Data Processing Addendum (DPA)

1. Scope

This DPA summary applies where customer data is processed by Noteroom as a processor on behalf of a controller customer organization.

2. Processing Instructions

Noteroom processes personal data only on documented instructions from the customer and to provide contracted services.

3. Security Measures

We apply access controls, encryption in transit, role-restricted infrastructure access, and operational safeguards aligned to service risk.

4. Confidentiality

Personnel with access to personal data are bound by confidentiality obligations and receive role-appropriate data protection expectations.

5. Subprocessors

Approved subprocessors are listed at Subprocessors. Customer objections and notifications are handled per enterprise contract terms.

6. International Transfers

Where required, Noteroom relies on lawful transfer mechanisms and contractual safeguards.

7. Data Subject And Regulatory Assistance

Noteroom provides reasonable assistance for customer responses to verified data subject requests, DPIAs, and regulator inquiries where required and technically feasible.

8. Security Incident Notification

Where required by applicable law and contract, Noteroom notifies the customer without undue delay after confirming a personal data breach impacting customer personal data.

9. Return Or Deletion

At contract end and on documented instruction, customer personal data is returned or deleted in accordance with product capabilities, backup windows, and legal retention obligations.

10. Audits And Information Requests

Noteroom provides reasonable documentation and responses to customer due-diligence requests, subject to confidentiality, security, and proportionality limits.

11. Enterprise Contracting

This page is a summary. Final DPA obligations are governed by the executed enterprise agreement between parties.

Request formal DPA paperwork via support@noteroom.app.