Evernote Teams Data Processing Addendum
This Evernote Teams Data Processing Addendum (“Addendum”) is between Bending Spoons S.p.A. (“Processor”) and Customer and is incorporated into the Evernote Teams Agreement (“Agreement”). This Addendum applies to the extent that Processor processes Customer Personal Data (defined below) in connection with the Agreement. All capitalized terms not defined in this Addendum shall have the meanings set forth in the Agreement.
1. Definitions.
- “Applicable Data Protection Law” means any applicable law or regulation concerning privacy and data protection that governs the processing of Personal Data, including the following laws, as may be amended, modified, supplemented, or restated: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) the Brazilian General Data Protection Law (Law No. 13,709/18 or “LGPD”); and (iii) the California Consumer Privacy Act at Cal. Civ. Code § 1798.100 et seq., and its implementing regulations (“CCPA”).
- “Customer Personal Data” means Personal Data provided by Customer to Processor for Processor to process on behalf of Customer in connection with the Evernote Teams Service.
- “EEA” means the European Economic Area.
- “Personal Data” means any information relating to an identified or identifiable natural person that Customer provides to Processor pursuant to the Agreement in connection with the Evernote Teams Service.
- “Personal Data Breach” means a breach of Processor’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
- “process/processing”, “controller”, “processor”, “business”, “consumer”, and “service provider” shall have the same meaning as in Applicable Data Protection Law.
- “Subprocessor” means any processor or service provider engaged by Processor to assist in fulfilling its obligations with respect to providing the Evernote Teams Service pursuant to the Agreement where such processor or service provider processes Customer Personal Data.
2. Processor’s Role and Obligations.
- Processor shall process Customer Personal Data on Customer’s behalf and in accordance with Customer’s lawful written instructions, unless required to do so by applicable laws to which Processor is subject. Processor acts as a processor or service provider under Applicable Data Protection Law; a description of the processing of Customer Personal Data in connection with the Evernote Teams Service is set out in Exhibit A.
- To the extent the CCPA applies to Customer Personal Data: Processor shall not “sell” or “share” Customer Personal Data within the meaning of the CCPA. Processor shall notify Customer if Processor determines that it can no longer meet its obligations under the CCPA. Processor shall not collect, retain, use, disclose, or otherwise process Customer Personal Data for any purpose other than: (i) to perform the Evernote Teams Service; (ii) to retain and employ another processor or service provider as a Subprocessor pursuant to Applicable Data Protection Law; (iii) for internal use by Processor to build or improve the quality of its services; (iv) to detect data security incidents, or protect against fraudulent or illegal activity; (v) for the following purposes: (1) to comply with federal, state, or local laws; (2) to comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities; or (3) to exercise or defend legal claims; or (vi) as otherwise permitted by Applicable Data Protection Law.
- In accordance with Applicable Data Protection Law, Processor will implement and maintain technical and organizational measures to protect Customer Personal Data from Personal Data Breaches. Processor shall ensure that each person authorized to process Customer Personal Data has agreed to appropriate confidentiality obligations.
- To the extent required under Applicable Data Protection Law, Processor shall process and retain Customer Personal Data within the EEA and, in the event of transfers of Customer Personal Data to countries outside the EEA, shall adopt the guarantees required by the GDPR, including the Standard Contractual Clauses of the European Commission Implementing Decision (EU) 2021/914.
3. Customer’s Role and Obligations.
Customer is solely liable for compliance with its obligations under Applicable Data Protection Law in its use of the Evernote Teams Service and any processing instructions it provides to Processor. Customer acts as the controller or business under Applicable Data Protection Law. Customer shall comply with Applicable Data Protection Law, including without limitation, and to the extent required: (a) providing notice; (b) obtaining consent; (c) honoring access, deletion, correction, restriction, opt-out, and opt-in rights and requests; and (d) otherwise ensuring that it and Processor (and Processor’s subsidiaries, affiliates, and Subprocessors) have any and all rights required in order for Processor to collect, retain, use, disclose, and otherwise process Customer Personal Data under the Agreement. Customer represents and warrants that it has an appropriate legal basis under Applicable Data Protection Law to process and disclose Customer Personal Data to Processor.
4. Subprocessing.
Customer agrees that Processor may engage Subprocessors, which may include Processor subsidiaries, affiliates, or other third parties, to process Customer Personal Data on Customer’s behalf. A list of Subprocessors engaged by Processor and authorized by Customer is available at https://evernote.com/privacy/vendors. Processor shall enter into a written agreement with each Subprocessor requiring the Subprocessor to guarantee a similar level of data protection to that provided herein. Processor will provide reasonable notice to Customer before engaging a new Subprocessor of Customer Personal Data. Customer must subscribe to receive such notice of updates to the list of Subprocessors using the link above in this Section 4. Customer may object in writing to Processor’s engagement of a new Subprocessor within ten (10) calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection. In such event, the Processor and Customer will discuss such concerns in good faith.
5. Cooperation.
- Processor Responsibilities. To the extent required under Applicable Data Protection Law, Processor shall assist Customer in complying with an individual rights request. If Processor receives an individual rights request and Processor determines that the individual is an end-user under Customer’s account, Processor will make commercially reasonable efforts, to the extent allowed by law, to: (i) promptly notify Customer of Processor’s receipt of a request; and (ii) provide Customer with information required for Customer to respond to the request, if Customer is otherwise unable to respond to the request. If Processor is prohibited from notifying Customer of a request or if Customer fails to promptly respond to any request, then Processor may respond to the individual, but will not be obligated to do so, unless otherwise required by Applicable Data Protection Law. At Customer’s request and expense, and to the extent required under Applicable Data Protection Law, Processor shall provide reasonably requested information to assist Customer in carrying out data protection impact assessments or prior consultations.
- Customer Responsibilities. Customer understands and agrees that it is solely responsible for responding to requests to exercise individual rights and that Processor shall have no responsibility to respond directly to an individual on Customer’s behalf. Customer will seek to obtain information required to respond to the requests and will contact Processor only if it cannot comply with the request despite diligent efforts. Where Applicable Data Protection Law applies, Customer shall only submit inquiries and requests to Processor where related to a request to exercise individual rights under Applicable Data Protection Law. For example, where the CCPA applies, Customer shall only submit CCPA-related inquiries and requests to Processor where related to a request from a California consumer, and will not submit CCPA-related inquiries or requests for individuals who would not be considered consumers under the CCPA. Pursuant to Applicable Data Protection Law, Customer shall provide Processor with the information necessary for Processor to assist Customer in complying with a rights request.
6. Audits.
- To the extent required by Applicable Data Protection Law and upon Customer’s request (not to exceed one request per calendar year), provided that Customer has entered into an applicable non-disclosure agreement with Processor, Processor shall provide written responses (on a confidential basis) to all reasonable requests for information related to Processor’s processing of Customer Personal Data that are necessary to confirm Processor’s compliance with this Addendum.
- Only to the extent Customer cannot reasonably confirm Processor’s compliance with this Addendum through the exercise of its right under Section 6.1, where required by Applicable Data Protection Law, Customer or an accredited third-party auditing firm agreed to by Customer and Processor may audit Processor’s compliance with this Addendum during the term of the Agreement, provided that: (i) Customer and, if applicable, the accredited third-party firm have entered into an applicable non-disclosure agreement with Processor; (ii) the audit is conducted during Processor’s regular business hours in a manner that is not disruptive to Processor’s business, upon reasonable advance notice to Processor of no less than sixty (60) days and subject to reasonable confidentiality procedures; and (iii) before the commencement of the audit, Customer and Processor will mutually agree upon the timing, duration, and scope of the audit. Customer may not audit Processor more than once in any twelve-month period. Customer is responsible for all costs and fees related to any such audit, including all reasonable costs and fees for any and all time Processor expends on the audit. Customer will promptly notify Processor of information regarding any non-compliance discovered during the course of the audit.
7. Personal Data Breaches.
- To the extent required by Applicable Data Protection Law, Processor will notify Customer without undue delay after becoming aware of a Personal Data Breach. Processor’s notification of or response to a Personal Data Breach will not constitute or otherwise be construed as an acknowledgment of fault or liability with respect to the Personal Data Breach.
- Processor will provide Customer with information as required under Applicable Data Protection Law, taking into account the information available to Processor. Processor will take reasonable measures to mitigate the effects of a Personal Data Breach.
8. Deletion or Return of Data.
At the end of the provision of the Evernote Teams Service, upon Customer’s written request, Processor will delete or return all Customer Personal Data. Any Customer Personal Data that is not immediately deleted will continue to be protected as set forth in this Addendum and will be deleted per Processor’s data retention policy. Notwithstanding the foregoing, to the extent Processor is required by applicable laws to retain some or all of the Customer Personal Data, Processor will not be obligated to delete the retained Customer Personal Data, which will continue to be protected as set forth in this Addendum.
9. Miscellaneous.
- The Processor and Customer agree that this Addendum shall replace and supersede any existing Data Processing Addendum, Data Processing Amendment, or other agreement, addendum, attachment, or exhibit the Customer has previously entered into in connection with the processing of Customer Personal Data for the Evernote Service.
- Where Customer makes any revisions to this Addendum, the Addendum is not valid and has no legal effect.
- Except for the changes made by this Addendum, the Agreement remains unchanged and in full force and effect. If there is any conflict between any provision in this Addendum and any provision in the Agreement, this Addendum controls and takes precedence to the extent of such conflict.
- The relationship between Processor and Customer remains subject to the terms and conditions, including the exclusions and limitations of liability set out in the Agreement. Each party’s liability is limited in accordance with the Agreement.
- This Addendum remains in effect until the later of (i) the expiration or termination of the Agreement, and (ii) the return or deletion of Customer Personal Data in accordance with this Addendum.
EXHIBIT A
Description of Processing
1. Categories of data subjects. Personal Data which may be processed is related to the following categories of data subjects:
- Customer and Customer’s end users (including Administrators and End Users).
2. Categories of Personal Data. Personal Data which may be processed includes, without limitation, the data described below. Processor maintains an up-to-date list of personal data processed in the Privacy Policy, available at https://evernote.com/privacy:
- End user identifiers such as name, email address, contact preferences, telephone numbers, images and other personal information, location and calendar information, Content stored by or shared with end users, logs of actions performed by end users in relation to their use of the Evernote Teams Service, and information about how end users access the Evernote Teams Service.
- Customer information, including the name and email address of the Customer, email address of any account administrator, and professional or employment-related information relating to Account Holders and account administrators.
- Electronic identifiers and related data such as IP address, mobile number, and pixel or cookie data relating to End Users.
- Geo-location and user preference data indicating the geographic area where End Users interact with the Evernote Teams Service; language(s) selected by the End User.
3. Special categories of Personal Data. Processor does not intentionally collect or process any special categories of Personal Data (as defined under the GDPR) in the provision of the Evernote Teams Service.
4. Processing operations. Personal Data processed will be subject only to the processing activities necessary to provide, support, and improve the Evernote Teams Service under the Agreement.