Data Processing Addendum reMarkable Connect
This Data Processing Addendum (“DPA”) forms an integral part of the reMarkable Connect Agreement, and governs the processing of personal data related to the Customer’s use of reMarkable Connect.
The purpose of this DPA is to reflect the parties’ responsibilities with regard to reMarkable’s processing of Customer Personal Data. The parties agree to comply with this DPA with respect to any Customer Personal Data that reMarkable may process in the course of providing reMarkable Connect services pursuant to the reMarkable Connect Agreement.
If the Customer entity entering into this DPA is not a party to the reMarkable Connect Agreement, this DPA is not valid and is not legally binding.
1. Definitions
1.1. Capitalized terms used but not defined in this DPA shall have the meanings given to them in the Terms or applicable Data Protection Laws.
“Customer Personal Data” means personal data (as defined in GDPR article 4 (1)) contained in files or documents that is uploaded to the Customer’s reMarkable Connect account.
“Data Incidents” means a personal data breach as defined in GDPR article 4 (12).
“EEA” means the European Economic Area.
“European Data Protection Laws” means laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, applicable to the processing of Personal Data under the reMarkable Connect Agreement, including the GDPR.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC effective as of May 25, 2018, and any legislation and/or regulation which amends, replaces or re-enacts it.
“Sub-processor” means any third-party engaged by reMarkable which processes Customer Personal Data in order to provide parts of the Services.
“Term” means the period from the DPA effective date until the end of reMarkable’s provision of the Services, including, if applicable, any period during which provision of the services may be suspended and any post-termination period during which reMarkable may continue providing the services for transitional purposes.
“Terms” means the terms and conditions of reMarkable that apply to the reMarkable Connect Agreement, available at www.remarkable.com/legal.
1.2. The terms “personal data”, “data subject”, “processing”, “controller”, “processor” and “supervisory authority” as used in this DPA have the meanings given in the GDPR.
2. General Provisions
2.1. The parties agree that if the EU Data Protection Laws apply to the processing of Customer Personal Data under the Agreement, the parties acknowledge and agree that:
2.1.1. The Customer is the controller and reMarkable is the processor of the Customer Personal Data and reMarkable may engage Sub-processors pursuant to Section 7 (Sub-processors).
2.1.2. The Customer warrants that the processing of Customer Personal Data is based on appropriate legal grounds for processing and that it has made and shall maintain throughout the term of the reMarkable Connect Agreement all necessary rights, permissions, registrations and consents in accordance with and as required by European Data Protection Laws with respect to reMarkable’s processing of the Customer Personal Data under the reMarkable Connect Agreement.
2.1.3. The subject-matter of the data processing covered by this DPA is the provision of reMarkable Connect services and the processing will be carried out for the duration of the reMarkable Connect Agreement or so long as reMarkable is providing the services. Attachment 1 of this DPA sets out the nature and purpose of the processing, the types of Customer Personal Data reMarkable processes and the categories of data subjects whose personal data is processed.
2.1.4. Each party will comply with the obligations applicable to it under the European Data Protection Laws, including with respect to the processing of Customer Personal Data.
2.1.5. For the avoidance of doubt, Customer’s instructions to reMarkable for the processing of Customer Personal Data shall comply with all applicable laws, including the European Data Protection Laws. Customer shall be responsible for the means by which Customer acquires Customer Personal Data.
2.1.6. For the purposes of this DPA, the following is deemed an instruction by Customer to process Customer Personal Data (a) to provide reMarkable Connect services after Customer creates a reMarkable Connect account and connects the reMarkable paper tablet to the reMarkable Connect account; (b) as further requested through Customer’s use of the services (including uploading, converting and sharing notes); (c) as documented in the reMarkable Connect Agreement; and (d) as further documented in any other written instructions given by the Customer (which may be specific instructions or instructions of a general nature as set out in this DPA, the reMarkable Connect Agreement or as otherwise notified by Customer to reMarkable from time to time), only where such instructions are consistent with the Terms.
2.1.7. When reMarkable processes Customer Personal Data in the course of providing reMarkable Connect services, reMarkable will:
2.1.7.1 Process the Customer Personal Data only in accordance with (a) the reMarkable Connect Agreement and (b) Customer’s instructions as described in Section 2.1.6, unless reMarkable is required to process Customer Personal Data for any other purpose by the European Union or member state law to which reMarkable is subject. reMarkable shall inform the Customer of this requirement before processing unless prohibited by applicable laws on important grounds of public interest.
2.1.7.2 Notify the Customer without undue delay if, in reMarkable’s opinion, an instruction for the processing of Customer Personal Data given by the Customer infringes applicable European Data Protection Laws.
3. Security Measures
3.1.1. reMarkable will implement and maintain appropriate technical and organizational measures designed to protect or secure (i) Customer Personal Data, against unauthorized or unlawful processing and against unlawful loss, destruction or alteration or damage, unauthorized disclosure of, or access to, Customer Personal Data, and (ii) the confidentiality and integrity of Customer Personal Data. Security measures are further detailed in Appendix 3 of this DPA.
3.1.2. reMarkable will take reasonable steps to ensure the reliability and competence of reMarkable personnel engaged in the processing of Customer Personal Data. All reMarkable personnel engaged in the processing of Customer Personal Data shall enter into a legally binding confidentiality agreement before being given access to Customer Personal Data.
3.2 Data Incidents
3.2.1. If reMarkable becomes aware of a Data Incident, reMarkable will: (a) notify Customer of the Data Incident without undue delay after becoming aware of the Data Incident; and (b) promptly take reasonable steps to minimize harm and secure Customer Personal Data.
3.2.2. Notifications made pursuant to this section will describe, to the extent possible, details of the Data Incident, including steps taken to mitigate the potential risks and, as applicable, steps reMarkable recommends Customer to take to address the Data Incident.
3.2.3. Notification(s) of any Data Incident(s) will be delivered to Customer by direct communication. The Customer is solely responsible for ensuring that any contact information, including notification email address, provided to reMarkable is current and valid.
3.2.4. reMarkable will not assess the contents of Customer Personal Data in order to identify information subject to any specific legal requirements. The Customer is solely responsible for complying with incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Data Incident(s).
3.2.5. reMarkable’s notification of or response to a Data Incident under this Section 3.2 (Data Incidents) will not be construed as an acknowledgment by reMarkable of any fault or liability with respect to the Data Incident.
3.3 Customer’s Security Responsibilities
3.3.1. Customer agrees that, without prejudice to reMarkable’s obligations under Section 3.1 (Security Measures) and Section 3.2 (Data Incidents):
3.3.1.1. Customer is solely responsible for its use of reMarkable Connect services, including: (i) making appropriate use of the services and any additional security information to ensure a level of security appropriate to the risk in respect of the Customer Personal Data; (ii) securing the account authentication credentials, systems, and devices Customer uses to access the services; and
3.3.1.2. reMarkable has no obligation to protect Customer Personal Data that Customer elects to store or transfer outside of reMarkable’s and its Sub-processors’ systems (for example, offline or on-premises storage).
3.3.2. The Customer is solely responsible for reviewing the security measures and evaluating for itself whether the services, the security measures, the additional security information and reMarkable’s commitments under this Section 3 (Data Security) will meet Customer’s needs, including with respect to any security obligations of Customer under applicable data protection laws. Customer acknowledges and agrees that the security measures implemented and maintained by reMarkable as set out in Section 3.1 (Security Measures) provide a level of security appropriate to the risk in respect of the Customer Personal Data.
3.4 Customer Audit Rights
3.4.1. The Customer may contact reMarkable to request an on-site audit of the procedures relevant to the protection of Customer Personal Data. Customer shall reimburse reMarkable for any time expended for any such on-site audit. Before the commencement of any such on-site audit, Customer and reMarkable shall mutually agree upon the scope, timing, and duration of the audit, that reasonably does not interfere with normal business operations. The Customer shall promptly notify reMarkable with information regarding any non-compliance discovered during the course of an audit.
3.4.2. The Customer may conduct such on-site audit (a) itself, (b) through an Affiliate that is not a competitor of reMarkable or (c) through an independent, third-party auditor that is not a competitor of reMarkable.
3.4.3. The audit may only be undertaken when the Customer has requested and reviewed the relevant audit reports in possession of reMarkable, and presents reasonable specific grounds that justify an audit initiated by the Customer. An audit is justified if the relevant audit reports give no or insufficient information about the compliance with this Data Processing Addendum. The audit initiated by the Customer shall not take place earlier than two weeks excluding Norwegian national holidays after the Customer has provided written notice to reMarkable and no more than once per year. All costs of the audit, including the costs incurred by reMarkable, will be borne by the Customer.
4. Data Deletion
4.1. reMarkable will enable the Customer to delete their data during the Term in a manner consistent with the functionality of reMarkable Connect services. If the Customer utilizes reMarkable Connect services to delete any data during the Term and that data cannot be recovered by the Customer, this use will constitute an instruction to reMarkable to delete the relevant data from reMarkable’s systems in accordance with applicable law.
4.2. Upon expiry of the Term or upon Customer’s written request, subject to the terms of the Agreement, reMarkable shall either (a) return (to the extent such data has not been deleted by the Customer from the services) or (b) securely delete Customer Personal Data, to the extent allowed by applicable law, in accordance within a maximum of 30 days, as applicable.
4.3. reMarkable will comply with this instruction as soon as reasonably practicable and within a maximum period of 30 days, unless applicable law to which reMarkable is subject requires further storage, without prejudice to Section 5.
4.4. Customer acknowledges and agrees that the Customer will be responsible for requesting to reMarkable, before the Term expires, any Customer Personal Data it wishes to retain afterwards, including database dump(s) and static files.
5. Data Subject Rights
5.1. As of the DPA Effective Date for the duration of the period reMarkable provides the Services:
5.1.1. reMarkable will, in a manner consistent with the functionality of the Services, enable Customer to access, rectify and restrict processing of Customer Data, including via the deletion functionality provided by reMarkable as described in Section 4 (Data Deletion);
5.1.2. reMarkable will, without undue delay, notify the Customer, to the extent legally permitted, if reMarkable receives a request from a data subject to exercise the data subject's right of access, right to rectification, restriction of processing, erasure, data portability, objection to the processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”); and
5.1.3. if reMarkable receives any request from a data subject in relation to Customer Personal Data, reMarkable will advise the data subject to submit his or her request to the Customer and the Customer will be responsible for responding to any such request including, where necessary, by using the functionality of reMarkable Connect services.
5.1.4. Taking into account the nature of the processing, reMarkable will assist the Customer by appropriate technical and organizational measures, insofar as it is possible, for the fulfillment of Customer’s obligation to respond to a Data Subject Request under European Data Protection Laws. In addition, to the extent the Customer, in its use of reMarkable Connect services, does not have the ability to address a Data Subject Request, reMarkable shall, upon Customer’s written request, provide the Customer with reasonable cooperation and assistance to facilitate Customer’s response to such Data Subject Request, to the extent reMarkable is legally permitted to do so and the response to such Data Subject Request is required under European Data Protection Laws. To the extent legally permitted, the Customer shall be responsible for any costs arising from reMarkable’s provision of such assistance. Furthermore, reMarkable is entitled to charge reasonable costs for the requested assistance.
6. Data Protection Impact Assessment
6.1. Upon Customer’s written request, reMarkable will provide the Customer with reasonable cooperation and assistance needed to fulfill Customer's obligation under the GDPR to carry out a data protection impact assessment related to Customer's use of the Services, to the extent the Customer does not otherwise have access to the relevant information, and to the extent such information is available to reMarkable. reMarkable will provide reasonable assistance to the Customer in the cooperation or prior consultation with the applicable data protection authority in the performance of its tasks relating to this Section 6 (Data Protection Impact Assessment) to the extent required under the GDPR. reMarkable is entitled to charge reasonable costs for the requested assistance.
7. Sub-processors
7.1. The Customer specifically authorizes the engagement of reMarkable’s Affiliates as Sub-processors. In addition, the Customer acknowledges and agrees that reMarkable and reMarkable’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services. The Customer hereby gives reMarkable general permission to engage third parties (Sub-processors).
7.2. reMarkable will make available the current list of Sub-processors for reMarkable Connect services to the Customer. reMarkable shall provide notification of a new Sub-processor(s) before authorizing any new Sub-processor(s) to process Customer Personal Data in connection with the provision of the services by sending an email. The Customer has the right to object (in writing, within ten days and supported by arguments) to a proposed new/changed Sub-processor. Should the Customer object, the parties will jointly endeavour to find a solution.
7.3. For the avoidance of doubt, the above authorization constitutes Customer’s prior written consent to the Sub-processing by reMarkable for purposes of Clause 9 of the EU Commission’s Standard Contractual Clauses of June 4, 2021.
7.4. reMarkable shall be liable for the acts and omissions of its Sub-processors to the same extent reMarkable would be liable if performing the services of each Sub-processor directly under the terms of this DPA subject to the limitations set forth in Section 8 (Liability) and the reMarkable Connect Agreement.
8. Liability
8.1. Any liability arising out of or in connection with this DPA shall be exclusively governed by, the liability provisions set forth in, or otherwise applicable to, the reMarkable Connect Agreement.
9. Transfer of Customer Personal Data outside the EEA
9.1. reMarkable may process the Customer Personal Data in countries inside the European Economic Area (EEA). In addition, reMarkable may also transfer the Customer Personal Data to a country outside the EEA, provided that the legal requirements for such transfer have been fulfilled pursuant to GDPR chapter V.
9.2. Upon request, reMarkable shall notify the Customer as to which country or countries the Customer Personal Data will be processed in.
10. Miscellaneous
10.1. Governing law and jurisdiction. The parties to this DPA hereby submit to the choice of jurisdiction stipulated in the reMarkable Connect Agreement with respect to any disputes or claims arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity. This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country stipulated for this purpose in the reMarkable Connect Agreement.
10.2. Order of precedence. Notwithstanding anything to the contrary in the reMarkable Connect Agreement, to the extent of any conflict or inconsistency between this DPA and the remaining terms of the reMarkable Connect Agreement, this DPA will govern.
10.3. Amendments. reMarkable may amend, modify or supplement this DPA, with reasonable notice to the Customer:
10.3.1. if required to do so by a supervisory authority or other government or regulatory entity;
10.3.2. if necessary to comply with applicable law;
10.3.3. if changes are made to reMarkable’s service offering;
10.3.4. to adhere to an approved code of conduct or certification mechanism approved or certified pursuant to GDPR Art. 40, 42 and 43.
10.4. Severance. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties' intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
APPENDIX 1 TO THE DATA PROCESSING ADDENDUM
Description of processing activities
Processing purpose
reMarkable provides the paper tablet, which is available for purchase online to both consumers and businesses. The paper tablet may be used with a cloud service called reMarkable Connect, provided by reMarkable. This DPA concerns the use of such cloud service where the Customer may connect the tablet to a my.reMarkable account. Customer needs to proactively register for a my.reMarkable account and connect to wi-fi to be able to synchronize the documents and notebooks on the paper tablet to the cloud. Once connected, the Customer may upload and transfer notebooks, pdfs and other content to the Customer’s reMarkable Connect account by file transfer (syncing), email and other technical means, and use features to convert handwritten notes into typed text. reMarkable is not permitted to use Customer’s Personal Data for any purpose other than providing services for the customer.
Data subjects
Data subjects include the individuals about whom personal data is provided to reMarkable via reMarkable Connect services by (or at the direction of) the Customer or by Customer’s end users, the extent of which is determined and controlled by the Customer in its sole discretion.
Categories of data
Personal data relating to individuals provided to reMarkable via reMarkable Connect Services, by (or at the direction of) Customer, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include but is not limited to personal data relating to the following categories of data:
- Unstructured personal data contained in documents uploaded by the Customer to the cloud
Metadata will be processed to provide reMarkable Connect service in accordance with reMarkable’s privacy notice.
Processing operations
Customer Personal Data will be transferred, stored, organized, used, modified, disclosed, erased and processed in accordance with reMarkable Connect features and services and this DPA.
APPENDIX 2 TO THE DATA PROCESSING ADDENDUM
Infrastructure and sub-processor list
Sub-processors
reMarkable operates a worldwide infrastructure with server hosting facilities of industry-leading cloud service providers. reMarkable owns and controls logical access to the infrastructure maintained by the entities set forth below, while these entities maintain the physical security of the servers, network and the data center.
reMarkable works with certain third parties to provide specific functionalities within its services, such as the “Share by email” and handwriting conversion functionality. These third parties may process Customer Personal Data solely for the purpose to provide the relevant functionality. If the Customer does not make use of this functionality from third parties, Customer Personal Data will not be processed by them.
| Vendor | Purpose | Data center location |
| --- | --- | --- |
| Google Cloud Platform | Cloud infrastructure provider | EEA |
| Auth0 | User authentication and authorization provider | EEA |
| Mailgun | E-mail service provider | United States (Standard Contractual Clauses) |
APPENDIX 3 TO THE DATA PROCESSING ADDENDUM
Security Measures
reMarkable will implement and maintain the following technical and organizational security measures when processing Customer Personal Data on behalf of Customer in connection with reMarkable Connect:
Physical Access Controls
reMarkable shall take reasonable measures to prevent physical access, such as security personnel and secured buildings, to prevent unauthorized persons from gaining access to Customer Personal Data, or ensure Third Parties operating data centers on its behalf are adhering to such controls.
System Access Controls
reMarkable shall take reasonable measures to prevent Customer Personal Data from being used without authorization. These controls shall vary based on the nature of the Processing undertaken and may include, among other controls, authentication via passwords, combined with two-factor authentication where applicable, documented authorization processes, firewalls, intrusion detection, vulnerability scans, documented change management processes and/or logging of access on several levels.
Data Access Controls
reMarkable shall take reasonable measures to provide that Customer Personal Data is accessible and manageable only by properly authorized staff, direct database query access is restricted and application access rights are established and enforced to ensure that persons entitled to use a data processing system only have access to the Customer Personal Data for which they have privilege of access; and, that Customer Personal Data cannot be read, copied, modified or removed without authorization in the course of Processing.
Transmission Controls
reMarkable shall take reasonable measures to ensure that it is possible to check and establish to which entities the transfer of Customer Personal Data by means of data transmission facilities are envisaged so Service Data cannot be read, copied, modified or removed without authorization during electronic transmission or transport.
Input Controls
reMarkable shall take reasonable measures to provide that it is possible to check and establish whether and by whom metadata has been entered into data processing systems, modified or removed. reMarkable shall make use of industry best practices, hereunder cryptographical protocols for authentication and secure audit logging.
Data Backup
Back-ups of the databases in the Service are taken on a regular basis, are secured, and encrypted at rest to ensure that Customer Personal Data is protected against accidental destruction or loss.
Logical Separation
Data from different subscriber environments is logically segregated on systems managed by reMarkable.