Last updated on January 21, 2026
Data Processing Agreement
This Data Processing Agreement ("DPA") is entered into by the Bizznote customer identified on the applicable Bizznote ordering document for services ("Customer") and Bizznote ("Bizznote"), and governs the processing of personal data that Customer uploads or otherwise provides Bizznote in connection with the services provided by Bizznote to the Customer ("Services").
1. Definitions
- Customer Personal Data means Personal Data that Customer uploads or otherwise provides Bizznote in connection with its use of Bizznote's services or for which Customer is otherwise a Data Controller.
- Data Controller or Controller means Customer.
- Data Processor or Processor means Bizznote.
- GDPR means the General Data Protection Regulation (EU) 2016/679.
- Personal Data means any information relating to an identified or identifiable natural person.
- Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- Privacy Laws means all applicable laws relating to privacy and data protection, including GDPR, CCPA, and other relevant regulations.
- Process or Processing means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
- Subprocessor means a third party engaged by Bizznote to process Customer Personal Data.
- Supervisory Authority means a public authority responsible for monitoring the application of Privacy Laws.
2. Subject of DPA
The Data Controller hereby empowers the Data Processor to process Customer Personal Data in relation to providing the Services under the conditions set out in this DPA.
3. Compliance with Laws
Each party shall comply with all Privacy Laws applicable to it with respect to this DPA. If there is any conflict between this DPA and Privacy Laws, the Privacy Laws shall prevail.
4. Customer Obligations
Customer shall ensure that it has obtained all necessary consents for the processing of Personal Data by Bizznote. Customer shall provide documented instructions for the processing of Customer Personal Data. Customer shall ensure that Personal Data is collected and processed in compliance with Privacy Laws.
5. Bizznote Obligations
Bizznote shall process Customer Personal Data only for the purpose of providing the Services and in accordance with Customer's documented instructions. Bizznote shall ensure that persons authorized to process Customer Personal Data have committed themselves to confidentiality. Bizznote shall notify Customer without undue delay after becoming aware of a Personal Data Breach. Bizznote shall assist Customer in responding to requests from data subjects exercising their rights under Privacy Laws.
6. Document Security and Confidentiality
Bizznote understands that documents submitted for analysis contain sensitive and confidential business information. To protect this data, Bizznote implements the following measures:
Data Isolation. Each customer receives a fully isolated, single-tenant deployment with a dedicated database instance and dedicated file storage bucket. Customer data is never mixed with or accessible by other customers.
Encryption. All documents are encrypted in transit using TLS/HTTPS and encrypted at rest using server-side encryption. All credentials and API tokens are stored in hashed form.
Access Control. Document access is restricted to authorized users only through role-based access control. File access URLs are time-limited for security.
No AI Training. Neither Bizznote nor its AI providers (OpenAI, Anthropic) use Customer documents or data to train AI models. Documents are processed solely for the purpose of providing analysis services.
AI Limitations. AI-generated analyses may contain inaccuracies or errors and do not constitute investment, financial, or legal advice. Customer is responsible for reviewing and verifying all outputs before use.
Secure Deletion. When documents are deleted by the user or upon request, they are permanently removed from storage. No copies are retained.
7. Audit
Upon Customer's written request, Bizznote shall provide information necessary to demonstrate compliance with this DPA. Customer may conduct audits upon reasonable notice of at least 30 days, during normal business hours, and subject to confidentiality obligations.
8. Data Transfers
Customer Personal Data is stored in the European Union. For transfers outside the EU/EEA, including to AI providers located in the United States, Standard Contractual Clauses (SCCs) are in place and appropriate safeguards are applied as required by GDPR Chapter V.
9. Return and Deletion
Upon termination of the Services, Bizznote shall, at Customer's choice, return or delete all Customer Personal Data. Customer may export data during a 30-day period following termination. Confirmation of deletion is provided upon request.
10. Subprocessors
Customer authorizes Bizznote to engage the Subprocessors listed below. Bizznote shall notify Customer of any intended changes to Subprocessors. Customer may object to new Subprocessors within 30 days. All Subprocessors are bound by data protection obligations equivalent to this DPA.
11. Duration
This DPA shall remain in effect for as long as Bizznote processes Customer Personal Data on behalf of Customer.
12. Governing Law
This DPA shall be governed by the laws applicable to the main service agreement between the parties.
13. Contact
For data protection inquiries, please contact Bizznote at dpo@bizznote.net.
Subprocessors
| Subprocessor | Purpose | Location |
|---|---|---|
| AWS | Cloud infrastructure and file storage | EU |
| Hetzner | Cloud infrastructure | EU |
| OpenAI | AI analysis | USA |
| Anthropic | AI analysis | USA |
The subprocessor list is current as of the Last Updated date.