SCINOTE DATA PROCESSING ADDENDUM
Effective date: July 1st, 2025
I. Introductory Provisions
1. In the course of providing the Services to the Customer, SciNote may process Personal Data, which is included in the Research Data, on behalf of the Customer. It is the sole responsibility of the Customer to identify whether or not SciNote is considered a Processor of Personal Data, which Processes the Personal Data on Customer’s behalf.
2. This Data Processing Addendum (hereinafter: DPA) is incorporated into the Contract by reference. By entering into the Contract in accordance with the Terms of Service, the Customer enters into this DPA (including, where applicable, the Standard Contractual Clauses).
3. This DPA applies only if Research Data includes Personal Data and shall be valid and legally binding only if the Parties entered into a Contract by signing an Order Form or similar instrument, which presents the basis for provision of Services by SciNote to the Customer and subsequently presents the basis for Personal Data Processing by SciNote on behalf of the Customer when providing the Services.
4. The DPA is effective as of the Contract Effective Date and shall follow the Term of the Contract.
5. This DPA replaces any previously applicable data processing provisions. If there is a conflict between the provisions of the Order Form, Terms of Service and this DPA, the order of precedence shall be: i) this DPA, ii) Order Form, iii) Terms of Service.
II. Definitions
6. Capitalized terms defined in the Terms of Service apply to this DPA, if not defined otherwise herein. The terms used in this DPA shall have the following meaning:
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
“Data Subject” means an identified or identifiable natural person, whereas the later is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“EEA” means the European Economic Area and its member states.
“EU” means the European Union and its member states.
“Instructions” means the written, documented instructions issued by a Controller to a Processor, and directing the same to perform a specific or general action with regard to Personal Data.
“Personal Data Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by SciNote and/or SciNote’s Sub-Processors in connection with the provision of Services.
“Personal Data Protection Laws” means all applicable worldwide legislation relating to personal data protection and privacy, which applies to the respective Party in the role of Processing Personal Data in question under the Contract, including personal data protection laws applicable in i) Europe: a) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (hereinafter: GDPR), b) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector, c) GDPR as it forms parts of the United Kingdom law (hereinafter: UK GDPR), and d) Swiss Federal Data Protection Act and its Ordinance (hereinafter: Swiss DPA); ii) the US: e) California Consumer Privacy Act of 2018 (hereinafter: CCPA), as amended by the California Privacy Rights Act of 2020 (hereinafter: CPRA) and f) other applicable U.S. federal and state privacy laws; and iii) the data protection and privacy laws of Australia, Brazil, Canada, Mexico, Singapore, and Japan.
“Personal Data” means any information relating to a Data Subject, which is contained within Research Data.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
“Standard Contractual Clauses” means the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021 currently found at https://eur-lex.europa.eu/eli/dec_impl/2021/914, as as amended from time to time.
“Sub-Processor” means a third party authorized by SciNote as another Processor under this DPA to have access to and process Personal Data.
“Terms of Service” means SciNote Terms of Service, as available at: https://www.scinote.net/legal/terms-of-service/, as amended from time to time.
III. Customer’s Obligations
7. Customer shall, when using the Services, be responsible for its compliance with applicable Personal Data Protection Laws, for its Processing of Personal Data and for the Instructions issued to SciNote.
8. Customer ensures that it disposes with a lawful basis for the Processing of Personal Data, which is Processed by SciNote in performing its obligations under the Contract.
9. Customer is solely responsible for i) the accuracy and legality of Personal Data and the means by which the Customer acquired and Processes Personal Data, ii) complying with all necessary transparency and lawfulness requirements under applicable Personal Data Protection Laws for the Processing of the Personal Data, including obtaining any necessary consents and authorizations, iii) ensuring the Customer has the right to transfer, or provide access to, the Personal Data to SciNote for Processing in accordance with the terms of the Contract (including this DPA), and iv) ensuring that Customer’s Instructions to SciNote comply with applicable Personal Data Protection Laws.
10. Customer shall inform SciNote without undue delay if it is unable to comply with its obligations under this Section III. Customer’s Obligations or applicable Personal Data Protection Laws.
11. Customer is responsible for independently determining whether the data security of the Services adequately meets Customer’s obligations under applicable Personal Data Protection Laws.
12. The Customer is responsible for its secure use of the Services and its storage of any copies of Personal Data within or outside the Services, including securing the account authentication credentials, systems and devices Customer uses to access the Services as well for secure backups and encryption of Personal Data. The Customer is responsible for the security of Personal Data in transit to and from the Services.
IV. Customer’s Instructions
13. Parties agree that the Contract, including this DPA, and the Customer’s use of the Services in accordance with the Contract, constitute the Customer’s complete Instructions to SciNote in relation to the Processing of Personal Data.
14. During the Term, the Customer may provide additional written Instructions, which must be consistent with the Contract, and the nature and lawful use of the Services. Additional written Instructions given by Customer must be acknowledged by SciNote to constitute Instructions for purposes of this DPA.
V. SciNote’s Obligations
15. SciNote shall Process the Personal Data only for the purposes of defined in this DPA and within the scope of Customer’s lawful Instructions, unless otherwise required by applicable Personal Data Protection Laws or other applicable laws. SciNote is not responsible for compliance with any Personal Data Protection Laws, which are applicable to the Customer or its industry and which are not generally applicable to SciNote.
16. If SciNote cannot Process Personal Data in accordance with Customer’s Instructions due to a legal requirement under any applicable law, SciNote will i) promptly notify the Customer of that legal requirement to the extent permitted by the applicable law; and ii) where necessary, cease all Processing of Personal Data (other than storing and maintaining the security of the Personal Data) until such time as the Customer issues new lawful Instructions, with which SciNote can comply. If this provision is invoked, SciNote shall not be liable to the Customer for any failure to perform the Services until such time as the Customer issues new lawful Instructions for the Processing of Personal Data.
VI. Deletion of Personal Data
17. During the Term and in a manner consistent with the functionality of SciNote ELN and Services SciNote will enable Customer and Users to delete Personal Data, which may be deleted without compromising SciNote ELN and Services and their normal performance.
18. Upon expiry of the Term or termination of the Contract, SciNote shall delete all Research Data, including Personal Data Processed in accordance with this DPA. SciNote recommends that the Customer retrieves its Research Data prior to the end of the Term.
19. Where SciNote is required by applicable law to retain some or all of the Research Data, or where SciNote has archived Research Data on back-up systems, whereas the Research Data will be securely isolated and protected from any further Processing and deleted in accordance with SciNote’s deletion practices, Sections 17 and 18 hereof shall not apply.
20. During the Term, SciNote shall enable the Customer, in accordance with the functionalities of SciNote ELN, to access, rectify and restrict Processing of Personal Data, as well as to delete and export Personal Data.
VII. Security Measures
21. SciNote will implement and maintain technical and organizational measures to protect the Personal Data against Personal Data Incidents, as described under Schedule B to this DPA (hereinafter: Security Measures). Notwithstanding any provision to the contrary, SciNote reserves the right to modify or update the Security Measures at its discretion provided that such modification or update does not result in a material degradation in the protection offered by the Security Measures.
22. SciNote shall take appropriate steps to ensure compliance with the Security Measures by its employees, contractors and Sub-Processors to the extent applicable to their scope of performance of Personal Data Processing activities and shall ensure that all persons authorized to process Personal Data (including Sub-Processors) are subject to appropriate confidentiality obligations (contractual or statutory) with respect to that Personal Data.
VIII. Assistance with Data Subject Requests
23. SciNote shall, taking into account the nature of Processing of Personal Data, reasonably i) assist the Customer with appropriate technical and organizational measures for the purpose of fulfilment of the Customer’s obligation to respond to requests for exercising the Data Subject’s rights provided to them by Personal Data Protection Laws; ii) cooperate with the Customer to respond to any requests, complaints or other communications from Data Subjects relating to the Processing of Personal Data under the Contract and this DPA, including requests from Data Subjects seeking to exercise their rights under applicable Personal Data Protection Laws. Customer shall reimburse SciNote for the commercially reasonable costs arising from this assistance.
24. In the event that any such request, complaint or communication by Data Subject is made directly to SciNote, SciNote shall promptly inform the Customer. The Customer will be solely responsible for responding substantively to any such Data Subject requests or communications involving Personal Data.
IX. Assistance with Customer’s Compliance
25. SciNote shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down by this DPA and allow for and contribute to audits, requested by the Customer in accordance with with Section 26 hereof. SciNote shall provide written responses (on a confidential basis) to all reasonable requests for information made by the Customer necessary to confirm SciNote’s compliance with this DPA, provided that the Customer will not exercise this right more than once per calendar year unless you have reasonable grounds to suspect SciNote’s non-compliance with the DPA.
26. Customer may, in the case there is reasonable doubt regarding the appropriateness of Security Measures and if SciNote does not provide appropriate evidence demonstrating compliance, demand that an audit of Security Measures is performed. In case an audit is demanded, the Customer and SciNote shall agree on the timing and scope of the audit. All costs of such audit shall be borne by the Customer. SciNote shall cooperate with the auditor. The auditor shall be obligated to present to SciNote a proper authorization given by the Customer, authorizing the auditor to perform the audit. Customer shall reimburse SciNote for the commercially reasonable costs arising from its cooperation hereunder.
27. The Customer agrees that it will, when reviewing SciNote’s compliance with this DPA, take all reasonable measures to limit any impact on SciNote and its Affiliates by combining several audit requests carried out on behalf of the Customer in one single audit.
X. Personal Data Incident
28. If a Personal Data Incident occurs, SciNote shall inform the Customer without undue delay after becoming aware of a Personal Data Incident and shall take reasonable steps to minimize harm to Personal Data. provide timely information relating to the Personal Data Breach as it becomes known or reasonably requested by you
29. SciNote shall provide the Customer with a written description, to the extent possible, of the Personal Data Incident, including the nature of the Personal Data Incident, measures taken by SciNote to mitigate the risks associated with the Personal Data Incident and actions proposed to be taken by the Customer to mitigate the possible adverse effects of the Personal Data Incident, as soon as such information becomes known or available to SciNote.
30. At Customer’s request, SciNote will promptly provide the Customer with such reasonable assistance as necessary to enable the Customer to notify relevant Personal Data Incidents to competent authorities and/or affected Data Subjects, if the Customer is required to do so under Personal Data Protection Laws.
31. SciNote’s notification under this Section X. Personal Data Incident shall not be construed as an acknowledgement by SciNote of any fault or liability with respect to the Personal Data Incident.
XI. Sub-Processing of Personal Data
32. Customer specifically authorizes the engagement of Sub-Processors, i) which are listed in Schedule C (as may be updated by SciNote from time to time in accordance with this DPA) and ii) all other SciNote Affiliates. Customer authorizes the engagement of any other third parties as Sub-Processors.
33. When engaging a Sub-Processor, SciNote shall ensure that all Sub-Processors are bound to provide at least the same level of Personal Data protection as is provided with this DPA. SciNote shall remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Sub-Processor with regard to SciNote’s obligations under this DPA.
34. When a new Sub-Processor is engaged, SciNote shall update the the list of Sub-Processors, indicating intended changes concerning the addition or replacement of Sub-Processors, thereby giving the Customer the opportunity to object to such changes to Sub-Processors. Customer may, within 5 days after being notified of the engagement of a new Sub-Processor, object to the engagement of a new Sub-Processor. If the Customer objects to the engagement of a new Sub-Processor, the Parties will engage in discussions with the aim of achieving a commercially reasonable solution. If no such solution is reached, SciNote will, at its discretion, i) appoint a new Sub-Processor or ii) allow the Customer to terminate the Contract, without any liability to SciNote. If the Customer does not object to the new Sub-Processor within the determined deadline, it is considered that the Customer has no objections towards the new Sub-Processor. Updates to the list of Sub-Processors do not constitute a change or modification of this DPA.
XII. Personal Data Transfers
35. SciNote, as the Processor of Personal Data, is a company registered and operating in United States. The Customer hereby acknowledges and agrees that SciNote may Process Personal Data on a global basis as necessary to provide the Services in accordance with the Contract. The Customer further acknowledges and agrees that Personal Data may be transferred to and Processed by SciNote in the United States and to other jurisdictions where SciNote’s Affiliates and Sub-Processors are located. Wherever Personal Data is transferred outside its country of origin, each Party shall ensure such transfers are made in compliance with Personal Data Protection Laws.
XIII. Limitation of Liability
36. Any limitation of liability agreed between the Parties in the Contract and/or included in the Terms of Service, shall also apply to this DPA, meaning that the combined liability of either Party towards the other Party shall be limited as stipulated in the Terms of Service. This limitation of liability extends also to Standard Contractual Clauses, if entered into.
XIV. Miscellaneous
37. In the event any provision of the DPA is considered to be invalid, unlawful, non-enforceable or null and void, this will not result in the invalidity, unlawfulness, non-enforceability or nullity of the entire DPA. In this case, the Parties are released from all rights and responsibilities ensuing from such a provision, but only in as far as this provision is invalid, non-enforceable or null and void. In this event, SciNote will use its best efforts to replace such a provision by a valid clause that has the nearest possible economic and legal significance.
38. Provisions of the Terms of Service regarding governing law and jurisdiction shall be applicable to this DPA, unless required otherwise by Personal Data Protection Laws.
39. Notwithstanding anything else to the contrary in the Contract or this DPA, SciNote reserves the right to make any updates and changes to this DPA.
XV. Country Specific Provisions
40. EUROPE (EU, EEA, Switzerland, United Kingdom)
i) This Section 40 applies only to Personal Data, which is subject to the protection of GDPR, UK GDPR or Swiss DPA (hereinafter: European Personal Data).
ii) When Processing European Personal Data in accordance with Customer’s Instructions, the Parties acknowledge and agree that the Customer is acting as the Controller of European Personal Data (either as the Controller, or as a Processor on behalf of another Controller) and SciNote is acting as the Processor of Personal Data, Processing Personal Data on behalf of the Customer.
iii) SciNote shall without undue delay inform the Customer if, in its opinion, Customer’s Instructions infringe GDPR, UK GDPR or Swiss DPA.
iv) SciNote shall provide the Customer with reasonable assistance, if the required information is not available to the Customer otherwise, in ensuring compliance with the Customer’s obligations regarding the security of Personal Data, data protection impact assessment and prior consultation with the competent supervisory authority, if applicable, taking into account the nature of Processing of Personal Data and the information available to SciNote. Customer shall reimburse SciNote for the commercially reasonable costs arising from this assistance.
v) SciNote will not transfer European Personal Data to any country or recipient not recognized as providing an adequate level of protection for Personal Data (within the meaning of GDPR, UK GDPR or Swiss DPA), unless it first takes all such measures as are necessary to ensure the transfer is in compliance with GDPR, UK GDPR or Swiss DPA, as applicable. Such measures may include, without limitation: i) transferring such Personal Data to a recipient that is covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data, including the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework self-certification programs operated by the U.S. Department of Commerce, ii) to a recipient that has achieved binding corporate rules authorization in accordance with GDPR, UK GDPR or Swiss DPA; or iii) to a recipient that has executed the Standard Contractual Clauses in each case as adopted or approved in accordance with applicable GDPR, UK GDPR or Swiss DPA.
vi) Customer acknowledges that in connection with the performance of the Services, SciNote is a recipient of European Personal Data in the United States. To the extent that SciNote receives European Personal Data in the United States, and if GDPR, UK GDPR or Swiss DPA require that appropriate safeguards are put in place, the Standard Contractual Clauses will be incorporated by reference and form part of the DPA as follows:
a) In relation to European Personal Data that is subject to the GDPR i. Customer is the “data exporter” and SciNote is the “data importer”; ii. the Module Two terms of the Standard Contractual Clauses apply to the extent the Customer is a Controller of European Personal Data and the Module Three terms of the Standard Contractual Clauses apply to the extent the Customer is a Processor of European Personal Data; iii. in Clause 7, the optional docking clause applies; iv. in Clause 9, Option 2 applies and changes to Sub-Processors will be notified in accordance with Section 34 of this DPA; v. in Clause 11, the optional language is deleted; vi. in Clauses 17 and 18, the parties agree that the governing law and forum for disputes for the Standard Contractual Clauses will be as defined in the Terms of Service or, if such section does not specify an EU Member State, the Republic of Slovenia (without reference to conflicts of law principles); vii. the Annexes of the Standard Contractual Clauses will be deemed completed with the information set out in the Schedules of this DPA; viii. the supervisory authority that will act as competent supervisory authority will be determined in accordance with GDPR; and ix. if and to the extent the Standard Contractual Clauses conflict with any provision of this DPA, the Standard Contractual Clauses shall prevail.
b) In relation to European Personal Data that is subject to the UK GDPR, the Standard Contractual Clauses will apply in accordance with sub-section 40. vi) a) above with the following modifications: i. the Standard Contractual Clauses will be modified and interpreted in accordance with the International Data Transfer Addendum issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018 (hereinafter: SCC UK Addendum), which will be incorporated by reference and form an integral part of the DPA; ii. Tables 1, 2 and 3 of the SCC UK Addendum will be deemed completed with the information set out in the Schedules of this DPA and Table 4 will be deemed completed by selecting “neither party”; and iii. any conflict between the terms of the Standard Contractual Clauses and the SCC UK Addendum will be resolved in accordance with Section 10 and Section 11 of the SCC UK Addendum.
b) In relation to European Personal Data that is subject to the Swiss DPA, the Standard Contractual Clauses will apply in accordance with sub-section 40. vi) a) and the following modifications: i. references to “Regulation (EU) 2016/679” will be interpreted as references to the Swiss DPA; ii. references to “EU”, “Union” and “Member State law” will be interpreted as references to Swiss law; and iii. references to the “competent supervisory authority” and “competent courts” will be replaced with the “the Swiss Federal Data Protection and Information Commissioner ” and the “relevant courts in Switzerland”.
c) Customer agrees that by complying with our obligations under the Section XI. Sub-Processing of Personal Data of this DPA, SciNote fulfills its obligations under Section 9 of the Standard Contractual Clauses. For the purposes of Clause 9(c) of the Standard Contractual Clauses, Customer acknowledges that SciNote may be restricted from disclosing Sub-Processor agreements but will use reasonable efforts to require any appointed Sub-Processor to permit the disclosure of the the Sub-Processor agreement to the Customer and will provide (on a confidential basis) all information it reasonably can. Customer also acknowledges and agrees that it will exercise its audit rights under Clause 8.9 of the Standard Contractual Clauses by instructing us to comply with the measures described in the Section IX. Assistance with Customer’s Compliance of this DPA.
vii) If SciNote cannot comply with its obligations under the Standard Contractual Clauses or is in breach of any warranties under the Standard Contractual Clauses or SCC UK Addendum (as applicable) for any reason, and the Customer intends to suspend the transfer of European Personal Data to SciNote or terminate the Standard Contractual Clauses, or SCC UK Addendum, the Customer agrees to provide SciNote with reasonable notice to enable it to cure such non-compliance and reasonably cooperate with SciNote to identify what additional safeguards, if any, may be implemented to remedy such non-compliance. If SciNote has not or cannot cure the non-compliance, the only remedy at Customer’s disposal is to immediately stop Processing Personal Data within SciNote ELN or other Services.
41. CALIFORNIA
i) This Section 41 applies only to Personal Data, which is subject to the protection of the CCPA (hereinafter: California Personal Data).
ii) When Processing California Personal Data in accordance with Customer’s Instructions, the Parties acknowledge and agree that the Customer is a Business (as defined by the CCPA) and SciNote is a Service Provider (as defined by the CCPA).
iii) SciNote certifies that it will Process California Personal Data as a Service Provider strictly for the purpose of performing the Services under the Contract or as otherwise permitted by the CCPA, including as described for Activity Data in the Terms of Service. SciNote certifies it a) will not Sell (as defined by the CCPA) or Share (as defined by the CCPA) California Personal Data, b) will not Process California Personal Data outside the direct business relationship between the Parties, unless required by applicable law, and c) will not combine the California Personal Data included in Research Data with personal data that SciNote collects or receives from another source, other than information SciNote receives from another source in connection with its obligations as a Service Provider (as defined by the CCPA) under the Contract.
iv) SciNote will a) comply with obligations applicable to it as a Service Provider (as defined by the CCPA) under the CCPA and b) provide California Personal Data with the same level of privacy protection as is required by the CCPA. SciNote will notify the Customer if it determines that it can no longer meet its obligations as a Service Provider (as defined by the CCPA) under the CCPA.
v) The Customer will have the right to take reasonable and appropriate steps to help ensure that SciNote uses California Personal Data in a manner consistent with Customer’s obligations under the CCPA. Upon notice, the Customer will have the right to take reasonable and appropriate steps in accordance with the DPA to stop and remediate unauthorized use of California Personal Data.
vi) The Parties acknowledge and agree that the disclosure of California Personal Data by the Customer to SciNote does not form part of any monetary or other valuable consideration exchanged between the Parties.
Schedule A: Details of Personal Data Processing
A. LIST OF PARTIES
Data exporter:
Name: Customer, as specified in the Order Form
Address: Customer’s address, as specified in the Order Form
Contact person’s name, position and contact details: Customer’s contact details, as as specified in the Order Form
Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with the Customer’s use of the Services in accordance with the Contract
Signature and date: As per the signature of the Order Form and the Contract Effective Date
Role (controller/processor): Controller (either as the Controller; or acting in the capacity of a Controller, as a Processor, on behalf of another Controller)
Data importer:
Name: SciNote, as specified in the Order Form
Address: SciNote’s address, as specified in the Order Form
Contact person’s name, position and contact details: As specified in the Order Form, whereas all requests regarding Personal Data may be made to support@scinote.net
Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with the Customer’s use of the Services in accordance with the Contract Signature and date: As per the signature of the Order Form and the Contract Effective Date
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of Data Subjects whose Personal Data is transferred
Customer may include Personal Data in the Research Data while using the Services, whereas the inclusion of Personal Data, its transfer and Processing is determined and controlled by the Customer and is in its sole discretion. The Personal Data is related to the categories of Data Subjects determined solely by the Customer.
Categories of Personal Data transferred
Customer may submit Personal Data to the Services, whereas the extent and categories of which is determined and controlled solely by the Customer.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
The Parties do not anticipate the transfer of sensitive data.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Personal Data shall be transferred on a continuous basis.
Nature of the Processing
SciNote shall Process Personal Data to provide the Services in accordance with the Contract and Terms of Service.
Purpose(s) of the data transfer and further Processing
SciNote shall Process Personal Data to provide the Services in accordance with the Contract and Terms of Service.
The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period
SciNote shall retain the Personal Data until its deletion in accordance with the provisions of this DPA and Terms of Service.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the Processing
As above.
C. COMPETENT SUPERVISORY AUTHORITY
Only if GDPR, UK GDPR or Swiss DPA apply – Identify the competent supervisory authority/ies in accordance with Clause 13 of the Standard Contractual Clauses
The competent supervisory authority is located in the jurisdiction of the data exporter.
Schedule B: Security Measures
SciNote shall, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing of Personal data as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, implement appropriate technical and organizational Security Measures to ensure a level of security appropriate to the risk.
Currently applicable Security Measures are available at: https://trust.scinote.net/item/information-disclosure-protection, as amended from time to time
Schedule C: Sub-Processors
SciNote engages Sub-Processors to assist with provision of Services. A list of our Sub-Processors and our purpose for engaging them is located on SciNote’s Sub-Processors page available at: https://www.scinote.net/list-of-sub-processors/.
