Data Processing Addendum (DPA)
This DPA applies when XeoNote processes personal data on behalf of customers under UK GDPR.
Roles of the parties
Customer is the controller (or processor, where relevant) and XeoNote is the processor for customer personal data in service content.
Processing details
- Subject matter: provision of note-taking and collaboration services
- Duration: term of the customer agreement plus lawful retention periods
- Nature: collection, storage, retrieval, organisation, and deletion of customer content
- Data subjects: customer users, collaborators, and end users represented in customer content
- Categories of data: identity, contact, content, collaboration, and usage metadata
Processor obligations
- Process data only on documented customer instructions
- Ensure confidentiality obligations for authorised personnel
- Apply appropriate technical and organisational security controls
- Assist with data subject rights and regulatory obligations
- Notify customer of personal data breaches without undue delay
Subprocessing
XeoNote uses approved subprocessors for infrastructure, billing, and communications. Current subprocessors are listed on the Subprocessors page.
For material subprocessor changes, XeoNote provides advance notice where practicable (target: 30 days).
International transfers
Where data is transferred outside the UK, XeoNote applies recognised safeguards, including contractual controls and supplementary measures where required.
Audit and assurance
XeoNote provides reasonable information necessary to demonstrate compliance with obligations under applicable data protection law.
Security evidence in product

Execution
This DPA forms part of the customer agreement and applies automatically to processing activities covered by that agreement unless separate enterprise terms are executed.
Contact
For DPA and procurement requests, email privacy@xeonote.com.
