Data Processing & International Transfers

Baseline approach

We aim to minimize data use, define the handling scope early, and keep high-risk actions under human approval.

Main third-party providers

• Cloudflare for delivery, protection, and edge execution
• Google / Google Apps Script for integrations, notifications, and fallback paths
• OpenAI for model inference and support processing
• Stripe for payments

International transfers

Depending on the architecture and providers used, data may be processed outside Japan. We rely on provider terms and reasonable safeguards appropriate to the applicable law.

B2B-first approach

We currently prioritize business customers. Cross-border B2C delivery should be reviewed case by case, including local tax and consumer-law considerations.

Customer and provider roles

• Customer: lawful collection and internal authorization for source data
• Project documents: define processing scope, destinations, retention, and deletion
• High-risk changes: human approval before execution

GDPR Article 28 / Data Processing Agreement (DPA)

For EU/UK customer data, we conclude a Data Processing Agreement (DPA) compliant with GDPR Article 28 at the individual contract level. Standard terms include:

• Purpose and categories of data being processed
• Processing duration and end-of-contract return/deletion procedures
• Sub-processor engagement: prior notice and reasonable objection period
• Confidentiality and limitation of authorized personnel
• Security measures (TOMs; see Privacy Policy "Security and Technical/Organizational Measures")
• Data breach notification (within 72 hours of awareness, to controller)
• Audit cooperation
• Cross-border transfer safeguards (e.g., Standard Contractual Clauses)

Sub-processor list (GDPR Art 28(2)(4))

Sub-processor additions or changes will be notified in advance with a reasonable objection period.

Cross-border transfers / Standard Contractual Clauses (SCC)

For transfers of EU/UK personal data outside the EU/UK (primarily to the USA), we incorporate European Commission Standard Contractual Clauses (SCC) or equivalent safeguards in individual contracts. We also rely on receiving providers' own SCC arrangements (e.g., Cloudflare's DPA includes SCC).

Data breach notification (GDPR Art 33 / 72-hour rule)

Upon becoming aware of a personal data breach, we will notify the customer (data controller) without undue delay (target: within 72 hours of awareness). Notifications will include affected scope, cause, response measures, and mitigation. For serious breaches, we will support notification to the relevant supervisory authority.

Data categories processed (GDPR Art 30)

• Customer contact details (name, email, phone, company information)
• Transaction information (quote, contract, billing, payment)
• Operationally-shared business information (scope per individual contract)
• Technical information (IP address, cookies, access logs)
• (In principle, NOT processed) Special category data (health, beliefs, race, etc.; GDPR Art 9 / APPI sensitive data)

This page supplements the pages.dev site. Final commercial terms should be confirmed in the applicable quote, order form, or contract.