1.はじめに
This Data Processing Addendum (“DPA”) supplements your Remote.It Terms of Use (the “Agreement”) and forms part of your contractual relationship with remot3.it, Inc. (“Remote.It”). Applicable Data Protection Law means all applicable laws relating to privacy, data protection, and information security, including but not limited to the EU General Data Protection Regulation (GDPR), the UK GDPR, the UK Data Protection Act 2018, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), and any successor legislation.
本DPAは、お客様が利用規約に同意するか、またはRemote.Itと個別の契約を締結した時点で拘束力を持つようになります。本DPAの締結には、法人の正式な代表者である必要があります。
2.定義
以下の定義が適用される:
- Applicable Law: As set forth in Section 1.
- 管理者:個人データの処理の目的および手段を決定する主体。
- 処理者:管理者に代わって個人データを処理する事業体。
- データ主体:個人データが処理される自然人。
- 個人データ:特定または識別可能な自然人に関連するすべての情報。
- 処理:個人データに対して行われるあらゆる操作。
- サブプロセッサー:コントローラーに代わってデータを処理するためにRemote.Itが従事する第三者処理業者。
3. Artificial Intelligence
With respect to any optional AI-enabled features of the Services:
- Remote.It does not use Customer Personal Data or Customer Content to train artificial intelligence or machine learning models.
- Remote.It does not disclose Customer Personal Data to third-party AI providers unless expressly configured or authorized by the Customer.
- Customers may elect to disable optional AI-enabled features.
4. Roles of the Parties
4.1 Controller and Processor
For Business customers, you act as the Data Controller, and Remote.It acts as the Data Processor with respect to the Personal Data processed to provide the Services. Remote.It processes Personal Data only on your documented instructions, except where processing is required by applicable law.
For Individual users, Remote.It acts as the Data Controller for Personal Data processed for account registration, account administration, billing, fraud prevention, security monitoring, legal compliance, and other purposes described in the Remote.It Privacy Policy.
4.2 Limited Controller Activities
In limited circumstances, Remote.It acts as an independent Data Controller with respect to Personal Data processed for its own legitimate business purposes, including account administration, billing, fraud prevention, platform security, legal compliance, service analytics, and improvement of the Services, as described in the Remote.It Privacy Policy.
Where Remote.It acts as an independent Data Controller, it determines the purposes and means of such processing and complies with its obligations under Applicable Data Protection Law.
4.3 Customer’s Obligations
You confirm that:
- お客様は、Remote.It.に個人情報を提供する法的権利を有します;
- あなたは文書による指示を提供する;
- GDPRに基づき必要なすべての同意を得ている。
4.4 Processing by Remote.It
リモート.同意する:
- 文書化された指示にのみ基づいて個人データを処理すること;
- 要員に守秘義務を課す;
- GDPR第32条から第36条に基づく義務の履行において管理者を支援すること;
- 毎年、要求に応じて、NDAの下で監査文書を入手できるようにする;
- Support responses to Data Subject Rights requests (see Section 5).
4.5 Confidentiality
Remote.It shall ensure that all personnel authorized to process Personal Data are bound by written confidentiality obligations and receive appropriate privacy and security training. Access to Personal Data is limited to personnel who require such access to perform their assigned responsibilities and is granted in accordance with the principle of least privilege.
Remote.It shall take reasonable steps to ensure that authorized personnel understand and comply with their obligations under this DPA and Applicable Data Protection Law.
4.6 Details of Processing
See Schedule A.
5. Data Subject Rights
Remote.Itは、GDPR第12条から第23条に基づき、データ主体の要求(アクセス、訂正、削除、制限、ポータビリティ、異議)に対応するための支援を行います。Remote.Itは、法律で禁止されていない限り、受領した要求についてお客様に通知します。
Remote.It does not intentionally inspect or retain Customer Content transmitted through the Services as part of normal platform operation except where expressly authorized by the Customer or required by law.
See the Privacy Policy for detailed procedures.
6. Sub-processors
6.1 Authorization. You authorize Remote.It to engage Sub-processors as necessary to provide the Services.
6.2 Obligations. All Sub-processors are bound by written agreements with data protection obligations equivalent to this DPA. Remote.It remains liable for their actions.
6.3 Current Sub-processors. See Schedule C.
6.4 Changes & Objection Rights. Remote.It will provide at least 30 days’ notice before adding new Sub-processors. You may object on reasonable grounds. If an objection is unresolved, either party may terminate the affected Services.
7. Security Measures
7.1 Remote.It implements appropriate technical, organizational and administrative safeguard measures (see Schedule B) in accordance with Article 32 GDPR.
7.2 Remote.It will notify the Customer without undue delay after becoming aware of a Personal Data Breach and, where feasible, within seventy-two (72) hours.
8. Return or Deletion of Data
Upon termination of the Services, Remote.It will delete all Personal Data within 30 days unless retention is required by law or authorized by the customer.
9. International Transfers
Remote.It may transfer Personal Data outside the European Economic Area (“EEA”) where necessary to provide the Services. Where Personal Data is transferred to a country that has not been recognized as providing an adequate level of protection under Applicable Data Protection Law, Remote.It will implement appropriate safeguards in accordance with Article 46 of the GDPR, including the European Commission’s Standard Contractual Clauses (including any successor or replacement versions) or other legally approved transfer mechanisms.
10. Audit Rights
You may audit Remote.It’s compliance with this DPA provided such audit does not unreasonably interfere with Remote.It’s operations or compromise the security of other customers:
- 年1回、少なくとも30日前までに通知すること;
- または、セキュリティインシデントや規制当局からの要請があった場合;
- 自費で、守秘義務の下で独立監査人を利用する。
11. Term and Termination
This Data Processing Addendum remains in effect for the duration of the Agreement under which Remote.It processes Personal Data on your behalf.
Upon termination or expiration of the Agreement, Remote.It will cease processing Personal Data except as necessary to comply with applicable law, fulfill outstanding legal obligations, or as otherwise authorized by this DPA.
The obligations relating to confidentiality, security, data deletion or return, liability, audit rights, and any other provisions that by their nature are intended to survive termination shall remain in effect following termination of this DPA.
12. Liability
Each party’s liability arising under or in connection with this Data Processing Addendum shall be governed by the limitations of liability and exclusions set forth in the underlying Agreement.
Nothing in this Data Processing Addendum shall be interpreted to expand, increase, or otherwise modify either party’s liability beyond that provided in the Agreement, except to the extent such limitation or exclusion is prohibited by Applicable Data Protection Law, including Article 82 of the General Data Protection Regulation (GDPR), the UK GDPR, or any equivalent mandatory provision of applicable law.
Nothing in this Data Processing Addendum shall limit, restrict, or waive any rights or remedies available to Data Subjects or Supervisory Authorities where such rights cannot be limited or excluded by Applicable Data Protection Law.
13. Governing Law and Jurisdiction
本DPAは、米国カリフォルニア州法に準拠します。ただし、EEAに本拠を置く管理者およびデータ主体は、GDPRの要求に従い、自国の司法管轄区において救済を求める権利を保持します。
14. Exercising Your Rights
GDPRの権利を行使するには、こちらまでご連絡ください:
- Eメール:legal@remote.it
- 住所:Remot3.it, Inc, 1309 Ross Street, Suite A, Petaluma, CA 94954, United States
その際、ご本人であることを確認させていただくとともに、ご請求の根拠となる情報をご提供いただく場合があります。
15. Updates to This DPA
Remote.Itは、法律またはサービスの変更を反映するために、本DPAを更新することがあります。当社は、重要な更新を通知します。更新後も本サービスの利用を継続する場合は、これを承諾したものとみなされます。
スケジュール A:処理内容
- 主題接続およびネットワーク・アクセス・サービスの提供
- 期間契約期間+30日間保持
- データのカテゴリー電子メールアドレス、一意のユーザーおよびデバイス識別子、トランザクションID
- データ対象者有償および無償のRemote.Itアカウントのエンドユーザー
- 目的:デバイスの接続とアカウントの身元確認を管理する
スケジュールB:セキュリティ対策
技術的および組織的なセキュリティ対策には以下が含まれる:
- 物理的および論理的アクセス制御
- 暗号化されたデータ
- 役割ベースのアクセス管理
- ロギングとモニタリング
- 侵入検知
- 事業継続と災害復旧手順
- 定期的な脆弱性評価
スケジュールC:サブプロセッサー
以下のサブプロセッサーを使用する:
| サブプロセッサー | 提供するサービス | サブプロセッサの位置 |
|---|---|---|
| Amazon Web Services | クラウドサービス | アメリカ合衆国 |
| グーグル | クラウド・サービスとアナリティクス | アメリカ合衆国 |
| ストライプ | 支払取引 | アメリカ合衆国 |
| ハブスポット | Marketing & Sales Communications | アメリカ合衆国 |
| マイクロソフト | クラウド・サービスとアナリティクス | アメリカ合衆国 |
| ゼンデスク | サポート | アメリカ合衆国 |