When using Scan to Salesforce, customers obtaining and using personal information in the European Union (EU) and European Economic Area (EEA) are the Controller as per the GDPR, and by using a server located in Japan, we may be considered the Processor. As set forth in GDPR Article 45.1, a country the EU deems "ensures an adequate level of protection" can exchange personal data with no restrictions. As of January 23, 2019, it was also deemed that Japan "ensures an adequate level of protection". Therefore, we can transfer data between the EU and Japan in accordance with the GDPR.
We stipulate GDPR compliance in Article 33 of the Terms of Use. We take the safety management measures prescribed in the Standard Contractual Clauses. Appendix 2 his is stated regarding human, organizational, technical, and physical measures, and we process in accordance with the GDPR.