Sansan, Inc. (hereinafter “the Company” or “Sansan”) operates with the mission of “Turning encounters into innovation.”
We consider customer information and other information assets we deal with in the course of our business to be of the utmost importance as a management foundation.
To protect information assets from security risks such as leaks, damage, or loss, all personnel, including executives and staff who deal with information assets, shall comply with this policy and carry out measures to ensure information security in terms of its confidentiality, integrity, and availability.
We have formulated an Information Security Policy, along with relevant regulations to protect information assets. we shall adhere to these when conducting business while upholding applicable laws, regulations, and other standards relating to information security and agreements with customers.
We shall clarify the criteria for analyzing and assessing existing risks to information assets such as leaks, damage, loss, etc., and establish a systematic process for risk assessment to be carried out regularly. In addition, we shall implement necessary and appropriate security measures based on the outcome of this assessment.
We shall establish information security systems centered on executive officers and clarify their authority and responsibilities for information security. In addition, we shall regularly implement education, training, and awareness-raising campaigns to ensure all employees recognize the importance of information security and the proper handling of information assets.
We shall regularly perform checks and audits on compliance with information security policy and information asset handling. We shall take prompt corrective action for any inadequacies or points requiring improvement that are discovered.
We shall implement appropriate procedures for dealing with information security events or incidents. We shall establish preemptive response procedures to minimize damage in the unlikely chance that a security event or subsequent incident occurs, allowing us to respond promptly and take the appropriate corrective actions when necessary.
We shall establish an information security management system that sets goals for realizing our basic principles. We will continuously review and improve the system during its implementation.
Information Security Requirements Applied to the Design and Implementation of Cloud Services
Cloud services provided by the Company (hereinafter “Cloud Services”) are designed and implemented after applying information security requirements from customers in addition to this policy, which was established by the Company.
Risks to Cloud Services
Appropriate measures for management will be taken for risks related to Cloud Services identified through risk assessment.
Risks from Permitted Internal Related Parties
Employees involved with the maintenance and management of Cloud Services will be identified, and periodic training will be given to internal related parties.
Isolation of Cloud Computing Environment
Cloud Services utilize a virtualized multi-tenant environment, and the cloud computing environment is logically isolated and provided.
Access and Protection of Customers’ Information Assets by the Company’s Employees
In order to solve problems related to Cloud Services or technical problems, the Company’s employees may access customers’ information assets, but other than in cases prescribed by the Company’s agreement, etc., customers’ information assets will not be viewed, edited or disclosed without prior permission from the said customer.
Administrative Access Control Procedure
Administrative access to Cloud Services is controlled through multi-factor authentication and other measures.
Notification to Customers Regarding Changes
Information related to changes to services details that will impact the customer will be provided by posting it on the service screen, etc.
Virtualization Security
The security of the virtual machine will be ensured as the hypervisor (virtualization software) will be protected from attacks and the host infrastructure will be protected from threats arising in the virtualized environment.
Access and Protection of Customers’ Information Assets
Appropriate access management and protection will be carried out for customers’ information assets handled by Cloud Services.
Account Management
The lifecycle management of the customers’ accounts will be operated in a way that the accounts are registered at the commencement of services and deleted at the termination of the services. It will be the responsibility of the customer to prepare and manage their account based on the agreement, etc. prescribed by the Company.
Information Sharing
Information will be shared for notification, investigation and forensic support regarding violations in the event that violations related to the usage of Cloud Services or matters that will damage information security are detected.
Note:
This document has been translated from the Japanese original for reference purposes only. In the event of any discrepancy between this translated document and the Japanese original, the original shall prevail.