Sansan, Inc. and its subsidiaries (hereinafter referred to as “Sansan Group”) operate with the mission of “Turning encounters into innovation.”
We consider customer information and other information assets we deal with in the course of our business to be of the utmost importance as a management foundation.
To protect information assets from security risks such as leaks, damage, or loss, all personnel, including executives and staff who deal with information assets, shall comply with this policy and carry out measures to ensure information security in terms of its confidentiality, integrity, and availability.
Sansan Group has formulated an Information Security Policy, along with relevant regulations to protect information assets. we shall adhere to these when conducting business while upholding applicable laws, regulations, and other standards relating to information security and agreements with customers.
Sansan Group shall clarify the criteria for analyzing and assessing existing risks to information assets such as leaks, damage, loss, etc., and establish a systematic process for risk assessment to be carried out regularly. In addition, we shall implement necessary and appropriate security measures based on the outcome of this assessment.
Sansan Group shall establish information security systems centered on executive officers and clarify their authority and responsibilities for information security. In addition, we shall regularly implement education, training, and awareness-raising campaigns to ensure all employees recognize the importance of information security and the proper handling of information assets.
Sansan Group shall regularly perform checks and audits on compliance with information security policy and information asset handling. We shall take prompt corrective action for any inadequacies or points requiring improvement that are discovered.
Sansan Group shall implement appropriate procedures for dealing with information security events or incidents. We shall establish preemptive response procedures to minimize damage in the unlikely chance that a security event or subsequent incident occurs, allowing us to respond promptly and take the appropriate corrective actions when necessary.
Sansan Group shall establish an information security management system that sets goals for realizing our basic principles. We will continuously review and improve the system during its implementation.
Information Security Requirements Applied to the Design and Implementation of Cloud Services
Sansan, Inc. (hereinafter referred to as “the Company”) designs and implements Cloud services provided by the Company (hereinafter “Cloud Services”) after applying information security requirements from customers in addition to this policy, which was established by the Company.
Risks to Cloud Services
The Company will take appropriate measures for management of risks related to Cloud Services identified through risk assessment.
Risks from Permitted Internal Related Parties
The Company will identify employees involved with the maintenance and management of Cloud Services, and will give periodic training to internal related parties.
Isolation of Cloud Computing Environment
The Company logically will isolate and provide Cloud Services utilize a virtualized multi-tenant environment, and the cloud computing environment.
Access and Protection of Customers’ Information Assets by the Company’s Employees
In order to solve problems related to Cloud Services or technical problems, the Company’s employees may access customers’ information assets, but other than in cases prescribed by the Company’s agreement, etc., customers’ information assets will not be viewed, edited or disclosed without prior permission from the said customer.
Administrative Access Control Procedure
The Company will controll administrative access to Cloud Services through multi-factor authentication and other measures.
Notification to Customers Regarding Changes
The Company will provide information related to changes to services details that will impact the customer by posting it on the service screen, etc.
The Company will ensure the security of the virtual machine as the hypervisor (virtualization software) will be protected from attacks and the host infrastructure will be protected from threats arising in the virtualized environment.
Access and Protection of Customers’ Information Assets
The Company will carry out appropriate access management and protection for customers’ information assets handled by Cloud Services.
The Company will operate the lifecycle management of the customers’ accounts in a way that the accounts are registered at the commencement of services and deleted at the termination of the services. It will be the responsibility of the customer to prepare and manage their account based on the agreement, etc. prescribed by the Company.
The Company will share information for notification, investigation and forensic support regarding violations in the event that violations related to the usage of Cloud Services or matters that will damage information security are detected.
This document has been translated from the Japanese original for reference purposes only. In the event of any discrepancy between this translated document and the Japanese original, the original shall prevail.