AriseNote

Subprocessors

Last Updated: December 10, 2025

Overview

This page lists all third-party service providers (sub-processors) that AriseNote uses to process customer data when providing the AriseNote service. We are committed to transparency about who has access to your data and why.

As required by our Data Processing Agreement (DPA), we provide at least 30 days' advance notice before adding new sub-processors or making material changes to existing ones.

Current Subprocessors

1. Hetzner Online GmbH

Service: Infrastructure hosting (servers, databases, self-hosted analytics)

What data is processed:

  • All customer account data
  • Widget configurations and settings
  • Cached database contents (temporary, < 24 hours)
  • Application databases and files

Purpose: Primary hosting infrastructure for AriseNote application and data storage

Location:

  • EU Users: Hetzner data centers in Falkenstein and Nuremberg, Germany
  • US Users: Hetzner data centers in United States (Ashburn, Virginia and Hillsboro, Oregon)

Data transfer mechanism: Data stored within EU for EU users; no transfer outside EEA required

Hetzner information:

2. Amazon Web Services, Inc. (AWS)

Service: Cloud file storage (S3)

What data is processed:

  • User-uploaded profile avatars
  • Image files

Purpose: Storing and serving user profile images

Location: AWS S3 in us-east-1 region (United States)

Data transfer mechanism: EU Standard Contractual Clauses (SCCs) for transfers from EEA; UK IDTA for transfers from UK

AWS information:

3. Stripe, Inc.

Service: Payment processing

What data is processed:

  • Billing information
  • Credit card details (tokenized)
  • Customer email address
  • Transaction records
  • Last 4 digits of credit card
  • Card expiration date

Purpose: Processing subscription payments and managing billing

Location: United States

Data transfer mechanism: EU Standard Contractual Clauses (SCCs); UK IDTA for UK transfers

Important notes:

  • Stripe directly handles sensitive payment information
  • AriseNote does not store full credit card numbers
  • Stripe is PCI DSS Level 1 certified

Stripe information:

4. Mailgun Technologies, Inc. (Sinch)

Service: Transactional email delivery from AriseNote domain

What data is processed:

  • Email addresses
  • Customer names
  • Email message content (account notifications, password resets, etc.)

Purpose: Delivering transactional and service-related emails from our own domain

Location: United States

Data transfer mechanism: EU Standard Contractual Clauses (SCCs); UK IDTA for UK transfers

Important notes:

  • Used only for transactional emails (account notifications, password resets, billing confirmations)
  • Not used for marketing emails unless you opt in
  • Mailgun does not permanently store email content

Mailgun information:

5. Notion Labs, Inc.

Service: API integration for accessing Notion databases

What data is processed:

  • Notion workspace information
  • Access tokens for connected databases
  • Database contents that you grant AriseNote access to
  • User information from Notion (name, email, avatar)

Purpose: Accessing your Notion databases to display widgets (core functionality)

Location: United States

Data transfer mechanism: EU Standard Contractual Clauses (SCCs); UK IDTA for UK transfers

Important notes:

  • You control which databases AriseNote can access through Notion's permission system
  • AriseNote reads database contents in real-time but does not permanently store them
  • Data is temporarily cached for performance (< 24 hours)
  • You can revoke access at any time through Notion settings

Notion information:

Data Processing Safeguards

For all sub-processors located outside the European Economic Area (EEA) or United Kingdom, AriseNote ensures appropriate safeguards through:

  1. Standard Contractual Clauses (SCCs): EU Commission-approved clauses for data transfers to third countries
  2. UK International Data Transfer Addendum (UK IDTA): For transfers from the United Kingdom
  3. Data Processing Agreements: All sub-processors sign DPAs with security and confidentiality obligations

Technical Safeguards

  1. Encryption in Transit: All data transfers use TLS 1.3 encryption
  2. Encryption at Rest: Data stored by sub-processors is encrypted
  3. Access Controls: Strong authentication and authorization mechanisms
  4. Regular Audits: Sub-processors undergo regular security audits
  5. Monitoring: Continuous monitoring for security incidents

Contractual Requirements

All sub-processors must:

  • Implement appropriate technical and organizational security measures
  • Process data only for specified purposes
  • Not use data for their own purposes (e.g., advertising, AI training)
  • Maintain confidentiality
  • Assist with data subject rights requests
  • Notify AriseNote of security incidents
  • Delete data when no longer needed
  • Cooperate with audits and inspections

Sub-processor Updates

How We Notify You

When we add a new sub-processor or make material changes to an existing one, we will:

  1. Send email notification to your account email address at least 30 days in advance
  2. Update this page with the new information
  3. Post announcement on our status page at https://status.arisenote.com/status/arisenote

Your Right to Object

If you have legitimate data protection concerns about a new sub-processor, you may:

  1. Object in writing within 15 days of notification
  2. Provide specific reasons related to data protection
  3. Work with us to find a resolution

If we cannot resolve your concerns within 30 days, you may:

  • Terminate your subscription and receive a pro-rata refund
  • Export your data before termination

For more details, see Section 4.4 of our Data Processing Agreement.

Regional Data Storage

AriseNote uses geographic routing to store your data close to you:

EU/EEA Users

  • Primary storage: Hetzner servers in Germany (EU)
  • File storage: AWS S3 in United States (profile avatars only)
  • Your Notion data: Read in real-time from Notion (US), temporarily cached in EU

US Users

  • Primary storage: Hetzner servers in United States
  • File storage: AWS S3 in United States
  • Your Notion data: Read in real-time from Notion (US), temporarily cached in US

Other Regions

  • Routed to nearest server (EU or US) based on geographic location
  • You can contact us to confirm your data storage location

Third-Party Certifications

Our sub-processors maintain industry-standard security certifications:

Sub-processorCertifications
HetznerISO 27001, ISO 9001
AWSISO 27001, SOC 1/2/3, PCI DSS Level 1
StripePCI DSS Level 1, ISO 27001, SOC 1 & SOC 2
MailgunGDPR-compliant processing
NotionSOC 2 Type II, ISO 27001

Questions or Concerns?

If you have questions about our sub-processors or data processing practices:

Email: help@arisenote.com

Review our related documents:

Change History

DateChange
December 10, 2025Initial publication of subprocessors list

Last reviewed: December 10, 2025
Next review: March 10, 2026

Related Policies