Data Processing Agreement

Last Update date:
Sep 1, 2023

IMPORTANT NOTE: The Japanese version of this document will govern our relationship - this translated version is provided for convenience only and will not be interpreted to modify the Japanese version. For the Japanese version, please see

Article 1 (Background)

This ECPower Data Processing Agreement and its annexes (hereinafter referred to as ”DPA”) reflects the parties’ agreement with respect to the Processing of Personal Data by ECPower Inc. (hereinafter referred to as “ECPower”, “we”, “us” or “our”) on behalf of Customer (hereinafter referred to as “Customer”, “you” or “your”) in connection with the ECPower Service (hereinafter referred to as “the Service”) under the Terms of Service (also referred to in this DPA as “the Agreement”) available at between you and us (hereinafter referred to as “Parties”).

This DPA is supplemental to, and forms an integral part of, the Agreement and is effective upon its incorporation into the Agreement, which may be specified in the Agreement or an executed amendment to the Agreement. In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over the terms of the Agreement to the extent of such conflict or inconsistency.

The term of this DPA will follow the term of the Agreement. Terms not otherwise defined in this DPA will have the meaning as set forth in the Agreement.

If you are accessing or using the Service on behalf of your company, you represent that you are authorized to accept this Agreement on behalf of your company, and all references to “you” or “Customer” reference your company.

Article 2 (Definitions)

The following capitalized terms used in this DPA shall be defined as follows.

"Account Information" refers to information about the customer that the Customer provides to us for the creation or management of the account for the Service. For example, account information includes names related to the account of the Service, usernames, login credentials, phone numbers, email addresses, and billing information.

"Usage Data" refers to data related to the Customer's use of the Service, including but not limited to event data logs related to the Customer's service usage frequency and utilized features.

"Your Customer" refers to customers or end-users in the Customer's business or service.

"Customer Data" refers to the data about Your Customer that the Customer uploads or links to the Service. This does not include the Customer's own Account Information and Usage Data.

"Personal Data" refers to any information relating to an identified individual or an identifiable individual. In this DPA, Account Information and Usage Data may correspond to the Personal Data of the Customer. Customer Data may correspond to the Personal Data of Your Customer.

"Sensitive Personal Data" refers to personal data including race, ethnic origin, social status, religious or philosophical beliefs, union membership, health data such as medical history or surgery history, genetic data, biometric data, and data about one's sex life.

"Data Protection Laws" refers to all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Agreement, including without limitation APPI, GDPR, and CCPA, in each case as amended, repealed, consolidated or replaced from time to time; with regard to the Service, Data Protection Laws exclude laws governing Sensitive Personal Information, as defined in Article 7 of the Agreement,

"APPI" stands for the Act on the Protection of Personal Information, which is the law concerning the protection of personal information in Japan (Law No. 57 of 2003).

"Europe" refers to the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom.

"GDPR" refers to the Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). Or, where applicable, it means "UK GDPR" as defined in Section 3 of the Data Protection Act 2018.

"Standard Contractual Clauses" refer to Modules Two (Controller to Processor) and/or Module Three (Processor to Processor) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914, as may be amended, superseded or replaced.

"CCPA" stands for California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 or "CPRA").

"Japanese Personal Data" refers to Personal Data protected under the APPI.

"European Personal Data" refers to Personal Data protected under the GDPR and European Data Protection Laws.

"California Personal Information" refers to Personal Data protected under the CCPA.

"Data Subject" means the individual to whom Personal Data relates.

"Data Processing" means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data.

"Controller" refers to a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. Or, where applicable, it means "Controller" in the GDPR.

"Processor" refers to a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller. Or, where applicable, it means "Processor" in the GDPR.

"Sub-processor" refers to any Processor engaged by us or our affiliates to assist in fulfilling our obligations with respect to the provision of the Services under the Agreement. Or, where applicable, it means "Sub-processor" in the GDPR.

"Business”, “Service Provider”, “Sell” and “Share" have the meanings given to them in the CCPA.

Instructions” means the written, documented instructions issued by a Controller to a Processor, and directing the same to perform a specific or general action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available).

"Personal Data Breach" refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by us and/or our Sub-processors in connection with the provision of the Services. "Personal Data Breach" will not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

"Profiling" refers to any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

"Automated Decision-making" refers to the process of making a decision by wholly or partly automated means without any human involvement.

"Solely Automated Decision-making" refers to the ability to make decisions by technological means without human involvement.

Article 3 (Application of this DPA)

3.1 The applicability of this DPA is limited to the Customer Data that we Process on behalf of the Customer. 

3.2 Customer Account Information and Usage Data are not covered by this DPA. However, we will handle these in accordance with a separate Privacy Policy as stipulated.

Article 4 (Role of the Parties)

Both Parties acknowledge and agree that: 

(a) In general, or for the purposes of the GDPR, we act as the Processor. Whether we are the Processor or the Sub-processor is determined based on the role of the Customer. In most cases, the Customer is deemed the Controller, and we are the Processor. 

(b) Under the APPI, we act as the Entrusted Person, conducting personal data Processing upon the delegation from the Customer. The Customer has the responsibility to appropriately supervise us to ensure the safe management of Personal Data. 

(c) Under the CCPA, the Customer acts as a "Business", and we act as a "Service Provider".

Article 5 (Customer Responsibilities)

5.1 Within the scope of the Agreement and in its use of the Services, you will be responsible for complying with all requirements that apply to it under applicable Data Protection Laws with respect to its Processing of Personal Data and the Instructions it issues to us.

5.2 In particular, you acknowledge and agree that you will be solely responsible for:

(i) the accuracy, quality, and legality of Customer Data and the means by which you acquired Personal Data; (ii) ensuring you have the right to transfer, or provide access to, the Personal Data to us for Processing in accordance with the terms of the Agreement including this DPA; (iii) ensuring that your Instructions to us regarding the Processing of Personal Data comply with applicable laws, including Data Protection Laws.

Article 6 (Details of Data Processing)

6.1 The details of data processing (such as subject matter, nature and purpose of the processing, categories of Personal Data and data subjects) are described in the Agreement and in Schedule 1.

6.2 Customer Data will only be processed on behalf of and under the instructions of Customer and in accordance with applicable Data Protection Laws. The Agreement and this DPA shall constitute Customer’s complete Instructions for the Processing of Customer Data.

6.3 If Customer’s Instructions will cause us to Process Customer Data in violation of applicable Data Protection Laws, we shall promptly inform Customer.

6.4 We may store and Process Customer Data anywhere we or our Sub-processor maintain facilities.

Article 7 (Sub-processor)

7.1 Customers agree we may engage Sub-processors to Process Personal Data on your behalf. We have currently appointed, as Sub-processors, the third parties listed in Annex 3 to this DPA.

7.2 Where we engage Sub-processors, we will impose data protection terms on the Sub-processors that provide at least the same level of protection for Personal Data as those in this DPA (including, where appropriate, the Standard Contractual Clauses), to the extent applicable to the nature of the services provided by such Sub-processors. We will remain responsible for each Sub-processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-processor that cause us to breach any of its obligations under this DPA.

7.3 We shall provide Customers with at least fifteen (15) days’ notice of any proposed changes to the Sub-processors it uses to process Customer Data. Customers may object to our use of a new Sub-processor by providing us with written notice of the objection within ten (10) days after we have provided notice to Customer of such proposed change. In the event Customer objects to our use of a new Sub-processor, Customer and we will work together in good faith to find a mutually acceptable resolution to address such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, either party may, as its sole and exclusive remedy, terminate the Agreement by providing written notice to the other party.

Article 8 (Data Subject Requests)

8.1 As between the Parties, Customer shall have sole discretion and responsibility in responding to the rights asserted by any individual in relation to Customer Data (hereinafter referred to as “Data Subject Request”)

8.2 If a Data Subject Request or other communication regarding the Processing of Customer Data under the Agreement is made directly to us, we will promptly inform you and will advise the Data Subject to submit their request to you. You will be solely responsible for responding substantively to any such Data Subject Requests or communications involving Customer Data.

8.3 To the extent that you are unable to independently address a Data Subject Request through the Service, then upon your written request we will provide reasonable assistance to you to respond to any Data Subject Requests or requests from data protection authorities relating to the Processing of Customer Data under the Agreement. You will reimburse us for the commercially reasonable costs arising from this assistance.

Article 9 (Security)

9.1 We shall implement and maintain appropriate technical and organizational data protection and security measures to prevent Personal Data Breaches, as well as for the overall safety management of Personal Data.

9.2 We will implement and maintain as a minimum standard the measures as described under Annex 2 to this DPA. We may, at its discretion, update or modify the safety management measures set out in Annex 2 to this DPA, provided that such updates and/or modifications do not reduce the overall level of protection afforded to Personal Data.

9.3 Customers, limited to when mandated by applicable Data Protection Laws or when having the right to request, can conduct an audit once a calendar year, unless there are reasonable grounds to suspect non-compliance with this DPA. This audit can be done either by the Customer or the Customer's auditor. We shall accept and cooperate with this.

9.4 All audits shall be conducted at the Customer's expense. The Customer shall reimburse us for any time we or its Sub-processors expended in relation to such audits.

9.5 Customers acknowledge and agree that, considering the state of art, the cost of implementation, the nature, scope, context and purpose of Processing, the security measures set out in Annex 2 to this DPA are appropriate to ensure the security of the Customer Data.

Article 10 (Personal Data Breaches)

10.1 We will notify you without undue delay after we become aware of any Personal Data Breach and will provide timely information relating to the Personal Data Breach as it becomes known or reasonably requested by you.

10.2 At your request, we will promptly provide you with such reasonable assistance as necessary to enable you to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if you are required to do so under Data Protection Laws.

Article 11 (Deletion or Return of Personal Data)

We will delete or return all Customer Data, including Personal Data (including copies thereof) Processed pursuant to this DPA, on termination or expiration of the Agreement. This term will apply except where we are required by applicable law to retain some or all of the Customer Data.

Article 12 (Term and Termination)

This DPA will commence on the Effective Date and, notwithstanding any termination of the Agreement, will remain in effect until, and automatically expire upon, our deletion of all Customer Data as described in this DPA.

Article 13 (Additional Provisions for Japanese Personal Data)

13.1 Scope. This ‘Additional Provisions for Japanese Personal Data’ apply only with respect to Japanese Personal Data.

13.2 Regulations on Providing Personal Data to Third Parties in Foreign Countries.

(a) We may entrust the Processing of Customer Data to Sub-processors listed in Annex 3 to this DPA, and these Sub-processors may qualify as “Third Parties in Foreign Countries” under the APPI.

(b) Customer acknowledges, by Article 6.2, that we continuously take "Equivalent Measures” towards these Sub-processors. Through this, both parties mutually confirm that we and you are exempted from the obligation of obtaining personal consent from the Data Subject under the APPI's regulations on providing data to third parties abroad.

(c) We, after understanding the system and other aspects related to the protection of Personal Data in the respective foreign country, shall bear the responsibility to take safety management measures.

Article 14 (Additional Provisions for European Personal Data)

14.1 Scope. This ‘Additional Provisions for European Personal Data’ apply only with respect to European Personal Data.

14.2 Standard Contractual Clauses. Both parties agree that the conditions of the Standard Contractual Clauses are incorporated into this DPA by reference and constitute a part of the main contract.

14.3 Data Transfer.

(a) We will not transfer Personal Data from Europe to countries or recipients that are not recognized as having an appropriate level of protection for Personal Data.

(b) Customers acknowledge that ECPower Inc. is the data importer of European Personal Data in Japan in relation to the provision of the Service.

14.4 Profiling and Automated Decision Making.

(a) The Service has a function that allows you to Profile Your Customer. However, we provide this with the intention of assisting you in marketing decisions and judgments by yourself.

(b) You agree that the Service is not provided for the purpose of Solely Automated Decision-making, and that you will not use the Service as a part or whole of Automated Decision-making.

(c) You agree not to use the Service for decisions that produce legal effects regulated under the GDPR or that similarly significantly impact the Data Subject.

Article 15 (Additional Provisions for California Personal Information)

15.1 Scope. This ‘Additional Provisions for California Personal Information’ apply only with respect to California Personal Information.

15.2 Responsibilities. We certify that we will Process California Personal Information as a Service Provider strictly for the purpose of performing the Services under the Agreement or otherwise permitted by the CCPA. Further, we certify all of the following: (i) We will not Sell or Share California Personal Information.(ii) Except as required by applicable law, we will not to Process California Personal Information outside of the direct business relationship between the parties, unless required by applicable law.(iii) We will not combine the California Personal Information contained in Customer Data with personal information collected or received from other sources, except for information received from other sources related to our obligations as a Service Provider under the Agreement.

15.3 Compliance. We will comply with the obligations applicable to us as a Service Provider under the CCPA and apply privacy protection at the same level as mandated by the CCPA to California Personal Information. We will notify you if we make a determination that we can no longer meet our obligations as a Service Provider under the CCPA.

Article 16 (Miscellaneous)

16.1 Amendments. Notwithstanding anything else to the contrary in the Agreement and without prejudice to the ‘Security’ sections of this DPA, we reserve the right to make any updates and changes to this DPA and the terms that apply in the ‘Amendment’ section of the Agreement will apply.

16.2 Governing Law and Venue. This DPA will be governed by and construed in accordance with the ‘Governing Law and Venue’ sections of the Jurisdiction Specific Terms, unless required otherwise by Data Protection Laws.

Annex 1 - Details of Processing

A. List of Parties

Data exporter:

Name: The Customer, as set out in the Account Information

Address: The Customer's address, as set out in the Account Information

Contact person’s name, position and contact details: The Customer's contact details, as set out in the Account Information.

Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with Customer's use of the Services under the Agreement

Role (controller/processor): Controller

Data importer:

Name: ECPower Inc.

Address: 2-2-15, Floor 6, Minami-Aoyama, Minato-Ku, Tokyo, JAPAN

Contact person’s name, position and contact details: Hiromu Masuda, CEO, 2-2-15, Floor 6, Minami-Aoyama, Minato-Ku, Tokyo, JAPAN

Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with Customer's use of the Services under the Agreement

Role (controller/processor): Processor

B.  Description of Transfer

Categories of Data Subjects whose Personal Data is Transferred

The customers or end-users in the Customer's business or service ("Your Customer").

Categories of Personal Data Transferred

The data below is transferred and used solely for the purpose of being a unique ID to integrate various data or link with services from other companies. It will not be used for any purpose other than those specified in the Agreement and this DPA. For example, it will never be used for the purpose of directly contacting Your Customers from us.

  • Email address
  • Phone number
  • Name

The data below is only used to provide the functionality for the Customer to profile Your Customers and will not be used for any purpose other than those specified in the Agreement and this DPA.

  • Country of residence, province
  • Purchase data
  • Website behavior data related to e-commerce platforms

Sensitive Data transferred and applied restrictions or safeguards

Both parties do not plan to transfer sensitive personal data.

Frequency of the transfer


Nature of the Processing

Personal Data will be Processed in accordance with the Agreement including this DPA.

Purpose of the transfer and further processing

We Process Personal Data based on the necessity to provide the Service in accordance with the Agreement, and based on specific Instructions from Customer using the Service.

Period for which Personal Data will be retained

The Processing of Personal Data by us will be for the duration of the Agreement, in accordance with the "Deletion or Return of Personal Data" clause of this DPA, unless otherwise agreed by writing.

C.  Competent Supervisory Authority

For the purposes of the Standard Contractual Clauses, the supervisory authority that will act as competent supervisory authority will be determined in accordance with the GDPR.

Annex 2 - Security Measures

We currently observe the Security Measures described in this Annex 2. All capitalized terms not otherwise defined herein will have the meanings as set forth in the Agreement.

A. Access Control

1. Preventing Unauthorized Access to Products

Outsourcing of Processing: We use an external cloud infrastructure provider for hosting the Service. To protect data processed or stored by such providers, we rely on the terms of this DPA, the Agreement, our Privacy Policy and the provider's compliance program.

Physical and Environmental Security: We do not own or manage the hardware at the infrastructure provider's data center where the Service is hosted. The production servers and applications for the Service are logically protected from our company's internal corporate information systems.

Authentication: We have adopted a uniform password policy for the Service. Customers need to authenticate when accessing through the user interface.

2. Preventing Misuse of Products

Access Control: We have implemented industry-standard access control and detection capabilities in our internal network supporting the Service.

Static Code Analysis: For code stored in our source code repository, we use automated tools to check for compliance with best practices and identifiable software defects.

3. Limitation of Permission Granting

Employee Access: Some of our employees have the authority to access the Service and Customer Data through controlled interfaces. The purpose of providing access to some employees is to provide quality customer support, product development and research, troubleshooting potential problems, and detecting and responding to security incidents.

B. Transmission Control

In-Transit: We mandate encryption (often referred to as SSL or TLS) via free HTTPS for all user interfaces, including login interfaces. Our implementation of HTTPS uses industry-standard algorithms and certificates.

At-rest: User passwords are stored following a policy that adheres to industry-standard security methods. Stored data is protected by encryption technologies.

C. Input Control

Anomaly Detection: Our infrastructure is designed to record a wide range of information about system behavior, received traffic, system authentication, and other application requests. Internal systems aggregate log data and alert responsible employees to malicious, unexpected, or anomalous behaviors.

Response and Tracking: We maintain a record of known security incidents, including the nature and timing of the behavior and how the incident was addressed. Security incidents, or events suspected of being such, are investigated by security, operations, or support personnel and appropriate procedures for resolution are identified and documented. For all confirmed incidents, we take appropriate measures to minimize customer harm or unauthorized disclosure. Notification to customers is governed by the provisions of the Agreement.

D. Availability Control

Design for Availability: The Service is designed to maximize the availability of both infrastructure and applications. This ensures smooth operation and consistent service delivery to users.

Infrastructure Availability: The Service is built on a reliable cloud infrastructure provider. This provider makes commercially reasonable efforts to ensure a high level of uptime.

Fault Tolerance: The Service utilizes the managed services of this provider to adopt a scalable design capable of handling high traffic loads, offering high availability.

Data Backup: We regularly back up data stores to ensure robustness and data preservation. This enables the recovery of information in case of data loss or damage.

Annex 3 - Sub-processors

For the provision of the Service, we entrust the task of data Processing to Sub-processors.

Data Processor Google LLC

Purpose Hosting and Infrastructure

Location of the Data Processor United States

Server Location United States and Japan