Data Processing Addendum (DPA)

Data Processing Addendum (DPA) — v1.0

1. Scope and Roles

• 1.1This Data Processing Addendum (“DPA”) forms an integral part of the Terms of Service (“ToS”) between Customer and the Company.
• 1.2When processing Personal Information on behalf of Customer, the Company acts as a Processor or Service Provider, and the Customer acts as the Controller.
• 1.3This DPA applies automatically to all Customers as part of the ToS without any separate signature or click-through required.

2. Purpose and Instructions

• 2.1The Company shall process Personal Information solely for the purpose of providing the Service, as documented in the ToS and this DPA.
• 2.2The Company shall not process Personal Information for its own purposes.
• 2.3The Company shall act only on documented instructions from Customer.

3. Data Security

• 3.1The Company shall implement and maintain appropriate technical and organizational measures to protect Personal Information against unauthorized or unlawful processing, accidental loss, destruction, or damage.
• 3.2Such measures include access controls, encryption, network security, and employee confidentiality obligations.

4. Subprocessors

• 4.1The Customer authorizes the Company to engage Subprocessors for the operation of the Service.
• 4.2The Company shall ensure Subprocessors are bound by data protection obligations no less protective than those set out in this DPA.
• 4.3A current list of Subprocessors shall be made available upon request.

5. International Transfers

• 5.1The Service is not offered or directed to users in the European Economic Area (EEA), the United Kingdom, Switzerland, or Mainland China (the People’s Republic of China, excluding Hong Kong SAR, Macau SAR, and Taiwan), nor to any other jurisdiction listed on the Company’s Restricted Regions List. Accordingly, the Company does not process Personal Information from or for individuals located in those Restricted Regions.
• 5.2If, in the future, the Service becomes lawfully available in any such regions or cross-border data transfers otherwise become necessary, the Company shall implement appropriate safeguards consistent with applicable law, such as Standard Contractual Clauses (SCCs) or the International Data Transfer Agreement (IDTA), prior to commencing such processing.
• 5.3For the avoidance of doubt, the Company does not provide Personal Information to any “third party located in a foreign country” as defined under Japan’s Act on the Protection of Personal Information (APPI), except where legally permitted and with appropriate safeguards.

6. Data Subject Rights

• 6.1The Company shall assist the Customer, to the extent possible, in responding to requests from data subjects exercising their rights under applicable law.
• 6.2Such requests may include access, correction, deletion, or restriction of processing.

7. Return and Deletion

• 7.1Upon termination or expiration of the Service, Customer’s access will be revoked and Customer Content will be deleted in accordance with the Service’s minimal deletion SOP (as described in the Terms of Service and Privacy Policy). We have no post-termination data export or restoration obligations. However, we may retain minimal records required by law, tax, security, or audit for a limited period (generally 90–365 days).
• 7.2Backups are overwritten on a rolling schedule and are not used to restore Customer Content after termination. Where tenant-scoped encryption keys are used, logical deletion may be effected through key rotation.

8. Compliance and Audit

• 8.1The Company shall make available information necessary to demonstrate compliance with this DPA.
• 8.2Upon reasonable notice, the Customer may request documentation verifying security and privacy controls.
• 8.3The Company may satisfy audit requests through documentation, certifications, or summaries of independent audits, without granting direct system access.

9. Governing Law

10. Acceptance