Legal
Data Processing Agreement (DPA)
Last updated: June 18, 2026
This Data Processing Agreement ("DPA") sets out the data-protection obligations of the parties pursuant to Art. 28 GDPR for the use of the hosted SaQura Crypto/REST API (crypto.saqura.de; alias crypto.kyototech.co.jp). It forms part of the usage/licence agreement concluded between the parties (the "Main Agreement"). In case of conflict, this DPA prevails on data-protection matters.
Parties
The controller is the customer under the Main Agreement (company, address and representation are entered upon conclusion).
The processor:
KyotoTech LLC (合同会社KyotoTech)Kyō-machi 2-237-202, Fushimi-ku, Kyoto 612-8083, Japan
Kontakt Datenschutz: support@kyototech.co.jp
EU representative of the processor pursuant to Art. 27 GDPR: DataRep (Data Protection Representative Limited), Altmarkt 10 B/D, 01067 Dresden, Germany — datarequest@datarep.com (subject: "KyotoTech; SaQura"). Please address postal inquiries to "DataRep".
§ 1 Subject matter and duration
The processor processes personal data on behalf of the controller solely to provide the hosted SaQura cryptography services (encryption/decryption, signing/verification and related cryptographic operations via the REST API), as described in Annex 1. The duration matches the term of the Main Agreement; the deletion/return (§ 10) and confidentiality obligations survive termination.
§ 2 Nature, scope, purpose; data types; data subjects
The nature and purpose of processing, the type of personal data and the categories of data subjects are set out in Annex 1. The processor does not process the data for its own purposes.
§ 3 Obligations of the processor (Art. 28(3))
The processor processes personal data only within the documented instructions of the controller and in particular warrants:
- (a) Instructions — processing only on documented instructions, unless legally required otherwise; in which case prior notice where legally permitted.
- (b) Confidentiality — authorised persons are bound to confidentiality.
- (c) Security — implementation of the technical and organisational measures under Art. 32 GDPR per Annex 2.
- (d) Sub-processors — engagement only under the conditions of § 6.
- (e) Data-subject rights — assisting the controller by appropriate measures with data-subject requests (Art. 12–23) where possible.
- (f) Art. 32–36 — assisting with security, breach notification, data-protection impact assessment and prior consultation where possible.
- (g) Deletion/return — at the controller's choice after the end of provision, per § 10.
- (h) Evidence/audit — providing the information required to demonstrate compliance and allowing audits per § 9.
The processor informs the controller without undue delay if it considers an instruction to infringe data-protection law.
§ 4 Right to issue instructions
Instructions are given in text form as a rule; oral instructions are confirmed in text form without undue delay. Authorised persons and recipients are named upon conclusion.
§ 5 Technical and organisational measures (Art. 32)
The processor implements the measures described in Annex 2. These may evolve provided the level of protection is not reduced; material changes are documented.
§ 6 Sub-processing
The controller approves the sub-processors listed in Annex 3 (general authorisation under Art. 28(2)). The processor notifies intended changes/additions at least 30 days in advance; the controller may object on important data-protection grounds. The processor imposes the same data-protection obligations on each sub-processor by contract (Art. 28(4)) and remains responsible.
§ 7 Assistance to the controller
The processor assists the controller appropriately, in particular through the no-log architecture (Annex 2) and, on request, by information on the circumstances relevant to a processing operation. Effort beyond the contractual base service may be charged on a time-and-materials basis.
§ 8 Breach notification
The processor notifies the controller without undue delay, and at the latest within 48 hours of becoming aware, of any personal-data breach within its area of responsibility, with the information required under Art. 33(3) where available. The obligation to notify the supervisory authority/data subjects remains with the controller.
§ 9 Audit rights
The controller may verify compliance with this DPA — by requesting information, submitted evidence/audit reports or, where necessary, on-site inspections at announced times without disrupting operations. The processor may primarily provide evidence through appropriate documentation (cryptography concept, TOM description) and certifications/attestations.
§ 10 Deletion and return after termination
After termination the processor deletes all personal data processed on behalf of the controller or returns it at the controller's choice, unless a statutory retention obligation applies. Due to the no-log architecture, cryptographic payloads (plaintext, keys, ciphertext) are not persisted and are processed only transiently in memory for the duration of each request; deletion beyond this is technically moot. Operational metadata per Annex 1 is deleted after the retention periods stated there.
§ 11 Processing location / third-country transfers
Processing of data submitted via the API (transient payloads and associated operational metadata) takes place exclusively in Germany (Nuremberg), within the EU/EEA. No third-country transfer occurs as part of the core service.
The processor is established in Japan; administrative access (operations, support, billing/licence administration) may occur from Japan. Billing-relevant operational metadata (in particular the associated customer email, subscription identifier and aggregate usage counters) is transmitted to the billing system operated by the processor from Japan for contract and billing administration; cryptographic payloads (plaintext, keys, ciphertext) are not transmitted there. For transfers from the EU/EEA to Japan an EU Commission adequacy decision (2019) applies, so no additional safeguards are required where the processing falls within its scope. Where further sub-processors in third countries without an adequacy decision are engaged, Standard Contractual Clauses (Art. 46) are agreed.
§ 12 Liability and final provisions
Liability is governed by Art. 82 GDPR and the Main Agreement. Amendments require text form. Should any provision be invalid, the remainder of the agreement remains effective. The law and jurisdiction agreed in the Main Agreement apply where permissible. The German version of this DPA prevails.
Annex 1 — Description of processing
| Nature of processing | Performing cryptographic operations (encrypt/decrypt, sign/verify) via the hosted REST API; transient processing in memory. |
| Purpose | Providing the cryptography service requested by the controller. |
| Payloads | The content submitted by the controller (plaintext/ciphertext/signature data) — may contain personal data; not persisted (no-log). |
| Operational metadata | Hashed API key, key prefix, plan, active status, creation/last-used/expiry timestamps, associated customer email, subscription identifier, and aggregate usage counters (number of billable requests per subscription, processed for usage-based billing and transmitted to the billing system). Request content is not recorded in the process. Stored in Germany for the duration of the API key/contract; billing-relevant data per statutory retention periods. |
| Categories of data subjects | Depend on the controller's content; determined by the controller (e.g. its customers/users/staff). |
As the processor can neither view the payloads (no-log) nor control their content, the controller determines data types and categories of data subjects.
Annex 2 — Technical and organisational measures (Art. 32)
- Encryption: the core service is encryption to the state of the art (BSI TR-02102-1 / NIST FIPS-203/204/205 algorithms). Transport encryption via TLS.
- No-log architecture: no persistence of plaintext, keys or ciphertext; processing only transiently in memory for the request duration.
- Confidentiality/access control: API-key authentication; server-side tier/quota enforcement; role-based access control and key-only SSH access.
- Integrity: authenticated encryption (AEAD) in all active schemes; hardened server, patch management.
- Availability/resilience: encrypted backups with off-site replication; monitoring.
- Review: release gates, tests and leak scans; regular reviews.
Annex 3 — Sub-processors & locations
| Sub-processor | Service | Location | Transfer basis |
|---|---|---|---|
| Hetzner Online GmbH | Server/infrastructure operation (Crypto API) | Germany (Nuremberg) — EU/EEA | within EU |
| Let's Encrypt (ISRG) | TLS certificates | USA / global | public certificates, no personal payloads |
Conclusion
This DPA becomes effective upon conclusion of the Main Agreement. Place, date and signatures of the parties are added upon conclusion.