Data Processing Agreement
EFFECTIVE JUNE 14, 2026
1. Parties and roles
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you (the "Customer", acting as controller) and SKAJ Ventures GmbH, Sonnenlandstraße 4, 14471 Potsdam, Germany ("Processor", "we"), the operator of CoNote. It governs the processing of personal data we carry out on the Customer's behalf under Article 28 of the GDPR. Where this DPA conflicts with the Terms, this DPA prevails for matters of data protection.
2. Subject matter and duration
The subject matter is the processing of personal data contained in the Customer's logbook content in order to provide the Service. Processing lasts for the term of the Customer's use of the Service and ends with deletion as described in section 10.
3. Nature, purpose, and categories
Nature and purpose: hosting, storing, organizing, and displaying the events and metadata the Customer logs manually, imports via CSV, or sends through integrations and inbound webhooks, solely to operate the Service.
Categories of data subjects: the Customer's team members and any individuals referenced in the content the Customer submits.
Categories of personal data: names and email addresses of team members, and any personal data the Customer chooses to include in note titles, descriptions, metadata, or imported and integration-sourced events. The Customer must not submit special categories of data (Art. 9 GDPR) through the Service.
4. Our obligations as processor
- process personal data only on the Customer's documented instructions, including the configuration of the Service and this DPA, unless required otherwise by law;
- ensure persons authorized to process the data are bound by confidentiality;
- implement the technical and organizational measures described in section 11;
- inform the Customer if, in our opinion, an instruction infringes data protection law.
5. Sub-processors
The Customer grants general authorization for us to engage sub-processors. We impose data protection obligations on each sub-processor equivalent to those in this DPA and remain responsible for their performance. Our current sub-processors are:
- Vercel Inc. (hosting)
- Neon Inc. (PostgreSQL database)
- Stripe, Inc. (payment processing)
- Resend (transactional email)
- Upstash, Inc. (rate limiting), where configured
We will give at least 30 days' notice before adding or replacing a sub-processor. The Customer may object on reasonable data protection grounds; if the objection cannot be resolved, the Customer may terminate the affected Service.
6. Assistance to the Customer
Taking into account the nature of the processing, we assist the Customer with appropriate measures in responding to data subject requests (Art. 15 to 22 GDPR) and in meeting the Customer's obligations under Art. 32 to 36 GDPR, including security, breach notification, and data protection impact assessments. Where a data subject contacts us directly, we forward the request to the Customer without undue delay.
7. Personal data breaches
We notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's data, and provide the information the Customer reasonably needs to meet its own notification obligations.
8. International transfers
Where a sub-processor processes personal data outside the European Economic Area, such transfers are safeguarded by the European Commission's Standard Contractual Clauses or an adequacy decision. Copies of the relevant safeguards are available on request.
9. Audits
We make available the information necessary to demonstrate compliance with Art. 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates. Audits take place during normal business hours, on reasonable prior notice, and in a manner that does not disrupt our operations or compromise other customers' data.
10. Return and deletion
On termination of the Service, or on the Customer's request, we delete the Customer's personal data within a commercially reasonable period, except where storage is required by law. The Customer can export its content before deletion using the in-product export.
11. Technical and organizational measures
We maintain technical and organizational measures appropriate to the risk, including:
- encryption of data in transit (TLS) and encryption of integration and webhook credentials at rest (AES-256-GCM);
- passwords stored only as hashes;
- strict tenant isolation: all data is scoped to the Customer's team and access is authenticated and authorized per request;
- access controls, rate limiting, and security logging;
- regular backups and use of reputable infrastructure providers.
12. Contact
Data protection enquiries: hello@conote.io.