Data Processing Addendum
This Data Processing Addendum (“DPA”) forms part of the agreement between the customer (“Customer”) and DynaMeet, Inc. (DynaMeet株式会社; “DynaMeet”) for the DynaMeet Platform (including Meeton ai; the “Service”) — whether the Self-Serve Terms of Service or a written order form (together, the “Agreement”). It applies whenever DynaMeet processes Customer Personal Data (defined below) on the Customer’s behalf.
1. Definitions
- “Customer Personal Data” — personal data or personal information collected from visitors to the Customer’s websites through the Service and processed by DynaMeet on the Customer’s behalf, as described in the Annex (Details of Processing).
- “Applicable Data Protection Laws” — the privacy and data-protection laws applying to the processing of Customer Personal Data, which may include the Act on the Protection of Personal Information (Japan), the Personal Data Protection Act 2012 (Singapore), the Privacy Act 1988 (Cth) including the Australian Privacy Principles (Australia), and the Privacy Act 2020 (New Zealand).
- “Sub-processor” — a third party engaged by DynaMeet to process Customer Personal Data.
2. Roles and instructions
2.1 As between the parties, the Customer is the controller (or the organisation/agency with primary responsibility under Applicable Data Protection Laws) of Customer Personal Data, and DynaMeet processes it as the Customer’s processor, data intermediary or agent.
2.2 DynaMeet will process Customer Personal Data only: (a) to provide, secure and support the Service; (b) as documented in the Agreement, this DPA and the Customer’s configuration of the Service (which together constitute the Customer’s documented instructions); or (c) as required by law, in which case DynaMeet will notify the Customer unless prohibited.
2.3 The Customer is responsible for the lawfulness of its collection of Customer Personal Data — including giving the notices and, where required, obtaining the consents that Applicable Data Protection Laws require for its use of the Service on its websites.
3. Confidentiality and personnel
3.1 DynaMeet ensures that personnel authorised to process Customer Personal Data are bound by confidentiality obligations and access Customer Personal Data only as needed to provide the Service, in line with the human-access restrictions described in our Privacy Policy.
3.2 First-party support access. DynaMeet’s authorised personnel may access a Customer workspace to provide onboarding, support or troubleshooting. Where they do: access is role-scoped and limited to what the task requires; it is temporary and expires automatically; each access is recorded in the Customer’s own activity log, where actions by DynaMeet staff are visibly flagged to the Customer’s team; and the Customer may disable such access at any time in the Service’s settings, which immediately removes any existing staff access.
4. Security
DynaMeet maintains an information security management system certified to ISO/IEC 27001 and ISO/IEC 27017 and implements appropriate technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access — including encryption in transit, access controls, logging, and network separation. Current details are published on the Security page.
5. Sub-processors
5.1 The Customer authorises DynaMeet to engage the Sub-processors listed at dynameet.ai/en/legal/sub-processors/. DynaMeet imposes data-protection obligations on Sub-processors no less protective than this DPA and remains responsible for their performance.
5.2 Change notice. Before adding or replacing a Sub-processor, DynaMeet will update the sub-processor page and notify account administrators by email at least 30 days in advance. If the Customer reasonably objects on data-protection grounds and the parties cannot resolve the objection, the Customer may terminate the affected subscription before the change takes effect and receive a pro-rata refund of prepaid fees for the unused portion of its term.
6. Where data is processed; international transfers
6.1 Customer Personal Data is hosted in the Amazon Web Services Tokyo region (ap-northeast-1) in Japan. The Customer instructs and authorises DynaMeet to process Customer Personal Data in Japan and in the locations of the Sub-processors listed on the sub-processor page.
6.2 Where the Customer is subject to transfer requirements under Applicable Data Protection Laws, this DPA constitutes the contractual safeguard through which DynaMeet undertakes to provide Customer Personal Data a standard of protection comparable to that required by those laws — including for the purposes of the cross-border transfer requirements of the PDPA (Singapore), APP 8 (Australia) and IPP 12 (New Zealand). Japan’s data-protection framework holds an EU adequacy decision and Japan participates in the Global CBPR system.
7. Assistance with individuals' requests
7.1 If DynaMeet receives a request from an individual concerning Customer Personal Data (access, correction, deletion, objection or similar), it will redirect the individual to the Customer and not respond substantively except on the Customer’s instruction or where legally required.
7.2 Taking into account the nature of the processing, DynaMeet will assist the Customer in responding to such requests — through the Service’s search, export, correction and deletion features, and where those are insufficient, through reasonable direct assistance within 10 business days of a request from the Customer.
8. Data breach notification
8.1 If DynaMeet becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data, DynaMeet will notify the Customer without undue delay after becoming aware, targeting notification within 72 hours, to the account administrator’s registered email. The 72-hour figure is a target the parties acknowledge as an objective, not a warranted deadline.
8.2 The notification will describe, to the extent then known, the nature of the breach, the categories and approximate number of individuals and records concerned, the likely consequences, and the measures taken or proposed. DynaMeet will provide timely updates as the investigation progresses and reasonably cooperate with the Customer’s own notification obligations (including statutory regulator and individual notifications under Applicable Data Protection Laws). DynaMeet’s notification is not an admission of fault.
9. Deletion and return
9.1 During the term, the Customer can export Customer Personal Data through the Service. On termination of the Agreement, the Customer may export Customer Personal Data for 30 days; thereafter DynaMeet deletes or de-identifies Customer Personal Data in principle within 90 days of termination, unless retention is required by law.
9.2 Data that has been de-identified and aggregated so that it cannot identify, and cannot reasonably be re-linked to, any individual or the Customer ceases to be Customer Personal Data and may be retained for service improvement and analytics.
10. Audit and information
On the Customer’s reasonable written request (no more than once per 12 months, absent a breach), DynaMeet will make available information reasonably necessary to demonstrate compliance with this DPA — its current ISO/IEC 27001 and 27017 certificates, summaries of its security measures, and written responses to reasonable security questionnaires. These constitute the agreed audit mechanism for self-serve subscriptions.
11. Liability, order of precedence and term
11.1 Each party’s liability under this DPA is subject to the limitations and exclusions of liability in the Agreement.
11.2 If this DPA conflicts with the Agreement regarding the processing of Customer Personal Data, this DPA prevails. This DPA remains in force while DynaMeet processes Customer Personal Data.
11.3 Severability; local mandatory rights unaffected. If a provision of this DPA is held void or unenforceable, it is severed or read down to the minimum extent necessary and the remainder continues in full effect. Nothing in this DPA excludes, restricts or modifies any right or protection granted to the Customer or to any individual by a mandatory applicable law that cannot lawfully be excluded, restricted or modified.
Annex — Details of processing
- Subject matter and duration: processing of visitor data from the Customer’s websites to provide the Service, for the term of the Agreement plus the deletion window in Section 9.
- Nature and purposes: collection via the Service’s widget and features (AI chat, forms, calendar booking, content library, email delivery); hosting; AI response generation; analytics and reporting to the Customer; synchronisation to systems the Customer connects (such as its CRM); security.
- Categories of individuals: visitors to the Customer’s websites; the Customer’s leads and contacts.
- Categories of data: contact details submitted through chat and forms (name, business email, phone, company, job title, department); communication content (chat and email exchanges); behavioural data (pages viewed, time on page, scroll depth, sessions, engagement, document views); IP address, device and browser information, cookie/session identifiers; company-level attributes estimated from IP addresses. The Service is not intended for sensitive/special categories of data, and the Customer agrees not to configure it to collect them.
Established: [effective date — set at publish]