Information Security Policy

This policy is intended to protect all information assets handled by the Company from threats and to meet the trust placed in us by customers and other stakeholders. We maintain the confidentiality, integrity, and availability of information assets.

This policy applies to all directors, officers, and personnel of the Company, regardless of employment status, and to all information assets handled in our business activities, including customer information entrusted to us, our own information, and the facilities, systems, and media used to handle them.

The Company appoints a person responsible for information security and provides the organization and resources required to establish, operate, maintain, and improve the ISMS. Management provides leadership to ensure the effectiveness of this policy, and all personnel are responsible for complying with this policy and related rules.

• We identify information assets, evaluate their importance, and regularly conduct risk assessments based on threats and vulnerabilities.
• For assessed risks, we determine whether to reduce, avoid, transfer, or accept the risk, and select and apply appropriate controls.
• We evaluate residual risks and maintain them at acceptable levels with approval from the responsible owner.

• We implement access controls based on the principle of least privilege and user identification and authentication, including multi-factor authentication.
• We encrypt information, including customer data, in transit and at rest.
• We record and monitor access logs and operation logs, and implement measures against unauthorized access and malicious software.
• We manage vulnerabilities through measures such as patching and regular assessments.
• We implement measures to prevent theft, loss, or unauthorized removal of servers, devices, recording media, and similar assets.

The Company handles documents and data uploaded by customers to the Service only to the extent necessary to provide the Service, and does not repurpose them for training machine-learning models or similar purposes without customer consent. Retention and deletion of data are handled in accordance with the applicable agreement and the Privacy Policy. When information is handled in a foreign country, we understand the systems and conditions of that country and implement necessary and appropriate measures.

When outsourcing part of our operations, the Company evaluates and selects vendors based on their information security standards, contractually requires security management, and provides necessary and appropriate supervision. We apply equivalent management to the use of cloud services and other external services.

The Company complies with laws, regulations, guidelines, contractual requirements, and internal rules related to information security and personal information protection. We also fulfill security requirements agreed with customers.

The Company regularly provides information security education and training to directors, officers, and all personnel to ensure understanding of and compliance with this policy and related rules, and to improve security awareness.

The Company works to prevent information security incidents and maintains a structure to promptly detect, respond to, and recover from incidents, minimize impact, and prevent recurrence. For serious incidents, we report appropriately to affected customers, supervisory authorities, and other relevant parties. We also maintain business continuity plans so critical operations can continue or recover quickly during disasters or system failures.

The Company will respond appropriately to personnel who violate this policy or related rules in accordance with work rules and other applicable policies. Violations by vendors or other related parties will be addressed appropriately under the relevant contracts and arrangements.

Through internal audits and management reviews, the Company regularly evaluates the operation of the ISMS and the appropriateness of this policy, implements corrections and improvements, and continually raises the level of information security. This policy is reviewed and revised as necessary.