Data Processing Agreement (DPA)

This Data Processing Agreement ("Agreement") forms part of the agreement between SimplyCubed GK ("Service Provider"), and the customer signing this Agreement ("Customer"), collectively referred to as the "Parties," and applies when the Service Provider, as part of its cybersecurity consulting services, may have access to personal data controlled by the Customer.

1. DEFINITIONS

1.1. Personal Data: Refers to any information related to an identified or identifiable individual as defined under the Act on the Protection of Personal Information (APPI) of Japan.

1.2. Data Controller: The Customer, which determines the purposes and means of processing the Personal Data.

1.3. Data Processor: The Service Provider, who may access or handle Personal Data as part of cybersecurity testing and consulting.

1.4. Processing: Any operation or set of operations performed on Personal Data, including but not limited to accessing, obtaining, reviewing, and storing Personal Data.

1.5. Act on the Protection of Personal Information (APPI): Japan’s legal framework regulating the handling of personal data.

2. SCOPE AND PURPOSE

2.1. This Agreement applies only to the extent that the Service Provider, while performing penetration testing, vulnerability assessments, or other security services for the Customer, has incidental access to Personal Data.

2.2. The Service Provider will not actively collect, process, or retain Personal Data on behalf of the Customer, except as required for the testing and evaluation of the Customer's systems.

3. COMPLIANCE WITH JAPANESE LAW

3.1. Both Parties agree to comply with all applicable provisions of the Act on the Protection of Personal Information (APPI) and related regulations of Japan, including any guidance provided by the Personal Information Protection Commission (PIPC) and other governmental authorities.

3.2. In the event that Personal Data is inadvertently obtained during the provision of security services, the Service Provider agrees to handle such data in a manner that ensures confidentiality, integrity, and security in accordance with the APPI.

4. SERVICE PROVIDER OBLIGATIONS

4.1. Data Handling and Confidentiality:

The Service Provider agrees to:

  • Access or handle Personal Data only to the extent necessary to provide the agreed-upon services.
  • Implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage.
  • Ensure that personnel involved in the processing of Personal Data are subject to appropriate confidentiality obligations.

4.2. Subprocessing:

The Service Provider will not engage any subcontractor to process Personal Data without prior written consent from the Customer.

4.3. Deletion of Data:

Upon completion of the services, the Service Provider agrees to delete or return any Personal Data that may have been accessed or obtained during testing, except where retention is required by law or where anonymization measures have been applied.

5. CUSTOMER OBLIGATIONS

5.1. The Customer is responsible for ensuring that any Personal Data provided or exposed during testing complies with all applicable Japanese laws, including the APPI.

5.2. The Customer shall not provide access to Personal Data that is unnecessary for the performance of the testing or security services.

6. DATA BREACH NOTIFICATION

6.1. In the event that the Service Provider becomes aware of any unauthorized access to, or disclosure of, Personal Data in its possession, the Service Provider shall promptly notify the Customer and provide all reasonable assistance to the Customer in managing the incident, including taking measures to mitigate any potential harm.

7. DATA TRANSFERS

7.1. The Service Provider does not transfer Personal Data outside Japan. If, in exceptional circumstances, data transfer is required, the Service Provider will ensure compliance with APPI requirements and seek the Customer’s written consent before proceeding.

8. AUDIT RIGHTS

8.1. Upon request, the Customer may audit the Service Provider’s data protection policies and practices to ensure compliance with this Agreement. The Service Provider shall cooperate with the Customer's audit, provided the audit is conducted during normal business hours and does not unreasonably interfere with business operations.

9. TERM AND TERMINATION

9.1. This Agreement will remain in force for the duration of the service agreement between the Parties.

9.2. Upon termination of services, the Service Provider will securely delete or anonymize any Personal Data in its possession, except where retention is required by law.

10. LIMITATION OF LIABILITY

10.1. The Service Provider’s liability under this Agreement is subject to the limitations of liability agreed to in the primary service agreement between the Parties.