FormAgent.ai

FormAgent Data Processing Addendum (DPA) – Japan APPI & Global Compliance

Version: v1.0

Effective Date: May 19, 2025

This Data Processing Addendum (“DPA”) supplements the FormAgent Service Agreement (the “Service Agreement”) entered into by and between FormAgent.ai Inc. (“Company”) and its enterprise customer (“Customer”) using the FormAgent chatbot SaaS platform. This DPA becomes effective on the date of Customer's acceptance and is designed to ensure the lawful and secure processing of personal data in accordance with the Act on the Protection of Personal Information of Japan (“APPI”) and applicable international regulations.

Article 1: Definitions

  • Personal Data: Information that can identify a living individual, including but not limited to chat content, IP address, location information, device identifiers, and browsing behavior.
  • End User: A visitor to Customer's website or app who interacts with the FormAgent chatbot interface.
  • Customer Data: Information provided by Customer through the FormAgent service, including user profiles, API logs, CRM data, and business content.
  • Sub-Processor: Any third-party processor engaged by Company to process data on behalf of Customer for the provision of the Services.
  • Applicable Laws: The Japanese APPI and relevant laws, regulations, and guidelines; and where applicable, the GDPR and CCPA.

Article 2: Purpose of Processing

  • To provide chatbot communication to End Users;
  • To analyze behavior and generate user profiles;
  • To deliver marketing reports and insights to the Customer;
  • To ensure security, stability, and lawful operation of the service;
  • To comply with legal obligations.

Article 3: Roles and Responsibilities

  • The Customer is the data controller for End User Personal Data. The Company acts as a data processor.
  • The Customer shall ensure lawful collection of End User data and, where necessary, obtain valid consent under APPI or other applicable laws.
  • The Customer warrants the accuracy and legality of the data submitted and is responsible for its source and intended processing.

Article 4: Data Security

  • The Company shall implement appropriate technical and organizational measures to ensure the security of Personal Data, including:
    • TLS encryption during transmission;
    • AES-256 encryption at rest;
    • Multi-factor authentication for access;
    • Access logging and monitoring;
    • Secure backup and recovery mechanisms;
    • Internal data governance and staff confidentiality obligations.

Article 5: Sub-Processing

  • The Company may engage Sub-Processors for the purposes of:
    • Hosting in Japan (e.g., AWS Tokyo Region);
    • Notification delivery and monitoring tools;
  • All Sub-Processors shall be contractually bound to comply with the same level of data protection as the Company.

Article 6: Cross-Border Data Transfers

  • The Company prioritizes processing and storing data within Japan.
  • Where international transfers are necessary, the Company shall ensure:
    • The receiving country is recognized by Japanese authorities as having an adequate level of protection; or
    • Standard Contractual Clauses (SCCs) are in place; or
    • The data subject has explicitly consented to such transfer.

Article 7: Data Subject Rights

  • If an End User requests access, correction, deletion, or restriction of their data, the Company will assist the Customer in responding to such requests in accordance with applicable laws.
  • The Customer is responsible for informing End Users of their data subject rights via privacy policy or terms of use.

Article 8: Personal Data Breach Response

  • In the event of a data breach, the Company shall:
    • Notify the Customer within 72 hours of confirmation;
    • Provide detailed information on scope, impact, and remedial actions;
    • Cooperate with any required reporting to authorities or data subjects.
  • The Company shall not be liable for breaches caused by the Customer's misconfiguration or negligence.

Article 9: Data Retention and Deletion

  • All Customer Data will be automatically deleted within 30 days after contract termination.
  • The Customer may request deletion at any time during the service period via the admin interface.
  • Where legal obligations apply, certain data may be retained for an appropriate duration.

Article 10: Transparency and Audits

  • The Customer may request a data protection audit once per year.
  • The Company shall provide access to:
    • Transmission and access logs;
    • Security control summaries;
    • Relevant audit reports (e.g., ISO27001 compliance).

Article 11: Precedence

  • In the event of any inconsistency between this DPA, the Service Agreement, and the Company's Privacy Policy, the order of precedence shall be:
    • This Data Processing Addendum (DPA);
    • FormAgent Service Agreement;
    • Privacy Policy content.

Article 12: Governing Law and Jurisdiction

  • This DPA shall be governed by the laws of Japan. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the Tokyo District Court of Japan.

Appendix A – Data Processing Scope

CategoryDescription
Types of DataEnd User behavior data, CRM integrations, chat transcripts, API logs
Processing MethodsCollection, recording, storage, analysis, reporting, deletion, access control
Storage LocationPrincipally within Japan (AWS Tokyo Region, Azure Japan, Akamai Japan)
Retention PeriodDuration of the service contract + 30 days (default)