NoteMail.me Data Processing Addendum (DPA) – Japan APPI & Global Compliance
Version: v1.0
Effective Date: January 15, 2025
This Data Processing Addendum ("DPA") supplements the NoteMail.me Service Agreement (the "Service Agreement") entered into by and between NoteMail.me ("Company") and its enterprise customer ("Customer") using the NoteMail.me email marketing platform. This DPA becomes effective on the date of Customer's acceptance and is designed to ensure the lawful and secure processing of personal data in accordance with the Act on the Protection of Personal Information of Japan ("APPI"), the European General Data Protection Regulation ("GDPR"), and applicable international regulations.
Article 1: Definitions
- Personal Data: Information that can identify a living individual, including but not limited to email content, IP address, location information, device identifiers, and browsing behavior.
- End User: A user who receives emails through the NoteMail.me platform as part of Customer's services.
- Customer Data: Information provided by Customer through the NoteMail.me service, including user profiles, API logs, CRM data, and business content.
- Sub-Processor: Any third-party processor engaged by Company to process data on behalf of Customer for the provision of the Services.
- Applicable Laws: The Japanese APPI, the European GDPR, and relevant laws, regulations, and guidelines.
Article 2: Purpose of Processing
- To provide email sending and management services to End Users;
- To analyze behavior and generate marketing reports;
- To deliver insights and recommendations to the Customer;
- To ensure security, stability, and lawful operation of the service;
- To comply with legal obligations.
Article 3: Roles and Responsibilities
- The Customer is the data controller for End User Personal Data. The Company acts as a data processor.
- The Customer shall ensure lawful collection of End User data and, where necessary, obtain valid consent under APPI, GDPR, or other applicable laws.
- The Customer warrants the accuracy and legality of the data submitted and is responsible for its source and intended processing.
Article 4: Data Security
- The Company shall implement appropriate technical and organizational measures to ensure the security of Personal Data, including:
  - TLS encryption during transmission;
  - AES-256 encryption at rest;
  - Multi-factor authentication for access;
  - Access logging and monitoring;
  - Secure backup and recovery mechanisms;
  - Internal data governance and staff confidentiality obligations.
Article 5: Sub-Processing
- The Company may engage Sub-Processors for the purposes of:
  - Hosting in Japan (e.g., AWS Tokyo Region);
  - Email delivery services;
  - Server maintenance and monitoring tools;
- All Sub-Processors shall be contractually bound to comply with the same level of data protection as the Company.
Article 6: Cross-Border Data Transfers
- The Company prioritizes processing and storing data within Japan.
- Where international transfers are necessary, the Company shall ensure:
  - The receiving country is recognized by Japanese authorities as having an adequate level of protection; or
  - Standard Contractual Clauses (SCCs) are in place; or
  - The data subject has explicitly consented to such transfer.
Article 7: Data Subject Rights
- If an End User requests access, correction, deletion, or restriction of their data, the Company will assist the Customer in responding to such requests in accordance with applicable laws.
- The Customer is responsible for informing End Users of their data subject rights via privacy policy or terms of use.
Article 8: Personal Data Breach Response
- In the event of a data breach, the Company shall:
  - Notify the Customer within 72 hours of confirmation;
  - Provide detailed information on scope, impact, and remedial actions;
  - Cooperate with any required reporting to authorities or data subjects.
- The Company shall not be liable for breaches caused by the Customer's misconfiguration or negligence.
Article 9: Data Retention and Deletion
- All Customer Data will be automatically deleted within 30 days after contract termination.
- The Customer may request deletion at any time during the service period via the admin interface.
- Where legal obligations apply, certain data may be retained for an appropriate duration.
Article 10: Transparency and Audits
- The Customer may request a data protection audit once per year.
- The Company shall provide access to:
  - Transmission and access logs;
  - Security control summaries;
  - Relevant audit reports (e.g., ISO27001 compliance).
Article 11: Precedence
- In the event of any inconsistency between this DPA, the Service Agreement, and the Company's Privacy Policy, the order of precedence shall be:
  - This Data Processing Addendum (DPA);
  - NoteMail.me Service Agreement;
  - Privacy Policy content.
Article 12: Governing Law and Jurisdiction
- This DPA shall be governed by the laws of Japan. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the Tokyo District Court of Japan.
Appendix A – Data Processing Scope
| Category | Description |
|---|---|
| Types of Data | Email content, user behavior data, CRM integrations, API logs, account information |
| Processing Methods | Collection, recording, storage, analysis, reporting, deletion, access control |
| Storage Location | Principally within Japan (AWS Tokyo Region, Azure Japan, Akamai Japan) |
| Retention Period | Duration of the service contract + 30 days (default) |