Nulab Service Supplemental Terms regarding Privacy and Security

These terms supplement the Nulab Terms of Service with respect to privacy and security in the Services provided by Nulab (hereinafter referred to as “Supplemental Terms”). Users should use Nulab services subject to and in accordance with the Supplemental Terms in addition to the Nulab Terms of Service. If there is any discrepancy between the Supplemental Terms and the Nulab Terms of Service, including the Privacy Policy, the Supplemental Terms shall prevail. Terms used in the Supplemental Terms shall have the same meaning as used in the Terms of Service unless otherwise defined in the Supplemental Terms.

  1. Purpose
    These Supplemental Terms set forth our security policy regarding User Data and other information pursuant to Article 13 in Nulab Terms of Service. For our policy regarding personal information, please refer to the Privacy Policy.
  2. Privacy
    1. Compliance with privacy law. Nulab complies with all data protection and privacy laws generally applicable to the Service. However, Nulab shall not be liable for noncompliance with data protection and privacy laws applicable to specific types of data, users or user industries, but which are not applicable to information technology service providers.
    2. Use of User Data. Unless otherwise stipulated in the agreements, consents, memoranda of understanding or other documents executed with Users, Nulab will process User Data in accordance with each of the provisions set forth in Supplemental Terms, and will not (a) have the administrator rights or any other similar rights concerning User Data or (b) use or disclose User Data for purposes other than each of the items below. Nulab will use User Data for the following purposes:
      1. User Data will be used only for the purpose of providing the Service to Users, including troubleshooting to prevent, detect or solve issues affecting the operation of the Service, as well as improving User Data protection functions by detecting threats (malware or spam) as they occur and spread.
      2. Nulab will not disclose User Data to law enforcement agencies unless otherwise required by law. In the event that Nulab is required by a law enforcement agency to disclose User Data, Nulab will request such law enforcement agency to directly make such request to Users. As part of this process, Nulab may provide Users’ basic contact information to the law enforcement agency.  If the disclosure of User Data is compelled by a law enforcement agency, Nulab shall make commercially reasonable efforts to notify the respective Users prior to making such disclosure.
    3. Deletion of User Data. Nulab will delete User Data when the Administrator of the Service submits a service termination request (which means “Deletion of Organization” in Nulab Account or “Termination of Service” in Backlog Classic Plan. The same applies hereinafter.). In this case, User Data may not be recovered once deleted, even by Nulab. The following table summarizes the conditions and timing of deletion for each applicable User Data.
      (Conditions and timing of deletion)

      | | Conditions for deletion of User Data | Timing of deletion (general rule) |
      |---|---|---|
      | Backlog Classic Plan | Termination request has been submitted | The deletion process will start after 180 days have elapsed following (i) the termination of the current agreement for Spaces under paid plans; or (ii) the submission of a termination request for Spaces during paid plan trial periods or under free plans, and will be complete within 10 days of start*. |
      | | The trial period is ended without a request for formal paid plans | The deletion of the Organization will be automatically implemented after 30 days from the end date of the trial period. The deletion of User Data process will start after 180 days following the implementation of deletion of the Organization and will be complete within 10 days of start*. |
      | | The Services are terminated due to payment delay or any other reasons pursuant to Section 9.1 of Nulab Terms of Service | The deletion of the Organization will be automatically implemented within 90 days of the termination of the Services. The deletion of User Data process will start after 180 days following the implementation of termination and will be complete within 10 days of start*. |
      | Cacoo Plus Plan, and Free Plan subscribed prior to November 27, 2019 | Deletion of Nulab account | The deletion of User Data process will start upon deletion of the Nulab account and will be complete within 10 days of start*. |
      | Backlog, Cacoo and Typetalk plans other than above | Deletion of Organization | The deletion of User Data process will start after 180 days following the implementation of deletion of the Organization and will be complete within 10 days of start*. |
      | | The trial period is ended without a request for formal paid plans | The deletion of the Organization will be automatically implemented after 30 days from the end date of the trial period. The deletion of User Data process will start after 180 days following the implementation of deletion of the Organization and will be complete within 10 days of start*. |
      | | The Services are terminated due to payment delay or any other reasons pursuant to Section 9.1 of Nulab Terms of Service | The deletion of the Organization will be automatically implemented after 90 days from the termination of the Services. The deletion of User Data process will start after 180 days following the implementation of deletion of the Organization and will be complete within 10 days of start*. |
      | Audit log | Deletion of Organization | The deletion of the audit log process will start after 180 days following the implementation of deletion of the Organization and will be complete within 10 days from the start*. |
      | | The contract period for Nulab Pass has expired | The deletion of the audit log process will start after 30 days following the expiration of the Nulab Pass contract and will be complete within 10 days from the start*. |
      | | The trial period for Nulab Pass has ended without a request for formal paid plans | The deletion of the audit log process will start after 30 days following the expiration of the Nulab Pass trial term and will be complete within 10 days from the start*. |
      | | The Services are terminated due to payment delay or any other reasons pursuant to Section 9.1 of Nulab Terms of Service | The deletion of the audit log process will start after 30 days following the expiration of the Nulab Pass trial period and will be complete within 10 days from the start*. |
      | | The 13-month audit log retention period has passed | The deletion process of the audit log will start after 400 days following the retention of the audit log, and will be completed within 10 days from the start*. |
      | Nulab Account | Deletion of Nulab Account | The deletion of User Data process will start upon deletion of the Nulab account and will be complete within 10 days of start*. |
      | Managed Account | Deletion of Organization or Managed Account | In case the deletion of the Organization is implemented, the deletion of User Data process will start after 180 days following the implementation of deletion of the Organization and will be complete within 10 days of start*. In case the deletion of the Managed Account is implemented, the deletion of User Data process starts upon the deletion and will be complete within 10 days of start*. |
      | | The trial period is ended without a request for formal paid plans | The deletion of the Organization will be automatically implemented after 30 days from the end date of the trial period. The deletion of User Data process will start after 180 days following the implementation of deletion of the Organization and will be complete within 10 days of start*. |
      | | The Services are terminated due to payment delay and any other reasons pursuant to Section 9.1 of Nulab Terms of Service | The deletion of the Organization will be automatically implemented after 90 days from the termination of the Services. The deletion of User Data process will start after 180 days following the implementation of deletion of the Organization and will be complete within 10 days of start*. |

      * Notwithstanding the above, User Data will remain stored in the backup data collected for each service for a certain period even after the deletion completion dates listed above. For example, if the data’s backups are made once a day and retained 30 times, the data will remain stored for 30 days in the data’s backups after deletion is complete and will be deleted on the 31st day.

      (User Data subject to deletion)
      All User Data registered by Users for each service shall be deleted except for the following data:
      – Data related to contracts, billing and deposit for each service
      – Administrator’s name and contact for each service
      – Backlog space owner’s name and contact (Classic Plan)
      – Backlog space ID
      – Nulab Pass’ Nulab Organization ID
      – Image inserts uploaded to Cacoo

      However, in case of the deletion of the Nulab account, Managed Account or Backlog account (Classic Plan), the User Data in Backlog, Typetalk or Cacoo (excluding Free Plan and Plus Plan prior to November 27, 2019), created through the respective accounts, will not be deleted. In order for this User Data to be deleted, it must fall into one of the items listed above other than “Nulab Account” and “Managed Account”.

      The User Data will be deleted only in the cases listed above.

       

    4. Non-accommodation of requests from End Users. Unless required by law, Nulab will not accommodate requests from End Users concerning data protection or privacy without the User’s written consent. Provided, however, that, in cases where a User provides its account to an End User, such User agrees that Nulab may contact such End User, using the End User’s information provided by the User, for the purpose of providing such End Users with tips, advice and other useful information or product related information to help such End User make the best use of Nulab products and services. In such cases, Nulab shall obtain the End User’s consent in advance. Furthermore, Nulab shall take commercially appropriate steps for suspending future communication whenever the End User’s consent is not obtained.
    5. Transferring of User Data. User Data processed by Nulab for Users may be transferred, stored and processed in the United States or other countries where Nulab, its affiliates or contractors maintain systems. You appoint Nulab as an agent to transfer User Data to, and store and process it in such countries for the purpose of providing the Service.
    6. Nulab’s employees. In no event will Nulab’s employees process User Data without Nulab’s approval. Nulab’s employees are under confidentiality obligations which survive any termination of their employment.
    7. Nulab’s contractors. Nulab may contract a limited service such as user support to a third party. Such third parties (hereinafter referred to as “Contractor(s)”) shall obtain only the User Data necessary to accomplish the purpose of their assignment and shall not use such User Data for other purposes. Nulab shall be responsible for Contractors’ compliance with obligations concerning privacy and security set forth in Nulab Terms of Service and Supplemental Terms. Furthermore, Nulab shall impose, on all Contractors receiving User Data, obligations of confidentiality and protection of personal information concerning such User Data received from Nulab. You agree that Nulab may transfer User Data to Contractors under the conditions set forth in the Supplemental Terms. Unless otherwise specified herein, Nulab will not transfer to a third party User Data collected through the use of the Service (even for the purpose of storage).
    8. Storage of User Data and personal information collected through the Services.  User Data and personal information collected through the Service is shared under our responsibility with the following service providers for the specified purposes:
      (For the purpose of development of the Services)
      ・Amazon Web Services
      (For the purpose of support of the Services)
      ・PayPal
      ・Google Workspace / Google Analytics
      ・MixPanel
      ・Intercom
      ・Stripe
      ・PAY.JP
      ・MailChimp
      ・Marketo
      ・Salesforce
    9. List of countries. User Data and personal information collected through the Service is stored in the following countries, subject to the laws and regulations governing the jurisdictions:
      • Japan
      • The United States of America
    10. Your responsibilities
      • It is Your responsibility to comply with the applicable legal requirements for privacy, data protection and communication confidentiality concerning the use of the Service.
      • It is Your responsibility to take the following security measures:
        • Proper management of the password assigned to each User
        • Proper management of the Nulab service account (registration, deletion, granting of administrator authority, etc.)
  3. Security
    • Technical and organizational security system. Nulab has in place and will maintain appropriate technical and organizational measures, internal controls and information security routines, in order to protect User Data from loss, damage or alteration due to force majeure, unauthorized access or leakage, or destruction through illegal acts. These responsibilities of Nulab concerning its security system shall apply only to the security and handling of User Data, and its obligations regarding confidentiality of User Data are set forth in Nulab Terms of Service.
    • Security incidents
      • In the event of illegal access to User Data stored in Nulab’s equipment or facility, or loss, disclosure or alteration of User Data due to unauthorized access to such equipment or facility (each such incident shall be hereinafter referred to as “Security Incident(s)”), Nulab shall (a) notify the Users of such Security Incident, (b) investigate the Security Incident and report the result to the Users and (c) reduce the impact of the Security Incident and take appropriate measures to minimize any damage.
      • You agree to the following:
        • If a Security Incident attempt fails, the foregoing item shall not apply and Nulab shall not be responsible to investigate, notify, report or take measures. A Security Incident is considered a failure when no unauthorized access to User Data or Nulab’s equipment or facility storing User Data occurs, including, but not limited to, ping attacks or broadcast attacks against firewalls or edge servers, port scans, failed logon attempts, denial-of-service attacks, packet sniffing (or other unauthorized access to data traffic which did not reach data other than IP address or header).
        • Nulab’s aforementioned notification or measures against Security Incidents shall not be construed as an admission of negligence, indemnity or any other liability by Nulab.
      • In the event of any Security Incidents, Nulab will, at its option, notify Your Administrator via email and other methods, in principle within 72 hours. For this purpose, it is Users’ responsibility to ensure that Your Administrator keeps its registered contact information on the Service portal current and accurate at all times in accordance with Nulab Terms of Service.
      • Please contact Nulab Support Desk (https://nulab.com/contact/) if You become aware of a Security Incident or have a question about information Security Incidents.
    • Certification and audit. Nulab has established and maintains a data security policy that meets the ISO/IEC 27000 series of standards: ISO 27001, 27017, and 27018. It is Your responsibility to review the content of documents separately prepared by Nulab concerning the Service, and independently determine whether the Service meets your requirements.
  4. Encryption
    Nulab uses Amazon Web Services, whose products and services have overall high reliability and enhanced security. We also protect confidentiality of data stored in our infrastructure, by providing paths protected by security systems using multiple encryption methods, protocols and algorithms, which allow data to safely pass through the infrastructure.

    • Transport Layer Security/Secure Sockets Layer (TLS/SSL). TLS/SSL encrypts communications exchanged on networks using symmetric encryption based on shared keys.
    • Internet Protocol Security (IPsec). IPsec is an industry-standard protocol suite used to provide network data authentication, integrity and confidentiality at the IP packet level.
  5. Backup
    Backlog: Data backup policy
    Cacoo: Data backup policy
    Nulab Account

    • Database backups are made once a day and retained 14 times
    • Data is stored in the running server used for the corresponding service within Amazon Web Services
  6. Protection of logs
    Logs are stored in Amazon Web Services. Access is permitted only to persons engaged in specific assignments.

    • Access logs (IP, URL, time)
    • Semi-permanent duration

Update: