Data Processing Addendum (DPA)
Index
- Language Note
- Data Processing Addendum (DPA)
  - Article 1 (Application)
  - Article 2 (Definitions)
  - Article 3 (Roles)
  - Article 4 (Scope and Purpose of Processing)
  - Article 5 (Obligations of the Company)
  - Article 6 (Obligations of the Subscriber)
  - Article 7 (Access Controls)
  - Article 8 (Security Incidents)
  - Article 9 (Subprocessors)
  - Article 10 (Changes to Subprocessors)
  - Article 11 (Cross-Border Transfers)
  - Article 12 (Assistance with Data Subject Requests)
  - Article 13 (Audit and Information Provision)
  - Article 14 (Retention and Deletion)
  - Article 15 (Liability)
- Schedule 1: Processing Details (by Service)
  - 1. Nulab Apps (Nulab Account)
  - 2. Nulab Pass
  - 3. Cacoo
  - 4. Backlog (Core)
    - 4-1. Backlog AI Assistant (Bedrock)
- Schedule 2: TOMs / Security Exhibit
- Schedule 3: Subprocessor List (see the List Page)
Language Note
This English version is provided for convenience. In the event of any inconsistency between the Japanese version and the English version, the Japanese version shall prevail.
Data Processing Addendum (DPA)
Article 1 (Application)
- This Data Processing Addendum (this “DPA”) applies where Nulab Inc. (the “Company”), in providing the Service pursuant to the Nulab Terms of Use or any other agreement between the Company and the Subscriber (collectively, the “Main Agreement”), processes User Data (as defined in Article 2) based on the instructions of the Subscriber.
- This DPA forms a part of the Main Agreement, and if this DPA conflicts with the Main Agreement or any other agreement with respect to the handling of data, this DPA shall prevail.
Article 2 (Definitions)
Unless otherwise provided in the Main Agreement, the terms used in this DPA shall have the following meanings:
(1) “User Data” means information input, sent, uploaded, or caused to be generated by a user in the Service (including content, attachments, comments, diagram data, and the like), and metadata generated within the Service in connection with the management, display, search, or sharing of such information (including creation date and time, update date and time, creator, identifiers, tags, and the like). For the avoidance of doubt, User Data does not include logs, measurement data, performance indicators, or any other information generated or collected for the provision, operation, security, or quality maintenance of the Service (Service Data).
(2) “Personal Data” means User Data that constitutes personal information or personal data under the Act on the Protection of Personal Information of Japan or other applicable laws.
(3) “Processing” means collection, recording, organization, structuring, storage, viewing, retrieval, copying, use, provision, transfer, deletion, destruction, and any other handling whatsoever.
(4) “Subprocessor” means a third party to whom the Company re-outsources the Processing of User Data.
(5) “Security Incident” means an event that affects, or may affect, the confidentiality, integrity, or availability of User Data (including unauthorized access, leakage, alteration, loss, denial of service, and the like).
(6) “TOMs” means the technical and organizational measures implemented by the Company (Technical and Organizational Measures), as set forth in Schedule 2.
(7) “List Page” means the fixed URL on the Company’s website where the list of Subprocessors is posted (see Schedule 3).
(8) “Deletion Policy” means the page posted on the Company’s website that sets forth the retention and deletion conditions for User Data, logs, backups, and other data relating to the Service. The fixed URLs for the Deletion Policy are as follows:
Japanese: https://nulab.com/app/assets/pdf/terms/deletion-policy-ja.pdf
English: https://nulab.com/files/terms/deletion-policy-en.pdf
Article 3 (Roles)
- The Subscriber shall, as the controller of the User Data (or a party in an equivalent position), be responsible for the lawful acquisition and use of the User Data and for entrusting the same to the Company.
- The Company shall, as the processor (or a party in an equivalent position), Process the User Data in accordance with the Main Agreement and this DPA.
Article 4 (Scope and Purpose of Processing)
- The Company shall Process User Data only within the scope and for the purposes described in Schedule 1 (Processing Details).
- The Company shall not use User Data, including for AI functions, for learning, training (including fine-tuning), or any other purpose outside the stated purposes. Provided, however, that with respect to AI functions or other functions, programs, or forms of provision (including beta versions and other trial offerings) to which separate additional terms apply, the Company may use User Data within the scope of the purposes set forth in such additional terms, provided that the Company specifies in advance the relevant data, the purposes of use, and the method for participation or suspension.
Article 5 (Obligations of the Company)
The Company shall bear the following obligations:
(1) Compliance with Instructions: The Company shall Process User Data in accordance with the reasonable instructions of the Subscriber, to the extent not inconsistent with the Main Agreement or this DPA.
(2) Confidentiality: The Company shall impose confidentiality obligations on employees who access User Data and grant access rights only to the extent necessary for their duties.
(3) Security: The Company shall implement and maintain the TOMs.
(4) Records and Audit Trails: The Company shall retain records relating to access controls and security to a reasonable extent.
Article 6 (Obligations of the Subscriber)
The Subscriber represents and shall comply with the following:
(1) The Subscriber has obtained the necessary authority and consents with respect to the contents and lawfulness of the User Data and complies with applicable laws.
(2) The Subscriber appropriately configures and manages the Service (including permission settings and account management).
(3) Any instructions provided by the Subscriber to the Company do not violate applicable laws.
Article 7 (Access Controls)
- The Company shall limit access to User Data to the minimum extent necessary.
- If the Company exceptionally views or refers to User Data for maintenance, incident analysis, or similar purposes, the Company shall do so only to the minimum extent necessary and under controls such as approval and recordkeeping (details are set forth in Schedule 2).
- Even where actual data may be referred to on a limited basis in connection with maintaining the quality of AI functions (including regression testing due to model changes and bug investigations), the Company shall comply with the controls under the preceding paragraph.
Article 8 (Security Incidents)
- If the Company becomes aware of a Security Incident, it shall notify the Subscriber within a reasonable period and share, to the extent known by the Company, an outline of the incident, the scope of impact, and the status of the Company’s response.
- The Company shall cooperate to a reasonable extent in impact assessment, containment, and recurrence prevention.
- Details of the method and contents of notification shall be governed by Schedule 2.
Article 9 (Subprocessors)
- The Subscriber approves the Company’s use of Subprocessors.
- The Company shall post the list of Subprocessors in Schedule 3.
- The Company shall impose on Subprocessors obligations regarding confidentiality, security, and purpose limitation that are at least equivalent to those under this DPA.
Article 10 (Changes to Subprocessors)
- The Company may add, change, or remove Subprocessors by updating Schedule 3.
- The following shall constitute material changes, and for updates that constitute material changes, the Company shall post notice on the List Page and, in principle, set the effective date as 30 days after the date of posting:
(a) addition of a new Subprocessor;
(b) increase in contact with User Data;
(c) addition or change of Processing or storage regions (expansion of cross-border scope);
(d) material expansion of the purposes of entrustment or categories of data.
- If the Subscriber has reasonable grounds with respect to a material change, the Subscriber may raise an objection by the method prescribed by the Company by the effective date. The Company and the Subscriber shall discuss the matter and endeavor to resolve it reasonably.
- If the matter cannot be resolved through discussion, the Subscriber may terminate the Main Agreement solely with respect to the functions affected by the relevant material change (subject to the Company’s reasonable conditions).
Article 11 (Cross-Border Transfers)
- The Company may Process or store User Data in the regions indicated in Schedule 1 and on the List Page.
- Where requirements relating to cross-border transfers under EU / UK or similar laws apply, the Company shall address them by means of a transfer addendum (such as the SCCs or UK Addendum).
- If the Company receives a request from a governmental authority or under applicable law to disclose User Data, the Company shall notify the Subscriber to the extent permitted by applicable law and, where possible, examine the lawfulness of such request.
Article 12 (Assistance with Data Subject Requests)
The Company shall cooperate to a reasonable extent to enable the Subscriber to respond to requests relating to Personal Data, including requests for disclosure, correction, deletion, and suspension of use. Provided, however, that the scope and manner of such cooperation shall be subject to the Company’s technical and operational constraints.
Article 13 (Audit and Information Provision)
- If the Company has obtained any third-party audit reports, certifications, or equivalent materials, the Company shall provide them to a reasonable extent.
- If the Subscriber wishes to conduct an individual audit of the Company’s handling of User Data (including questionnaires and online meetings), such audit shall be conducted within the scope of the Company’s reasonable conditions (including scope, frequency, allocation of costs, and confidentiality).
Article 14 (Retention and Deletion)
- Following termination of the Main Agreement or upon the occurrence of any other event specified in the Company’s Deletion Policy, the Company shall delete User Data in accordance with the Company’s Deletion Policy and Schedule 2.
- User Data may not be deleted immediately due to backups, logs, and the like. The retention periods and deletion procedures for such data shall be governed by the Deletion Policy and Schedule 2.
- If User Data includes information that is required to be used or retained under applicable law or for business purposes, such information may be retained for a certain period in accordance with applicable law.
Article 15 (Liability)
The liability of the Company and the Subscriber under this DPA shall be governed by the limitation of liability provisions in the Main Agreement.
Schedule 1: Processing Details (by Service)
Typetalk is out of scope. AI / RUM is stated only for Backlog. Retention periods are consolidated in the Deletion Policy.
1. Nulab Apps (Nulab Account)
Overview: Cross-service account / organization management (login, organizations, users, permissions, etc.)
Main Data: Account information, organization / permission information, operational logs, etc.
Purpose: Account provision, authentication, security operations, fraud prevention, and incident analysis
Processing / Storage Region: AWS (U.S., Oregon)
Subprocessor: AWS (infrastructure / operations)
Retention / Deletion: In accordance with the Deletion Policy
2. Nulab Pass
Overview: SSO / access management, audit logs, etc.
Main Data: Integration settings, authentication events, audit logs, etc.
Purpose: Authentication / access control, auditing, incident analysis, and security monitoring
Processing / Storage Region: AWS (U.S., Oregon) (except audit logs), AWS (Japan, Tokyo) (audit logs only)
Subprocessor: AWS (infrastructure / operations)
Retention / Deletion: In accordance with the Deletion Policy (retention of audit logs is defined separately)
3. Cacoo
Overview: Diagram creation and sharing
Main Data: Diagram data, templates, comments, attachments, etc.
Purpose: Service provision, maintenance and operations, security monitoring, and incident analysis
Processing / Storage Region: AWS (U.S., California)
Subprocessor: AWS (infrastructure / operations)
Retention / Deletion: In accordance with the Deletion Policy
4. Backlog (Core)
Overview: Issue tracking, Wiki, files, etc.
Main Data: Issues / Wiki / comments / attachments, metadata, operational logs, etc.
Purpose: Service provision, maintenance and operations, security monitoring, fraud prevention, and support response
Telemetry / Measurement: For the purposes of the above maintenance and operations, quality maintenance, security monitoring, and the like, the Company may collect telemetry (RUM / product analytics), including device / browser information, session identifiers, events, URLs, and the like (including analysis of product usage), and may Process and store such telemetry, using Subprocessors listed on the List Page, in the regions stated on the List Page, including the United States (U.S.). The minimization, retention periods, access controls, and the like for such telemetry shall be governed by Schedule 2 (TOMs), and details of Subprocessors are set forth in Schedule 3 (List Page).
Processing / Storage Region: Japanese site applications = AWS (Japan, Tokyo); English site applications = AWS (U.S., Oregon)
Subprocessors: AWS (infrastructure / operations), etc. (see the List Page)
Retention / Deletion: In accordance with the Deletion Policy
4-1. Backlog AI Assistant (Bedrock)
Provision Conditions: Premium / Platinum. May be enabled or disabled on an organization-by-organization basis (administrator settings).
Input / Reference: User inputs, reference context within Backlog (the scope is subject to the feature specifications), generated outputs, and operational logs (minimized).
Purpose: Provision of the feature through response generation, and maintenance incidental to such provision (quality maintenance, incident analysis, and fraud prevention).
Learning: User Data will not be used for learning, training, or fine-tuning.
Exceptional Reference: Actual data may be referred to on a limited basis for maintenance purposes such as bug investigations and regression tests (subject to the controls in Schedule 2).
Entrusted Provider: AWS (Amazon Bedrock).
Processing Region: United States (U.S. region).
Retention / Deletion: In accordance with the Deletion Policy (whether inputs / outputs are stored and any short-term retention will be determined by the feature specifications).
Schedule 2: TOMs / Security Exhibit
The Company implements the following technical and organizational measures, taking into account ISO/IEC 27001, 27017, 27018, and similar standards (without promising certification). For the avoidance of doubt, the Company does not warrant that it has obtained such certifications.
- Governance: information security policies, risk assessments, training, subcontractor management, internal audits, etc.
- Access Controls: least privilege (RBAC), privileged access management, MFA, access rights reviews, and segregation of duties
- Exceptional Access: where User Data is referred to for maintenance, incident analysis, or similar purposes, approval, recordkeeping, scope minimization, time-limited access, and post-review are implemented
- Logs and Monitoring: the Company collects and stores access logs, application logs, and other logs for the operation and maintenance of the Service, quality maintenance, security monitoring, and incident analysis, and implements anomaly detection, alerts, and restrictions on log viewing permissions
- Data Minimization (Measurement): in RUM / analytics, suppression of collection of input values and text bodies, design of only the minimum necessary events, sampling, and shortening of retention periods
- Encryption: encryption of communications (TLS). For storage, measures commensurate with confidentiality and risk are implemented (such as encryption and access controls)
- Vulnerability / Change Management: vulnerability management, patch application, change review, regression testing, and rollback procedures
- Operation of AI Functions: prohibition on use for learning, impact assessment when models are changed, and controls where reference to actual data is necessary for bug investigations (in accordance with item 3)
- Incident Response: detection, containment, recovery, root cause analysis, recurrence prevention, and notification to the Subscriber. As a guideline, notification will be made within 72 hours, but this may vary depending on the nature of the individual matter, the status of the investigation, and legal requirements.
- Retention and Deletion: in accordance with the Deletion Policy, production data, logs, and backups are deleted in stages. The Company may create backups for availability assurance, disaster recovery, and similar purposes, and if immediate deletion of backups is difficult, such backups shall be deleted sequentially after expiration of the retention period.
- Audit and Records: provision of third-party materials, and reasonable explanations and cooperation
Schedule 3: Subprocessor List (see the List Page)
The list of Subprocessors (including country of location, purpose, and Processing / storage region) is posted on the List Page.
List Page URLs:
Japanese: https://nulab.com/ja/privacy/list-of-service-providers/
English: https://nulab.com/privacy/list-of-service-providers/
First edition established and effective on April 8, 2026.
(For users applying on or after April 8, 2026, this DPA applies from the same date. For users who applied on or before April 7, 2026, the effective date is May 7, 2026. In addition, the supplemental security terms will be abolished for existing users on the same date.)