Notion has updated its Data Processing Addendum effective February 22, 2023. For existing Users, these updates will apply beginning on March 4, 2023. For new Users, these updates apply immediately. To view the previous version of Notion's Data Processing Addendum, click the link below 👇

Data Processing Addendum (Deprecated February 22, 2023)


This Data Processing Addendum (“DPA”) forms part of the Master Subscription Agreement (the “Agreement”) between Customer and Notion Labs, Inc. (”Notion”).

1. Subject Matter and Duration

1.1 Subject Matter. This DPA is intended to govern Customer’s provision and Notion’s Processing of Customer Personal Data pursuant to the Agreement. All capitalized terms that are not expressly defined in this DPA will have the meanings given to them in the Agreement. If and to the extent language in this DPA or any of its attachments conflicts with the Agreement, this DPA shall control.

1.2 Duration and Survival. This DPA will become binding upon the effective date of the Agreement and shall survive until expiration or termination of the Agreement or the return or deletion of Customer Personal Data in accordance with Section 8.1, whichever later.

2. Definitions

For the purposes of this DPA, the following terms and those defined within the body of this DPA apply.

“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. and any associated regulations and amendments, including the California Privacy Rights Act amendments.

“Controller” means the person who, alone or jointly with others, determines the purposes and means of the Processing of personal data; for purposes of this DPA, the term "Controller" shall also include "business" as such term is defined under the CCPA.

“Customer Personal Data” means Customer Data that is “personal data” or “personal information” under applicable Data Protection Law.

“Data Protection Law(s)” means all worldwide data protection and privacy laws and regulations applicable to Customer Personal Data, including, where applicable, EU/UK Data Protection Law and the CCPA.

"EEA" means the European Economic Area.

"EU/UK Data Protection Law" means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the "EU GDPR"); (ii) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (collectively, the "UK GDPR"); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii); in each case as may be amended or superseded from time to time;

“Notion Security Standards” means Notion’s security standards, as updated from time to time, available at: https://www.notion.so/help/security-and-privacy.

“Process” or “Processing” means any operation or set of operations which is performed on Customer Personal Data or sets of Customer Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

“Processor” means the person who, alone or jointly with others, Processes personal data on behalf of the Controller; for purposes of this DPA, the term "Processor" shall also include "service provider" as such term is defined under the CCPA.

"Restricted Transfer" means: (i) where the EU GDPR applies, a transfer of personal data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not subject based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018, in case whether such transfer is direct or via onward transfer.