Data Processing Agreement (DPA)

1. Introduction

This Data Processing Agreement (“DPA”) sets out the terms under which OCFR Gemba (“OCFR Gemba”, “we”, “our”, “us”) processes personal data on behalf of its clients (“you”, “client”) in connection with the services provided through https://ocfr-gemba.com.

This DPA forms part of and is incorporated into any applicable service agreement, contract, or Statement of Work (SOW) between OCFR Gemba and the client.

2. Definitions

For the purposes of this DPA:

“Personal Data” means any information relating to an identified or identifiable natural person.
“Processing” means any operation performed on personal data, such as collection, use, storage, disclosure, or deletion.
“Controller” means the entity that determines the purposes and means of processing personal data.
“Processor” means the entity that processes personal data on behalf of the Controller.

Unless otherwise stated, the client acts as the Controller, and OCFR Gemba acts as the Processor.

3. Scope & Purpose of Processing

OCFR Gemba processes personal data solely for the purpose of delivering agreed professional services, which may include:

Processing activities are limited to what is necessary to perform the agreed services.

4. Types of Personal Data & Data Subjects

Depending on the engagement, personal data may include:

Data subjects may include client employees, contractors, representatives, or other individuals relevant to the engagement.

5. Obligations of OCFR Gemba

OCFR Gemba agrees to:

Process personal data only on documented instructions from the client
Ensure confidentiality of personal data
Implement appropriate technical and organizational security measures
Ensure that personnel authorized to process personal data are properly trained
Assist the client in meeting applicable data-protection obligations, where reasonably required

6. Sub-Processors

OCFR Gemba may engage trusted third-party sub-processors (e.g., IT, hosting, or collaboration tools) solely as necessary to deliver services.

OCFR Gemba remains responsible for ensuring that any sub-processor provides appropriate data-protection safeguards.

7. Data Security

OCFR Gemba implements reasonable and appropriate measures to protect personal data against unauthorized access, loss, alteration, or disclosure, taking into account the nature of the data and processing activities.

8. Data Breach Management

In the event of a personal data breach:

9. Data Subject Rights

OCFR Gemba will, to the extent legally permitted and reasonably practicable, assist the client in responding to requests from data subjects to exercise their rights (e.g., access, rectification, deletion).

10. Data Retention & Deletion

Personal data will be retained only for as long as necessary to fulfill the purposes of the engagement or as required by law.

Upon completion of services, personal data will be deleted or returned to the client upon request, unless retention is legally required.

11. International Data Transfers

Where personal data is transferred outside the client’s jurisdiction, OCFR Gemba will take appropriate measures to ensure an adequate level of data protection in accordance with applicable laws.

12. Audits & Compliance

Upon reasonable request, OCFR Gemba will make available information necessary to demonstrate compliance with this DPA, subject to confidentiality and security considerations.

13. Liability & Limitations

Liability related to data processing is governed by the terms of the applicable service agreement or contract between the parties.

14. Updates & Amendments

OCFR Gemba may update this DPA periodically to reflect legal, regulatory, or operational changes. The most current version will be published on the website.

15. Contact Information

For questions regarding this Data Processing Agreement or data protection practices, please contact: