This Data Processing Addendum (“DPA”) forms part of the Master Subscription Agreement (the “Agreement”) between Customer and Notion.

1. Subject Matter and Duration

1.1 Subject Matter. This DPA is intended to govern Customer’s provision and Notion’s Processing of Customer Personal Data pursuant to the Agreement. All capitalized terms that are not expressly defined in this DPA will have the meanings given to them in the Agreement. If and to the extent language in this DPA or any of its attachments conflicts with the Agreement, this DPA shall control.

1.2 Duration and Survival. This DPA will become binding upon the effective date of the Agreement and shall survive until expiration or termination of the Agreement or the return or deletion of Customer Personal Data in accordance with Section 8.1, whichever later.

2. Definitions

For the purposes of this DPA, the following terms and those defined within the body of this DPA apply.

Controller” means the person who, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

Customer Personal Data” means Customer Data that is “personal data” or “personal information” under applicable Data Protection Law.

Data Protection Law(s)” means all worldwide data protection and privacy laws and regulations applicable to Customer Personal Data, including, where applicable, EU/UK Data Protection Law and the California Consumer Privacy Act of 2018 (“CCPA”), as amended from time to time, including any related regulations and guidance provided or issued by the California Attorney General pertaining to same.  For the avoidance of doubt, if Notion’s processing activities involving Customer Personal Data are not within the scope of a Data Protection Law, such law is not applicable for purposes of this Agreement.

"EEA" means the European Economic Area.

"EU/UK Data Protection Law" means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the "EU GDPR"); (ii) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (collectively, the "UK GDPR"); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii); in each case as may be amended or superseded from time to time;

Notion Security Standards” means Notion’s security standards, as updated from time to time, available at: https://www.notion.so/help/security-and-privacy.

Process” or “Processing” means any operation or set of operations which is performed on Customer Personal Data or sets of Customer Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Processor” means the person who, alone or jointly with others, Processes Personal Data on behalf of the Controller;

"Restricted Transfer" means: (i) where the EU GDPR applies, a transfer of Personal Data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not subject based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018, in case whether such transfer is direct or via onward transfer.

"SCCs" means: (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs"); and (ii) where the UK GDPR applies, standard data protection clauses for processors adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR ("UK SCCs").

Security Incident(s)” means any unauthorized or unlawful breach of security leading to, or reasonably believed to have led to, the accidental or unlawful destruction loss, alteration, unauthorized disclosure or access to any Customer Data processed under or in connection with the Agreement, including but not limited to Customer Personal Data.

Subprocessor(s)” means a third party engaged by Notion to Process Customer Personal Data under the Agreement.

3. Data Use and Processing