Data Processing Agreement
(In English) Last Updated: December 12, 2025
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") and Privacy Policy between Waterglass UK Limited ("Notehouse", "Processor", "we", "us", or "our") and the Customer ("Controller", "you", or "your").
This DPA applies to the extent that Notehouse processes Personal Data on behalf of the Controller in the course of providing the Notehouse case management platform (the "Service") and such processing is subject to Data Protection Laws.
By accepting the Terms of Service or Privacy Policy, creating an account, or using the Service, you agree to be bound by this DPA. This DPA is effective upon your acceptance and remains in effect until the termination of the Agreement.
In this DPA, the following terms have the meanings set out below. Terms not defined herein have the meanings given to them in the Agreement or applicable Data Protection Laws.
"Controller" means the entity that determines the purposes and means of the processing of Personal Data. In this DPA, the Controller is the Customer.
"Data Protection Laws" means all applicable laws relating to the processing of Personal Data, including the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR) (Regulation 2016/679), and the California Consumer Privacy Act (CCPA), as applicable and as amended from time to time.
"Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA.
"Personal Data" means any information relating to an identified or identifiable natural person that is processed by Notehouse on behalf of the Controller in connection with the Service.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
"Processor" means the entity that processes Personal Data on behalf of the Controller. In this DPA, the Processor is Notehouse.
"Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.
"Special Category Data" means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, sex life, or sexual orientation.
"Subprocessor" means any third party engaged by Notehouse to process Personal Data on behalf of the Controller.
2.1 The Controller uses the Service to create, store, and manage case notes and documentation about its clients ("End-Clients"). In doing so, the Controller inputs Personal Data into the Service.
2.2 For the purposes of this DPA: (a) the Controller is the data controller with respect to Personal Data inputted into the Service; and (b) Notehouse is the data processor, processing Personal Data solely on behalf of and under the instructions of the Controller.
2.3 The details of the processing are set out in Annex 1 to this DPA.
The Controller represents and warrants that:
(a) It has complied and will continue to comply with all Data Protection Laws applicable to its collection and processing of Personal Data.
(b) It has obtained all necessary consents, authorisations, and legal bases required to process Personal Data and to permit Notehouse to process Personal Data on its behalf as described in this DPA.
(c) It has provided appropriate privacy notices to Data Subjects as required by Data Protection Laws.
(d) The instructions it provides to Notehouse regarding the processing of Personal Data will comply with Data Protection Laws.
(e) It is responsible for ensuring that the processing of Special Category Data or data relating to vulnerable individuals (including children) complies with all applicable requirements and safeguards under Data Protection Laws.
Notehouse agrees to:
(a) Process Personal Data only on documented instructions from the Controller, including with respect to transfers of Personal Data to a third country, unless required to do so by applicable law. If Notehouse is required by law to process Personal Data other than on the Controller's instructions, it will notify the Controller before such processing (unless prohibited by law).
(b) Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(c) Implement and maintain appropriate technical and organisational measures to protect Personal Data, as described in Annex 2.
(d) Comply with the conditions for engaging Subprocessors as set out in Section 6.
(e) Assist the Controller, taking into account the nature of the processing, in responding to requests from Data Subjects to exercise their rights under Data Protection Laws.
(f) Assist the Controller in ensuring compliance with its obligations under Data Protection Laws relating to security, breach notification, data protection impact assessments, and prior consultations with supervisory authorities, taking into account the nature of processing and the information available to Notehouse.
(g) At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of the Service, and delete existing copies unless applicable law requires storage of the Personal Data.
(h) Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, subject to reasonable notice and confidentiality requirements.
5.1 The Controller is responsible for responding to requests from Data Subjects to exercise their rights under Data Protection Laws (including rights of access, rectification, erasure, restriction, portability, and objection).
5.2 If Notehouse receives a request from a Data Subject regarding Personal Data, Notehouse will promptly inform the Controller and will not respond to the request directly unless authorised by the Controller or required by law.
5.3 Notehouse will provide reasonable assistance to the Controller in responding to Data Subject requests, including by providing tools within the Service for data export and deletion where technically feasible.
6.1 The Controller provides general authorisation for Notehouse to engage Subprocessors to process Personal Data. A list of current Subprocessors is provided in Annex 3.
6.2 Notehouse will notify the Controller of any intended changes concerning the addition or replacement of Subprocessors at least 30 days in advance, giving the Controller the opportunity to object. If the Controller objects on reasonable grounds relating to data protection, the parties will discuss the objection in good faith. If no resolution is reached, the Controller may terminate the affected Service.
6.3 Notehouse will ensure that each Subprocessor is bound by data protection obligations no less protective than those set out in this DPA. Notehouse remains liable to the Controller for the performance of its Subprocessors.
7.1 Personal Data may be transferred to and processed in countries outside the UK and European Economic Area ("EEA"), including the United States, where our infrastructure is located.
7.2 Notehouse will ensure that any transfer of Personal Data to a country outside the UK or EEA is subject to appropriate safeguards as required by Data Protection Laws, including Standard Contractual Clauses (SCCs) approved by the European Commission and/or the UK Information Commissioner's Office, as applicable.
7.3 Where required by Data Protection Laws, Notehouse will conduct and document a transfer impact assessment and implement supplementary measures to ensure an essentially equivalent level of protection for Personal Data.
8.1 Notehouse implements and maintains appropriate technical and organisational security measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures are described in Annex 2.
8.2 Notehouse will regularly test, assess, and evaluate the effectiveness of these measures and will update them as necessary to maintain an appropriate level of security.
9.1 Notehouse will notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA.
9.2 Notification will include, to the extent known: (a) a description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records concerned; (b) the likely consequences of the breach; and (c) the measures taken or proposed to address the breach and mitigate its effects.
9.3 Notehouse will cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
9.4 The Controller remains responsible for making any notifications to supervisory authorities or Data Subjects as required by Data Protection Laws.
10.1 Notehouse will make available to the Controller, upon reasonable request, information necessary to demonstrate compliance with this DPA.
10.2 The Controller may conduct an audit (or appoint a third-party auditor) to verify Notehouse's compliance with this DPA, subject to: (a) at least 30 days' prior written notice; (b) the audit being conducted during normal business hours; (c) reasonable confidentiality obligations; and (d) the Controller bearing its own costs.
10.3 Notehouse may satisfy audit requests by providing relevant third-party certifications, audit reports, or other documentation demonstrating compliance.
11.1 Upon termination or expiry of the Agreement, Notehouse will retain Personal Data for 90 days to allow the Controller to export data. After this period, Notehouse will delete all Personal Data from its active systems, unless retention is required by applicable law.
11.2 Personal Data may persist in backup systems for a limited period following deletion from active systems, solely for disaster recovery purposes.
11.3 The Controller may request earlier deletion of Personal Data by contacting support@getnotehouse.com.
The liability of each party under this DPA is subject to the limitations and exclusions set out in the Agreement. Nothing in this DPA limits either party's liability for breaches of Data Protection Laws to the extent such liability cannot be limited under applicable law.
13.1 This DPA commences on the date the Controller accepts the Agreement and continues until the Agreement terminates or expires.
13.2 The obligations of Notehouse under Sections 8, 9, 10, and 11 survive termination of this DPA to the extent Notehouse retains any Personal Data.
In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data. In all other respects, the Agreement prevails.
This DPA is governed by the laws of England and Wales, without regard to conflict of law principles, except that the data protection provisions shall be interpreted in accordance with the applicable Data Protection Laws.
Notehouse provides case management and note-taking software enabling the Controller to create, store, organise, and manage documentation and case records. Processing continues for the duration of the Controller's subscription to the Service.
Storage, organisation, retrieval, and display of case notes and records inputted by the Controller; provision of search and collaboration features; backup and disaster recovery; technical support.
End-Clients of the Controller, which may include clients receiving legal, social, healthcare, or other professional services. Data Subjects may include adults, children, and vulnerable individuals, depending on the Controller's use of the Service.
As determined by the Controller, which may include: names, contact information, dates of birth, identification numbers, case notes, assessments, correspondence, and any other information the Controller inputs into the Service.
The Controller may input Special Category Data, including data concerning health, as part of case management. The Controller is responsible for ensuring appropriate legal bases and safeguards for such processing.
Personal Data is retained for the duration of the Controller's subscription plus 90 days, unless the Controller requests earlier deletion or applicable law requires longer retention.
Notehouse implements the following security measures to protect Personal Data:
Notehouse engages the following Subprocessors to process Personal Data on behalf of the Controller:
An updated list of Subprocessors may be requested at any time by contacting info@getnotehouse.com. The Controller will be notified of any changes to Subprocessors at least 30 days in advance.