UtterNote
Legal

Data Processing Addendum

The contractual terms governing UtterNote's processing of personal data under GDPR, CCPA, and analogous laws.

Roles

When you use UtterNote, you are the Data Controller for any personal data contained in uploads, transcripts, or generated guides. UtterNote is the Data Processor and acts only on your documented instructions.

Subprocessors

UtterNote uses the following subprocessors to deliver the service. Each is bound by a written processing agreement with us:

  • Clerk (authentication) — clerk.com
  • Vercel (hosting, edge functions, blob storage) — vercel.com
  • Neon (managed Postgres) — neon.tech
  • OpenAI (transcription + guide generation) — openai.com (no training on your data per their API terms)
  • Sentry (error monitoring) — sentry.io
  • Vercel Analytics + Speed Insights — vercel.com

Security measures

  • TLS in transit, AES-256 at rest
  • Access via SSO; per-doc permissions
  • Audit logs of admin and access actions
  • OWASP Top 10 practices; CSP + HSTS + BotID + rate limiting
  • Incident response SLA: 72 hours notification of confirmed breach

Your rights

  • Access — export your data anytime
  • Rectification — edit or correct your data
  • Erasure — delete data; irrecoverable within 30 days
  • Portability — JSON / Markdown / PDF export
  • Restriction & objection — contact privacy@utternote.com

How to execute the DPA

For most plans, the DPA is incorporated by reference into our Terms of Service. For an executed copy or custom DPA terms, email privacy@utternote.com.