This Data Processing Agreement, including its exhibits, (the “Agreement”) governs the Processing of Personal Data by NotionAddon (the “Processor”). The Processor owns and operates the website https://notionaddon.io;, the related domain names, and software (collectively, “NotionAddon”). This Agreement governs the Processing of Personal Data submitted by an individual user or an entity accessing and using NotionAddon (the “Client”). The Processor and the Client are hereby collectively referred to as the “Parties” and each individually a “Party”.
The Agreement sets out rights and obligations of the Parties regarding the Processing of Personal Data, where the Processor acts in the capacity of the Data Processor and the Client acts in the capacity of the Data Controller. The Agreement is drafted in accordance with EU Standard Contractual Clauses (MODULE TWO: Transfer controller to processor) attached as Exhibit I of the Agreement.
By concluding the Agreement, the Client enters into this Agreement on behalf of itself and, to the extent required under applicable Data Protection Law, in the name and on behalf of its authorised affiliates, if and to the extent the Processor processes the Personal Data for which such authorised affiliates qualify as the Data Controller.
1.1.In this Agreement, the following definitions shall apply:
“Client’s Data“ shall mean the Personal Data processed through NotionAddon of which the Client is the Data Controller.
“Contract” shall mean a service agreement concluded between the Parties governing the services provided through NotionAddon.
“Data Controller” shall mean a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Data Protection Law” means the statutory data privacy and protection regulations applicable to the Client and the Processor protecting the fundamental rights and freedoms of persons with regard to data privacy and the Processing of the Client’s Data by the Processor.
“Data Subject” shall mean an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“EU” shall mean European Union.
“GDPR” shall mean the Regulation (EU) 2016/679 (General Data Protection Regulation).
“Instruction” shall mean an instruction issued by the Client to the Processor and directing the Processor to perform a specific action with regard to the Processing of the Client’s Data in order to achieve compliance with the Data Protection Law.
“Personal Data” shall mean any information relating to an identified or identifiable natural person.
“Data Processor” shall mean a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller;
“Processing” shall mean any operation which is performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Sub-processor” shall mean an entity that Processes Personal Data as a subcontractor of the Data Processor.
1.2.All capitalised terms not defined herein shall have the meaning set forth in the Contract.
2.1.The Client engages the Processor to provide services through NotionAddon to the Client by means of the Contract and agrees that the Processor shall carry the Processing of the Client’s Data, the categories of which are described in section 4 of this Agreement, pursuant to the terms stated herein.
2.2.This Agreement applies to all activities within the scope of NotionAddon and the Contract in the context of which the Processor or any Sub-processor may come into contact with the Client’s Data.
2.3.To ensure the transparency of the Processing, the Parties shall keep records of all Processing activities regarding Personal Data, as required by Art. 30 of the GDPR.
3.1.The Processor shall Process the Client’s Data on behalf of the Client as Client’s Data Processor. The scope, extent, and nature of the Processing are the sole purpose of facilitation of the provision of services through NotionAddon by the Processor to the Client.
3.2.The Processor shall ensure that any of its officers, directors, employees, consultants, representatives and other natural persons that participate in the Processing of the Client’s Data agree to the same restrictions and conditions as those listed in this Agreement.
3.3.The Client as the Data Controller shall be responsible for complying with the applicable Data Protection Law, including, but not limited to, the lawfulness of the Processing and the lawfulness of the transmission (if any) of the Client’s Data to the Processor.
3.4.The Processor shall Process the Client’s Data only to the extent required and with the purpose of fulfilling the Processor’s obligations under the Contract, to the extent necessary for the provision of NotionAddon, and in accordance with the Instructions.
3.5.Should the Processor wish to use the Client’s Data for the purposes that are not specified in this section 3, the Processor shall request the Client to provide prior consent in writing.
4.1.The Processor shall Process all Client’s Data submitted by the Client through NotionAddon. To the extent the Client’s Data contains Personal Data, it may consist of Data Subjects’:
(i) Email address;
(ii) Name;
(iii) Title;
(iv) Company;
(v) Social profile link;
(vi) Address;
(vii) Video material featuring the Data Subject;
(viii) Any other data submitted by the Client to the Processor for Processing.
4.2.No special categories of Personal Data as defined in Art. 9(1) of the GDPR are processed according to this Agreement.
5.1.The affected Data Subjects shall include natural persons, Client’s customers, whose personal data is supplied by the Client to the Processor through NotionAddon.
5.2.The Processor does not interact with the Data Subjects directly in any manner without Client’s prior approval.
6.1.Except where this Agreement expressly stipulates any surviving obligation, this Agreement shall follow the term of the Contract.
6.2.The Processor shall Process the Client’s Data for as long as the Client’s Data is necessary for the purpose described in section 3 of this Agreement.
6.3.The Processor shall return to the Client or securely erase Client’s Data from its storage systems as soon as the Client’s Data is no longer necessary for the purpose described in section 3 of this Agreement or the Client requests the Processor to do so. Upon request of the Client, the Processor shall provide the Client with a proof of erasure of the Client’s Data.
7.1.The Processor shall exercise a reasonable degree of care to protect the Client’s Data from misuse, unauthorised access, disclosure, and transfer to any third parties unauthorised by the Client. Such measures shall include, without limitation:
(a) Maintaining adequate access control mechanisms (e.g., two-factor authentication, password protection, and limited access) covering any systems, servers, or files in which the Client’s Data is stored;
(b) DDOS mitigation;
(c) Using encryption for any transmission of the Client’s Data electronically;
(d) Limiting access to the Client’s Data by Processor’s officers, directors, employees, consultants, and representatives only to the purpose stated in section 3 of this Agreement; and
(e) Conducting regular information security audits.
7.2.The Processor hereby declares that it has taken appropriate technical and organisational measures in accordance with Art. 32 GDPR to keep the Client’s Data secure and protected against unauthorised or unlawful processing and accidental loss, destruction or damage, and undertakes to continue doing so during the term of this Agreement.
7.3.If, under applicable laws, the Processor is compelled to disclose the Client’s Data, the Processor shall inform the Client before any such mandatory disclosure within 24 hours after such a disclosure is requested.
7.4.Any significant changes to the security measures listed in section 7.1 of the Agreement shall be documented by the Processor and reported to the Client.
7.5.The Processor shall appropriately document the technical and organisational measures actually implemented (including each update) for the Processing of the Client’s Data and will hand out the then current version of such documentation to the Client, upon Client’s request (e.g., for audit purposes).
7.6.For the purpose of documentation, the Processor shall be entitled to provide evidence for the implementation of the security measures by providing up-to-date attestations, reports or extracts from independent bodies that scrutinise and confirm the Processing of the Client’s Data is in accordance with the agreed to measures herein.
8.1.The Processor may be required to correct, erase and/or block the Client’s Data if and to the extent the functionality of NotionAddon does not allow the Client to do so. However, the Processor shall not correct, erase or block the Client’s Data, unless instructed by the Client.
8.2.Unless the Data Protection Law provides otherwise, there shall not be any direct communication between the Data Subjects and the Processor. In the event that a Data Subject does apply directly to the Processor in writing with a request to exercise Data Subject’s legitimate rights, e.g., to request the correction or deletion of his/her Personal Data, the Processor shall forward this request to the Client without undue delay and shall not respond directly to the Data Subject.
9.1.In addition to any other obligations set out in this Agreement, the Processor shall:
(a) Comply with all laws and regulations applicable to the Processor’s business activities;
(b) Ensure that persons authorised to Process the Client’s Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The Processor shall regularly train those persons to whom it grants access to the Client’s Data on IT security and privacy law compliance. The undertaking to data secrecy shall continue after the termination of this Agreement;
(c) Ensure that any natural person acting under the authority of the Processor who has access to the Personal Data does not process them except on instructions from the Client;
(d) Assist the Client in compliance with Client’s obligations under the applicable Data Protection Law;
(e) Make available to the Client all information necessary to demonstrate compliance with Processor’s obligations under the Agreement, the Data Protection Law, and allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client;
(f) Appoint a data protection officer if it is legally obliged to do so or, if it is not obliged to do so, a contact person for data protection issues;
(g) Provide the Client, upon request in writing, with the name and contact details of its data protection officer or the contact person for data protection issues;
(h) Monitor the Processing by way of regular reviews concerning the performance of and compliance with this Agreement, the Contract, and the applicable Data Protection Law;
(i) At Client’s written request, reasonably support the Client in dealing with requests from individual Data Subjects and/or a supervisory authority with respect to the Processing of the Personal Data hereunder;
(j) Assist the Client with the implementation of appropriate technical and organisational measures in order to respond to applications by the Data Subjects for the exercise of their rights (in particular, Art. 13 to 23 of the GDPR);
(k) Provide at minimum the information in accordance with Art. 33(3) of the GDPR in the case of a Personal Data breach;
(l) Communicate the necessary information to the Data Subjects after a Personal Data breach pursuant to Art. 34 of the GDPR; and
(m) Conduct prior (i.e. before the start of the processing) data protection impact assessments (if applicable, pursuant to Art. 35 of the GDPR) and, if necessary, consult with a supervisory authority (if applicable, pursuant to Art. 36 of the GDPR).
9.2.The Processor commits to observe any and all other duties that are imposed to the Processor by the Data Protection Law (if applicable, Art. 28 of the GDPR).
9.3.The Processor shall collaborate with Client’s data protection officer to generate the records of processing activities, (if applicable, pursuant to Art. 30 of the GDPR), and provide all the necessary details to the Client.
10.1.The Client hereby authorises the Processor to engage Sub-processors as specified in Processor’s privacy policy, provided that the Processor remains responsible for any acts or omissions of its Sub-processors in the same manner as for its own acts and omissions hereunder.
10.2.The Processor may remove or appoint suitable and reliable other Sub-processor(s) at its own discretion in accordance with the following conditions:
(a) The Processor shall inform the Client fourteen (14) days in advance of any envisaged changes to the list of Sub-processors;
(b) If the Client has legitimate data protection related reason to object to Processor’s use of Sub-processor(s), the Client shall notify the Processor within fourteen (14) days after receipt of the Processor’s notice;
(c) If the Client does not object during this time period, the new Sub-processor(s) shall be deemed accepted;
(d) If the Client objects to the use of the Sub-processor(s) concerned, the Processor shall have the right to cure the objection through one of the following options (to be selected at Processor’s sole discretion):
(i) The Processor will abort its plans to use the Sub-processor(s) with regard to the Client’s Data; or
(ii) The Processor will take corrective steps and proceed to use the Sub-processor(s) with regard to the Client’s Data.
(e) If the Processor decides not to implement option 10.2.d.i or 10.2.d.ii above, the Processor shall notify the Client without undue delay. In this case, the Client shall be entitled within further fourteen (14) days to notify in writing the Processor about its termination of the Agreement and any such termination would become effective upon the expiry of the second (2nd) calendar month after Processor’s receipt of the termination notice.
10.3.The Processor shall pass on to its subcontractors acting as the Sub-processors Processor’s obligations under this Agreement.
10.4.The Processor shall ensure that, where the Client’s Data is transferred from the territory where the Client is located, appropriate safeguards, including the transfer mechanisms listed in section 14, are applied by the Processor to ensure that the Client’s Data is further processed in a secure manner compliant with this Agreement and the Data Protection Law.
11.1.Within 24 hours after the Processor becomes aware of any unauthorised use or disclosure of the Client’s Data, the Processor shall promptly report the unauthorised use or disclosure of the Client’s Data to the Client.
11.2.The Processor shall cooperate with any remediation that the Client, in its discretion, determines is necessary to (i) address any applicable reporting requirements and (ii) mitigate any effects of unauthorised use or disclosure of the Client’s Data.
11.3.In consultation with the Client, the Processor must take appropriate measures to secure the Client’s Data and limit any possible detrimental effect on the Data Subjects. Where obligations are placed on the Client under the Data Protection Law, the Processor shall provide commercially reasonable assistance in meeting them.
12.1.If the Processor receives a request, subpoena or court order (including through an obligation due to legal provisions or official injunctions from state authorities) requesting to provide any Client’s Data to an authority, the Processor shall attempt to redirect the relevant authority to request that data directly from the Data Controller, and notify the Client without undue delay.
12.2.Where the Client’s Data becomes subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while in Processor’s control, the Processor shall notify the Client of such action without undue delay.
13.1.The Instructions to the Processor are initially laid out in this Agreement. However, the Client shall be entitled to issuing modifications to Instructions and to issue new Instructions, subject to feasibility.
13.2.The Client shall designate a person competent to issue the Instructions. Modifications or new Instructions shall be issued in writing and shall need to be agreed between the Parties as a contract modification/change request under this Agreement.
13.3.The Processor shall not be obligated to perform a comprehensive legal examination and shall in no event render any legal services to the Client.
13.4.The Processor shall not be responsible for any consequences of the Instructions issued by the Client and the Client shall indemnify and hold the Processor harmless against any damages and third-party claims resulting from the Instruction.
13.5.Unless otherwise agreed, the Processor shall be entitled to charge any efforts incurred in connection with the Instructions on time and material basis.
14.1. The Processor makes available the transfer mechanisms, namely, concluding data processing agreements based on the EU Standard Contractual Clauses, which shall apply to any transfers of the Personal Data under this Agreement from the EU, the European Economic Area and/or their member states, Switzerland, and the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of the GDPR.
14.2.For any other cross-body transfers of Personal Data, the Processor shall take steps necessary to ensure the compliance with the applicable data protection rules and regulations.
15.1.No modification of this Agreement shall be valid and binding unless made in writing and then only if such modification expressly states that such modification applies to the regulations of this Agreement. The foregoing shall also apply to any waiver or modification of this mandatory written form.
15.2.This Agreement shall take precedence over any conflicting provisions of the Contract.
15.3.This Agreement will commence on the date when both Parties sign the Agreement and continue until terminated earlier by either Party.
15.4.Either Party may terminate this Agreement for any reason upon thirty (30) calendar days’ notice to the other Party.
15.5.Each Party may terminate this Agreement with immediate effect by delivering a notice of the termination to the other Party if:
(a) The other Party fails to perform, has made or makes any inaccuracy in, or otherwise materially breaches, any of its obligations, covenants, or representations; and
(b) The failure, inaccuracy, or breach continues for a period of thirty (30) calendar days’ after the injured Party delivers notice to the breaching Party reasonably detailing the breach.
15.6.If either Party becomes insolvent, bankrupt, or enters receivership, dissolution, or liquidation, the other Party may terminate this Agreement with immediate effect.
15.7.Upon expiration or termination of this Agreement or on Client’s request, the Processor shall:
(a) Promptly securely delete or return any Client’s Data available to the Processor and any other information and documents, provided by the Client; and
(b) Deliver to the Client a certificate confirming Processor’s compliance with the destruction obligation under this section 15.7.
15.8.Neither Party may assign this Agreement or any of their rights or obligations under this Agreement without the other Party’s prior consent.
15.9.The Parties shall attempt to resolve any dispute arising out of or relating to this Agreement in a good faith through negotiations between senior executives of the Parties, who have authority to settle the same. If the matter is not resolved by negotiation within thirty (30) days of receipt of a written invitation to negotiate, the dispute shall be resolved by using binding arbitration services.
15.10.The headings used in this Agreement and its division into sections, schedules, exhibits, appendices, and other subdivisions do not affect its interpretation.
15.11.If there is any inconsistency between the terms of this Agreement and those in any document entered into under this Agreement, the terms of this Agreement shall prevail. The Parties shall take all necessary steps to conform the inconsistent terms to the terms of this Agreement.
The Processor The Client
Name: ______________ Name: ______________
Title: ______________ Title: ______________
Date: ______________ Date: ______________
Signature: ______________ Signature: ______________