Nulab’s Security System
Security, Audit and Certificate
Nulab is audited and certified by a third party. Nulab services are designed, developed and operated under strict management of information.
Nulab undergoes an independent audit every year by an internationally-recognized audit agency to verify its adherence to security, privacy, continuity and compliance policies and procedures.
Certifications obtained by Nulab services
ISO/IEC 27001 is an integrated Information Security Management System (conformity assessment system, hereinafter referred to as “ISMS”) for managing information security by protecting information assets from various threats and reducing risks.
What is ISMS Cloud Security Certification?
The ISMS Cloud Security Certification is a framework provided as an add-on to the JIS
Q 27001:2014 (ISO/IEC 27001:2013) certification concerning the provision and use of cloud services within the scope of such certification, and is aimed at certifying organizations that meet the requirements for cloud service information security management outlined in ISO/IEC 27017:2015.
Nulab takes the following security measures:
- Nulab services security measures
- Protection of customer data stored in Nulab services
- Security measures for middleware, OS and other infrastructure used in providing Nulab services
It is your responsibility to take the following security measures:
- Proper management of the password assigned to each User
- Proper management of the Nulab service account (registration, deletion, granting of administrator authority, etc.)
Nulab Service Supplemental Terms regarding Privacy and Security
- Compliance with privacy law. Nulab complies with all data protection and privacy laws generally applicable to the Service. However, Nulab shall not be liable for noncompliance with data protection and privacy laws applicable to specific types of data, users or user industries, but which are not applicable to information technology service providers.
- Use of User Data. Unless otherwise stipulated in the agreements, consents, memoranda of understanding or other documents executed with Users, Nulab will process User Data in accordance with each of the provisions set forth in Supplemental Terms, and will not (a) have the administrator rights or any other similar rights concerning User Data or (b) use or disclose User Data for purposes other than each of the items below. Nulab will use User Data for the following purposes:
- User Data will be used only for the purpose of providing the Service to Users, including troubleshooting to prevent, detect or solve issues affecting the operation of the Service, as well as improving User Data protection functions by detecting threats occurring and spreading (malware or spam).
- Nulab will not disclose User Data to law enforcement agencies unless otherwise required by law. In the event that Nulab is required by a law enforcement agency to disclose User Data, Nulab will request such law enforcement agency to directly make such request to Users. As part of this process, Nulab may provide Users’ basic contact information to the law enforcement agency. If the disclosure of User Data is compelled by a law enforcement agency, Nulab shall make commercially reasonable efforts to notify the respective Users prior to making such disclosure.
- Deletion of User Data. Nulab will delete User Data when the Administrator of the Service submits a service termination request (which means “Deletion of Organization” in Nulab Account or “Termination of Service” in Backlog Classic Plan. The same applies hereinafter.). In this case, User Data may not be recovered once deleted, even by Nulab. The following table summarizes the conditions and timing of deletion for each applicable User Data.
(Conditions and timing of deletion)
Conditions for deletion of User Data
Timing of deletion(general rule)
Backlog Classic Plan
Termination request has been submitted The deletion process will start after 180 days have elapsed following (i) the termination of the current agreement for Spaces under paid plans; or (ii) the submission of a termination request for Spaces during paid plan trial periods or under free plans, and will be complete within 10 days of start*. Cacoo Plus Plan, and Free Plan subscribed prior to November 27, 2019. Deletion of Nulab account The deletion process will start upon deletion of the Nulab account and will be complete within 10 days of start*. Backlog, Cacoo and Typetalk plans other than above Organization 180 days following the implementation of deletion of the Organization and will be complete within 10 days of start*. Nulab account Deletion of Nulab Account The deletion process will start upon deletion of the Nulab Account and will be complete within 10 days*.
* Notwithstanding the above, User Data will remain stored in the backup data collected for each service for a certain period even after the deletion completion dates listed above. For example, if the backup retention period is 30 days, the data will remain stored for 30 days after deletion is complete and will be deleted on the 31st day.
(User Data subject to deletion)
All User Data registered by Users for each service shall be deleted except for the following data:
– Data related to contracts, billing and deposit for each service
– Administrator’s name and contact for each service
– Backlog space owner’s name and contact (Classic Plan)
– Backlog space ID
– Image inserts uploaded to Cacoo
However, the User Data in Backlog, Typetalk or Cacoo (excluding Free Plan and Plus Plan prior to November 27, 2019), which were created through a Nulab account (Account) or Backlog account (Classic Plan), will not be deleted upon deletion of the respective Nulab or Backlog account.
- Non-accommodation of requests from End Users. Unless required by law, Nulab will not accommodate requests from End Users concerning data protection or privacy without the User’s written consent.
- Transferring of User Data. User Data processed by Nulab for Users may be transferred, stored and processed in the United States or other countries where Nulab, its affiliates or contractors maintain systems. You appoint Nulab as an agent to transfer User Data to, and store and process it in such countries for the purpose of providing the Service.
- Nulab’s employees. In no event will Nulab’s employees process User Data without Nulab’s approval. Nulab’s employees are under confidentiality obligations which survive any termination of their employment.
- Nulab’s contractors. Nulab may contract a limited service such as user support to a third party. Such third parties (hereinafter referred to as Contractor(s)”) shall obtain only the User Data necessary to accomplish the purpose of their assignment and shall not use such User Data for other purposes. Nulab shall be responsible for Contractors’ compliance with obligations concerning privacy and security set forth in Nulab Terms of Service and Supplemental Terms. Furthermore, Nulab shall impose, on all Contractors receiving User Data, obligations of confidentiality and protection of personal information concerning such User Data received from Nulab. You agree that Nulab may transfer User Data to Contractors under the conditions set forth in the Supplemental Terms. Except as mentioned above, Nulab will not transfer to a third party User Data collected through the use of the Service (even for the purpose of storage).
- Your responsibilities
- It is Your responsibility to comply with the applicable legal requirements for privacy, data protection and communication confidentiality concerning the use of the Service.
- In cases where a User provides its account to an End User, such User agrees that Nulab may contact such End User, using End User’s information provided by the User, for the purpose of providing such End Users with tips, advice and other useful information or product related information to help such End-User make the best use of Nulab products and services. In such cases, Nulab shall obtain End User’s consent in advance. Furthermore, Nulab shall take the commercially appropriate steps for suspending future communication whenever End-User’s consent is not obtained.
- Technical and organizational security system. Nulab has in place and will maintain appropriate technical and organization measures, internal controls and information security routines, in order to protect User Data from loss, damage or alteration due to force majeure, unauthorized access or leakage, or destruction through illegal acts. These responsibilities of Nulab concerning its security system shall apply only to the security and handling of User Data, and its obligations regarding confidentiality of User Data are set forth in Nulab Terms of Service.
- Security incidents
- In the event of illegal access to User Data stored in Nulab’s equipment or facility, or loss, disclosure or alteration of User Data due to unauthorized access to such equipment or facility (each such incident shall be hereinafter referred to as “Security Incident(s)”), Nulab shall (a) notify the Users of such Security Incident, (b) investigate the Security Incident and report the result to the Users and (c) reduce the impact of the Security Incident and take appropriate measures to minimize any damage.
- You agree to the following:
- If a Security Incident attempt fails, the foregoing item shall not apply and Nulab shall not be responsible to investigate, notify, report or take measures. A Security Incident is considered a failure when no unauthorized access to User Data or Nulab’s equipment or facility storing User Data occurs, including, but not limited to, ping attacks or broadcast attacks against firewalls or edge servers, port scans, failed logon attempts, service denial attacks, packet sniffing (or other unauthorized access to data traffic which did not reach data other than IP address or header).
- The aforementioned Nulab’s notification or measures against Security Incidents shall not be construed as an admission of negligence, indemnity or any other liability by Nulab.
- In the event of any Security Incidents, Nulab will, at its option, notify Your Administrator via email and other methods, in principle within 72 hours. For this purpose, it is Users’ responsibility to ensure that Your Administrator keeps its registered contact information on the Service portal current and accurate at all times in accordance with Nulab Terms of Service.
- Please contact Nulab Support Desk (https://nulab.com/contact/) if You become aware of a Security Incident or have a question about information Security Incidents.
Nulab uses Amazon Web Services, whose products and services have overall high reliability and enhanced security. We also protect confidentiality of data stored in our infrastructure, by providing paths protected by security systems using multiple encryption methods, protocols and algorithms, which allow data to safely pass through the infrastructure.
- Transport Layer Security/Secure Sockets Layer (TLS/SSL). TLS/SSL encrypts communications exchanged on networks using symmetric encryption based on shared keys.
- Internet Protocol Security (IPsec). IPsec is an industry-standard protocol suite used to provide network data authentication, integrity and confidentiality at the IP packet level.
Backlog: Data backup policy
Cacoo: Data backup policy
Typetalk: About backing up data
- Databases store data for a period of 2 weeks
- Data is stored in the running server used for the corresponding service within Amazon Web Services
Protection of Log
Logs are stored in Amazon Web Services. Access is permitted only to persons engaged in specific assignments.
- Access logs (IP, URL, time)
- Semi-permanent duration
- Storage of User Data and personal information collected through the Service
User Data and personal information collected through the Service is shared with the following services:
・Amazon Web Services
・G Suite / Google Analytics
List of countries where User Data and personal information collected through the Service is stored:
・The United States of America
Note: Information stored in the US is subject to US laws.