DoNotes and Cada - Data Processing Agreement (DPA) & GDPR Compliance

Effective Date: 1st August 2025

1. Introduction

This Data Processing Agreement ("DPA") is entered into between the user ("Controller") and the operators of DoNotes and Cada ("Processor"), Cognitive Limited (UK). This DPA ensures compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR").

By using our Services, you agree to this DPA.

2. Subject Matter and Duration

This DPA governs the processing of personal data in connection with the use of DoNotes and Cada. It remains in force as long as the user account is active or until deletion is requested.

3. Nature and Purpose of Processing

We process personal data solely for the purpose of:

  • Providing access to encrypted note-taking and question bank services
  • Managing subscriptions and user authentication
  • Ensuring secure and stable operation
  • Communicating with users and responding to support inquiries

4. Categories of Data Subjects

Registered users of DoNotes and Cada

5. Categories of Personal Data

  • Email address
  • Account metadata (subscription status, login history)
  • Encrypted content stored by users (DoNotes only; inaccessible to us)

6. Data Protection Measures

We implement the following technical and organizational measures:

  • Encryption of notes
  • HTTPS for all communication
  • Role-based access control
  • Security monitoring and logging
  • Secure hosting infrastructure via Cloudflare, Vercel, Servarica, and Clerk

7. Subprocessors

We use the following subprocessors:

  • Cloudflare (CDN & DDoS protection)
  • Vercel (Application hosting)
  • Servarica (Infrastructure provider)
  • Clerk (Authentication and user management)
  • Payment processor (e.g., Stripe or similar, for billing)

Each subprocessor complies with GDPR and provides sufficient guarantees regarding data protection.

8. International Transfers

Where personal data is transferred outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs).

9. Data Subject Rights and Assistance

We will assist users in exercising their GDPR rights:

  • Access
  • Rectification
  • Erasure
  • Restriction
  • Portability
  • Objection

Requests can be sent to: [email protected]

10. Data Breach Notification

In the event of a data breach, we will notify affected users and relevant authorities without undue delay, in accordance with Articles 33 and 34 of the GDPR.

11. Data Retention and Deletion

  • Personal data is retained as long as necessary to fulfill the purposes described.
  • Users may request account and data deletion at any time.
  • Encrypted data is deleted upon account deletion.

12. Audits and Inspections

We will make available all information necessary to demonstrate compliance and, where applicable, cooperate with reasonable audit requests.

13. Termination

Upon termination of the user relationship, all personal data will be deleted unless legal obligations require retention.

14. Contact

For data processing questions, contact: [email protected]

This DPA is binding upon acceptance of the Terms of Use and Privacy Policy. For more information, visit https://updates.donotes.app.