Kimaru AI Inc.

Data Processing Agreement

Effective Date: As of the date Customer agreed to the Terms

Kimaru AI Data Processing Agreement

This Data Processing Agreement (“DPA”) is entered into by and between Kimaru AI Inc. (“Kimaru,” “we,” or “our”) and the user of our Services (“Customer”). This DPA is supplemental to the Terms of Service (“Terms”) and sets out the terms that apply when Personal Data (defined below) is processed by Kimaru on behalf of the Customer under the Terms. The purpose of the DPA is to ensure such processing is conducted in accordance with applicable Data Protection Laws (defined below) and with due respect for the rights and freedoms of individuals whose Personal Data is processed.

All capitalized terms not defined in this DPA shall have the meanings set forth in the Terms, or Kimaru’s Privacy Policy as applicable.

Definitions

“Authorized Sub‑Processor” means a third party who has a need to know or otherwise access Customer’s Personal Data to enable Kimaru to perform its obligations under this DPA, and who is authorized under Section 4.2 of this DPA.

“Customer” means a user of the Services.

“Data Exporter” means Customer.

“Data Importer” means Kimaru.

“Data Protection Laws” means any applicable laws and regulations in any relevant jurisdiction relating to the use or processing of Personal Data including: (i) US state privacy laws, including, but not limited to, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”); (ii) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR” or “GDPR”); (iii) the Swiss Federal Act on Data Protection; (iv) the EU GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”); (v) the UK Data Protection Act 2018; (vi) the Privacy and Electronic Communications (EC Directive) Regulations 2003; and (vii) other privacy laws governing the processing of Personal Data or Personal Information; in each case, as updated, amended or replaced from time to time. The terms “processing,” “processor,” “controller,” and “supervisory authority” shall have the meanings set forth under applicable Data Protection Laws.

“Data Subject” means an individual who is protected under any applicable Data Protection Law.

“EU SCCs” means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of personal data to countries not otherwise recognized as offering an adequate level of protection for personal data by the European Commission (as amended and updated from time to time), the current version of which is available here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.

“ex‑EEA Transfer” means the transfer of Personal Data, which is processed in accordance with the GDPR, from the Data Exporter to the Data Importer (or its premises) outside the European Economic Area (the “EEA”), and such transfer is not governed by an adequacy decision made by the European Commission in accordance with the relevant provisions of the GDPR.

“ex‑UK Transfer” means the transfer of Personal Data, which is processed in accordance with the UK GDPR and the Data Protection Act 2018, from the Data Exporter to the Data Importer (or its premises) outside the United Kingdom (the “UK”), and such transfer is not governed by an adequacy decision made by the Secretary of State in accordance with the relevant provisions of the UK GDPR and the Data Protection Act 2018.

“Master Services Agreement” or “MSA” means the underlying contract between Kimaru and Customer.

“Personal Data” or any such variation of the term (such as “Personal Information” or “Personally Identifiable Information”) shall have the meaning set forth under applicable Data Protection Laws.

“Security Incident” means any unauthorized action by a known or unknown person which should reasonably be considered one of the following: an attack, penetration, disclosure of confidential customer or other sensitive information, misuse of system access, unauthorized access or intrusion (hacking), virus intrusion, or scan of Kimaru’s systems or networks, all to the extent they affect the security, confidentiality, or integrity of Customer Personal Data received, stored, processed, or maintained by Kimaru.

“Services” means the use of Kimaru’s offerings by Customer for its business purposes, as defined in the Terms of Service.

“Standard Contractual Clauses” means the EU SCCs.

“UK Addendum” means the international data transfer addendum to the EU SCCs issued by the UK Information Commissioner for parties making restricted transfers under the UK GDPR, the current version of which is available at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.

“UK IDTA” means the international data transfer agreement adopted by the United Kingdom and issued by the UK Information Commissioner for parties making restricted transfers under the UK GDPR, the current version of which is available here: https://ico.org.uk/media/for-organisations/documents/4019538/international-data-transfer-agreement.pdf.

Relationship of the Parties; Processing of Data

The parties acknowledge and agree that with regard to the processing of Personal Data, Customer is a “controller” and Kimaru is a “processor” (as those terms are defined under applicable Data Protection Laws).

Kimaru shall not process Personal Data (i) for purposes other than those set forth in this DPA and (ii) in a manner inconsistent with the terms and conditions set forth in this DPA or any other documented instructions provided by Customer.

The parties agree that the details of the data processing subject to this DPA are outlined in Exhibit A.

Following completion of the Services, at Customer’s choice, Kimaru shall return or delete Customer’s Personal Data, unless further storage of such Personal Data is required or authorized by applicable Data Protection Laws. If return or destruction is impracticable or prohibited by law, rule, or regulation, Kimaru shall take measures to block such Personal Data from any further processing (except to the extent necessary for its continued hosting or processing required by law, rule, or regulation) and shall continue to appropriately protect the Personal Data remaining in its possession, custody, or control.

CCPA. The parties acknowledge that their relationship under the CCPA is governed by the CCPA Addendum to this DPA, listed in Exhibit E.

Confidentiality

Kimaru shall ensure that any person it authorizes to process Personal Data is subject to a duty of confidentiality. Kimaru shall ensure that such persons are prohibited from further disclosing Personal Data they receive pursuant to this DPA except for the purpose of performing obligations under the DPA or exercising any rights granted in the DPA.

Authorized Sub‑Processors

Customer acknowledges and agrees that Kimaru may engage its sub‑processors to access and process Customer Personal Data in connection with the Services.

Customer agrees that Kimaru may use any Authorized Sub‑Processors listed in Exhibit D to process Customer Personal Data pursuant to this DPA. Kimaru will provide Customer with notice of any new sub‑processors it uses in relation to the processing of Customer Personal Data by updating the list in Exhibit D within 60 days of finalising an agreement with a new Authorized Sub‑Processor. Customer may have the right to object to the use of such additional sub‑processors under applicable Data Protection Laws.

Kimaru will enter into an agreement with its Authorized Sub‑processors imposing on the Authorized Sub‑processors data protection obligations comparable to those imposed on Kimaru under this DPA and consistent with applicable Data Protection Laws with respect to the protection of Customer Personal Data.

If Customer and Kimaru have entered into Standard Contractual Clauses as described in Section 6 (Transfers of Personal Data), (i) the above authorisations will constitute Customer’s prior written consent to the subcontracting by Kimaru of the processing of Personal Data if such consent is required under the Standard Contractual Clauses, and (ii) the parties agree that the copies of the agreements with Authorized Sub‑Processors that must be provided by Kimaru to Customer pursuant to Clause 9(c) of the EU SCCs or the UK IDTA or UK Addendum (as applicable) may have commercial information, or information unrelated to the Standard Contractual Clauses or their equivalent, removed by Kimaru beforehand, and that we will provide such copies only upon request by Customer.

Security of Personal Data; Security Incidents

Taking into account the context of the processing, Kimaru shall maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing Customer Personal Data. Exhibit C sets forth additional information about our technical and organisational security measures.

Kimaru shall notify Customer of all known Security Incidents within the time periods required under applicable Data Protection Laws. Kimaru’s notice to Customer regarding such Security Incidents shall include all of the information required under applicable Data Protection Laws.

Transfers of Personal Data

The parties agree that Kimaru may transfer Personal Data processed under this DPA outside the EEA, the UK, or Switzerland as necessary to provide the Services. If we transfer Personal Data protected under this DPA to a jurisdiction for which the European Commission has not issued an adequacy decision, we will ensure that appropriate safeguards have been implemented for the transfer of Personal Data in accordance with Data Protection Laws.

Ex‑EEA Transfers

The parties agree that ex‑EEA Transfers are made pursuant to the EU SCCs, which are deemed entered into (and incorporated into this DPA by this reference) and completed as follows:

  • Module Two (Controller to Processor) of the EU SCCs applies when Customer is a controller and Kimaru is processing Personal Data for Customer as a processor pursuant to Section 2 of this DPA.
  • For each module, where applicable, the following applies:
    • The optional docking clause in Clause 7 does not apply;
    • In Clause 9, Option 2 (general written authorization) applies, and the minimum time period for prior notice of sub‑processor changes shall be as set forth in Section 4.2 of this DPA;
    • In Clause 11, the optional language does not apply;
    • All square brackets in Clause 13 are hereby removed;
    • In Clause 17 (Option 1), the EU SCCs will be governed by Irish law;
    • In Clause 18(b), disputes will be resolved before the courts of Ireland;
    • Exhibit B to this DPA contains the information required in Annex I of the EU SCCs;
    • Exhibit C to this DPA contains the information required in Annex II of the EU SCCs; and
    • By entering into this DPA, the parties are deemed to have signed the EU SCCs incorporated herein, including their Annexes.

Ex‑UK Transfers

The Parties agree that ex‑UK Transfers are made pursuant to the provisions in this section or the UK International Data Transfer Agreement (“IDTA”) set forth in Exhibit D, whichever applies.

Data Exports from the United Kingdom under the Standard Contractual Clauses

For ex‑UK Transfers where the EU SCCs also apply, the Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the UK Information Commissioner’s Office (“ICO”) and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as revised under Section 18 of those Mandatory Clauses (“Approved Addendum”) shall apply. The information required for Tables 1 and 3 of Part One of the Approved Addendum is set out in Exhibits A, B, and C of this DPA (as applicable). The information required for Table 2 is set out in Section 6 of this DPA. For the purposes of Table 4 of Part One of the Approved Addendum, the importer may end the Approved Addendum when it changes.

Transfers from Switzerland

The parties agree that transfers from Switzerland are made pursuant to the EU SCCs with the following modifications:

  • The terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” as utilised in the EU SCCs shall be interpreted to include the Federal Act on Data Protection of 19 June 1992 (the “FADP,” and as revised as of 25 September 2020, the “Revised FADP”) with respect to data transfers subject to the FADP.
  • The terms of the EU SCCs shall be interpreted to protect the data of legal entities until the effective date of the Revised FADP.
  • Clause 13 of the EU SCCs is modified to provide that the Federal Data Protection and Information Commissioner (“FDPIC”) of Switzerland shall have authority over data transfers governed by the FADP and the appropriate EU supervisory authority shall have authority over data transfers governed by the GDPR. Subject to the foregoing, all other requirements of Clause 13 shall be observed.
  • The term “EU Member State” as utilised in the EU SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from exercising their rights in their place of habitual residence in accordance with Clause 18(c) of the EU SCCs.

Supplementary Measures

In respect of any ex‑EEA Transfer or ex‑UK Transfer, the following supplementary measures shall apply:

  • As of the date of this DPA, the Data Importer has not received any formal legal requests from any government intelligence or security service/agencies in the country to which the Personal Data is being exported, for access to (or for copies of) Customer’s Personal Data (“Government Agency Requests”);
  • If, after the date of this DPA, the Data Importer receives any Government Agency Requests, the Data Importer shall attempt to redirect the law enforcement or government agency to request that data directly from Customer. As part of this effort, the Data Importer may provide Customer’s basic contact information to the government agency. If compelled to disclose Customer’s Personal Data to a law enforcement or government agency, the Data Importer shall give Customer reasonable notice of the demand and cooperate to allow Customer to seek a protective order or other appropriate remedy unless the Data Importer is legally prohibited from doing so. The Data Importer shall not voluntarily disclose Personal Data to any law enforcement or government agency. Data Exporter and Data Importer shall (as soon as reasonably practicable) discuss and determine whether all or any transfers of Personal Data pursuant to this DPA should be suspended in the light of such Government Agency Requests; and
  • The Data Exporter and Data Importer will meet as needed to consider whether:
    • the protection afforded by the laws of the country of the Data Importer to data subjects whose Personal Data is being transferred is sufficient to provide broadly equivalent protection to that afforded in the EEA or the UK, whichever the case may be;
    • additional measures are reasonably necessary to enable the transfer to be compliant with the Data Protection Laws;
    • it is still appropriate for Personal Data to be transferred to the relevant Data Importer, taking into account all relevant information available to the parties, together with guidance provided by the supervisory authorities.
  • If Data Protection Laws require the Data Exporter to execute the Standard Contractual Clauses applicable to a particular transfer of Personal Data to a Data Importer as a separate agreement, the Data Importer shall, on request of the Data Exporter, promptly execute such Standard Contractual Clauses incorporating such amendments as may reasonably be required by the Data Exporter to reflect the applicable appendices and annexes, the details of the transfer and the requirements of the relevant Data Protection Laws.
  • If either (i) any of the means of legitimising transfers of Personal Data outside of the EEA or UK set forth in this DPA cease to be valid or (ii) any supervisory authority requires transfers of Personal Data pursuant to those means to be suspended, then Data Importer may by notice to the Data Exporter, with effect from the date set out in such notice, amend or put in place alternative arrangements in respect of such transfers, as required by Data Protection Laws.

Data Subject Rights

If Kimaru receives a Data Subject Request in relation to Personal Data associated with a Customer or the Personal Data of an authorised user of the Customer, we will follow Customer’s instructions in relation to complying with such Data Subject Request, including by completing the request on Customer’s behalf to the extent that it is technically feasible. If Customer asks Kimaru to comply with a Data Subject Request on its behalf, Customer will provide adequate information to us in order for the request to be fulfilled.

Actions and Access Requests; Audits

Kimaru shall provide Customer with reasonable cooperation and assistance where necessary for Customer to comply with its obligations under Data Protection Laws to conduct a data protection impact assessment and/or to demonstrate such compliance.

Upon Customer’s request and to the extent required under applicable Data Protection Laws, Kimaru shall allow for, and contribute to, reasonable audits and inspections by Customer or the Customer’s designated auditor. Such audits shall take place no more than once annually. If Customer and Kimaru have entered into Standard Contractual Clauses as described in Section 6 (Transfers of Personal Data), the parties agree that the audits described in the EU SCCs and the UK IDTA and UK Addendum shall be carried out in accordance with this Section 8.2.

Miscellaneous

The effective date of this DPA is the same date as to when the Customer agreed to the Terms.

To the extent there is any conflict between the terms of this DPA and any other agreement entered into between the Parties, the terms of this DPA will govern with respect to the subject matter hereof.

This DPA shall remain in effect as long as Kimaru processes Customer Personal Data.

Exhibit A: Details of Processing

Nature and Purpose of Processing:
Kimaru will process Customer’s Personal Data as necessary to provide the Services, for the purposes specified in this DPA, and in accordance with Customer’s instructions as set forth in this DPA.
Duration of Processing:
Kimaru will process Customer’s Personal Data as long as required (i) to provide the Services to Customer; (ii) for our legitimate business needs; or (iii) by applicable law or regulation.
Categories of Data Subjects:
Human Resources (HR)-related data such as the names and roles of individuals employed by Customer, including employees, managers, and contractors, and any personal information that may be disclosed by employees with AI agents.
Categories of Personal Data:
Names, email addresses, phone numbers, and other information provided by Customer or an individual associated with a Customer in relation to the Services.
Sensitive Data or Special Categories of Data:
Customer is prohibited from providing sensitive personal data or special categories of data to Kimaru. If Kimaru obtains knowledge that an individual associated with the Customer, such as a user, has disclosed this information to Kimaru through a chatbot service, Kimaru will make efforts to permanently delete this information.

Exhibit B

The following includes the information required by Annex I and Annex III of the EU SCCs, and Appendix 1 of the UK SCCs.

The Parties

Data Exporter(s):

[Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

Name: As identified in the MSA.

Address: As identified in the MSA.

Contact person’s name, position and contact details: As identified in the MSA.

Activities relevant to the data transferred under these Clauses: As described in Section 2 of the DPA.

Role (controller/processor): Controller

Data Importer(s):

[Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]

Name: Kimaru AI Inc.

Address: 5‑27‑7 Shimo, Kita City, Tokyo 115‑0042

Email: evan@kimaru.ai

Activities relevant to the data transferred under these Clauses: As described in Section 2 of the DPA.

Role (controller/processor): Processor

Description of the Transfer

Data Subjects:
The data exporter may submit personal data to the data importer through its software, services, systems, products, and/or technologies, the extent of which is determined and controlled by the data exporter in compliance with applicable data‑protection laws and regulations. This may include, but is not limited to, personal data relating to the following categories of data subjects: names and roles of individuals employed by Customer (employees, managers, contractors) and other individuals related to their use of the Services.
Categories of Personal Data:
The personal data transferred concerns the following categories: names; email addresses; phone numbers; other personal information provided by Customer in relation to the Services; and any personal information disclosed by employees to AI agents.
Special‑Category Personal Data (if applicable):
Data exporters are prohibited from providing sensitive data or special‑category data to the data importer.
Nature of the Processing:
Data is processed in order for Kimaru to offer its Services to Customer.
Purposes of Processing:
To fulfil each party’s obligations under the DPA.
Duration of Processing & Retention:
During the term of the DPA.
Frequency of the Transfer:
During the term of the DPA on a periodic basis and/or at the discretion of Customer.
Recipients of Personal Data Transferred to the Data Importer:
The list includes the sub‑processors identified in Exhibit D.

Competent Supervisory Authority

The supervisory authority shall be the supervisory authority of the Data Exporter, as determined in accordance with Clause 13 of the EU SCCs.

Exhibit C

Description of the Technical and Organizational Security Measures implemented by Kimaru

Measures of pseudonymisation and encryption of personal data:
Use strong encryption protocols for data both at rest and in transit. Ensure that encryption keys are stored securely and separately from the encrypted data.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services:
Ensure that the hardware and software used in processing the Personal Data are reliable and protected against all kinds of malicious software and viruses.
Measures for user identification and authorization:
Implement multi‑factor authentication (MFA) for accessing systems that process personal data.
Measures for the protection of data during transmission:
Use secure transmission protocols, such as TLS (Transport Layer Security), to encrypt data in transit.
Measures for the protection of data during storage:
Implement a secure method of storing Personal Data and control access to the Personal Data. Control remote access and ensure that Personal Data is not downloaded to portable devices unless strictly necessary, and only then if encrypted.
Measures for ensuring physical security of locations at which personal data are processed:
Use password protection on computer systems on which Personal Data is stored.
Measures for ensuring system configuration, including default configuration:
Ensure systems are configured securely by default, following best practices and security guidelines. Regularly review and update system configurations to address emerging threats and vulnerabilities.
Measures for certification / assurance of processes and products:
Conduct regular internal and external audits to ensure compliance with security standards and certifications.
Measures for ensuring data minimisation:
Implement data‑minimisation principles by collecting only the personal data necessary for specific purposes and provided by Customers. Regularly review data‑collection practices.
Measures for ensuring data quality:
Implement procedures for regularly reviewing and updating personal data to ensure accuracy and completeness.

Exhibit D: List of Kimaru’s Authorized Sub‑Processors

Kimaru may use the following Authorized Sub‑Processors to process Personal Data pursuant to this DPA, including by transferring Personal Data to such entities:

  • Amazon Web Services (AWS) – Amazon Web Services, Inc.
  • Google Workspace (formerly G Suite) – Google LLC
  • Microsoft Azure – Microsoft Corporation
  • OpenAI – OpenAI, LLC
  • HubSpot – HubSpot, Inc.

Exhibit E: CCPA Addendum

To the extent applicable, this CCPA addendum (“Addendum”) regulates the processing of Personal Information (as defined in the CCPA) of California residents pursuant to the CCPA by Kimaru under the DPA. To the extent that there is any inconsistency between this Addendum and the DPA with regard to the processing of Personal Information regulated under the CCPA, this Addendum shall control.

Definitions

Any capitalised term in this Addendum that is not otherwise defined in the DPA shall have the meaning given to that term in the CCPA.

Representations and Warranties

Kimaru represents and warrants that it is a Service Provider or Contractor for the purposes of the services it provides to Customer pursuant to the DPA.

Kimaru’s Processing of Customer Personal Data

  • Kimaru shall process Customer Personal Data it receives only for the limited and specified purposes of providing its artificial intelligence services and is prohibited from using Customer Personal Data for any other purpose.
  • Kimaru shall comply with all applicable sections of the CCPA, including by providing the same level of protection to Customer Personal Data as required by Customer under the law.
  • Kimaru agrees that Customer has the right to take reasonable and appropriate steps to ensure that we use Customer Personal Data that we receive from or process on behalf of Customer in a manner consistent with Customer’s obligations under the CCPA.
  • Kimaru agrees that Customer has the right to take reasonable and appropriate steps to stop and remediate our unauthorized use of Personal Data.
  • Kimaru shall notify Customer as soon as possible after we determine that it can no longer meet its obligations under the CCPA.
  • If Kimaru engages Sub‑Processors in relation to providing services to Customer, we shall have a contract with the Sub‑Processor that complies with the CCPA and has the same restrictions on the processing of Personal Data as outlined in this Addendum.

Restrictions on Kimaru’s Use of Personal Data

  • Kimaru shall not Sell or Share Customer Personal Data it receives from or processes on behalf of Customer, for purposes outside of those outlined in the DPA and exhibits incorporated by reference in the DPA.
  • Kimaru shall not retain, use, or disclose Customer Personal Data it receives from or processes on behalf of Customer for any purpose (including any Commercial Purpose) other than for the purposes specified in the DPA, and except as otherwise permitted by the CCPA.
  • Kimaru shall not retain, use, or disclose Customer Personal Data it receives from or processes on behalf of Customer outside the direct business relationship between Kimaru and Customer, except as otherwise permitted under the CCPA.
  • Kimaru shall not combine the Customer Personal Data it receives from or processes on behalf of Customer with Personal Data it receives from or on behalf of another person or which it collects from its own interaction with another individual, provided that we may combine Personal Data to perform any Business Purpose, such as to analyse how users interact with Services, or as otherwise permitted under the CCPA.

Consumer Requests

Customer agrees to: (i) inform Kimaru of any consumer request made pursuant to the CCPA with which Kimaru must assist Customer in complying; and (ii) provide the information necessary for Kimaru to comply with the request.
