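カウンセリングルーム みらい相談室, a counseling room in Fukushima, is based in Iwaki City and serves all of Fukushima Prefecture, offering counseling based on cognitive behavioral therapy, mindfulness-based cognitive therapy, and NLP psychotherapy. It also specializes in everyday-life consultations such as nursing care and welfare, depressive symptoms, and gambling addiction. Counselor 泉田公世 provides sessions online, by phone, and in person (on-site visits and home visits).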

Data Processing & International Transfers

Our commitments for keeping your business data safe — covering processing and international transfers.

This page explains our baseline approach where Cloudflare, Google, OpenAI, Stripe, and similar providers may be involved in delivery.

Baseline approach

We aim to minimize data use, define the handling scope early, and keep high-risk actions under human approval.

Main third-party providers

  • Cloudflare for delivery, protection, and edge execution
  • Google / Google Apps Script for integrations, notifications, and fallback paths
  • OpenAI for model inference and support processing
  • Stripe for payments

International transfers

Depending on the architecture and providers used, data may be processed outside Japan. We rely on provider terms and reasonable safeguards appropriate to the applicable law. See Privacy Policy for details.

B2B-first approach

We currently prioritize business customers. Cross-border B2C delivery should be reviewed case by case, including local tax and consumer-law considerations.

Customer and provider roles

  • Customer: lawful collection and internal authorization for source data
  • Project documents: define processing scope, destinations, retention, and deletion
  • High-risk changes: human approval before execution

GDPR Article 28 / Data Processing Agreement (DPA)

For EU/UK customer data, we conclude a Data Processing Agreement (DPA) compliant with GDPR Article 28 at the individual contract level. Standard terms include:

  • Purpose and categories of data being processed
  • Processing duration and end-of-contract return/deletion procedures
  • Sub-processor engagement: prior notice and reasonable objection period
  • Confidentiality and limitation of authorized personnel
  • Security measures (TOMs)
  • Data breach notification to the controller without undue delay (the 72-hour deadline applies to controller→supervisory authority)
  • Audit cooperation
  • Cross-border transfer safeguards (e.g., Standard Contractual Clauses)

Sub-processor list (GDPR Art 28(2) and 28(4))

Sub-processor | Location | Purpose
Cloudflare, Inc. | USA (incl. EU/UK edge) | Hosting, delivery, edge execution, Web Analytics, WAF, DDoS protection
Google LLC | USA | Integrations, notifications, fallback paths, Search Console, Analytics 4
OpenAI, L.L.C. | USA | Model inference, summarization, classification, assistance (customer data sent only with prior consent)
Stripe, Inc. | USA (incl. EU offices) | Payment processing (post-incorporation full operation planned)
Others | As specified in individual contracts | Disclosed as needed

Sub-processor additions or changes will be notified in advance with a reasonable objection period.

Cross-border transfers / Standard Contractual Clauses (SCC)

For transfers of EU/UK personal data outside the EU/UK (primarily to the USA), we incorporate European Commission Standard Contractual Clauses (SCC) or equivalent safeguards in individual contracts. We also rely on receiving providers’ own SCC arrangements (e.g., Cloudflare’s DPA includes SCC). For transfers subject to the UK GDPR, the EU SCCs alone are insufficient; we additionally use the UK IDTA or the UK Addendum. Japan’s EU/UK adequacy does not extend to US sub-processors, so separate safeguards apply to US transfers.

Data breach notification (GDPR Art 33)

Upon becoming aware of a personal data breach, we (as a processor) notify the customer (data controller) without undue delay under GDPR Art 33(2); the 72-hour deadline applies to the controller’s notification to the supervisory authority (Art 33(1)). Notifications will include affected scope, cause, response measures, and mitigation. For serious breaches, we will support notification to the relevant supervisory authority.

Data categories processed (GDPR Art 30)

  • Customer contact details (name, email, phone, company information)
  • Transaction information (quote, contract, billing, payment)
  • Operationally-shared business information (scope per individual contract)
  • Technical information (IP address, cookies, access logs)
  • (In principle, NOT processed) Special category data (health, beliefs, race, etc.; GDPR Art 9 / APPI sensitive data)

Final commercial terms should be confirmed in the applicable quote, order form, or contract.

Transparency under the EU AI Act

Within this data processing arrangement, we provide infrastructure that helps you (the deployer) meet your obligations under provisions such as Article 26 of the EU AI Act. For details, please see our EU AI Act Compliance page.
