DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) applies to Kotoba’s Processing of Personal Information in connection with the Agreement. The entity executing this DPA is referred to herein as "Customer." In case of any conflict between the Agreement and this DPA, the DPA shall prevail with respect to the Processing of Customer Personal Information. This DPA applies to Customers that have an enterprise relationship with Kotoba and execute this DPA in connection with the Agreement, or that otherwise execute this DPA.
Definitions
Capitalized terms used but not defined in this DPA shall have the same meaning given to them in the Agreement.
“Agreement” means the Terms of Service available at /terms_en.html, as entered into between Customer and Kotoba. For enterprise customers who execute this DPA, this DPA is incorporated into and forms part of the Agreement.
“Audio Data” means audio recordings, voice inputs, transcripts, translations, and related metadata generated through Customer's use of the Services.
"Authorized User" means any individual authorized by Customer to access and use the Services on Customer's behalf, including Customer's employees, contractors, consultants, and agents.
“Controller” means an entity that alone or jointly with others determines the purposes and means of Processing of Personal Information. For purposes of this DPA, a Controller includes a “business” as such term is defined by the CCPA or a similar or analogous designation under Data Protection Laws.
“Customer Personal Information” means any Customer data, including Audio Data, that is protected as “personal information”, “personal data,” “personally identifiable information” or analogous terms under Data Protection Laws that Kotoba Processes on behalf of Customer under the Agreement, as more particularly described in Annex I of this DPA. This may include the personal data of Customer’s Authorized Users.
“Data Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Information transmitted, stored or otherwise Processed by Kotoba under the Agreement. A “Data Breach” will not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Information, including unsuccessful login attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
“Data Protection Laws” means, to the extent applicable, European Data Protection Laws and US Privacy Laws, as may be amended, superseded or replaced.
“Europe” means, for the purposes of this DPA, the European Economic Area and/or its member states, the United Kingdom (“UK”) and Switzerland.
“European Data Protection Laws” means (a) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Information and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (b) Directive 2002/58/EC concerning the processing of Personal Information and the protection of privacy in the electronic communications sector; (c) in respect of the United Kingdom, the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”), the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 as they continue to have effect by virtue of section 2 of the European Union (Withdrawal) Act 2018, and any other applicable laws in force in the UK (in whole or in part) to the processing of Personal Information (together, “UK Data Protection Laws”); (d) the Swiss Federal Act on Data Protection of 2020 and its Ordinance (“Swiss FADP”); and (e) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (a), (b), (c) and (d) above; in each case as may be amended, superseded or replaced from time to time.
“Process,” “Processes,” “Processing,” “Processed” means any operation or set of operations which is performed on data or sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
“Processor” means an entity that Processes Customer Personal Information on behalf, and in accordance with the instructions, of a Controller. For purposes of this DPA, a Processor includes a “service provider” as such term is defined by the CCPA or any similar or analogous designation under Data Protection Laws.
“Restricted Transfer” means a transfer (directly or via onward transfer) of Customer Personal Information that is subject to European Data Protection Laws to a country outside Europe which is not subject to an adequacy determination by the European Commission, UK or Swiss authorities (as applicable).
“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of Customer Personal Information to third countries annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 located at: https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en, as updated or amended from time to time.
“Sub-processor” means any third party that has access to Customer Personal Information and is engaged by Kotoba to assist in fulfilling its obligations with respect to providing the Services under the Agreement. The term “Sub-processor” may include Kotoba Affiliates, but shall exclude Kotoba employees, contractors and consultants.
“UK Addendum” means the International Data Transfer Addendum to the Standard Contractual Clauses (version B1.0) “UK Addendum to the EU Standard Contractual Clauses” issued by the Information Commissioner’s Office under s.119A(1) of the UK Data Protection Act 2018, as it is revised under Section 18 therein; as may be amended, superseded or replaced from time to time.
“US Privacy Laws” means all privacy laws and regulations of the United States in force and effect, including but not limited to (i) the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”); (ii) the Virginia Consumer Data Protection Act; (iii) the Colorado Privacy Act; (iv) the Utah Consumer Privacy Act; (v) the Connecticut Data Privacy Act; and (vi) any and all binding regulations promulgated thereunder, pursuant to or that apply in conjunction with any of (i), (ii), (iii), (iv) and (v) above; in each case as may be amended, superseded or replaced from time to time.
Roles of the Parties
Scope of this DPA
This DPA applies where and to the extent Kotoba Processes Customer Personal Information under the Agreement.
Kotoba shall only Process Customer Personal Information as a Processor or Sub-processor acting on behalf of Customer, and as necessary to provide and improve its Services or as otherwise permitted under Data Protection Laws.
The Parties agree that Kotoba may aggregate, anonymize or de-identify Customer Personal Information as part of its provision and ongoing improvement of its Services.
To the extent Kotoba receives from Customer de-identified Personal Information, Kotoba will not re-identify such data.
Obligations of the Parties
Both Parties shall comply with their respective obligations under Data Protection Laws, and each Party shall be solely responsible for determining its own legal and regulatory obligations. Customer further acknowledges that Customer is responsible for Customer’s secure use of the Services, including securing its account authentication credentials and taking appropriate steps to back up any Customer Personal Information Processed in connection with the Services.
Each Party shall reasonably cooperate with the other in any activities contemplated by this DPA and to enable each Party to comply with its respective obligations under Data Protection Laws.
Kotoba’s Obligations
Permitted Purposes
Kotoba shall Process Customer Personal Information only (i) in accordance with Customer’s documented instructions; (ii) to comply with applicable laws; and (iii) to provide, maintain, protect, and improve the Services, as described in Kotoba's Privacy Policy or the Agreement (together, the “Permitted Purposes”). Kotoba will not use Customer Personal Information to train or improve foundation models or general-purpose machine learning models without Customer's consent.
Kotoba shall notify Customer if it reasonably determines that it has received an instruction that infringes Data Protection Laws. The Parties agree that the Agreement (including any Order Forms) constitutes Customer’s documented instructions regarding Kotoba’s Processing of Customer Personal Information.
Kotoba shall not (except as permitted under Data Protection Laws): (i) retain, use, or disclose any Customer Personal Information outside its direct business relationship with Customer or for any purpose other than for the limited and specified purposes identified in the Agreement, (ii) sell or share Customer Personal Information for cross-context behavioral advertising; or (iii) combine Customer Personal Information with Personal Information received from other sources.
Security Measures
Kotoba shall implement and maintain appropriate technical and organizational security measures designed to protect Customer Personal Information from Data Breaches and preserve the security and confidentiality of Customer Personal Information, which shall provide the same level of privacy protection required from Controllers under Data Protection Laws. If Kotoba determines that it can no longer meet these obligations, it shall notify Customer, and Customer shall have the right to take reasonable and appropriate steps to stop or remediate any unauthorized Processing of Customer Personal Information.
The security measures implemented by Kotoba are described in Annex II (the “Security Measures”), which may be updated from time to time.
Access and Confidentiality
Kotoba shall restrict its personnel from Processing Customer Personal Information without authorization and shall ensure that any person who is authorized by Kotoba to Process Customer Personal Information is under an appropriate contractual or statutory obligation of confidentiality.
Data Breaches
Kotoba shall notify Customer without undue delay upon becoming aware of a Data Breach. Kotoba shall provide Customer with timely information relating to the Data Breach as it becomes known or is reasonably requested by Customer to fulfill its obligations under Data Protection Laws. Kotoba shall take reasonable steps to contain, investigate, and mitigate any Data Breach. Kotoba’s notification of or response to a Data Breach in accordance with this section shall not be construed as an acknowledgment by Kotoba of any fault or liability with respect to the Data Breach.
Cooperation
Security
Taking into account the nature of the Customer Personal Information and related Processing activities, Kotoba shall provide such reasonable assistance as Customer may reasonably request to help it fulfill its security obligations under Data Protection Laws.
Data Subject Requests
To the extent that Customer is unable to independently access the relevant Customer Personal Information within the Services, Kotoba shall, taking into account the nature of the Processing, provide reasonable cooperation to assist Customer in responding to any requests from individuals relating to the Processing of Customer Personal Information under the Agreement. If any such request is made to Kotoba directly, Kotoba shall promptly notify Customer and will not respond to the request directly without Customer’s prior authorization, except to direct the individual to Customer, unless and to the extent legally compelled to do so.
Law Enforcement Requests
If a law enforcement agency sends Kotoba a demand for Customer Personal Information (including through a subpoena or court order), Kotoba will attempt to redirect the law enforcement agency to request that Customer Personal Information directly from Customer. As part of this effort, Kotoba may provide Customer’s basic contact information to the law enforcement agency. If compelled to disclose Customer Personal Information to a law enforcement agency, Kotoba will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy, unless Kotoba is legally prohibited from doing so.
Data Protection Impact Assessment and Prior Consultation
Kotoba agrees to provide reasonable assistance to Customer where the type of Processing performed by Kotoba requires a data protection impact assessment, risk assessment, cybersecurity audit or similar under Data Protection Laws, or where Customer must respond to a query, inquiry or complaint from, or undertake prior consultation with, any regulatory, supervisory, governmental or state agency, Attorney General or other competent authority with jurisdiction or oversight over compliance with Data Protection Laws.
Audits
Kotoba shall provide Customer (on a confidential basis) with written responses (which may include summaries/extracts of audit reports or independent assessments) to all reasonable requests made by Customer for information relating to Kotoba’s Processing of Customer Personal Information that are necessary to (i) confirm Kotoba’s compliance with this DPA; and/or (ii) satisfy requirements imposed on Customer under Data Protection Laws. Customer shall not exercise this right more than once per calendar year, except where Customer is expressly requested or required to provide this information to a supervisory authority, Kotoba has experienced a Data Breach, or on another reasonably similar basis. Nothing herein shall be construed to require Kotoba to provide: (i) trade secrets or any proprietary information; (ii) any information that would violate Kotoba’s confidentiality obligations, contractual obligations, or applicable laws; or (iii) any information, the disclosure of which could threaten, compromise, or otherwise put at risk the security, confidentiality, or integrity of Kotoba’s infrastructure, networks, systems, or data.
Customer Obligations
Compliance with Laws
Customer shall (i) comply with its obligations under Data Protection Laws regarding its use of the Services and the Processing of Customer Personal Information; (ii) ensure its instructions are lawful and that the Processing of Customer Personal Information in accordance with such instructions will not violate Data Protection Laws; and (iii) notify Kotoba if it is unable to comply with its obligations under Data Protection Laws or its Processing instructions will cause Kotoba or its Sub-processors to be in breach of Data Protection Laws.
Notices and Permissions
Customer recognizes that Customer alone is in a position to decide for which data it uses the Services, and that it is thus Customer’s sole responsibility to determine whether the Services are appropriate for the Processing of Customer Personal Information. Customer represents and warrants that it (i) has provided all required information and notices concerning the Processing of Personal Information in connection with Customer’s use of the Services; (ii) has all necessary rights, permissions, and consents to make Personal Information available to Kotoba for the purposes contemplated by the Agreement; and (iii) will not use the Services for the kinds of Personal Information for which Data Protection Laws require protections that are outside the scope of the Agreement.
Regulatory Inquiries
Unless prohibited by applicable laws, Customer shall notify Kotoba promptly of any governmental, regulatory or other third-party inquiry or complaint concerning Customer’s use of the Services.
Sub-processors
Customer provides a general authorization to Kotoba to engage Sub-processors to Process Customer Personal Information on Customer’s behalf. Customer specifically authorizes the engagement of those Sub-processors listed in Annex III (“Sub-processor List”). Kotoba will restrict Sub-processors’ access to Customer Personal Information to what is necessary to assist Kotoba in performing the Permitted Purposes and will remain responsible for any acts or omissions of Sub-processors to the extent they cause Kotoba to breach its obligations under this DPA.
Sub-processor Obligations. Kotoba shall enter into a written agreement with each Sub-processor imposing data protection obligations no less protective of Customer Personal Information as required by this DPA.
Changes to Sub-processors. Kotoba will provide at least ten (10) days’ prior notice via updating the Sub-processor List (or such other notification mechanism made available by Kotoba) if it intends to make any changes to its Sub-processors. Customer may object in writing to Kotoba’s appointment of a new Sub-processor on reasonable grounds relating to data protection (e.g., if making Customer Personal Information available to the Sub-processor would violate European Data Protection Laws or weaken the protections for Customer Personal Information) by notifying Kotoba in writing within five (5) days of receiving notification from Kotoba. In such event, the Parties shall discuss Customer’s concerns in good faith with a view to achieving a mutually acceptable resolution. If the Parties cannot reach a mutually acceptable resolution, Kotoba shall, at its sole discretion, either not use the Sub-processor for the Processing of Customer Personal Information, or permit Customer to suspend or terminate the affected portion of the Services in accordance with the Agreement without liability to either Party (but without prejudice to any fees incurred by Customer prior to suspension or termination).
Deletion or Return of Customer Personal Information
Upon termination or expiry of the Agreement or deletion of Customer's enterprise account, at Customer’s written request, Kotoba shall delete or return all Customer Personal Information in its possession or control in accordance with the terms of the Agreement. This requirement shall not apply to the extent Kotoba or its Sub-processors are required by applicable laws to retain some or all of the Customer Personal Information, or to Customer Personal Information archived on back-up systems, which shall be securely isolated and protected from any further Processing until securely deleted. The Parties agree that the certification of deletion of Customer Personal Information described in Clauses 8.5 and 16(d) of the SCCs shall be provided by Kotoba to Customer only upon Customer’s written request.
International Transfers
Customer acknowledges and agrees that Kotoba and its Sub-processors may transfer and Process Customer Personal Information to and in the United States and the other locations in which Kotoba or its Sub-processors maintain data processing operations, as more particularly described in the Sub-processor List. If Kotoba transfers Customer Personal Information to a Sub-processor, it shall ensure that such transfers are made in compliance with Data Protection Laws and this DPA.
Jurisdiction-Specific Terms
United States
To the extent that Customer Personal Information is subject to US Privacy Laws, the terms in this Section 9.1 shall apply in addition to the terms in the remainder of this DPA. In the event of any conflict or ambiguity between the terms in this Section 9.1 and any other terms in this DPA, the terms in this Section 9.1 shall take precedence but only to the extent they apply to the Customer Personal Information in question.
Kotoba is a service provider under the CCPA and receives Customer Personal Information pursuant to and solely for the business purpose of providing the Services to Customer in accordance with the Agreement.
Kotoba shall not, unless otherwise permitted by US Privacy Laws, (a) retain, use or disclose Customer Personal Information for any purpose other than the Permitted Purposes, including retaining, using or disclosing Customer Personal Information for a commercial purpose other than performing the Services under the Agreement; (b) “sell” or “share” Customer Personal Information (as defined and interpreted within the requirements of US Privacy Laws); or (c) retain, use, or disclose the Customer Personal Information outside the direct business relationship between the Parties. Kotoba will comply with any applicable restrictions under the CCPA or other US Privacy Laws on combining Customer Personal Information received from Customer with personal information that Kotoba receives from, or on behalf of, another person or persons, or that Kotoba collects from any interaction between it and an individual. The Parties agree that Customer’s transfer of Customer Personal Information to Kotoba is not a “sale” (as defined and interpreted under US Privacy Laws), and Customer provides no monetary or other valuable consideration to Kotoba in exchange for the Customer Personal Information.
As applicable under US Privacy Laws, Kotoba acknowledges Customer’s right to take reasonable and appropriate steps to stop and remediate any unauthorized use of Customer Personal Information by Kotoba.
Europe
To the extent that Customer Personal Information is subject to European Data Protection Laws, the terms in this Section 9.2 shall apply in addition to the terms in the remainder of this DPA. In the event of any conflict or ambiguity between the terms in this Section 9.2 and any other terms in this DPA, the terms in this Section 9.2 shall take precedence but only to the extent they apply to the Customer Personal Information in question.
Processing Instructions. Without prejudice to Section 5 (Customer Obligations), Kotoba shall notify Customer in writing, unless prohibited from doing so under Data Protection Laws, if it becomes aware or believes that any Processing instructions from Customer violate European Data Protection Laws.
Restricted Transfers. The Parties agree that when the transfer of Customer Personal Information from Customer (as “data exporter”) to Kotoba (as “data importer”) is a Restricted Transfer, the Standard Contractual Clauses shall automatically be deemed incorporated into and form a part of this DPA, as follows:
(a) in relation to Customer Personal Information protected by the GDPR, the SCCs shall apply completed as follows:
Module Two (Controller to Processor) or Module Three (Processor to Processor) will apply, as appropriate;
in Clause 7, the optional docking clause will not apply;
in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be as set out in Section 6.3;
in Clause 11, the optional language will not apply;
in Clause 17, Option 1 will apply, and the SCCs will be governed by the laws of Ireland;
in Clause 18(b), disputes shall be resolved before the courts of Ireland;
Annex I of the SCCs shall be deemed completed with the information set out in Annex I to this DPA; and
Annex II of the SCCs shall be deemed completed with the information set out in Annex II to this DPA;
(b) in relation to Customer Personal Information protected by UK Data Protection Laws, the SCCs as implemented under sub-paragraph (a) above will apply with the following modifications:
the SCCs shall be deemed amended as specified by Part 2 of the UK Addendum;
tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed respectively with the information set out in Annexes I and II and Section 4.1 of this DPA (as applicable); and
table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting “neither party”.
(c) in relation to Customer Personal Information protected by the Swiss FADP, the SCCs will also apply in accordance with sub-paragraph (a) above with the following modifications:
references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss FADP;
references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the Swiss FADP;
references to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to “Switzerland” or “Swiss law”;
the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland);
Clause 13(a) and Part C of Annex I are not used and the “competent supervisory authority” is the Swiss Federal Data Protection and Information Commissioner;
references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Swiss Federal Data Protection and Information Commissioner” and “applicable courts of Switzerland”;
in Clause 17, the Standard Contractual Clauses shall be governed by the laws of Switzerland;
Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland; and
the SCCs shall also protect the data of legal entities until the entry into force of the revised Swiss Federal Data Protection Act.
It is not the intention of either Party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the SCCs conflict with any provision of the Agreement (including this DPA) the SCCs shall prevail to the extent of such conflict.
Alternative Transfer Arrangements. To the extent Kotoba adopts an alternative lawful data export mechanism for the transfer of Customer Personal Information not described in this DPA (“Alternative Transfer Mechanism”), the Alternative Transfer Mechanism shall, upon notice to Customer, apply instead of any applicable transfer mechanism described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with European Data Protection Laws and extends to the territories to which Customer Personal Information is transferred), and Customer agrees to execute such other and further documents and take such other and further actions as may be reasonably necessary to give legal effect to such Alternative Transfer Mechanism.
Limitation of Liability
Any claim or remedy Customer or its Affiliates may have against Kotoba and its Affiliates and their respective employees, agents and Sub-processors, arising under or in connection with this DPA (including the Standard Contractual Clauses), whether in contract, tort (including negligence) or under any other theory of liability, shall be subject to the limitations and exclusions of liability in the Agreement. Accordingly, any reference in the Agreement to the liability of a Party means the aggregate liability of that Party and all of its Affiliates under and in connection with the Agreement and this DPA together.
Miscellaneous
The provisions of this DPA are severable. If any phrase, clause or provision or Annex (including the Standard Contractual Clauses) is invalid or unenforceable in whole or in part, such invalidity or unenforceability shall affect only such phrase, clause or provision, and the rest of this DPA and the remainder of the Agreement shall remain in full force and effect.
This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws or the SCCs or UK Addendum.
ANNEX I
A. LIST OF PARTIES
Data exporter:
Name of the data exporter: The entity identified as the “Customer” in the Agreement.
Address: The address for the Customer associated with its Kotoba account or otherwise specified in the Agreement.
Contact person’s name, position and contact details: The contact details associated with Customer’s account, or otherwise specified in the Agreement.
Activities relevant to the data transferred: The activities specified in Annex I(B) below.
Role (Controller/Processor): Controller.
Signature and date: This Annex I shall automatically be deemed executed when this DPA is executed by Customer.
Data importer:
Name of the data importer: Kotoba Technologies, Inc.
Address: The address specified in the Agreement.
Contact person’s name, position and contact details: The contact details for Kotoba specified in the Agreement or otherwise provided by Kotoba to Customer.
Activities relevant to the data transferred: The activities specified in Annex I(B) below.
Role (Controller/Processor): Processor.
Signature and date: This Annex I shall automatically be deemed executed when this DPA is executed by Kotoba.
B. DESCRIPTION OF THE PROCESSING / TRANSFER
Categories of data subjects whose Personal Information is transferred
Authorized Users
Individuals whose voice inputs are processed through the Services
Categories of Personal Information transferred
Email addresses
IP address
Voice recordings submitted through the application
Transcripts generated from voice recordings
Translations generated from transcripts
Analytic events (e.g., recording milestones, interactions such as 'saw the paywall')
Device information (e.g., device type such as iPhone 11)
Device ID
Technical metadata associated with the use of the Services
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures
Voice recordings may contain personal data and, depending on the content of the recordings, may include sensitive personal data under applicable data protection laws.
Safeguards implemented by Kotoba include:
Encryption of data in transit and at rest
Restricted personnel access to audio data
Logical separation of customer data
Security monitoring and logging
Processing of audio data only as necessary to provide the Services
Frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)
Processing occurs on a continuous and event-driven basis as users interact with the Kotoba application and submit audio inputs or other data through the Services.
Nature of the processing
The provision of the Services as described in the Agreement and Privacy Policy and initiated by the Customer or its Authorized Users from time to time.
Purpose(s) of the data transfer and further processing
The Permitted Purposes (as defined in the DPA).
Kotoba will not use Customer Personal Information to train or improve foundation models or general-purpose machine learning models without Customer’s consent.
Customer is responsible for ensuring that it has obtained all necessary rights, consents, and permissions required to submit personal data, including audio data, to the Services.
The period for which the Personal Information will be retained or, if that is not possible, the criteria used to determine that period
Personal data will be retained for the duration of the Agreement and any additional period necessary for service operation, security, and legal compliance.
Backup copies may be retained temporarily and will be securely isolated and protected until securely deleted.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Sub-processors may process personal data only as necessary to provide infrastructure, hosting, or related services supporting the Kotoba Services.
Sub-processors are listed in Annex III, which may be updated from time to time in accordance with the DPA.
C. COMPETENT SUPERVISORY AUTHORITY
The data exporter’s competent supervisory authority will be determined in accordance with European Data Protection Laws.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organizational security measures implemented by Kotoba:
Encryption of data in transit using TLS 1.2 or higher
Encryption of data at rest using industry-standard encryption (e.g., AES-256)
Secure key management procedures
Encrypted communication between services and infrastructure components
Role-based access control (RBAC)
Least privilege access principles
Multi-factor authentication (MFA) for administrative accounts
Periodic review of access privileges
Immediate revocation of access upon role change or termination
Secure configuration of cloud infrastructure
Network security controls such as firewalls and security groups
Environment separation between development, testing, and production
Protection against unauthorized network access
Continuous infrastructure monitoring
Centralized logging of security-relevant system events
Monitoring for anomalous or suspicious activity
Alerting and escalation procedures for security incidents
Regular vulnerability scanning
Security patch management
Periodic security reviews
Timely remediation of identified vulnerabilities
Incident detection and escalation procedures
Security incident investigation processes
Remediation procedures
Notification of Data Breaches in accordance with the Agreement and applicable Data Protection Laws
Confidentiality agreements for personnel
Security awareness and training programs
Restricted access to production systems
Access granted only to personnel with legitimate operational needs
Logical separation of customer data
Data minimization practices
Access restrictions for stored data
Secure deletion procedures for data no longer required
Processing audio data only as necessary to provide the Services
Logical separation of customer audio data
Access controls restricting internal access to audio data
Protection of transcripts and translations using the security measures described in this Annex
Controlled access to machine learning models
Access restrictions to training and inference environments
Protection of model artifacts and parameters
Monitoring for abnormal system behavior
Infrastructure redundancy where appropriate
Backup and recovery procedures
Monitoring of system health and service availability
Kotoba may update or modify its technical and organisational security measures from time to time, provided that such updates do not materially reduce the overall level of security provided for Customer Personal Information.