means the document made available to Licensee by Licensor online via email or via a licence key or such other web address notified by Licensor to Licensee from time to time which sets out a description of the Subscription Services and the user instructions for the Subscription Services;
      Feedback
      has the meaning given to it at clause ‎9.4;
      Goodnotes Cloud
      means the cloud service developed by Licensor;
      Intellectual Property Rights

      means any and all copyright, rights in inventions, patents, know-how, trade secrets, trademarks and trade names, service marks, design rights, rights in get-up, database rights and rights in data, semiconductor chip topography rights, utility models, domain names and all similar rights and, in each case:

      (a) whether registered or not;

      (b) including any applications to protect or register such rights;

      (c) including all renewals and extensions of such rights or applications;

      (d) whether vested, contingent or future; and

      (e) wherever existing;

      IPR Claim
      has the meaning given to it at clause ‎9.2;
      Licensee Data
      means all data (in any form) that is uploaded to any part of any Subscription Services by Licensee or by any Authorised Licensees or any data that is generated as a result of Licensee or any Authorised Licensees' use of its own data in the Subscription Services (but excluding Feedback);
      Order Form
      means (i) an invoice or other ordering documents or other ordering document agreed to in writing or electronically by the Licensee and the Licensor, or issued by one of the Licensor’s Authorised Reseller(s) and/or Third Party Platform; (ii) a purchase order issued by the Licensee and accepted by Licensor in writing or electronically; or (iii) a quote issued by Licensor (or one of Licensor’s Authorised Reseller(s) and accepted by the Licensee, in each case which references this Licence and sets forth the applicable Subscription Services to be provided by Licensor;
      Permitted Purpose
      means the purpose of facilitating classroom teaching at Licensee and such internal purpose only;
      Permitted Usage Rights
      means the permitted number of concurrent users across the permitted number of simultaneous devices for the licensed instance of the Subscription Services allocated by the Licensee via the Admin Console, under this Agreement as set out in the Order Form;
      Personal Data
      means any information which are related to an identified or identifiable natural person;
      Renewal Term
      has the meaning given in clause ‎12.1;
      Subscription Fees
      means the fees payable in advance by Licensee to Licensor in consideration of the licence of the Software under this Agreement as set out in the Order Form in ‎‎Schedule 1;
      Subscription Services
      means the online software applications provided by Licensor as part of the Subscription Services, as more particularly described in the Documentation;
      Subscription Term
      is as set out in the Order Form;
      Third Party Software
      means any third party software in the Software;
      Territory
      means the territory as specified in the Order Form;
      Update
      means a software maintenance update, patch or bug-fix which does not constitute an Upgrade;
      Upgrade
      means a version or release of software intended to have new or improved functionality or designated by Licensor as an upgrade;
      VAT
      means United Kingdom value added tax, any other tax imposed in substitution for it and any equivalent or similar tax imposed outside the United Kingdom;
      Virus
      any thing or device (including any software, code, file or programme) which may: prevent, impair or otherwise adversely affect the operation of any computer software, hardware or network, any telecommunications service, equipment or network or any other service or device; prevent, impair or otherwise adversely affect access to or the operation of any programme or data, including the reliability of any programme or data (whether by re-arranging, altering or erasing the programme or data in whole or part or otherwise); or adversely affect the user experience, including worms, trojan horses, viruses and other similar things or devices;
      Warranty Period
      has the meaning given in clause ‎8.1.
    2. In this Agreement:
      1. headings are included for convenience only and shall have no effect on interpretation;
      2. a reference to a 'party' includes that party's successors and permitted assigns;
      3. a reference to a 'person' includes a natural person, corporate or unincorporated body (in each case whether or not having separate legal personality) and that person's personal representatives, successors and permitted assigns;
      4. words in the singular include the plural and vice versa;
      5. any words that follow 'include', 'includes', 'including', 'in particular' or any similar words and expressions shall be construed as illustrative only and shall not limit the sense of any word, phrase, term, definition or description preceding those words; a reference to any legislation or legislative provision is a reference to it as in force at the date of this Agreement OR as amended, extended, re-enacted or consolidated from time to time except to the extent that any such amendment, extension or re-enactment would increase or alter the liability of a party under this Agreement;
      6. a reference to the Order Form includes this Agreement, the Schedules and their respective schedules, appendices and annexes (if any).

  2. 2. System Requirements

    1. The Software requires the following technical specifications to operate correctly:
      1. Minimum Operating system requirements: iOS 16+.
      2. Storage space: Users will use Goodnotes Account (also known as Goodnotes Cloud) to share or synchronise their documents with other users or with their other devices. They need to have enough Goodnotes Cloud storage to share the document.

  3. 3. Licence

    1. Subject to the terms of this Agreement and payment of Subscription Fees we grant to you a limited, revokable, non-exclusive, non-transferable, non-sublicensable (other than as permitted under clause ‎3.2) licence to permit Authorised Licensees to use the Subscription Services and the Documentation during the Subscription Term solely for the Permitted Purpose only in the Territory and for the duration of the Subscription Term.
    2. The Licence granted under this Agreement includes a right for you to grant sub-licences to Authorised Licensees provided always that you shall:
      1. be liable for the acts and omissions of Authorised Licensees as if they were your own;
      2. procure that each Authorised Licensee is aware of, and complies with, the obligations and restrictions imposed on you under this Agreement, including all obligations and restrictions relating to record keeping, audits and download, installation or use of the Software and Licensor's Confidential Information;
      3. ensure that the maximum number of Authorised Licensees that you authorise to access and use the Subscription Services and the Documentation shall not exceed the number of Permitted Usage Rights from time to time; and
      4. ensure each Authorised Licensee shall keep a secure password for his use of the Subscription Services and Documentation, that such password shall be changed no less frequently than QUARTERLY and that each Authorised Licensee shall keep his password confidential.
    3. Without prejudice to any other rights or obligations of either party, if you at any time have or Authorised Licensees exceeding the number of Permitted Usage Rights under this Agreement, you shall promptly disable the Subscription Services of those Authorised Licensees which have exceeded the number of Permitted Usage Rights. Licensee shall use all reasonable endeavours to prevent any unauthorised access to, or use of, the Subscription Services and/or the Documentation and, in the event of any such unauthorised access or use, promptly notify Licensor.
    4. Additional Permitted Usage Rights
      1. Subject to clause ‎3.4.2 and clause ‎3.4.3, Licensee may, from time to time during any Subscription Term, purchase additional Permitted Usage Rights in excess of the number set out in the Order Form and Licensor shall grant access to the Subscription Services and the Documentation to such additional Authorised Licensees in accordance with the provisions of this Agreement.
      2. If Licensee wishes to purchase additional Permitted Usage Rights, Licensee shall notify Licensor in writing. Licensor shall evaluate such a request for additional Permitted Usage Rights and respond to Licensee with approval or rejection of the request and such approval not to be unreasonably withheld.
      3. If Licensor approves Licensee's request to obtain additional Permitted Usage Rights, Licensee shall, within 30 (thirty) days of the date of Licensor's invoice, pay to Licensor the relevant fees for such additional Permitted Usage Rights and, if such additional Permitted Usage Rights are purchased by Licensor part way through the Subscription Term (or the Renewal Term, where appliable), such fees shall be pro-rated for the remainder of the Subscription Term (or the Renewal Term, where applicable).
    5. Admin Console. You undertake and agree that it will be your duty to allocate your Permitted Usage Rights to the Authorised Licensees under your Licence. The Admin console will give you the right to allocate licences as described in the help centre.

  4. 4. Limitations on Use

    1. Except as expressly permitted under this Agreement or by law, you shall not:
      1. use, copy, modify, adapt, correct errors, or create derivative works from, the Software;
      2. decode, reverse engineer, disassemble, decompile or otherwise translate, make alterations to, the Software, create any derivative works based on the whole or any part of the Software, convert the Software, or otherwise seek to obtain or derive the source code, underlying ideas, algorithms, file formats or non-public APIs to the Software;
      3. assign, rent, loan, transfer, provide access, sub-licence, lease, resell, distribute or otherwise deal in or encumber the Software;
      4. remove or modify any copyright or similar notices, or any of Licensor's or any other person's branding, that the Software causes to be displayed when used;
      5. install or use the Software, or permit it to be installed or used, by or on behalf of any third party, otherwise than for Permitted Purpose;
      6. interfere with any licence key mechanism in the Software or otherwise attempt to circumvent or interfere with any security features of the Software or mechanisms intended to limit your use;
      7. make the Software or copies of the Software available over a network or any other method of remote access, or facilitate the same;
      8. access all or any part of the Subscription Services and Documentation in order to build a product or service which competes with the Subscription Services and/or the Documentation;
      9. use the Subscription Services and/or Documentation to provide services to third parties;
      10. subject to clause ‎18, licence, sell, rent, lease, transfer, assign, distribute, display, disclose, or otherwise commercially exploit, or otherwise make the Subscription Services and/or Documentation available to any third party except Authorised Licensees; or
      11. attempt to obtain, or assist third parties in obtaining, access to the Subscription Services and/or Documentation, other than as provided under this clause ‎4.
    2. You may make such backup copies of the Software for operational security or as otherwise reasonably necessary to support the normal use of the Software in accordance with this Agreement.
    3. You shall not exceed the Permitted Usage Rights and you acknowledge that you shall be required, without prejudice to any other rights or remedies to which we may be entitled, to pay us at Licensor's then-current rates for any additional usage of the Subscription Services exceeding the Permitted Usage Rights.
    4. You shall use the Subscription Services at all times in accordance with any instructions or Documentation and all other terms of this Agreement.
    5. You shall notify us in writing as soon as you become aware of any actual or suspected unauthorised use of the Subscription Services and Documentation (including any use in excess of the Permitted Usage Rights).
    6. Licensee shall not access, store, distribute or transmit any Viruses, or any material during the course of its use of the Subscription Services that:
      1. is unlawful, harmful, threatening, defamatory, obscene, infringing, harassing or racially or ethnically offensive;
      2. facilitates illegal activity;
      3. depicts sexually explicit images;
      4. promotes unlawful violence;
      5. is discriminatory based on race, gender, colour, religious belief, sexual orientation, disability; or
      6. in a manner that is otherwise illegal or causes damage or injury to any person or property;
      7. and Licensor reserves the right, without liability or prejudice to its other rights to Licensee, to disable Licensee's access to any material that breaches the provisions of this clause.
    7. You shall not: (i) use the Subscription Services in violation of Applicable Laws; (ii) in connection with the Subscription Services, send or store infringing, obscene, threatening, or otherwise unlawful or tortious material, including material that violates privacy rights; (iii) knowingly interfere with or disrupt performance of the Subscription Services or the data contained therein.
    8. You acknowledge that Licensor is entitled to disable any artificial intelligence (AI) enabled features in the Subscription Services immediately if any of these features violates Applicable Laws and any such change in the Subscription Services shall not be regarded as a breach of this Agreement on the part of Licensor.

  5. 5. Download and Installation

    1. We shall provide Documentation and all reasonable instructions, including any necessary activation codes or licence keys, once the Subscription Services has been paid for and downloaded. It is your responsibility to ensure that your computer system and network connection is capable of accessing, using and/or downloading the Subscription Services.
    2. You shall be responsible for accessing, using and/or downloading the Subscription Services in accordance with the Documentation and instructions that we provide.
    3. We shall not be responsible for any delays, delivery failures, or any other loss or damage resulting from the transfer of the Subscription Services and Documentation over communications networks and facilities that we do not own, control or operate, including the internet.
    4. You shall ensure that you have a robust data backup and accessibility of all vital information systems in place. This includes regularly backing up data to secure off-site locations, implementing redundant storage systems, and periodically testing the backup and restore processes to guarantee their effectiveness.

  6. 6. Subscription Fees

    1. You will pay us the Subscription Fees annually in advance as set out in the Order Form.
    2. The Subscription Fees and any other charges payable under this Agreement are exclusive of VAT which shall be payable by Licensee at the rate and in the manner prescribed by law.
    3. Licensor may increase the Subscription Fees at any time by giving Licensee not less than 15 Business Days' notice in writing provided that the increase does not exceed 20% of the Subscription Fees in effect immediately prior to the increase.

  7. 7. Records and Audit

    1. You shall maintain accurate and complete records of Licensee's and its Authorised Licensees' installation and usage of the Subscription Services, including:
      1. number of Permitted Usage Rights that you have purchased under this Agreement;
      2. number of any Authorised Licensees; and
      3. location of sites and equipment or devices on which it is installed.
    2. You shall allow and procure for Licensor (and any authorised representatives of Licensor) access to remotely inspect the equipment or device(s) on which the Subscription Services is accessed, used and/or installed and to audit the relevant records of Licensee and Authorised Licensees, to the extent necessary to verify that the access, use and/or installation and use of the Subscription Services is in accordance with this Agreement.
    3. Unless otherwise agreed in writing, the inspections and audits referred to in clause ‎7.2 shall be undertaken:
      1. during your normal business hours on Business Days;
      2. subject to the provision by us of a minimum of 5 (five) Business Days' notice; and
      3. not more than twice in any calendar year during the Subscription Term.
    4. You shall, at your own cost, provide all reasonable assistance and co-operation to us in conducting any inspection or audit undertaken under this clause ‎7. We will comply with your reasonable directions to minimise disruption to your business and to safeguard the confidentiality of your Confidential Information.
    5. The provisions of this clause ‎7 shall survive termination or expiry of this Agreement for a period of 12 (twelve) months.

  8. 8. Warranty

    1. Licensor undertakes that the Subscription Services shall operate materially in accordance with the Documentation maintained and published by Licensor for 30 (thirty) calendar days from the date the Subscription Services is purchased and with reasonable skill and care (the 'Warranty Period').
    2. If you receive any Update or Upgrade of the Software under this Agreement during the Warranty Period, such Update or Upgrade will be covered under the warranty at clause ‎8.1 for the remainder of that original Warranty Period, but that Warranty Period will not be restarted or extended and no new Warranty Period shall apply as a result of any Update or Upgrade to the Software.
    3. If there is a breach of the warranty in clause ‎8.1, provided that you notify us in writing within the Warranty Period and provide sufficient information to enable us to reproduce any errors, we will, at our option:
      1. use reasonable endeavours to correct the errors in the Software within a reasonable time; or
      2. terminate this Agreement and refund any prepaid Subscription Fees, pro rata, as at the date of termination.
    4. The warranty in clause ‎8.1 is subject to Licensee complying with its obligations under, and using the Subscription Services and/or Software in accordance with this Agreement and is also subject to the limitations and exclusions set out in clause ‎10. In addition, the warranty shall not apply to the extent that any error in the Subscription Services and/or Software arises as a result of:
      1. incorrect download, installation, operation or use of the Subscription Services and/or Software (including any failure to follow any instructions set out on Licensor's website);
      2. access, download, installation or use of the Subscription Services and/or Software other than for the purposes for which it is intended;
      3. modification or alteration of the Subscription Services and/or Software without our written consent;
      4. access, download, installation or use of the Subscription Services and/or Software with other software or on equipment with which it is incompatible;
      5. attempted repair, rectification or maintenance by any person other than Licensor or a third party authorised by Licensor;
      6. failure to notify us of any error within a reasonable period of time of it first occurring; or
      7. failure to install any Update or Upgrade recommended and made available by us.
    5. You acknowledge that we do not give any warranty or representation and do not accept any liability (howsoever arising whether under contract, tort, in negligence or otherwise) in relation to:
      1. any Third Party Software;
      2. Subscription Services and/or Software meeting Licensee's individual needs or business requirements, whether or not such needs or requirements have been communicated to us;
      3. the Subscription Services and/or Software operating in a manner which is uninterrupted or free from minor errors or defects; or
      4. the Subscription Services and/or Software being compatible with any software other than the Third Party Software or with any particular hardware.
    6. Subject to clause ‎10.5, the provisions of clauses ‎8.3 and ‎9 set out Licensee's sole and exclusive remedy (howsoever arising, whether in contract, tort, negligence or otherwise) for any breach of clause ‎8.1 or for any other error or defect in, defective performance or inability to use the Subscription Services and/or Software or any part of it.
    7. Other than as set out in this clause ‎8, and subject to clause ‎10.5, all warranties, conditions, terms, undertakings or obligations whether express or implied and including any implied terms relating to quality, fitness for any particular purpose, reasonable care and skill or ability to achieve a particular result are excluded to the fullest extent allowed by Applicable Law.

  9. 9. Intellectual Property Rights and Licensee Data

    1. Licensee acknowledges that all Intellectual Property Rights in the Subscription Services, Documentation and Software are owned by or licensed to Licensor, that the right to use the Subscription Services, Documentation and Software is licensed (not sold) to Licensee and that Licensee shall have no other rights other than those granted under the terms of this Agreement. For the avoidance of doubt, Licensee shall have no right to access the Subscription Services, Documentation and Software in source code form.
    2. If Licensor has reason to believe that a third party claim may be brought by any third party alleging that the Software infringes any Intellectual Property Rights of a third party (an 'IPR Claim'), Licensor may at its sole option and expense, and Licensee shall permit Licensor to:
      1. modify or replace the Subscription Services, Documentation and/or Software to avoid infringement or alleged infringement; or
      2. terminate this Agreement and refund, pro-rata, any prepaid Subscription Fees paid by Licensee and unused at the date of such termination.
    3. Subject to clause ‎10.5, the provisions of this clause ‎9 set out Licensee's sole and exclusive remedy (however arising, including in contract, tort, negligence or otherwise) for any IPR Claim.
    4. Licensor may use any feedback, testing and suggestions for improvement relating to the Subscription Services and the related data provided by Licensee or any Authorised Licensees without charge or limitation (the 'Feedback'). In consideration of the sum of USD 1 now paid by Licensor to Licensee (receipt of which Licensee hereby acknowledges), Licensee hereby assigns (or shall procure the assignment of) all Intellectual Property Rights in the Feedback with full title guarantee (including by way of present assignment of future Intellectual Property Rights) to Licensor at the time such Feedback is first provided to Licensor. Licensor may use any Feedback for improvement relating to the Subscription Services without charge or limitation.
    5. Licensor does not collect Licensee Data. Licensee and/or Authorised Licensees own all Intellectual Property Rights in Licensee Data.
    6. The rights and obligations of Licensor and Licensee in relation to Personal Data processed in connection with the Subscription Services (if any) and Goodnotes Cloud (where applicable) are set out in the Data Protection Addendum in ‎Schedule 1.

  10. 10. Limitation of Liability

    1. The extent of Licensor's liability under or in connection with this Agreement (regardless of whether such liability arises in tort, contract or in any other way and whether or not caused by negligence or misrepresentation) shall be as set out in this clause ‎10.
    2. Subject to clause ‎10.5, Licensor's total aggregate liability however arising under or in connection with this Agreement shall not exceed an amount equal to 100 % of Subscription Fees.
    3. Subject to clause ‎10.5, Licensor shall not be liable for consequential, indirect or special losses.
    4. Subject to clause ‎10.5, Licensor shall not be liable for any of the following (whether direct or indirect):
      1. loss of profit;
      2. loss of revenue;
      3. loss or corruption of data;
      4. loss or corruption of software or systems;
      5. loss or damage to equipment;
      6. loss of use;
      7. loss of production;
      8. loss of contract;
      9. loss of commercial opportunity;
      10. loss of savings, discount or rebate (whether actual or anticipated);
      11. harm to reputation or loss of goodwill;
      12. loss of business; and
      13. wasted expenditure.
    5. Notwithstanding any other provision of this Agreement, Licensor's liability shall not be limited in any way in respect of the following:
      1. death or personal injury caused by negligence;
      2. fraud or fraudulent misrepresentation; or
      3. any other losses which cannot be excluded or limited by applicable law.

  11. 11. Indemnity

    YOU SHALL INDEMNIFY, KEEP INDEMNIFIED AND HOLD HARMLESS US (ON OUR OWN BEHALF ON BEHALF OF EACH OF OUR AFFILIATES) FROM AND AGAINST ANY LOSSES, CLAIMS, DAMAGES, LIABILITY, DATA PROTECTION LOSSES (AS DEFINED IN THE DATA PROTECTION ADDENDUM IN ‎SCHEDULE 1, COSTS (INCLUDING LEGAL AND OTHER PROFESSIONAL FEES) AND EXPENSES INCURRED BY US (OR ANY OF OUR AFFILIATES) AS A RESULT OF YOUR BREACH OF THIS AGREEMENT. THIS CLAUSE ‎11 SHALL SURVIVE TERMINATION OR EXPIRY OF THIS LICENCE.

  12. 12. Term and Termination

    1. This Agreement shall enter into force on the Commencement Date and, unless terminated earlier by Licensor in accordance with the terms of this Agreement, shall continue in force until the last day of the Subscription Term after which it shall automatically renew for a further year (the 'Renewal Term') unless Licensor or Licensee gives the other party written notice of non-renewal within 30 (thirty) Business Days. We may terminate this Agreement at any time by giving you notice in writing if:
      1. you commit a material breach of this Agreement and such breach is not remediable;
      2. you commit a material breach of this Agreement which is not remedied within 10 (ten) Business Days of receiving written notice of such breach; or
      3. you fail to pay any amount due under this Agreement on the due date and such amount remains unpaid within 10 (ten) Business Days after you have received notification that the payment is overdue.
    2. Any breach by Licensee of clause ‎4 shall be deemed a material breach of this Agreement which is not remediable.

  13. 13. Consequences of Termination

    1. Immediately on termination or expiry of this Agreement (for any reason), the licences and rights granted by us shall terminate and you shall (and, if applicable, shall procure that each Authorised Licensee shall):
      1. stop using, uninstall, delete or otherwise remove the Subscription Services, Documentation and Software from all computers or devices in your possession or control (or in the possession or control of any Authorised Licensee); and
      2. immediately and permanently destroy and delete or, if requested by us, return any copies of the Documentation [and Software] in its possession, custody or control and, in case of destruction, issue a certification to us that you (and any Authorised Licensees) have done so.
    2. You shall be responsible for backing up your data regularly and extracting it from the Subscription Services [and the Software] prior to the termination or expiry of this Agreement. We shall not be obliged to provide you with any assistance extracting or recovering data whether during or after the Subscription Term.
    3. Termination or expiry of this Agreement shall not affect any accrued rights and liabilities of either party at any time up to the date of termination or expiry and shall not affect any provision of this Agreement that is expressly or by implication intended to continue beyond termination.

  14. 14. Confidentiality

    1. Any Confidential Information obtained by either party in connection with the provision of the licence under this Agreement shall be treated by the receiving party as confidential, maintaining at least the same degree of care used to protect its own Confidential Information but not less than a reasonable degree of care, and the receiving party shall not, without the disclosing party's prior written consent disclose, copy or modify any such Confidential Information (or permit others to do so) other than as necessary for the exercise of its rights and performance of its obligations under this Agreement.
    2. The obligations under this clause ‎14 shall survive the termination or expiry of this Agreement for a period of 2 (two) years.

  15. 15. Entire Agreement

    1. This Agreement and any descriptions of the Software made available by Licensor, constitute the entire agreement between the parties and supersede all previous agreements, understandings and arrangements between them in respect of its subject matter, whether in writing or oral.
    2. No variation of these terms or to an order or to this Agreement, shall be binding unless expressly agreed in writing and executed by a duly authorised signatory on behalf of each of Licensee and Licensor respectively.
    3. Each party acknowledges that it has not entered into this Agreement in reliance on, and shall have no remedies in respect of, any representation or warranty that is not expressly set out in this Agreement.
    4. Nothing in this Agreement shall limit or exclude any liability for fraud.

  16. 16. Notices

    1. Any notice or other communication given by a party under this Agreement shall be:
      1. in writing and in English;
      2. signed by, or on behalf of, the party giving it (except for notices sent by email); and
      3. where sent to Licensor, sent to the address set out in 'contact us' details on Licensor's website at https://www.goodnotes.com;
      4. where sent to Licensee, the address provided to us by you when you registered to download and install the Software.
    2. Notices may be given, and are deemed received:
      1. by hand: on receipt of a signature at the time of delivery;
      2. by Royal Mail Recorded Signed For post: at 9.00 am on the second Business Day after posting;
      3. by Royal Mail International Tracked & Signed OR Royal Mail International Signed post: at 9.00 am on the fourth Business Day after posting; and
      4. by email: on receipt of a delivery email from the correct address.
    3. Notices and other communications sent to Licensor shall be sent to:
      Nebahat Arslan, Group General Counsel, at legal@goodnotesapp.com.
    4. This clause does not apply to notices given in legal proceedings or arbitration.

  17. 17. Variation

    No variation of this Agreement shall be valid or effective unless it is in writing, refers to this Agreement and is duly signed or executed by, or on behalf of, each party.

  18. 18. Assignment and Subcontracting

    1. We may at any time assign, sub-contract, transfer, mortgage, charge, declare a trust of or deal in any other manner with any or all of Licensor's rights or obligations under this Agreement, provided that we give you prior written notice.
    2. Except as expressly permitted by this Agreement, you shall not assign, transfer, sub-license, mortgage, charge, declare a trust of or deal in any other manner with any or all of your rights or obligations under this Agreement (including the licence rights granted), in whole or in part, without Licensor's prior written consent.

  19. 19. No Partnership or Agency

    The parties are independent and are not partners or principals or agents and this Agreement does not establish any joint venture, trust, fiduciary or other relationship between them, other than the contractual relationship expressly provided for in it. Neither party shall have, nor shall represent that it has, any authority to make any commitments on the other party's behalf.

  20. 20. Severance

    1. If any provision of this Agreement (or part of any provision) is or becomes illegal, invalid or unenforceable, the legality, validity and enforceability of any other provision of this Agreement shall not be affected.
    2. If any provision of this Agreement (or part of any provision) is or becomes illegal, invalid or unenforceable but would be legal, valid and enforceable if some part of it were deleted or modified, the provision or part-provision in question shall apply with such deletions or modifications as may be necessary to make the provision legal, valid and enforceable. In the event of such deletion or modification, the parties shall negotiate in good faith in order to agree the terms of a mutually acceptable alternative provision.

  21. 21. Waiver

    No failure, delay or omission by either party in exercising any right, power or remedy provided by law or under this Agreement shall operate as a waiver of that right, power or remedy, nor shall it preclude or restrict any future exercise of that or any other right, power or remedy.

  22. 22. Compliance with Law

    1. Licensee shall comply with all Applicable Laws and shall maintain such authorisations and approvals as required from time to time to perform its obligations under or in connection with this Agreement.
    2. Without prejudice to the generality of clause ‎22.1, Licensee shall comply with all Applicable Laws, rules, and regulations governing export of goods and information that apply to the Software, and shall not export or re-export, directly or indirectly, separately or as a part of a system, the Software to any country for which an export licence or other approval is required, without first obtaining such licence or other approval. Licensee shall be solely responsible for ensuring its access, importation or use of the Software in or into any part of the Territory complies with all export laws.

  23. 23. Third Party Rights

    A person who is not a party to this Agreement shall not have any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any of its provisions.

  24. 24. Arbitration

    Except as provided in clause ‎25, the parties agree that any dispute or controversy arising out of, relating to or in connection with the interpretation, validity, construction, performance, breach or termination of this Agreement finally resolved by arbitration under the London Court of International Arbitration Rules (LCIA Rules). The number of arbitrators shall be one. The seat, or legal place, of arbitration shall be London. The decision of the arbitrator shall be final, conclusive and binding on the parties to the arbitration. Judgement may be entered on the arbitrator's decision in any court of competent jurisdiction. The parties may apply to any court of competent jurisdiction for a temporary restraining order, preliminary injunction, or other interim or conservatory relief, as necessary, without breach of this Agreement and without abridgement of the powers of the arbitrator.

  25. 25. Governing Law and Jurisdiction

    1. This Agreement and any dispute or claim arising out of, or in connection with, its subject matter or formation (including non-contractual disputes or claims) shall be governed by, and construed in accordance with, the laws of England and Wales.
    2. The parties irrevocably agree that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of, or in connection with, this Agreement, its subject matter or formation (including non-contractual disputes or claims).
  26. The parties agree that all other terms and conditions are expressly excluded. LICENSEE HEREBY CONFIRMS FULL ACCEPTANCE OF THE SaaS SUBSCRIPTION LICENCE TERMS AND CONDITIONS

Schedule 1

Data Protection Addendum

This Data Protection Addendum (the 'Addendum') forms part of the Agreement between Licensor and Licensee.

  1. 1. Definitions

    1. In this Addendum, unless otherwise defined herein, capitalised terms used in this Addendum shall have the same meanings as those defined in the Agreement.
    2. Data Protection Legislation means the legal standards set out in the General Data Protection Regulation 2016/679, and any supplementary national data protection legislation if the Licensee is based outside the EU and this law provides for stricter and mandatory data protection requirements, as well as regulations, implementation rules, guidance notes and code of practice issued by the legislator and privacy regulator in the Territory, as amended from time to time.
    3. Where applicable, the terms 'Commissioner', 'Controller', 'Data Subject', 'Personal Data', 'process' / 'processing', 'Processor', 'profiling' and 'Personal Data Breach' have the meanings given to those terms in the Data Protection Legislation, where applicable.

  2. 2. Licensee is Controller of Personal Data collected from Authorised Licensees

    1. Licensee is Controller of Personal Data collected from Authorised Licensees. Licensee shall sub-license the Subscription Services to Authorised Licensees.
    2. Licensee shall comply with the Data Protection Legislation applicable to a Controller including but not limited to collection, processing, use, retention, disclosure and transfer of Personal Data, and shall obtain all necessary consents (including consents of the parents or guardians of minors), and provide all necessary notifications, to Authorised Licensees.
    3. Licensor does not process any Personal Data on Licensee's behalf when performing its obligations under this Agreement. There is no controller-to-processor outsourcing relationship between the parties.

  3. 3. Collection of Personal Data from minors

    1. If the Data Subject is a minor (i.e. under the age of 16) and prescribed consent is required from the minor if the Personal Data will be used for a new purpose, the holder of parental responsibility over the minor may give the prescribed consent on behalf of the minor.
    2. Licensee is solely responsible for obtaining consent as Controller of the Personal Data from Authorised Licensees.
    3. Data Protection Legislation specifies the following additional requirements for the processing of Personal Data of minors under the age of 16: (i) communicating in an easily understandable form and using clear and plain language when notifying minors of matters relating to the processing of Personal Data; and (ii) obtaining the legal representative's consent if Controller wish to collect, use, or provide the Personal Data of a minor under the age of 16 and confirming whether the legal representative has granted consent to process the minor's Personal Data in a statutorily-prescribed manner.

  4. 4. Use of Feedback by Licensor

    1. Licensor will not use any Feedback to train the machine learning models that Licensor rely upon to develop and improve the Subscription Services unless Licensee and/or Authorised Licensees voluntarily provide the Feedback to Licensor.
    2. Feedback does not contain Personal Data.

  5. 5. Licensor does not collect Personal Data from Authorised Licensees

    Licensor does not collect Personal Data from Authorised Licensees, either via the Subscription Services or otherwise

  6. 6. Handwriting Data

    Licensor will not use Authorised Licensees' handwriting data to create an individual digital template or profile for the purpose of identifying Authorised Licensees. Licensor can only recognise that the handwriting is from the same Authorised Licensee without information on who that Authorised Licensee is. Only Licensee can identify Authorised Licensees. Therefore, Licensee does not process any genetic data or biometric data about Authorised Licensees.

  7. 7. Warranty and undertaking given by Licensees and Audit

    1. To the extent that Licensee provides Personal Data to Licensor, Licensee warrants and undertakes to Licensor that, in accordance with Data Protection Legislation, it (i) has provided all necessary information to all relevant Data Subjects regarding the processing of their Personal Data and obtained their consent; and (ii) has taken appropriate steps to legitimise the disclosure of such Personal Data to Licensor.
    2. Licensee shall indemnify and hold harmless Licensor against all losses, fines and sanctions arising from any claim by a third party or Commissioner arising from any breach of this Addendum (the 'Data Protection Losses').

  8. 8. Data processing clauses in relation to Goodnotes Cloud

    1. In the event that Licensee and Authorised Licensees are users of the Goodnotes Cloud, Licensor is a Processor of the Personal Data stored in the Goodnotes Cloud (the 'Licensee Personal Data').
    2. Licensor shall process Licensee and Authorised Licensees Personal Data in compliance with the Data Protection Legislation, with the Goodnotes Cloud terms and conditions, which contain data processing clauses in accordance with Data Protection Legislation, and in accordance with a data processing agreement based on ‎Schedule 2.

Schedule 2

Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the SaaS Subscription Agreement ("Master Agreement") between

Licensee, as stated in the Order Form(the "Institution" or "Data Controller") and

Goodnotes Limited
1 Bartholomew Lane, London, United Kingdom

(the "Data Processor")

(together as the "Parties")

WHEREAS
The Parties seek to implement a DPA that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, "GDPR").

IT IS AGREED AS FOLLOWS:

  1. 1. Definitions

    1. "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with another entity.
    2. "Applicable Law" means: (i) all applicable European Union ("EU") or national laws and regulations relating to the privacy, confidentiality, security and protection of Personal Data, including, without limitation: the GDPR, and EU Member State laws supplementing the GDPR; (ii) the United Kingdom ("UK") version of the GDPR which is part of UK law by virtue of the European Union (Withdrawal) Act 2018, as amended and supplemented from time to time ("UK GDPR"); (iii) the EU Directive 2002/58/EC ("e-Privacy Directive"), as replaced from time to time, and EU Member State and UK laws implementing the e-Privacy Directive, including laws regulating the use of cookies and other tracking means as well as unsolicited e-mail communications; and (iv) any other legislation in force from time to time in the UK relating to privacy and/or the collection or processing of Personal Data, including the Data Protection Act 2018.
    3. "Data Controller", "Data Processor", "Data Subject", "Personal Data", "Personal Data Breach", "Process", "Processed", "Processing", "Special Category Data", "Sub-Processor", and "Supervisory Authority" shall have the meaning ascribed to them in the GDPR.
    4. "EU Restricted Transfer" means a transfer of Personal Data from Data Controller to Data Processor (or vice versa) or an onward transfer of Personal Data made by the Data Processor where such transfer would at the time of the transfer be prohibited by the GDPR (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Applicable Law) in the absence of the EU Standard Contractual Clauses to be established under clause ‎5 of this ‎Schedule 2.
    5. "EU Standard Contractual Clauses" means the Standard Contractual Clauses forming part of Decision 2021/914/EC (as amended or replaced from time to time), including their appendices and with the relevant Modules and Options set out under Part A of ‎Annex 2 to this ‎Schedule 2 incorporated.
    6. "UK Addendum" means the Addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner's Office in accordance with S119A of the UK Data Protection Act 2018.
    7. "UK Restricted Transfer" means a transfer of Personal Data from Data Controller to Data Processor (or vice versa) or an onward transfer of Personal Data made by the Data Processor where such transfer would at the time of the transfer be prohibited by the UK GDPR (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Applicable Law) in the absence of the relevant UK Addendum established under clause ‎5 of this ‎Schedule 2.

  2. 2. Roles and Responsibilities of the Parties

    1. The Parties acknowledge and agree that the purpose of Processing the Personal Data by Data Processor is the performance of its obligation under, and the provision of services pursuant to, the Master Agreement for the duration of the term of the Master Agreement and that Data Controller is acting as a Data Controller, and has the sole and exclusive authority to determine the purposes and means of the Processing of Personal Data processed under this ‎Schedule 2 (and as detailed at ‎Annex 1 to this ‎Schedule 2), and Data Processor is acting as a Data Processor on behalf and under the instructions of Data Controller.
    2. Each reference to Data Controller and Data Processor in this ‎Schedule 2 shall include their respective Affiliates, unless the context requires otherwise.

  3. 3. Obligation of the Data Processor

    Data Processor agrees and warrants to:
    1. Process Personal Data disclosed to it by Data Controller only on behalf of and in accordance with the written instructions of the Data Controller, unless Data Processor is otherwise required by Applicable Law, in which case Data Processor shall inform Data Controller of that legal requirement before Processing the Personal Data, unless informing Data Controller is prohibited by law on important grounds of public interest.
    2. Ensure that any person authorized by Data Processor to Process Personal Data (who shall only be so authorized where it is necessary for the performance of their job function in relation to the services provided by Data Processor to Data Controller) is informed of the confidential nature of the Personal Data and is subject to a duly enforceable contractual or statutory confidentiality obligation, and only processes Personal Data in accordance with the instructions of the Data Controller.
    3. Taking into account the nature and risk of the Processing of Personal Data, Data Processor shall assist Data Controller by providing appropriate technical and organizational assistance, insofar as possible, in assisting Data Controller to fulfill its obligations to respond to Data Subject requests to exercise their rights with respect to their Personal Data and any request or communication with any Supervisory Authority in relation to Personal Data.
    4. Assist Data Controller in complying with its obligations under Applicable Law, in particular Data Controller's obligation to implement appropriate technical and organizational security measures in accordance with clause ‎6 to carry out a data protection impact assessment and to consult the competent Supervisory Authority.
    5. Comply with all Applicable Laws which applies to Data Processor as a Data Processor of the Personal Data.

  4. 4. Sub-Processing

    1. Data Controller gives a general authorization to Data Processor to engage the third parties listed in ‎Annex 1 to this ‎Schedule 2 to Processing Personal Data on Data Controller's behalf as necessary for the purposes of its engagement in connection with the provision of services under the Master Agreement ("Sub-processors") provided Data Processor shall:
      1. Enter into a written agreement with each Sub-processor that imposes obligations on Sub-processor that are the same as those imposed on Data Processor under this ‎Schedule 2;
      2. Only retain Sub-processors that are capable of appropriately protecting the privacy, confidentiality and security of the Personal Data;
      3. Inform Data Controller of any addition or replacement of a Sub-processor so as to give Data Controller an opportunity to object to the change before Personal Data is communicated to the new Sub-processor ‎14 (fourteen) days prior to making any such addition or replacement. If Data Controller objects, Data Processor will use reasonable efforts to find an alternative Sub-processor to provide the services. If a suitable alternative Sub-processor or other solution cannot be found to Data Controller's satisfaction, then Data Controller may terminate the DPA without fault; and
      4. Data Processor will be liable for the acts and omissions of its Sub-processors in relation to its processing obligations to the same extent that the Data Processor would be liable if performing the services of each Sub-processor directly under the terms of the Master Agreement.

  5. 5. Data Transfers

    EU Restricted Transfers
    1. With respect to any EU Restricted Transfers, Data Controller and Data Processor hereby enter into the EU Standard Contractual Clauses incorporating: (i) the general clauses (Clauses 1-6); (ii) Modules Two (Transfer Data Controller to Data Processor) and Four (Transfer Data Processor to Data Controller) as applicable in accordance with ‎Part A of ‎Annex 3; (iii) the relevant options set out in ‎Part A of ‎Annex 3; and (iv) with the Annexes populated as set out below:
      1. Annex I of the EU Standard Contractual Clauses shall be pre-populated with the details set out in ‎Part B of ‎Annex 2 to this ‎Schedule 2;
      2. Annex II of the EU Standard Contractual Clauses shall be pre-populated with the details set out in ‎Annex 3 (Technical and Organizational Measures) to this ‎Schedule 2; and
      3. Annex III of the EU Standard Contractual Clauses shall be pre-populated with the details set out in ‎Part C of ‎Annex 2 to this ‎Schedule 2.
    2. For the purposes of clause ‎5.1, the EU Standard Contractual Clauses shall come into effect upon commencement of an EU Restricted Transfer.
    3. Prior to the commencement of any EU Restricted Transfer to or from a Sub-processor, Data Processor will enter into the EU Standard Contractual Clauses with such Sub-processor, incorporating the general Clauses (Clauses 1-6) and Module 3 (Transfer Data Processor to Data Processor).

      UK Restricted Transfers
    4. With respect to any UK Restricted Transfers, Data Controller and Data Processor hereby enter into the EU Standard Contractual Clauses in accordance with clause ‎5.1 and the UK Addendum in respect of any such UK Restricted Transfer.
    5. With respect to any EU Restricted Transfers, Data Controller and Data Processor hereby enter into the EU Standard Contractual Clauses incorporating: (i) the general clauses (Clauses 1-6); (ii) Modules Two (Transfer Data Controller to Data Processor) and Four (Transfer Data Processor to Data Controller) as applicable in accordance with ‎Part A of ‎Annex 3; (iii) the relevant options set out in ‎Part A of ‎Annex 3; and (iv) with the Annexes populated as set out below:
      1. the first option in Table 2 to clarify that the UK Addendum incorporates the Approved EU SCCs as incorporated into this DPA;
      2. the first option in Table 2 to clarify that the UK Addendum incorporates the Approved EU SCCs as incorporated into this DPA;
      3. the list of parties and the description of the transfer of Personal Data, each as set out in ‎Part B of ‎Annex 2 to this ‎Schedule 2, inserted in Table 3 (Appendix Information) of such UK Addendum;
      4. the description of the technical and organizational security measures as set out in ‎Annex 3 (Technical and Organizational Measures) to this ‎Schedule 2, inserted in Table 3 (Appendix Information) of such UK Addendum;
      5. the list of Sub-processors as set out in ‎Annex 1 to this ‎Schedule 2, inserted in Table 3 (Appendix Information) of such UK Addendum; and
      6. the option exporter set out in Table 4 of such UK Addendum;
    6. Data Controller and Data Processor agree that:
      1. the UK Addendum shall be deemed incorporated into the EU Standard Contractual Clauses entered into in accordance with clause ‎5.1 above;
      2. they shall be bound by the UK Addendum as incorporated into the EU Standard Contractual Clauses; and
      3. such UK Addendum and the EU Standard Contractual Clauses into which it is incorporated shall come into effect upon commencement of any UK Restricted Transfer.
    7. Prior to the commencement of any UK Restricted Transfer to or from a sub-processor, Data Processor will enter into the EU Standard Contractual Clauses with such sub-processor, incorporating the general Clauses (Clauses 1-6), Module 3 (Transfer Processor to Processor) and the UK Addendum.

  6. 6. Data Security

    1. Data Processor shall develop, maintain and implement a comprehensive written information security program that shall include appropriate administrative, technical, physical, organizational and operational safeguards and other security measures which are appropriate to the nature and risk of the Processing of Personal Data and are designed to (i) ensure the security and confidentiality of Personal Data; (ii) protect against any anticipated threats or hazards to the security and integrity of Personal Data; and (iii) protect against any Personal Data Breach, and which include the Technical and Organizational Measures set out in ‎Annex 3 and all measures pursuant to Article 32(1) GDPR all measures pursuant to Article 32(1) GDPR which shall not be amended where such amendments would reduce the security, confidentiality, or protection of Personal Data, without Data Controller's prior written approval.
    2. Promptly upon the expiration or earlier termination of the DPA, Data Processor shall, aside from where required by Applicable Law, return to Data Controller, or at Data Controller's request, securely destroy or render unreadable or undecipherable (which decision shall be based solely on Data Controller's written statement), all Personal Data in Data Processor's, its affiliates' or their respective subcontractors' possession, custody or control, and confirm to Data Controller that such destruction or other action required by Data Controller has taken place.

  7. 7. Data Breach Notification

    1. Data Processor shall immediately inform Data Controller in writing of any Personal Data Breach of which Data Processor becomes aware. The notification to Data Controller shall include all available information regarding such Personal Data Breach, including information on:
      1. The nature of the Personal Data Breach including where possible, the categories and approximate number of affected Data Subjects and the categories and approximate number of affected Personal Data records;
      2. The likely consequences of the Personal Data Breach; and
      3. The measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
    2. Data Processor shall provide such assistance as required to enable Data Controller to satisfy Data Controller's obligation to notify the relevant Supervisory Authority and Data Subjects of a Personal Data Breach under Articles 33 and 34 GDPR.

  8. 8. Audit

    Data Processor shall make available to Data Controller all information necessary to demonstrate compliance with the obligations set forth in this ‎Schedule 2 and allow for and contribute to audits, including inspections, conducted by Data Controller or another auditor mandated by Data Controller.

Annex 1

SCOPE OF DATA PROCESSING

The Processing of Personal Data concerns the following categories of Data Subjects:

Please see the Licence, only limited Personal Data will be processed of the users and not minors.

The Processing concerns the following categories of Personal Data:

We automatically gather certain information, such as data pertaining to the utilization of the Subscription Services and the devices employed to access it. This is achieved through the utilization of cookies, web beacons, and comparable technologies, as delineated in our Cookie Policy.

The gathered information encompasses the following:

  • Registration particulars, full name, (including username and email)
  • Details regarding the browser, IP address or device and general location
  • Content chosen for inclusion in the profile or postings within the public domains of the Subscription Services
  • Information rendered in association with specific features within the Subscription Services
  • Non-personally identifiable data that may be correlated with personal information, encompassing specifics about Subscription Services.

When establishing an account, engaging in communication with us, or participating in activities or surveys, we gather information directly from you. Additionally, we may obtain information from other parties, including teachers, educational institutions, or third-party applications.

The Processing concerns the following categories of Sensitive Data:

Sensitive Data means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, data concerning health, sex life or sexual orientation.

None

The Processing concerns the following categories of data Processing activities (i.e., purposes of Processing):

To deliver the services under the Licence 

Service Provider uses the following Sub-processors:

AWS Cloud, Amplitude, HubSpot, Zendesk, Sprig, Userinterviews, Braze, Google Cloud and other third party suppliers as listed on our Privacy Policy This will be updated from time to time.

Annex 2

CONTENT OF EU STANDARD CONTRACTUAL CLAUSES

PART A

SELECTED MODULES AND OPTIONS OF THE EU STANDARD CONTRACTUAL CLAUSES

For the purposes of clause ‎5‎ of ‎Schedule 2, Data Controller and Data Processor agree that the following Modules and Options of the EU Standard Contractual Clauses shall be deemed to be incorporated:
Clause 7 (Docking clause)
Clause 7 shall not be incorporated;
Clause 8 (Data protection safeguards)
Modules Two and Four;
Clause ‎9 (Use of sub-processors)
Module Two, Option 2 and the specific time period referred to shall be [fourteen (14)] days;
Clause ‎10 (Data subject rights)
Modules Two and Four;
Clause ‎11 (Redress)
Module Two, and the Option in Clause 11(a) shall not be incorporated;
Clause ‎12 (Liability)
Modules Two and Four;
Clause ‎13 (Supervision)
Module Two, incorporating all paragraphs of Clause 13(a) as applicable;
Clause ‎14 (Local laws and practices affecting compliance with the Clauses)
Modules Two and Four;
Clause ‎15 (Obligations of the data importer in case of access by public authorities)
Modules Two and Four;
Clause ‎16 (Non-compliance with the Clauses and termination)
For Clause 16(d) the relevant parts for Modules Two and Four;
Clause ‎17 (Governing law)

Module Two, Options 1 and 2 as applicable and the law inserted shall be the laws of the EU Member State in which the data exporter is established, save that: (i) where such laws do not allow for third-party beneficiary rights; or (ii) the data exporter is not established in an EU Member State, the law inserted shall be the laws of [England and Wales];

Module Four and the law inserted shall be the laws of the country stated in the governing law clause of the Agreement, save that where such law does not allow for third-party beneficiary rights, the law inserted shall be the laws of [England and Wales];

Clause ‎18 (Choice of forum and jurisdiction)

Module Two and the courts inserted shall be the courts in the Member State referred to in Clause ‎17 (Governing law); and

Module Four and the country inserted shall be the country stated to have jurisdiction in the Agreement, save that where the laws of that country do not allow for third-party beneficiary rights, the country inserted shall be [England].

PART B

CONTENT OF ANNEX I TO THE EU STANDARD CONTRACTUAL CLAUSES

List of Parties

Data Exporter

Name: as set out in the Master Agreement

Address: as set out in the Master Agreement

Contact person's name, position and contact details: Nebahat Arslan (Group General Counsel) legal@goodnotesapp.com 

Activities relevant to the data transferred under these Clauses: as set out in ‎Annex 1 to the ‎Schedule 2

Role (controller/processor): Processor

Data Importer(s)

Name: as set out in the Master Agreement

Address: as set out in the Master Agreement

Contact person's name, position and contact details: DPO of the Licensee

Activities relevant to the data transferred under these Clauses: as set out in ‎Annex 1 to the ‎Schedule 2

Role (controller/processor): Controller

Description of Transfer

Categories of Data Subjects whose Personal Data is transferred: as per the categories of Data Subject to whom the Personal Data relates set out in ‎Annex 1 of the ‎Schedule 2.

Categories of Personal Data transferred: as per the types of Personal Data to be processed set out in ‎Annex 1 of the ‎Schedule 2.

Sensitive Data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: as per the special categories of Personal Data set out in ‎Annex 1 of the ‎Schedule 2 and as per the DPA including without limitation and where relevant ‎Annex 3 (Technical and Organizational Measures) to the ‎Schedule 2.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): continuous unless otherwise specified in the ‎Schedule 2.

Nature of the Processing: as per the nature of the Processing set out in ‎Annex 1 of the ‎Schedule 2.

Purpose(s) of the data transfer and further Processing: as per the purpose(s) set out in ‎Annex 1 of the ‎Schedule 2.

The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: as per clause ‎‎6.2 of the ‎Schedule 2.

For transfers to (Sub-)Processors, also specify the subject matter, nature and duration of the Processing: as per the subject matter, nature and duration set out in ‎Annex 1 of the ‎Schedule 2.

Competent Supervisory Authority

Identify the competent Supervisory Authority/ies in accordance with Clause ‎13: The competent supervisory authority in the EU Member State in which the data exporter is established and, in the event that the data exporter is not established in an EU Member State, the data protection authority of [England and Wales].

PART C

CONTENT OF ANNEX III TO THE EU STANDARD CONTRACTUAL CLAUSES

The Data Controller has authorised the use of the following Sub-processors:
The entities set out in the ‎Annex 1 of the ‎Schedule 2

Annex 3

Technical and Organizational Measures

The following security measures are in place:

  • Data stored on AWS is encrypted at rest.
  • Access to the network is heavily restricted and logged using Teleport.
  • Data is protected against DDoS attacks using AWS Shield.
  • Intrusion detection is performed using AWS GuardDuty.
  • Database servers are in a private network, and access is restricted.
  • Access is logged using a zero-trust solution called Teleport, authenticated through Okta.
  • The data is encrypted in transit via TLS v1.2.