Data Processing Agreement
This Octopus Data Inc. Data Processing Agreement (“DPA”), which includes the Standard Contractual Clauses adopted by the European Commission, as applicable, reflects the parties’ agreement with respect to the terms governing the Processing of Personal Data under the Octopus Data Inc. Customer Terms and Conditions (the “Agreement”). This DPA is an amendment to the Agreement and is effective upon its incorporation into the Agreement, which incorporation may be specified in the Agreement, an Order or an executed amendment to the Agreement. Upon its incorporation into the Agreement, the DPA will form a part of the Agreement.
The term of this DPA shall follow the term of the Agreement. Terms not otherwise defined herein shall have the meaning as set forth in the Agreement.
The purpose of this Agreement is to set out the relevant legislation and to describe the steps Octopus Data Inc. is taking to ensure that it complies with GDPR.
The following clauses are included in this document:
- Standard Contractual Clauses attached hereto as EXHIBIT 1.
- Appendix 1 to the Standard Contractual Clauses, which includes specifics on the Personal Data transferred by the data exporter to the data importer.
- Appendix 2 to the Standard Contractual Clauses, which includes a description of the technical and organizational security measures implemented by the data importer as referenced.
1. DEFINITIONS
- “GDPR” means The General Data Protection Regulation (EU) 2016/679 and any national legislation implementing or supplementing it, or which replaces it, as may be amended or updated from time to time, and including any and all applicable guidance issued by supervisory authorities.
- “Controller” is defined as the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
- “Processor” means Octopus Data Inc., the natural or legal person, public authority, agency or any other body which processes Personal Data on behalf of the Controller.
- “Processing” means any operation or set of operations which is performed on Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Personal Data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
- “Standard Contractual Clauses” means the clauses attached hereto as Exhibit 1 pursuant to the European Commission’s decision 2021/914.
- “Instruction” means the written, documented instruction from the Controller to the Processor to perform specific Processing operations in accordance with this Agreement and applicable Data Protection Laws.
2. DETAILS OF THE PROCESSING
2.1 Subject Matter and Scope of Processing
The Processor shall process Personal Data only on the Instructions of the Controller for the performance of services set out in the Agreement. The subject matter, duration, nature and purpose of the Processing, the types of Personal Data and categories of data subjects are set out in Appendix 1 to the Standard Contractual Clauses.
2.2 Scope of Authority
The Processor shall process Personal Data only in accordance with Instructions received from the Controller, unless otherwise required by law. The Processor shall not process Personal Data for purposes other than those specified in the Agreement or required by applicable law. The Processor shall not engage in any Processing of Personal Data except as directed by the Controller.
2.3 Categories of Personal Data
The categories of Personal Data being processed include but are not limited to: name, email address, company name, job title, phone number, IP address, usage data, and any other information transmitted by the data subject to the Processor. The specific categories of Personal Data processed are detailed in Appendix 1 to the Standard Contractual Clauses.
2.4 Categories of Data Subjects
The categories of data subjects from whom the Personal Data is processed may include end users, customers, employees, contractors, and any other natural persons whose data is submitted to the Processor in accordance with the Agreement. The specific categories of data subjects are described in Appendix 1 to the Standard Contractual Clauses.
2.5 Retention of Personal Data
The Processor shall retain Personal Data in accordance with the Instructions of the Controller and as required by applicable Data Protection Laws. Upon termination or expiration of the Agreement, the Processor shall, at the Controller’s election, delete or return all Personal Data and existing copies unless law requires storage of the Personal Data. The retention period for Personal Data is set out in Appendix 1 to the Standard Contractual Clauses.
3. CUSTOMER RESPONSIBILITY
The Controller warrants that the Personal Data provided to the Processor for processing has been collected and processed in accordance with all applicable Data Protection Laws and that it has the lawful right to transfer such Personal Data to the Processor for processing as contemplated herein. The Controller is responsible for establishing the lawful basis for the processing of Personal Data and for ensuring that all processing Instructions are lawful and compliant with applicable Data Protection Laws.
The Controller is responsible for providing notice to data subjects as required by Data Protection Laws concerning the Processing of their Personal Data. The Controller shall ensure that any required data subject consents or lawful bases for Processing have been obtained prior to transferring Personal Data to the Processor. The Controller alone is responsible for determining whether Processing meets the requirements of Data Protection Laws with respect to lawfulness and fairness of Processing.
The Controller shall, in its use of the Processor’s services, comply with all applicable Data Protection Laws and shall not instruct the Processor to process Personal Data in a manner that violates such laws. The Controller is responsible for responding to data subject requests concerning their Personal Data and for exercising rights afforded to data subjects under applicable Data Protection Laws.
The Controller is responsible for determining the appropriate safeguards and measures necessary to protect Personal Data from unauthorized access and Processing. The Controller shall ensure that it is able to comply with its obligations under Data Protection Laws and that the services provided by the Processor, as described in Appendix 2 of the Standard Contractual Clauses, provide sufficient technical and organizational measures to ensure protection of the Personal Data according to the risk presented by the Processing.
4. OBLIGATIONS OF PROCESSOR
4.1 Processing Instructions
The Processor shall process Personal Data only on documented Instructions from the Controller. The Processor shall not process Personal Data beyond the scope of the Instructions except where required to do so by applicable law. If the Processor is required by law to process Personal Data beyond the scope of the Instructions, the Processor shall, to the extent permitted by law, promptly notify the Controller of such legal requirement prior to processing such Personal Data.
4.2 Personnel and Confidentiality
The Processor shall ensure that its personnel are subject to binding obligations of confidentiality concerning Personal Data. Personnel shall be informed of the confidential nature of the Personal Data and the importance of maintaining the security and confidentiality of such data. The Processor shall take appropriate disciplinary and legal action against any personnel who breach confidentiality obligations. The Processor shall ensure that all personnel involved in the Processing of Personal Data are appropriately trained and instructed regarding Data Protection Laws and the secure handling of Personal Data.
4.3 Sub-processors
The Processor shall not authorize sub-processors to process Personal Data without prior written authorization from the Controller. The Processor has obtained specific or general written authorization from the Controller for the engagement of sub-processors. A list of authorized sub-processors is provided in Exhibit 2 to this DPA. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Controller the opportunity to object to such changes. In the event that the Controller objects to the engagement of a sub-processor, the Processor shall make reasonable efforts to resolve the Controller’s concerns.
Where the Processor engages sub-processors, the Processor shall remain liable for the performance of the sub-processor’s obligations. The Processor shall impose the same data protection obligations on sub-processors that are imposed on the Processor in this DPA through a contract or other legal act that is binding on the sub-processor.
4.4 Security Measures
The Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- Encryption of Personal Data in transit and at rest;
- Ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
- Ability to restore the availability and access to Personal Data in a timely manner in the event of an incident;
- Process for regularly testing, assessing and evaluating the effectiveness of security measures;
- Protection against unauthorized or accidental access, processing, deletion, loss, alteration, disclosure or destruction of Personal Data.
A detailed description of the technical and organizational measures implemented by the Processor is set forth in Appendix 2 to the Standard Contractual Clauses.
The Processor shall, taking into account the nature of Processing and the information available to the Processor, provide reasonable assistance to the Controller in ensuring compliance with the Controller’s obligations pursuant to Articles 32 through 36 of the GDPR, including assistance with Data Protection Impact Assessments and prior consultation with supervisory authorities where required.
The Processor shall not materially reduce the overall level of security measures described in Appendix 2 without providing the Controller with at least thirty (30) days’ prior written notice. The Controller shall have the right to review and object to any proposed material changes to the security measures. If the Controller reasonably objects, the parties shall negotiate in good faith to address the Controller’s concerns.
4.5 Personal Data Breach Notification
The Processor shall notify the Controller without undue delay and in no case later than twenty-four (24) hours after becoming aware of a Personal Data Breach. The Processor shall provide all information necessary to enable the Controller to fulfill its legal obligations regarding notification of data subjects and notification to supervisory authorities. The Processor shall cooperate with the Controller and provide all reasonably requested information to the Controller regarding the Personal Data Breach, including the likely consequences and the measures being taken or proposed to address the Personal Data Breach and mitigate harm to affected data subjects.
Such notification shall include, at a minimum: (a) a description of the nature of the Personal Data Breach, including the categories and approximate number of data subjects and Personal Data records concerned; (b) the name and contact details of the Processor’s data protection officer or other contact point; (c) a description of the likely consequences of the breach; and (d) a description of the measures taken or proposed to address the breach and mitigate its adverse effects.
4.6 Data Requests and Data Subject Rights
The Processor shall, taking into account the nature of Processing, assist the Controller by implementing appropriate technical and organizational measures in fulfilling the Controller’s obligation to respond to requests from data subjects exercising their rights under applicable Data Protection Laws, including access, rectification, deletion, and data portability rights. The Processor shall provide reasonable assistance to the Controller in responding to data subject requests within the timeframes required by applicable Data Protection Laws. The Processor’s reasonable assistance with data subject requests as described in this Section 4.6 shall be provided at no additional cost to the Controller, except where requests are manifestly unfounded, excessive, or require disproportionate technical effort, in which case the Processor may charge a reasonable fee agreed upon in advance with the Controller.
4.7 Audit Rights and Compliance
The Processor shall make information available to the Controller and, where applicable, to the supervisory authority, and shall allow for audits and inspections by the Controller and the competent supervisory authorities. The Processor shall provide reasonable cooperation and assistance to enable the Controller to conduct audits and inspections and to verify the Processor’s compliance with this DPA and applicable Data Protection Laws.
4.8 International Transfers
Any transfer of Personal Data outside of the European Union, the European Economic Area or a country that is deemed to have adequate protection under Data Protection Laws shall be governed by the Standard Contractual Clauses as set forth in Exhibit 1 and as amended by this DPA. The Processor shall ensure that any sub-processor that processes Personal Data outside of such regions also implements Standard Contractual Clauses or another appropriate safeguard mechanism as approved by the relevant supervisory authority.
Prior to the commencement of any transfer of Personal Data to a country not recognized as providing an adequate level of protection, the Processor shall conduct or cooperate with the Controller in conducting a Transfer Impact Assessment to evaluate whether the laws of the recipient country provide an essentially equivalent level of protection to that guaranteed under the GDPR. The Processor shall implement supplementary technical, organizational, and contractual measures as necessary to address any gaps identified in the Transfer Impact Assessment, including but not limited to encryption with Controller-held keys, pseudonymization, and enhanced access controls.
4.9 UK Data Transfers
To the extent that Personal Data of data subjects located in the United Kingdom is transferred outside of the United Kingdom, the parties agree that such transfers shall be governed by the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the “UK IDTA”), as issued by the UK Information Commissioner’s Office under Section 119A of the UK Data Protection Act 2018, which is incorporated herein by reference. In the event of any conflict between the UK IDTA and this DPA, the UK IDTA shall prevail with respect to transfers of UK Personal Data. The Processor shall comply with all requirements of UK Data Protection Laws applicable to the Processing of UK Personal Data.
5. AUDITS
The Controller or its appointed auditor shall have the right to audit the Processor to ensure compliance with this DPA and applicable Data Protection Laws. The right to audit shall be exercised in the following manner:
- The Controller shall provide the Processor with reasonable advance notice of any proposed audit, normally at least thirty (30) days in advance, except in the case of a suspected Personal Data Breach or compliance violation, in which case the Controller may conduct an audit on shorter notice.
- Any audit shall be conducted during normal business hours and in a manner that minimizes disruption to the Processor’s operations.
- The Processor shall reasonably cooperate with audits and shall provide access to relevant documentation, systems, and personnel as necessary to verify compliance.
- The Controller shall maintain the confidentiality of information obtained during audits and shall not disclose such information except as required by law or to the extent necessary for Data Protection Authorities to carry out their statutory obligations.
6. GENERAL PROVISIONS
Termination and Deletion of Personal Data. Upon termination or expiration of the Agreement, the Processor shall, at the written election of the Controller, delete all Personal Data and existing copies thereof within thirty (30) days of the effective date of termination, or return all Personal Data to the Controller within such period, unless applicable law requires the Processor to retain the Personal Data. The Processor shall provide the Controller with written certification of deletion upon request.
Amendment. This DPA may be amended by mutual written consent of the parties. The parties may also amend this DPA to comply with changes in applicable Data Protection Laws or regulatory requirements.
Governing Law. This DPA shall be governed by and construed in accordance with the laws of the jurisdiction specified in the Agreement, excluding conflict of laws principles.
Entire Agreement. This DPA, together with the Agreement, constitutes the entire agreement between the parties with respect to the Processing of Personal Data and supersedes all prior and contemporaneous negotiations, representations and agreements, whether written or oral.
7. PARTIES TO THIS DPA
Data Exporter: The Controller is the party transferring Personal Data. The Controller is identified in the Agreement.
Data Importer: Octopus Data Inc. is the party receiving and processing Personal Data on behalf of the Controller. Octopus Data Inc. is established in the United States.
Limitation of Liability. Notwithstanding any limitation of liability in the Agreement, the Processor’s liability under this DPA for claims arising from a Personal Data Breach, a violation of Data Protection Laws, or a breach of the Processor’s obligations under this DPA shall not be limited to amounts paid by the Controller under the Agreement. The Processor’s aggregate liability for such claims shall be the greater of (a) two (2) times the total fees paid or payable by the Controller to the Processor in the twelve (12) months preceding the event giving rise to the claim, or (b) one million euros (EUR 1,000,000).
EXHIBIT 1 STANDARD CONTRACTUAL CLAUSES
The Standard Contractual Clauses adopted by the European Commission decision 2021/914 are incorporated herein by reference and shall apply to the transfer of Personal Data from the Controller (data exporter) to the Processor (data importer).
Annex 1: Information on Data Processing
| Item | Description |
|---|---|
| Categories of data subjects | End users, customers, employees, contractors |
| Categories of personal data | Name, email address, company name, job title, phone number, IP address, usage data |
| Sensitive data | No special category data is processed |
| Frequency of transfer | Continuous during the term of the Agreement |
| Nature of the processing | Storage, retrieval, analysis, and transmission of Personal Data as necessary to provide services under the Agreement |
| Purpose of the processing | To provide services to the Controller as set forth in the Agreement |
| Retention period | For the duration of the Agreement and as required by applicable law |
| Sub-processor transfers | Sub-processors listed in Exhibit 2 may process Personal Data |
Annex 2: Technical and Organisational Measures
a) Access Control
The Processor implements access control measures to restrict access to Personal Data to authorized personnel only. Access is granted on a need-to-know basis. The Processor maintains records of access to Personal Data systems and logs access attempts. Multi-factor authentication is required for access to systems containing Personal Data. Access rights are reviewed and updated regularly. Employees and contractors sign confidentiality agreements prior to gaining access to Personal Data.
b) Transmission Control
All Personal Data in transit is encrypted using industry-standard encryption protocols (TLS 1.2 or higher). Virtual Private Networks (VPNs) are used for remote access to systems containing Personal Data. Secure file transfer protocols are used for the exchange of Personal Data. Data transmission logs are maintained and regularly reviewed. Any suspicious transmission activities are immediately investigated.
c) Input Control
All Personal Data input into systems is validated and authenticated. Only authorized users can input Personal Data. Audit trails are maintained for all data inputs. The Processor ensures that only correct and authorized Personal Data is processed. Data validation checks are performed to identify incomplete or incorrect data.
d) Availability Control
The Processor maintains redundant backup systems to ensure the availability of Personal Data. Backups are stored in geographically diverse locations. Disaster recovery procedures are in place and tested regularly. The Processor maintains systems and services with high availability and resilience. Recovery objectives include a Recovery Time Objective (RTO) of no more than 4 hours and a Recovery Point Objective (RPO) of no more than 1 hour. Regular testing of backup and recovery systems is performed to ensure effectiveness.
EXHIBIT 2: LIST OF SUB-PROCESSORS
| Sub-Processor Name | Purpose | Location |
|---|---|---|
| AWS/Google Cloud/Azure | Cloud Infrastructure | United States |
| Grafana/Kibana/Prometheus | Monitoring and Logging | United States |
| Intercom/Slack | Customer Support and Communication | United States |
| Postmark/Mailchimp | Email Delivery | United States |
General Provisions
The Processor shall not engage additional sub-processors without prior written authorization from the Controller. The Controller authorizes the use of the sub-processors listed above. Any new sub-processor shall be subject to the same data protection obligations as set forth in this DPA.
Changes to Sub-Processors
The Processor shall provide at least thirty (30) days’ written notice to the Controller of any intended changes concerning the addition or replacement of sub-processors. During this period, the Controller may object to the use of the new sub-processor on reasonable grounds relating to data protection. If the Controller objects in writing within thirty (30) days, the parties shall cooperate in good faith to resolve the Controller’s concerns or identify an alternative sub-processor. If the parties cannot reach agreement on an alternative sub-processor within thirty (30) days of the Controller’s objection, the Controller may terminate the affected portion of the Agreement without penalty.