BeyondBrain Incorp. Data Processing Agreement (DPA)
Effective Date: November 13, 2024
This Data Processing Agreement ("DPA") is entered into between:
BeyondBrain Incorp. ("the Processor"), a corporation registered under Company Registration Number 1011001157950, with its principal office located at WeWork Shibuya Scramble Square, 2-24-12 Shibuya, Shibuya-ku, Tokyo, Japan,
and
[Insert Hotel Operator Name] ("the Controller"), with its principal office located at [Insert Address].
Collectively referred to as the "Parties."
1. Introduction and Scope
This DPA governs the processing of personal data by the Processor on behalf of the Controller in connection with the FifthKeys platform and related services ("Services"), as outlined in the Terms and Conditions. It ensures compliance with applicable data protection laws, including the GDPR and APPI, and forms an integral part of the agreement between the Parties.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person ("Data Subject") processed by the Processor on behalf of the Controller.
- Processing: Any operation or set of operations performed on Personal Data, including collection, storage, access, use, disclosure, or deletion.
- Data Controller: The Controller, who determines the purposes and means of processing Personal Data.
- Data Processor: The Processor, who processes Personal Data on behalf of the Controller.
- Subprocessor: Any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- Data Breach: Any unauthorized or unlawful access, disclosure, alteration, loss, or destruction of Personal Data.
3. Roles and Responsibilities
Controller's Responsibilities
- Ensure all Personal Data provided to the Processor is collected and processed lawfully, with appropriate consent from Data Subjects where required.
- Provide clear instructions to the Processor regarding the processing of Personal Data.
- Respond to Data Subject requests in a timely manner and instruct the Processor as needed to assist.
Processor's Responsibilities
- Process Personal Data only on documented instructions from the Controller, unless required by law to act otherwise.
- Implement appropriate technical and organizational measures to protect Personal Data.
- Assist the Controller in ensuring compliance with data protection obligations, including responding to Data Subject requests and reporting Data Breaches.
4. Scope of Data Processing
The Processor shall process Personal Data as follows:
- Types of Personal Data: Guest names, contact details, preferences, transaction history, and communication records.
- Categories of Data Subjects: Hotel guests and staff.
- Purpose of Processing: To provide AI-driven revenue management, operational tools (e.g., AI Concierge), and data analytics as part of the Services.
- Duration of Processing: For the term of the agreement between the Parties, unless otherwise instructed by the Controller.
5. Data Security Measures
The Processor shall implement and maintain appropriate technical and organizational measures, including:
- Encryption of Personal Data during transmission and storage.
- Access controls to restrict access to authorized personnel only.
- Regular security audits and vulnerability assessments.
- Secure disposal of hardware and media containing Personal Data.
- Employee training on data protection and security protocols.
These measures will be regularly reviewed and updated to address evolving security risks.
6. Subprocessor Management
Engagement of Subprocessors
The Processor may engage Subprocessors to assist in providing the Services, provided that:
- The Controller is notified in writing of any intended changes to Subprocessors.
- The Controller has 14 days to object to such changes.
Subprocessor Obligations
The Processor shall ensure Subprocessors are bound by a written agreement imposing the same data protection obligations as this DPA.
Liability
The Processor remains fully liable for the performance of any Subprocessor's obligations.
7. Data Subject Rights
The Processor shall assist the Controller in fulfilling Data Subject requests under applicable laws, including rights to:
- Access, rectify, or erase Personal Data.
- Restrict or object to processing.
- Data portability.
The Controller shall notify the Processor of any Data Subject request, and the Processor will provide reasonable assistance as instructed.
8. Data Breach Notification
In the event of a Data Breach, the Processor shall:
- Notify the Controller within 72 hours of becoming aware of the breach.
- Provide sufficient information to assess the breach's impact and meet notification obligations.
- Mitigate the breach's effects and prevent further unauthorized access.
The Processor shall not disclose breach information to third parties without the Controller's prior written consent, except as required by law.
9. International Data Transfers
If Personal Data is transferred outside the European Economic Area (EEA) or Japan, the Processor shall ensure appropriate safeguards, such as:
- Using Standard Contractual Clauses approved by the European Commission.
- Ensuring the recipient country provides an adequate level of data protection.
No transfers to inadequate-protection jurisdictions shall occur without the Controller's prior written consent.
10. Audit Rights
The Controller may audit the Processor's data processing activities to verify compliance with this DPA:
- Upon reasonable notice to the Processor.
- No more than once per year, unless a Data Breach or significant event necessitates an additional audit.
- By the Controller or an approved independent third-party auditor.
The Processor shall provide reasonable assistance and access during audits.
11. Liability and Indemnification
Limitation of Liability
The Processor's total liability under this DPA shall not exceed the amount paid by the Controller for the Services in the six months preceding the claim, to the extent permitted by law.
Indemnification
The Controller shall indemnify the Processor against claims, damages, or losses arising from:
- Failure to obtain proper Data Subject consent.
- Breach of this DPA or applicable laws by the Controller.
- Instructions infringing third-party rights.
12. Termination and Data Return
Termination
This DPA remains in effect for the duration of the agreement. Upon termination:
- The Processor shall cease processing Personal Data, except as required by law.
- At the Controller's discretion, the Processor shall delete or return all Personal Data.
Survival
Sections 7, 8, 10, 11, and 13 survive termination.
13. Miscellaneous
- Amendments: Must be in writing and signed by both Parties.
- Entire Agreement: This DPA and the Terms and Conditions constitute the full agreement on Personal Data processing.
- Severability: Invalid provisions do not affect the remaining terms.
- Governing Law: Laws of Japan.
- Dispute Resolution: Binding arbitration in Tokyo, Japan, under the Japan Commercial Arbitration Association rules.
14. Contact Information
For questions about this DPA, contact:
BeyondBrain Incorp.
WeWork Shibuya Scramble Square
2-24-12 Shibuya, Shibuya-ku
Tokyo, Japan
Copyright 2025 FifthKey. All rights reserved.