Data processing addendum.
This Data Processing Addendum (DPA) is part of the agreement between IP Rich, Inc. (株式会社IPリッチ, the processor) and the Customer (the controller) for the use of PatentOS. It governs how we process personal data on the Customer's behalf.
1. Roles
Customer is the controller of any personal data uploaded to or generated within its PatentOS tenant. IP Rich is the processor. Where another entity directs Customer (for example, when Customer's own customer is the originating controller), Customer is acting as processor and IP Rich as sub-processor; the principles in this DPA flow through.
2. Scope of processing
- Subject matter: Provision of the PatentOS platform and optional licensed attorney review.
- Duration: The term of the agreement, plus the deletion window in Section 8.
- Nature and purpose: Storage, analysis, machine learning inference (not training), and generation of patent intelligence artifacts.
- Categories of data subjects: Customer personnel, named individuals in patent filings, suspected infringing parties, and any individuals identified in evidence submitted by Customer.
- Categories of personal data: Names, business contact details, professional history visible in filings, and any personal data Customer chooses to upload.
3. Processing instructions
IP Rich will process personal data only on documented instructions from Customer, including in the agreement, the order form, and operational instructions given through the platform. We will notify Customer if we believe an instruction violates applicable data protection law.
4. Security
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Role-based access control with least privilege; production access on a need-to-know basis.
- Multi-factor authentication required for all personnel with access to customer data.
- Hardened cloud infrastructure with separation between tenants.
- Vulnerability management, patching cadence, and dependency scanning documented in the Security Policy.
- Personnel background checks and signed confidentiality undertakings.
- Independent attestation roadmap (SOC 2 Type II target).
5. Sub-processors
IP Rich uses a vetted list of sub-processors for hosting, email delivery, error tracking, and analytics. The current list is available at privacy@patentos.app and is updated before adding any sub-processor that handles personal data. Customers may object on reasonable data protection grounds within 14 days; if an alternative arrangement cannot be reached, the Customer may terminate the affected service.
6. International transfers
Personal data is primarily processed in Japan. Where data is transferred to a country without an adequacy decision, transfers are protected by the EU Standard Contractual Clauses (module 2 or 3, as applicable) and the Japan APPI mutual adequacy framework, plus supplementary measures (encryption, access controls, audit logging).
7. Data subject rights
IP Rich will assist Customer in responding to data subject requests through appropriate technical and organisational measures, including providing access to tenant data, supporting export, and acting on deletion requests. Customer remains responsible for direct interaction with data subjects.
8. Return and deletion
Within 30 days of termination or upon written request, IP Rich will return or delete Customer's personal data, except as required for legal or regulatory retention. Backup copies are overwritten or expired within 90 days. A deletion certificate is provided on request.
9. Audit and information
IP Rich will make available the information necessary to demonstrate compliance with this DPA, including audit reports, security questionnaires, and policy documents. Customer may audit no more than once per year, on reasonable notice, during business hours, at Customer's expense, and subject to confidentiality undertakings. A regulator with jurisdiction may audit at any time.
10. Breach notification
IP Rich will notify Customer without undue delay, and in any case within 72 hours of becoming aware, of any personal data breach affecting Customer's data. The notice will include known facts, categories and approximate number of records and subjects affected, likely consequences, and remediation actions taken or planned.
11. No model training on customer data
IP Rich will not use Customer tenant content to train, fine-tune, or otherwise adapt any AI model. Inference uses pre-trained models against Customer data; results stay within the tenant.
12. Order of precedence
This DPA prevails over conflicting terms in the agreement with respect to the processing of personal data. Where applicable law requires additional terms, those terms apply in addition to, not in derogation of, this DPA.
13. Contact
Data protection contact: privacy@patentos.app. Operating entity: IP Rich, Inc., Tokyo, Japan.