Supplemental Terms regarding Security (Version 9: February 1st, 2023)

These terms supplement the Nulab Terms of Service with respect to handling of User Data and the security of the Services provided by Nulab (hereinafter referred to as “these Supplemental Terms”). The Users should use Nulab Services subject to and in accordance with the Supplemental Terms in addition to Nulab Terms of Service. If there are any discrepancies between the Supplemental Terms and Nulab Terms of Service including the Privacy Policy, these Supplemental Terms shall prevail. Terms used in the Supplemental Terms shall have the same meaning as used in the Terms of Service unless otherwise defined in these Supplemental Terms.

1. Purpose

 These Supplemental Terms set forth our security policy regarding the handling of User Data and other information relating to security pursuant to Article 13 in Nulab Terms of Service.  For our policy regarding Personal Information in general, please refer to our Privacy Policy.

2. Management of User Data

  1. Compliance with privacy laws. Nulab complies with all data protection and privacy laws generally applicable to the Services. However, Nulab shall not be liable for noncompliance with data protection and privacy laws applicable to specific types of data, or specific industries of the users, which are not applicable to information technology service providers.
  2. Processing of User Data. Unless otherwise stipulated in the agreements, consents, memoranda of understanding or other documents executed with Users, Nulab will process User Data in accordance with each of the provisions set forth in these Supplemental Terms, and will not (a) have the administrator rights or any other similar rights concerning User Data or (b) use or disclose User Data for purposes other than each of the items below. Nulab will use User Data for the following purposes:
    1. User Data will be used only for the purpose of providing the Services to Users, including troubleshooting to prevent, detect or solve issues affecting the operation of the Service, as well as improving User Data protection functions by detecting threats occurring and spreading (malware or spam).
    2. Nulab will not disclose User Data to law enforcement agencies unless otherwise required by law. In the event that Nulab is required by a law enforcement agency to disclose User Data, Nulab will request such a law enforcement agency to directly make such a request to Users. As part of this process, Nulab may provide Users’ basic contact information to the law enforcement agency.  If the disclosure of User Data is compelled by a law enforcement agency, Nulab shall make commercially reasonable efforts to notify the respective Users prior to making such disclosure.
  3. Transferring of User Data. User data processed by Nulab on behalf of Users may be processed by vendors outside of Japan as stipulated in our Privacy Policy.  The list of vendors used by Nulab and the list of countries where Personal Information is stored or processed is available here.
  4. Nulab’s Employees. Nulab’s employees will never process User Data without Nulab’s approval. Nulab’s employees are under confidentiality obligations which survive any termination of their employment. 
  5. Nulab’s Vendors. Except for the limited cases described in our Privacy Policy, Nulab will not transfer to a third party User Data collected through the use of the Service. 

3. Deletion of User Data

  1. Nulab will delete User Data when the Administrator of the Service submits a service termination request (which refers to either the “Deletion of Organization” in Nulab Account or “Termination of Service” in Backlog Classic Plan. The same applies hereinafter.). 

    Nulab will also delete User Data when the Trial period is ended without the submission of a request for a Paid plan and when the Services are terminated due to payment delay or any other reasons set forth in the Nulab Terms of Service.

    In these cases, User Data may not be recovered once deleted, even by Nulab. The following table summarizes the conditions and timing of deletion for each applicable User Data.

    (Conditions and timing of deletion)

    Each entry gives the condition for deletion of User Data, followed by the timing of deletion (general rule).

    Backlog Classic Plan
      • Condition: Termination request has been submitted
        Timing: The deletion of User Data will start after 180 days have elapsed following (i) the termination of the current agreement for Spaces under paid plans; or (ii) the submission of a termination request for Spaces during paid plan trial periods or under free plans, and will be complete within 10 days of start*.
      • Condition: The trial period is ended without a request for formal paid plans
        Timing: The deletion of the Organization will be automatically implemented after 30 days from the end date of the trial period. The deletion of User Data process will start after 180 days following the implementation of deletion of the Organization and will be complete within 10 days of start*.
      • Condition: The Services have been suspended for more than 90 days due to payment delay or any other reasons pursuant to Article 9.1 of the Nulab Terms of Service
        Timing: The termination of the Services will be automatically implemented after 90 days have passed from a suspension of use of the Services. The deletion of User Data process will start after 180 days following the termination and will be completed within 10 days of start*.

    Cacoo Plus Plan, and Free Plan subscribed prior to November 27, 2019
      • Condition: Deletion of Nulab account
        Timing: The deletion of User Data will start upon deletion of the Nulab account and will be completed within 10 days of start*.

    Backlog, Cacoo and Typetalk plans other than above
      • Condition: Deletion of Organization
        Timing: The deletion of User Data will start after 180 days following the implementation of deletion of the Organization and will be completed within 10 days of start*.
      • Condition: The trial period is ended without a request for formal paid plans
        Timing: The deletion of the Organization will be automatically implemented after 30 days from the end date of the trial period. The deletion of User Data process will start after 180 days following the deletion of the Organization and will be complete within 10 days of start*.
      • Condition: The Services have been suspended for more than 90 days due to payment delay or any other reasons pursuant to Article 9.1 of Nulab Terms of Service
        Timing: The termination of the Services will be automatically implemented after 90 days have passed from the suspension of the Services. The deletion of User Data process will start after 180 days following the implementation of the termination and the subsequent deletion of the Organization and will be complete within 10 days of start*.

    Audit log
      • Condition: Deletion of Organization
        Timing: The deletion of the audit log process will start after 180 days following the implementation of deletion of the Organization and will be complete within 10 days from the start*.
      • Condition: The contract period for Nulab Pass has expired
        Timing: The deletion of the audit log process will start after 30 days following the expiration of the Nulab Pass contract and will be complete within 10 days from the start*.
      • Condition: The trial period for Nulab Pass has ended without a request for formal paid plans
        Timing: The deletion of the audit log process will start after 30 days following the expiration of the Nulab Pass trial term and will be complete within 10 days from the start*.
      • Condition: The Services have been suspended for more than 90 days due to payment delay or any other reasons pursuant to Article 9.1 of the Nulab Terms of Service
        Timing: The termination of the Services will be automatically implemented after 90 days have passed from suspension of use of the Services. The deletion of audit log will start after 30 days following the implementation of the termination and will be complete within 10 days of start*.
      • Condition: The retention period of the audit log, 13 months, has passed
        Timing: The deletion process of the audit log will start after 400 days following the retention of the audit log, and will be completed within 10 days from the start*.

    Nulab Account
      • Condition: Deletion of Nulab Account
        Timing: The deletion of User Data will start upon deletion of the Nulab account and will be complete within 10 days of start*.

    Managed Account (Accounts created before January 16, 2023 or accounts that have not been updated)
      • Condition: Deletion of Organization or Managed Account
        Timing: In case the deletion of the Organization is implemented, the deletion process of User Data will start after 180 days following the implementation of deletion of the Organization and will be complete within 10 days of start*. In case the deletion of the Managed Account is implemented, the deletion process of User Data starts upon the deletion and will be complete within 10 days of start*.
      • Condition: The trial period has ended without a request for formal paid plans
        Timing: The deletion of the Organization will be automatically implemented after 30 days from the end date of the trial period. The deletion process of User Data will start after 180 days following the implementation of deletion of the Organization and will be complete within 10 days of start*.
      • Condition: The Services have been suspended for more than 90 days due to payment delay or any other reasons pursuant to Article 9.1 of the Nulab Terms of Service
        Timing: The Services will be deemed to be terminated after 90 days have passed from the suspension of the Services. Upon the termination, the deletion of the Organization will be automatically implemented. The deletion of User Data will start after 180 days following the deletion of the Organization and will be complete within 10 days of start*.

    Managed Accounts (Accounts created after January 16, 2023 or updated accounts)
      • Condition: Deletion of Managed Account
        Timing: The deletion process of User Data will start upon deletion of the Managed Account and will be complete within 10 days of start*.
      • Condition: Deletion of Managed Account is selected at the time of deletion of Organization
        Timing: In case the deletion of the Organization is implemented, the deletion of User Data will start after 180 days following the implementation of deletion of the Organization. In case the deletion of the Managed Account is selected at the same time, the deletion of User Data starts at the same time as the deletion of the Organization and will be complete within 10 days of start*.
      • Condition: Deletion of Organization
        Timing: In case the deletion of the Organization is implemented, the deletion of User Data process will start after 180 days following the implementation of deletion of the Organization. When the deletion of the Organization is implemented, Managed Accounts that have been managed by that Organization are not automatically deleted, but converted into regular Nulab accounts*.
      • Condition: The trial period is ended without a request for formal paid plans
        Timing: The deletion of the Organization will be automatically implemented after 30 days from the end date of the trial period. When the deletion of the Organization is implemented, Managed Accounts that have been managed by that Organization are not automatically deleted, but converted into regular Nulab accounts*.
      • Condition: The Services have been suspended for more than 90 days due to payment delay or any other reasons pursuant to Article 9.1 of the Nulab Terms of Service
        Timing: The Services will be deemed to be terminated after 90 days have passed from the suspension of the Services. Upon the termination, the deletion of the Organization will be automatically implemented. When the deletion of the Organization is implemented, Managed Accounts that have been managed by that Organization are not automatically deleted, but converted into regular Nulab accounts. The deletion of User Data will start after 180 days following the implementation of deletion of the Organization and will be complete within 10 days of start*.

* Notwithstanding the above, User Data will remain stored in the backup data collected for each service for a certain period even after the deletion completion dates listed above. For example, if the data’s backups are made once a day and retained 30 times, the data will remain stored for 30 days in the data’s backups after deletion is complete and will be deleted on the 31st day. 

  2. User Data exempted from deletion
    All User Data registered by Users for each service shall be deleted except for the following data:
    • Data related to contracts, billing and deposit for each service
    • Administrator’s name and contact for each service
    • Backlog space owner’s name and contact (Classic Plan)
    • Backlog space ID
    • Nulab Pass’ Nulab Organization ID
    • Image inserts uploaded to Cacoo

However, in case of the deletion of the Nulab account, Managed Account or Backlog account (Classic Plan), the User Data in Backlog, Typetalk or Cacoo (excluding Free Plan and Plus Plan prior to November 27, 2019), created through the respective accounts, will not be deleted.

In order for this User Data to be deleted, it must fall into one of the categories listed above other than “Nulab Account” or “Managed Account”.

4. User’s responsibilities

  1. It is the User’s responsibility to comply with the applicable legal requirements for privacy, data protection and communication confidentiality concerning the use of the Services.
  2. It is the User’s responsibility to take the following security measures:
    • Proper management of the password assigned to each User
    • Proper management of their Nulab service account (registration, deletion, granting of administrator authority, etc.)
  3. When using SSO (single sign-on) in conjunction with an ID platform outside of the Nulab services, Users are responsible for the management of their password of the linked account as well. 

5. Security

  1. Technical and organizational security system.
    Nulab has in place and will maintain appropriate technical and organizational measures, internal controls and information security routines, in order to protect User Data from loss, damage or alteration due to force majeure, unauthorized access or leakage, or destruction through illegal acts. These responsibilities of Nulab concerning its security system shall apply only to the security and handling of User Data, and its obligations regarding confidentiality of User Data are set forth in Nulab Terms of Service.
  2. Security incidents
    • In the event of illegal access to User Data stored in Nulab’s equipment or facility, or loss, disclosure or alteration of User Data due to unauthorized access to such equipment or facility (each such incident shall be hereinafter referred to as “Security Incident(s)”), Nulab shall (a) notify the Users of such Security Incident, (b) investigate the Security Incident and report the result to the Users and (c) reduce the impact of the Security Incident and take appropriate measures to minimize any damage.
    • You agree to the following:
      • If an attempted Security Incident fails, the foregoing item shall not apply and Nulab shall not be responsible to investigate, notify, report or take measures. A Security Incident is considered to be a failure when no unauthorized access to User Data or Nulab’s equipment or facility storing User Data occurs, including, but not limited to, ping attacks or broadcast attacks against firewalls or edge servers, port scans, failed logon attempts, denial-of-service attacks, packet sniffing (or other unauthorized access to data traffic which did not reach data other than IP address or header).
      • The aforementioned Nulab’s notification or measures against Security Incidents shall not be construed as an admission of negligence, indemnity or any other liability by Nulab.
    • In the event of any Security Incidents, Nulab will, at its option, notify the Administrator via email and other methods, in principle within 72 hours. For this purpose, it is Users’ responsibility to ensure that the Administrator keeps its registered contact information on the Service portal current and accurate at all times in accordance with Nulab Terms of Service.
    • Please contact Nulab Support Desk (https://nulab.com/contact/) if You become aware of a Security Incident or have a question about information Security Incidents.  
  3. Certification and audit. Nulab has established and maintains a data security policy that meets the ISO/IEC 27000 series of standards: ISO 27001, 27017, and 27018. It is Your responsibility to review the content of documents separately prepared by Nulab concerning the Service, and independently determine whether the Service meets your requirements.

6. Encryption

Nulab uses Amazon Web Services, whose products and services have overall high reliability and enhanced security. We also protect confidentiality of data stored in our infrastructure, by providing paths protected by security systems using multiple encryption methods, protocols and algorithms, which allow data to safely pass through the infrastructure.

  • Transport Layer Security/Secure Sockets Layer (TLS/SSL). TLS/SSL encrypts communications exchanged on networks using symmetric encryption based on shared keys. 
  • Internet Protocol Security (IPsec). IPsec is an industry-standard protocol suite used to provide network data authentication, integrity and confidentiality at the IP packet level.

7. Backup 

Backlog: Data backup policy

Cacoo: Data backup policy

Nulab Account

  • Database backups are made once a day and retained 14 times.
  • Data is stored in the running server used for the corresponding service within Amazon Web Services 

8. Protection of logs

Logs are stored in Amazon Web Services. Access is permitted only to employees engaged in specific assignments. 

  • Logs created by the Services (Access logs, Activity logs)
  • After a 545-day retention period, the deletion of logs will be automatically implemented and the deletion will be completed within 10 days of start.