Data Processing Agreement (DPA)

Version 1.0 · Effective: April 12, 2026

This Data Processing Agreement ("DPA") supplements the Terms of Service between LGC — Larry Group Corp (KK) ("Processor") and the customer ("Controller") and governs the processing of personal data by the Processor on behalf of the Controller.

1. Definitions

2. Scope of Processing

The Processor processes personal data solely to provide the LMS service as instructed by the Controller through API commands. Processing includes:

3. Data Location & Security

| Measure | Implementation |
| --- | --- |
| Data region | Google Cloud asia-northeast1 (Tokyo, Japan) |
| Encryption at rest | AES-256 (Google Cloud default) |
| Encryption in transit | TLS 1.3 |
| Credential storage | Google Cloud Secret Manager (IAM-controlled) |
| Data isolation | Logical namespacing per tenant in Firestore |
| Access control | RBAC with JWT authentication |
| Audit logging | All operations logged with timestamp, actor, action |
| Rate limiting | 30 commands/minute per tenant |

4. Sub-processors

| Sub-processor | Purpose | Location |
| --- | --- | --- |
| Google Cloud Platform | Infrastructure, database, secrets | Tokyo, Japan |
| Anthropic (Claude AI) | Natural language processing | United States |
| Stripe | Payment processing | United States |

The Processor will notify the Controller at least 30 days before adding a new sub-processor.

5. Data Subject Rights

The Processor will assist the Controller in responding to data subject requests including: access, rectification, erasure, portability, and restriction of processing. GDPR data export is available via the API endpoint /api/v1/tenant/export.

6. Data Breach Notification

The Processor will notify the Controller within 72 hours of becoming aware of a personal data breach, providing: nature of the breach, categories of data affected, estimated number of individuals, likely consequences, and measures taken.

7. Data Retention & Deletion

8. Audit Rights

The Controller may audit the Processor's compliance with this DPA upon 30 days' written notice, no more than once per year, during business hours. The Processor will provide reasonable cooperation and access to relevant documentation.

9. Governing Law

This DPA is governed by the laws of Japan. For EU-based controllers, Standard Contractual Clauses (SCCs) apply to transfers outside Japan.

10. Contact

Data Protection Contact:
LGC — Larry Group Corp (KK)
Shin-Marunouchi Center Building 21F, 1-6-2 Marunouchi, Chiyoda-ku, Tokyo, Japan
Email: info@lgc.inc
Corporate Number: 0127-01-017983

To request a signed copy of this DPA for your records, email info@lgc.inc with your company name and LMS tenant ID.