Data Processing Agreement (DPA)

Version 1.0 · Effective: April 12, 2026

This Data Processing Agreement ("DPA") supplements the Terms of Service between LGC — Larry Group Corp (KK) ("Processor") and the customer ("Controller") and governs the processing of personal data by the Processor on behalf of the Controller.

1. Definitions

Personal Data: Any information relating to an identified or identifiable natural person processed through LMS
Processing: Any operation performed on personal data, including collection, storage, retrieval, use, and deletion
Sub-processor: Any third party engaged by the Processor to process personal data

2. Scope of Processing

The Processor processes personal data solely to provide the LMS service as instructed by the Controller through API commands. Processing includes:

Executing commands against the Controller's connected services (Gmail, Slack, etc.)
Processing natural language commands via AI (Anthropic Claude)
Storing usage logs and audit trails
Generating invoices and billing records

3. Data Location & Security

Measure	Implementation
Data region	Google Cloud asia-northeast1 (Tokyo, Japan)
Encryption at rest	AES-256 (Google Cloud default)
Encryption in transit	TLS 1.3
Credential storage	Google Cloud Secret Manager (IAM-controlled)
Data isolation	Logical namespacing per tenant in Firestore
Access control	RBAC with JWT authentication
Audit logging	All operations logged with timestamp, actor, action
Rate limiting	30 commands/minute per tenant

4. Sub-processors

Sub-processor	Purpose	Location
Google Cloud Platform	Infrastructure, database, secrets	Tokyo, Japan
Anthropic (Claude AI)	Natural language processing	United States
Stripe	Payment processing	United States

The Processor will notify the Controller at least 30 days before adding a new sub-processor.

5. Data Subject Rights

The Processor will assist the Controller in responding to data subject requests including: access, rectification, erasure, portability, and restriction of processing. GDPR data export is available via the API endpoint /api/v1/tenant/export.

6. Data Breach Notification

The Processor will notify the Controller within 72 hours of becoming aware of a personal data breach, providing: nature of the breach, categories of data affected, estimated number of individuals, likely consequences, and measures taken.

7. Data Retention & Deletion

Data is retained while the Controller's account is active
Upon termination, data export is available for 90 days
After 90 days, all personal data is permanently deleted
Backups are retained for 30 days after deletion

8. Audit Rights

The Controller may audit the Processor's compliance with this DPA upon 30 days written notice, no more than once per year, during business hours. The Processor will provide reasonable cooperation and access to relevant documentation.

9. Governing Law

This DPA is governed by the laws of Japan. For EU-based controllers, Standard Contractual Clauses (SCCs) apply to transfers outside Japan.

10. Contact

Data Protection Contact:
LGC — Larry Group Corp (KK)
千代田区丸の内1-6-2 新丸の内センタービル21階, Tokyo, Japan
Email: info@lgc.inc
Corporate Number: 0127-01-017983

To request a signed copy of this DPA for your records, email info@lgc.inc with your company name and LMS tenant ID.