Compliance Statement

Personal Information Handling Business Operator’s Statement

1. About this Statement

This Compliance Statement provides a general description of how Dubber handles and safeguards personal information and personal data of persons in Japan as a personal information handling business operator in accordance with the Act on the Protection of Personal Information (Act No.57 of 2003, as amended) of Japan (the “Act”) and its relevant implementation regulations and guidelines (collectively, the “Acts”).

Dubber Pty Ltd, is an Australian company with registered office at Level 5, 2 Russell Street, Melbourne, Victoria 3000, Australia (“Dubber”, “we”, “our” or “us”), is committed to protecting the privacy and security of personal information and personal data.

The terms “data subject” (“本人”), “personalinformation” (“個人情報”), “personaldata” (“個人データ”), “handling” (“取扱い”), “security control measures” (“安全管理措置”), and “personal information handling business operator” (“個人情報取扱事業者”) shall be interpreted in accordance with the Act. 

“Recordings”: means telephone recordings, voice recordings, Unified Communications Recordings (UCR), captured as audio, video or text and other processed outputs of these recordings with or without the application of Artificial Intelligence (“AI”), and any such other record made by Customers (defined in Section 2 below) and uploaded to our system via Dubber’s API.

2. Dubber as a Personal Information Handling Business Operator

The Acts apply in those cases where a personal information handling business operator who, in relation to supplying services to persons in Japan has collected personal information and/or personal data relating to the person who is the data subject, handles the personal information. Furthermore, the way in which any personal information handling business operator handles, collects, stores, protects or otherwise uses personal information is also regulated by the Act. The purpose of this Compliance Statement is to aid in the demonstration of Dubber’s compliance with the Act.

Dubber provides Recording solutions. When our customers use Dubber’s Recording and Artificial Intelligence (AI) Platform (the “Dubber Platform”) or receive ancillary services from Dubber, Dubber will be acting as a personal information handling business operator (or as a sub-processor). Such customers, who act as personal information handling business operators (the “Customers”), determine the manner in which any personal information is to be handled and for what purposes.

3. Summary of Dubber Handling Activities as a personal information handling business operator

Dubber appropriately handles, collects, uses, consigns, and provides personal information by clarifying the purposes for use of personal information, respecting the intentions of the data subjects, and taking into consideration the content and scope of our business. We implement measures to ensure that the handling of personal information does not exceed the scope necessary for achieving the specified purposes for its use.

3.1 Data subjects. The personal information we handle for the provision of our services concerns the following categories of data subjects: (a) Data subjects connected to our Customers who have their voice or communications (audio, video or text) recorded. (b) Customer Representatives who, by virtue of their employment or other contractual relationships with the Customer, use the Dubber Platform, engage in conversations with end users or are subsequently recorded. 3.2 Categories of data. We envisage that the personal information handled will likely concern the following categories of personal information:

(a) Any personal information contained in Recordings. Due to the nature of Recordings, it is possible that a wide variety of information, including personal information, may be disclosed by data subjects and subsequently handled by Dubber. (b) Information provided by our Customers when they join us or they interact with our customer services or representatives. Personal information may include first name, last name, financial data, or other details concerning the Customer’s products and services. (c) Information provided by our Customers (or their customers) when they use the Dubber Platform. Personal information may include email addresses and names of Customer representatives. (d) Special care-required personal information under the Act. Dubber will not ask for any personal data which may be considered as special care-required personal information under the Act. However, due to the nature of recording, Recordings could contain personal information under the Act. (e) Any personal information generated as a result of Dubber AI. Where Dubber AI is configured, Dubber may generate text transcriptionsand/or other outputs requested by the Customers, using the Customer’s supplied Recordings.

3.3 Methods of collection. Dubber collects personal information in the following ways:

(a) Through the Dubber Platform. (i.e. when Recordings are stored in our platform) as part of the normal use by the Customers, and their users, of the Dubber recording SaaS solution).

(b) Data migrations from Customers: a Customer may migrate Recordings to Dubber Platform from their historical recording archives (e.g., when they migrate from another service to Dubber) and these Recording will be uploaded onto the Dubber Platform. 

(c) Direct interactions. Customer representatives may give us their identity and contact data by filling in forms or corresponding with us by post, phone, email or otherwise. This includes personal information provided when creating a Dubber account. (d) Automated technologies or interactions. As data subjects interact with our website and the Dubber Platform, we will automatically collect technical data about equipment used, browsing actions and patterns. (e) AI generated. Data generated as part of Dubber AI processing may contain transcripts of Customer supplied Recordings and other outputs requested by the Customer.

3.4 Handling operations. Dubber will handle personal information to make available and operate the Dubber Platform to the Customer and any other services requested by the Customer in accordance with the agreement we have in place with the Customer.

3.5 Duration of the Processing of Personal Data. Dubber will process personal data during the term of its contracts with each of its Customers, including an exit period (if any), and thereafter, as long as Dubber is required to process the personal data by applicable law. Please refer also to Section 12: Destruction of Data and Termination of Contract, below.

3.6 Sub-processors within Japan, or in an adequate country or sectorestablishing a personal information protection system which have the same standards as those in Japan. A list with the sub-processors we use and how the sub-processors handle the relevant personal data is available at https://www.dubber.net/legal/subprocessors/. 3.7 Personal information transfers outside Japan, or outside an adequate country or sector establishing a personal information protection system which have the same standards as those in Japan. (a) Dubber will always store Recordings coming from Japan Customers in databases in Japan. (b) Depending on the geographic location of Dubber’s Customers and their individual end users and the nature of the services Dubber provides to them, Dubber may also engage third parties and one or more of its Affiliates as Sub-processors. (c) Dubber affiliates located outside Japan may, in limited cases and on a “need to know basis”, access customer data (including personal information contained therein) in the course of providing support, operating, delivering, and maintaining Dubber services including: (i) Call Recording, UCR, and Voice-AI software-as-a-service development, testing, and support; and (ii) the provision of other operational, business development, technical, sales, and support services to Dubber. (d) When we transfer personal information to any recipient (e.g. a sub-processor Dubber Affiliate) outside Japan to provide our services, we will take adequate technical and organisational measures to ensure that such personal information is handled securely and with an adequate level of protection comparable to and at the same level as the protection offered in Japan.

4. Security Overview

4.1 We have implemented appropriate security control measures in such a manner that handling meets the security requirements of the Act. 4.2 The Dubber Platform has been designed to provide maximum functionality with sophisticated security systems. Our security practices ensure that personal data is protected at every stage of the communication capture process and beyond to storage and analysis in accordance with good industry practice. 4.3 All user, Recording, and Dubber AI data is stored in encrypted repositories. Dubber recordings are encrypted using 256-bit Advanced Encryption Standard (AES-256). 

5. Records of Processing

We maintain a written record of all categories or processing activities carried out on behalf of a data controller as required by Article 30(2) of the GDPR. This record is updated at least annually by the Information Security Team and maintained in a format that can be used to demonstrate our processing activities to our Customers and the relevant supervisory authorities, as required.

More information on Dubber’s GDPR Compliance can be found in this link: https://www.dubber.net/legal/gdpr-compliance-statement/

6. Contracting and Procurement

6.1 Our contracts to outsource handling of personal data with semi-processors or contractors (collectively, the “Contractors”) stipulate that the Contractors must take necessary and appropriate measures to ensure the secure management of such personal data. We implement strict management and supervision for the purpose of ensuring that the Contractors maintain a personal data protection system equivalent to ours. In accordance with the contracts entered into with the Contractors, we regularly ask such Contractors to check and report on their compliance with the contracts on an annual basis. We also regularly review our procurement processes for the purposes of meeting our compliance obligations under the Act. In addition:

(a) Any arrangement in which an external supplier has access to Dubber information or systems is to be subject to previous appropriate security controls. This is to be given effect by: (i) requiring the external supplier to comply with all relevant security standards, policies, and procedures specified in Dubber’s information security management system (“ISMS”) policy; (ii) carrying out a risk assessment based on the nature of the service being provided by the external supplier. (b) It is important to note that large suppliers do not recognise small provider nomenclature and classification of terms, etc. In that instance, we adapt our approach accordingly to bridge any gaps and ensure the integrity of our ISMS is not compromised by such a supplier using different language or practices.

7. Incident Handling

In the event of a leak, loss or damage of personal data (the “Incident”), we will promptly report it to the relevant parties and regulatory authorities in Japan in accordance with procedures stipulated in the Act. 

8. Personnel Security

8.1 Dubber employees go through appropriate levels of background and reference checks pre-employment and any additional post-employment requirements depending on their role and commercial requirements. 

8.2 Dubber employees do not have access to any of our Customers’ personal data and Recordings, unless this is strictly necessary for them to perform their duties and on a “need to know basis” (e.g., for the provision of technical or customer support services or to carry out quality or spot checks as part of the service Dubber provides to the Customer).

8.3 All Dubber employees are required to complete mandatory information security training.

8.4 Dubber employees commit themselves to confidentiality in accordance with the Data Protection Legislation requirements. We will deal promptly with breaches of our security policies and procedures through formal processes, including disciplinary action. 

9. Physical Security

9.1 We limit access to our premises (sites, buildings or internal areas) where personal data is stored. We ensure that no Customer data is stored in any physical Dubber site. 

9.2 Dubber’s physical security protection measures including secure lock and key for personnel files and secured doors (building and office passes and controls).

9.3 We inspect the premises used for the provision of our services for risks and threats at least annually. 

10. Network and Cloud Security

10.1 Dubber’s service provides a private and secure link between communication networks. Our service benefits from built-in firewalls that allow private networks to link telephony equipment with Dubber, with additional control access of Dubber instances.

10.2 We implement security measures across our networks, to safeguard the confidentiality, availability and integrity of Customer end users’ personal data. There are logical and role-based access controls across information systems. Privileged access reviews are conducted at least twice a year. We regularly conduct security / penetration testing. 

10.3 All Recordings, including metadata and recorded data, is stored in dedicated data silos for each individual user. Customer’s users are only granted access to the data that belongs to their registered accounts. 

10.4 All user, Recording, and Dubber AI transcripts are stored in encrypted repositories. The Recordings are fully encrypted using one of the strongest block ciphers available – 256-bit Advanced Encryption Standard (AES-256).

10.5 We have systems in place in line with good industry practice to detect any security breaches that might occur. This allows us to act quickly to rectify any breaches and identify the sources of the attack. 

10.6 Dubber’s security measures include:

(a) use of controls in place that aim to prevent any purposeful attack; (b) secure communications between devices as appropriate; including the encryption of all non-console administrator access; (c) strong architectural design, which are tiered and zoned with effective robust identity management and operating system configuration which must be appropriately hardened and documented; (d) the disabling (where practical) of services, applications and ports that will not be used; (e) the installation of the most recent security patches as soon as practicable; (f) ensuring appropriate measures are in place to handle denial of service attacks; (g) monitoring all applicable vendors and other relevant information sources for vulnerability alerts; (h) Keeping Recordings secure. Recordings are protected in transmission and storage through use of secure protocols and encryption; (i) Defence in depth. The network is partitioned into zones with different trust levels and restrict traffic between those zones; (j) Protect what you can, detect everything else. Networks are monitored to detect unauthorised connections and suspicious traffic; (k) Secure application development processes: this is incorporated into the Dubber software development life cycle to reduce the risk of vulnerabilities being introduced into applications. This includes the use of secure design and programming methods, and testing and validation techniques for software application development; (l) Development, testing, and production environments are segregated from one another to reduce the likelihood of a weakness in a non-production system leading to the compromise of production data; (m) All system clocks are synchronised with a certified Network Time Protocol (NTP) provider via internal intermediary time servers, and modification of system clock times are prevented; (n) All traffic between the security domains traverse and are filtered by an application layer firewall or equivalent (proxy); (o) Production data is not used in development or test environments; (p) Two-factor authentication is used for management access to cloud resources; (q) Only secure protocols are used for transmission of data between environments. Insecure protocols (e.g. FTP, HTTP, Telnet) must be ‘tunnelled’ via a secure protocol such as SSH or TLS. (r) We have a business continuity plan in place which has been developed, implemented, and tested to deal with events where the CSP’s environment is unavailable; (s) All cloud deployments are security tested in line with comparative on premise deployments, including vulnerability scanning and penetration testing; and (t) VPN connections are authenticated using TLS-AUTH, or an industry recognised secure alternative.

11. Industry Standards and Certifications

11.1 ISO/IEC 27001. We adhere to and are compliant with the ISO/IEC 27001 industry standard. We are audited by an independent body annually on the ISO/IEC 27001 standard. Our certificate is available in the Dubber Website. A copy of the Statement of Applicability is available upon request.

11.2 HIPAA Compliance. We have a standard Business Associate Addendum (“BAA”) we present to Customers for signature.

11.3 Payment Card Industry Data Security Standard (“PCI DSS”). We have PCI DSS Compliance as a Service Provider for our Dubber PCI Comply products. A copy of our Attestation of Compliance (“AoC”) completed by a Qualified Security Assessor (QSA) is available upon request.

Our Dubber Affiliates are PCI DSS Level 4 Merchant, and we also completely outsource all their credit card data-handling and transactional operations to a PCI-certified service provider. A copy of the SAQ-A self-assessment is available upon request.

11.4 OWASP Secure Coding Standards. We adhere to OWASP security standards in our coding practices.

12. Destruction of Data and Termination of Contract

12.1 Dubber will delete the Customer’s data on termination or expiration of the Customer agreement or as otherwise agreed with the Customer.

12.2 Where Dubber is contractually required to destroy data for which we are a processor or a sub-processor, authority to do so must include a request or confirmation to destroy data from the Customer. Upon receipt of this request, Dubber will suspend the account(s) identified and undertake the following treatments within a reasonable period:

(a) Data held securely within Dubber applications is deleted from their respective repositories; and (b) Where data is held by a Dubber sub-processor for processing purposes, data is deleted from each of the destination sub-processor’s repositories.

12.3 Where we receive a request to transfer data to the Customer at the termination of the relevant Customer agreement, Dubber and the Customer will agree the full terms of the transfer, the transfer methods, and the details of what data is to be transferred and what data is to be destroyed.

13. Training

All Dubber employees receive training on information security, data protection and other relevant privacy laws. All Dubber employees are aware that unlawful access to and/or disclosure of personal information and/or personal data is prohibited. For details on Personnel Security, please refer to Section 8: Personnel Security.

14. Help desk

Dubber has set up a permanent personal information help desk to respond to complaints and inquiries and responds with integrity to the concerns of individuals with respect to the handling of their personal information. Please refer to Section 11: RESOLVING CONCERNS in our Privacy Policy.

15. Related Policies and Procedures

We have specific policies and procedures in place regarding the protection of personal information and/or personal data used in the course of our business. 

Last Modified: June 3, 2022