Cato Cloud Privacy Policy

In recognition of the importance of personal information, KDDI Corporation (hereinafter referred to as “KDDI” or “we”) complies with the law and ordinances related to our business in order to ensure the protection of personal information. KDDI handles personal information in the following manner.

1  Collection of Personal Information

We handle information, such as customer name, address, email address, IP address, device log information, etc., collected via the services named “Cato Cloud Services” provided by Cato Networks Ltd., organized in Israel (hereinafter referred to as “Services”) through legal and fair means. There may be cases where customer information is not considered personal information due to its nature. We will, however, give due consideration to the handling of such information.

KDDI takes necessary actions pursuant to regulations, such as obtaining the consent of customers, when collecting information stipulated by law as sensitive personal information.

2.  Use of Personal Information

(1) Purpose of Use

We may use the personal information for one or more of the following business purposes indicated below:

    • to provide the Services and enable consumers’ efficient use of the Services;
    • to process details regarding consumers’ use of the Services;
    • to provide various services correspondence to the consumers;
    • to process details of personal information that the consumers voluntarily provide on the Services;
    • to perform, monitor and enforce contracts concluded between the consumers and KDDI;
    • to conduct research, analysis, develop our services and products; and
    • to provide notification of information related to the Service and our other products.

(2) Legal basis of Use

We may use the personal information in the cases indicated below, in accordance with applicable laws:

    • If a customer consents thereto;
    • If necessary for the purposes of our legitimate interest;
    • If required by law or ordinance;
    • If such information is required for the protection of human life, body, or property;
    • If such information is required for the improvement of public health or the promotion of the healthy raising of children; or
    • If it becomes necessary under applicable laws and ordinances to cooperate with a government agency, local public agency, or parties authorized thereby.

(3) Deletion of Personal Information

We will maintain your personal information until the purpose of use therefor has been achieved. When the purpose of use has been achieved or when the Services has been discontinued, KDDI shall delete the relevant personal information without delay.

3.  Provision to Third Parties

We may provide your personal data to our affiliates, Cato Networks, Ltd and processors such as MACNICA, Inc. and the agency of Cato Networks, Ltd., and/or to third parties. We also may provide your personal data to countries outside of your country, including Japan and Israel, which may have a lower level of data protection than your country. When providing personal data to third parties outside your country, KDDI shall take the necessary measures therefor, such as obtaining consent and concluding a data processing agreement, etc., in compliance with the applicable law. For further information, including obtaining a copy of the documents used to protect your personal information, please contact us via our consultation office below.

4.  Management of Personal Information

We take measures to control access to personal information, limit means for taking personal information outside the office, and prevent unauthorized external access. We also take measures to prevent personal information being leaked, lost, or damaged and other necessary and appropriate measures for personal information security management (hereinafter referred to as “Security Management Measures”).
When taking Security Management Measures, we properly implement technological and organizational protections as shown below by using the framework of related laws and ordinances, guidelines, and the Information Security Management System (ISMS).

  1. (1) Technological Protection Measures
    We control access to personal information (limiting the number of employees authorized to access personal information, including the immediate cancellation of accounts of employees who are transferred or leave the company, the establishment of a system for monitoring access status, long-term storage of access logs, the change of passwords at regular intervals, and room entry/exit supervision, etc.).
    We limit the means for taking personal information outside the office (prohibition of saving to external storage devices without due reason and establishment of an internal-external email monitoring system in the company rules).
    We take measures to prevent unauthorized external access (installation of firewalls, etc.).

  2. (2) Organizational Protection Measures
    A) Supervision of employees (including temporary employees)
    We have appointed a “Person in charge of information security” as the designated person in charge of the management of personal information and have defined the responsibility and authority of such employee with respect to personal information security management.
    We have established internal rules and compiled manuals concerning security management, instruct employees to comply with such rules and manuals, and perform appropriate audits on the compliance status. We provide employees with training and education regarding personal information security management.

    B) Supervision of contractors
    We may contract out all or part of our personal information handling operations to third parties. In such a case, we shall select a contractor that is expected to properly handle personal information; appropriately specify matters concerning the handling of personal information such as Security Management Measures, confidentiality, terms and conditions of subcontracting, return of personal information upon the expiration or termination of the contract; and perform necessary and appropriate supervision thereof.

5.  Your Rights

If you or your agent exercise your rights under the applicable law, such as withdrawing consent, access, deletion, objection, or data portability, etc., please contact us via our consultation office below.

You may have the right to lodge a complaint with the supervisory authority of your country or region and you can refer the dispute to dispute resolution processes as set forth in the Terms and Use of Cato Cloud.

[KDDI Corporation Personal Information Disclosure Consultation Office]

Supplementary Provisions
Handling of the Personal Information of Consumers Residing in the State of California

In addition to the provisions set forth above, the following provisions apply to the handling of the Personal Information (information that identifies, relates to, describes, references, and is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device. The same shall apply hereinafter in this Supplementary Provisions.) of consumers residing in the State of California in accordance with the provisions of the California Consumer Privacy Act of 2018(“CCPA”).

1. Information We Collect

KDDI has collected the following categories of Personal Information from our consumers within the last twelve (12) months and will collect the following categories of Personal Information:

Category Examples
A. Identifiers. A real name, online identifier, internet protocol address, email address, or other similar identifiers.
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). A name.
C. Internet or other electronic network activity information. Device log information.

We will not collect additional categories of personal information or use the personal information we collect for materially different, unrelated, or incompatible purposes without providing you notice thereof.

2. Sharing or Disclosure of Personal Information

We may share or disclose your personal information to a third party for business purposes or commercial purposes.
When we disclose personal information to service providers for business purposes or commercial purposes, we enter a contract that describes such purposes and requires the service providers to both keep that personal information confidential and not use it for any purpose except for performing the contract.

In the preceding twelve (12) months, we have shared or disclosed the personal information to the following categories of third parties for business purposes or commercial purposes:

    • Affiliated companies; and
    • Service providers including a company providing network security services to the consumers.

3. Sales of Personal Information

We have not sold any personal information in the preceding twelve (12) months.

4. Your Rights and Choices under the CCPA

CCPA provides consumers who are residents of California with specific rights regarding personal information. The following of this Section describes your CCPA rights and explains how to exercise those rights.

(1) Access Right to Specific Information

You have the right to request that we disclose certain information to you about our collection, sharing, disclosure or use of your Personal Information over the past twelve (12) months from the time of your request. Once we receive and confirm your verifiable consumer request, we will disclose to you any or all of the following information:

    • The categories of Personal Information we collected about you;
    • The categories of sources for Personal Information we collected about you;
    • Our business or commercial purpose for collecting or selling Personal Information;
    • The categories of third parties with whom we share or sell Personal Information;
    • The categories of personal information sold by each third party who sold Personal Information;
    • The categories of Personal Information disclosed for business purposes or commercial purposes; and
    • The specific pieces of Personal Information we collected about you.

(2) Deletion Request Rights

You have the right to request that we delete any of your Personal Information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your Personal Information from our records, unless an exception applies.

We may deny your deletion request if retaining the information is necessary for us or our service providers to:

    • Complete the transaction for which we collected Personal Information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you;
    • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities;
    • Debug products to identify and repair errors that impair existing intended functionality;
    • Exercise free speech, ensure the rights of other consumers to exercise their free speech rights, or exercise other rights provided for by law;
    • Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.);
    • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent;
    • Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us;
    • Comply with legal obligations; or
    • Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

(3) Opt-Out Rights

We have not sold and will not sell any Personal Information collected from you.

(4) Non-Discrimination

We will not discriminate against California residents for exercising any of their rights under the CCPA. Moreover, unless permitted by the CCPA, we will not:

    • Deny you goods or services;
    • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties;
    • Provide you a different level or quality of goods or services; or
    • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

(5) Exercising Access and Deletion Rights

To exercise the access and deletion rights described above, please submit a verifiable consumer request to us by contacting KDDI Corporation Personal Data Disclosure Consultation Office described above.

Only you, or a natural person or business entity registered with the California Secretary of State to conduct business in California that you authorize to act on your behalf, may make a verifiable consumer request related to your Personal Information. You may also make a verifiable consumer request on behalf of your minor child.

The verifiable consumer request must:

    • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative; and
    • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond thereto.